Forum Discussion
Investigating Excel-Initiated Email Activity Without Sent Items Trace
Two days ago, three emails were sent from a user’s inbox without leaving any copies in the Sent Items folder. The user did not send these emails manually—this is confirmed by the presence of the Simp...
I think this is where it all starts.
- ~$ = temporary Office file
- .dotm = macro-enabled Word template
This means Word macros were loaded, even if the user never noticed Word opening.
Very common when:
- Excel automates Word
- A template is referenced
- A macro runs silently
How you can reproduce it yourself (quick test)- Open Excel
- Press Alt + F11
- Paste this into a module:
- Sub TestSend() CreateObject("Outlook.Application") _ .CreateItem(0) _ .Send End Sub
- Run it
- You’ll see:
- Email sent
- No Sent Items copy
- Outlook.exe used
- Excel.exe is parent
Same behavior you’re investigating.
To Prevent this; 👉 Microsoft Defender for Endpoint
Security settings → Attack surface reduction → Rules
Enable:- Excel → Outlook email automation
- Word macros sending mail
- Office launching cmd.exe / powershell.exe
Enable: Block Office apps from creating child processes → It should block.