Forum Discussion
Advanced Message Trace, Device Email Client
I have an Office 365 user who has somehow sent 500+ emails with a OneDrive link to some shady stuff. Of course, he hasn't done this, but something has.
1. something has sent 500+ emails with shady content during 1 minute
2. something has added an inbox filter to make all new messages go to "deleted items"
This sounds ludicrous, but that's the case.
First, I want to establish from which device these have been sent. He has a computer with Outlook and an Android phone.
When I export the advanced message trace, is there any way to know which of his email clients has sent it?
- Hi!
See article
https://docs.microsoft.com/en-us/office365/securitycompliance/detailed-properties-in-the-office-365-audit-log
Look at properties Client and ClientInfoString
You should be able to get the information out of Azure AD too through the sign in report
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins
Hope that answers your question!
Best, Chris
- famadorian (Brass Contributor)
Regarding Azure AD, it says: The sign-ins report only displays the interactive sign-ins, that is, sign-ins where a user manually signs in using their username and password. Non-interactive sign-ins, such as service-to-service authentication, are not displayed in the sign-ins report.
I'm afraid the message trace logs won't be of much help here, as they don't contain information about the client. You should be able to get the IP however. The event logs in the SCC do have the client information, but those are not generated for owner-sent messages, so you might not even see the entries there. Records are generated for any delete events though, so you should be able to see those.
- famadorian (Brass Contributor)
VasilMichev I'm not sure what you mean here. I see an IP: 52.232.123.80 for almost all messages, but this IP is a Microsoft IP, not the IP of the device that sent the message.
This might simply mean that OWA was used as the client. But it can also mean that something like a Flow interacted with the mailbox, etc. Hard to guess without being able to see what little info is in the message trace. Check the audit logs for the delete events, you might be able to see client info there.
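The replies above point at the audit log rather than the message trace: the inbox-rule creation and the delete events are recorded there, together with the Client / ClientInfoString and IP properties. The following is an added example (not from any poster or from Microsoft) of triaging an exported audit log: it parses the AuditData JSON of each row, flags any New-InboxRule / Set-InboxRule record whose MoveToFolder parameter targets Deleted Items, and groups the rule and delete operations by client string and IP. The sample rows are constructed, with documentation-range IPs; field names (Operation, ClientIP, ClientInfoString, Parameters) are the standard audit record properties.

```python
import json
from collections import defaultdict

# Operations relevant to this thread: the rule that diverts new mail, and deletions.
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
DELETE_OPS = {"MoveToDeletedItems", "SoftDelete", "HardDelete"}

# Constructed sample rows in the shape of an audit-log export: each row carries
# an 'AuditData' column holding one JSON record. Not real tenant data.
SAMPLE_ROWS = [
    {"AuditData": json.dumps({"CreationTime": "2019-05-02T08:01:11", "Operation": "New-InboxRule",
        "UserId": "user@contoso.example", "ClientIP": "203.0.113.5",
        "Parameters": [{"Name": "Name", "Value": "."},
                       {"Name": "MoveToFolder", "Value": "Deleted Items"}]})},
    {"AuditData": json.dumps({"CreationTime": "2019-05-02T08:02:30", "Operation": "MoveToDeletedItems",
        "UserId": "user@contoso.example", "ClientIP": "203.0.113.5",
        "ClientInfoString": "Client=OWA;Action=ViaProxy"})},
    {"AuditData": json.dumps({"CreationTime": "2019-05-02T08:02:41", "Operation": "MoveToDeletedItems",
        "UserId": "user@contoso.example", "ClientIP": "203.0.113.5",
        "ClientInfoString": "Client=OWA;Action=ViaProxy"})},
    {"AuditData": json.dumps({"CreationTime": "2019-05-02T09:15:02", "Operation": "HardDelete",
        "UserId": "user@contoso.example", "ClientIP": "198.51.100.7",
        "ClientInfoString": "Client=MSExchangeRPC"})},
]

def parse_audit_rows(rows):
    """Decode the AuditData JSON of every exported row into a dict."""
    return [json.loads(r["AuditData"]) for r in rows]

def rule_moves_to_deleted_items(record):
    """True for a New-/Set-InboxRule record whose MoveToFolder points at Deleted Items."""
    if record.get("Operation") not in RULE_OPS:
        return False
    for p in record.get("Parameters", []):
        if p.get("Name") == "MoveToFolder" and "deleted items" in str(p.get("Value", "")).lower():
            return True
    return False

def summarize_clients(records):
    """Count rule and delete operations per (Operation, ClientInfoString, ClientIP).
    Cmdlet records (New-InboxRule) may carry only ClientIP, hence the '?' default."""
    summary = defaultdict(int)
    for r in records:
        op = r.get("Operation")
        if op in RULE_OPS or op in DELETE_OPS:
            summary[(op, r.get("ClientInfoString", "?"), r.get("ClientIP", "?"))] += 1
    return dict(summary)

if __name__ == "__main__":
    recs = parse_audit_rows(SAMPLE_ROWS)
    print([r["ClientIP"] for r in recs if rule_moves_to_deleted_items(r)])
    for key, n in sorted(summarize_clients(recs).items()):
        print(n, key)
```

With a real export, replace SAMPLE_ROWS with the rows of the CSV (csv.DictReader) and compare the ClientIP of the rule-creation record with the sign-in IPs of the user's known devices.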