Multiple rapid email update events


Upon reviewing logs today I came across one user who had 18+ update message events all within seconds of each other, in some places 2 or 3 in a second. The other strange thing is the IP shows as ::1 and it occurred at 5:29am in my local timezone (log shows the Zulu time). No way a human can update this many emails that quickly, plus the ClientInfoString says Client=REST;

 

What could this be? Is it a mail rule running at a set time?

 

{
  "OrganizationName": "XXXX",
  "OrganizationId": "XXXX",
  "ExternalAccess": false,
  "CreationTime": "2019-09-23T19:29:12.0000000Z",
  "Workload": "Exchange",
  "RecordType": 2,
  "ModifiedProperties": [
    "AttachmentCollection"
  ],
  "UserId": "XXXX@XXXX",
  "UserType": 0,
  "UserKey": "XXXX",
  "ClientInfoString": "Client=REST;;",
  "OriginatingServer": "XXXX\r\n",
  "MailboxOwnerSid": "XXXX",
  "LogonUserSid": "XXXX",
  "Item": {
    "Attachments": " (15598b); (15598b); (15598b); (15358b); (15546b); (5886b); (9160b)",
    "IsRecord": false,
    "ParentFolder": {
      "Path": "\\Calendar",
      "Id": "XXXX"
    },
    "InternetMessageId": "XXXX",
    "Id": "XXXX",
    "Subject": "Project WIP Meeting"
  },
  "ResultStatus": "Succeeded",
  "ClientIP": "::1",
  "InternalLogonType": 0,
  "MailboxOwnerUPN": "XXXX",
  "Version": 1,
  "ClientIPAddress": "::1",
  "LogonType": 0,
  "Operation": "Update",
  "MailboxGuid": "XXXX",
  "Id": "XXXX"
}

1 Reply

Hi @lfk73,

 

This should be some message update requests from the client (Outlook I assume) where some property was updated. In your case it's a calendar event, maybe because someone accepted or changed the answer.

 

Best regards
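
Added example, not part of the thread above and not Microsoft code: a triage script that groups exported audit records into bursts of Update events and summarises the fields discussed in the question (client string, loopback source address, folder, item and modified properties), so a burst against one calendar item can be told apart from edits spread across a mailbox. The sample records, the user name, the `Client=OTHER;;` value and the thresholds are constructed; it assumes `ClientIP` is a bare address as in the quoted record.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

def _rec(ts, ip="::1", client="Client=REST;;", path="\\Calendar", item="ITEM-1"):
    # Constructed record using the field names of the one quoted in the question.
    return {"CreationTime": ts, "UserId": "user@example.test", "Operation": "Update",
            "ClientIP": ip, "ClientInfoString": client,
            "ModifiedProperties": ["AttachmentCollection"],
            "Item": {"Id": item, "ParentFolder": {"Path": path}}}

# Constructed sample: 18 updates at 3 per second, plus one unrelated later update.
SAMPLE = [_rec(f"2019-09-23T19:29:{12 + i // 3:02d}.0000000Z") for i in range(18)]
SAMPLE.append(_rec("2019-09-23T21:00:00.0000000Z", ip="203.0.113.7",
                   client="Client=OTHER;;", path="\\Inbox", item="ITEM-2"))

def when(rec):
    # Timestamps carry seven fractional digits; second precision is enough here.
    return datetime.strptime(rec["CreationTime"].split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S")

def summarise(user, run):
    return {
        "user": user, "events": len(run), "start": run[0]["CreationTime"],
        "seconds": (when(run[-1]) - when(run[0])).total_seconds(),
        # ::1 is the IPv6 loopback address, not a routable client address.
        "loopback_only": all(ipaddress.ip_address(r["ClientIP"]).is_loopback for r in run),
        "clients": sorted({r["ClientInfoString"] for r in run}),
        "folders": sorted({r["Item"]["ParentFolder"]["Path"] for r in run}),
        "distinct_items": len({r["Item"]["Id"] for r in run}),
        "properties": sorted({p for r in run for p in r["ModifiedProperties"]}),
    }

def find_bursts(records, gap=timedelta(seconds=2), threshold=10):
    """Return one summary per run of >= threshold Update events spaced <= gap apart."""
    by_user = defaultdict(list)
    for r in records:
        if r.get("Operation") == "Update":
            by_user[r["UserId"]].append(r)
    bursts = []
    for user, recs in by_user.items():
        recs.sort(key=when)
        run = [recs[0]]
        for r in recs[1:] + [None]:          # None flushes the final run
            if r is not None and when(r) - when(run[-1]) <= gap:
                run.append(r)
                continue
            if len(run) >= threshold:
                bursts.append(summarise(user, run))
            run = [r]
    return bursts
```

Calling `find_bursts(SAMPLE)` returns a single summary for the constructed burst; a result with `distinct_items` of 1 in `\Calendar` matches the single-meeting explanation given in the reply, while many distinct items across folders would warrant a closer look.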