Multiple rapid email update events

lfk73 · ‎Sep 23 2019

Upon review logs today I came across one user who had 18+ update message events all within seconds of each other, some places 2 or 3 in a second. The other strange thing is the IP shows as ::1 and it occurred at 5:29am in my local timezone (log shows the Zulu time). No way a human can update this many emails that quickly plus the ClientInfoString says Client=REST;

What could this be? Is it a mail rule running at a set time?

{
"OrganizationName": "XXXX",
"OrganizationId": "XXXX",
"ExternalAccess": false,
"CreationTime": "2019-09-23T19:29:12.0000000Z",
"Workload": "Exchange",
"RecordType": 2,
"ModifiedProperties": [
"AttachmentCollection"
],
"UserId": "XXXX@XXXX",
"UserType": 0,
"UserKey": "XXXX",
"ClientInfoString": "Client=REST;;",
"OriginatingServer": "XXXX\r\n",
"MailboxOwnerSid": "XXXX",
"LogonUserSid": "XXXX",
"Item": {
"Attachments": " (15598b); (15598b); (15598b); (15358b); (15546b); (5886b); (9160b)",
"IsRecord": false,
"ParentFolder": {
"Path": "\\Calendar",
"Id": "XXXX"
},
"InternetMessageId": "XXXX",
"Id": "XXXX",
"Subject": "Project WIP Meeting"
},
"ResultStatus": "Succeeded",
"ClientIP": "::1",
"InternalLogonType": 0,
"MailboxOwnerUPN": "XXXX",
"Version": 1,
"ClientIPAddress": "::1",
"LogonType": 0,
"Operation": "Update",
"MailboxGuid": "XXXX",
"Id": "XXXX"
}

Sebastien Molendijk · ‎Sep 30 2019

Hi @lfk73 ,

This should be some message update requests from the client (Outlook I assume) where some property was updated. In your case it's a calendar event, maybe because someone accepted or changed the answer.

Best regards

GaryBerger · ‎Aug 15 2022

@lfk73 Did you ever get any addition information on what the "update" operation means?

Multiple rapid email update events

Multiple rapid email update events

Re: Multiple rapid email update events

Re: Multiple rapid email update events

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Multiple rapid email update events