Multiple rapid email update events


Upon review logs today I came across one user who had 18+ update message events all within seconds of each other, some places 2 or 3 in a second.  The other strange thing is the IP shows as ::1 and it occurred at 5:29am in my local timezone (log shows the Zulu time).  No way a human can update this many emails that quickly plus the ClientInfoString says Client=REST;


 What could this be?  Is it a mail rule running at a set time?


"OrganizationName": "XXXX",
"OrganizationId": "XXXX",
"ExternalAccess": false,
"CreationTime": "2019-09-23T19:29:12.0000000Z",
"Workload": "Exchange",
"RecordType": 2,
"ModifiedProperties": [
"UserId": "XXXX@XXXX",
"UserType": 0,
"UserKey": "XXXX",
"ClientInfoString": "Client=REST;;",
"OriginatingServer": "XXXX\r\n",
"MailboxOwnerSid": "XXXX",
"LogonUserSid": "XXXX",
"Item": {
"Attachments": " (15598b); (15598b); (15598b); (15358b); (15546b); (5886b); (9160b)",
"IsRecord": false,
"ParentFolder": {
"Path": "\\Calendar",
"Id": "XXXX"
"InternetMessageId": "XXXX",
"Id": "XXXX",
"Subject": "Project WIP Meeting"
"ResultStatus": "Succeeded",
"ClientIP": "::1",
"InternalLogonType": 0,
"MailboxOwnerUPN": "XXXX",
"Version": 1,
"ClientIPAddress": "::1",
"LogonType": 0,
"Operation": "Update",
"MailboxGuid": "XXXX",
"Id": "XXXX"

2 Replies

Hi @lfk73 ,


This should be some message update requests from the client (Outlook I assume) where some property was updated. In your case it's a calendar event, maybe because someone accepted or changed the answer.


Best regards

@lfk73 Did you ever get any addition information on what the "update" operation means?