Advance Message Trace, Device Email Client


I have an Office 365 user who has somehow sent 500+ emails with a OneDrive link to some shady stuff. Of course, he hasn't done this, but something has.

1. Something has sent 500+ emails with shady content within 1 minute.

2. Something has added an inbox filter to make all new messages go to "Deleted Items".

This sounds ludicrous, but that's the case.

First, I want to establish from which device these have been sent. He has a computer with Outlook and an Android phone.

When I export the advanced message trace, is there any way to know which of his email clients has sent it?

7 Replies
Hi!

See this article:

https://docs.microsoft.com/en-us/office365/securitycompliance/detailed-properties-in-the-office-365-audit-log

Look at the properties Client and ClientInfoString.

You should be able to get the information out of Azure AD too, through the sign-in report:

https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins

Hope that answers your question!

Best, Chris

I'm afraid the message trace logs won't be of much help here, as they don't contain information about the client. You should be able to get the IP, however. The event logs in the SCC do have the client information, but those are not generated for owner-sent messages, so you might not even see the entries there. Records are generated for any delete events, though, so you should be able to see those.
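
Putting the two answers above together as a worked example (this is added code, not something posted in the thread): the message trace only yields the submitting IP, while the Unified Audit Log carries ClientInfoString and ClientIPAddress on mailbox events such as the inbox-rule change and the deletions, which is where the "which client" question actually gets answered. It assumes an Exchange Online PowerShell session (Connect-ExchangeOnline) with the audit-log and message-trace roles; the UPN and the time window are placeholders. Caveats a responder should know: audit records can lag by hours, Get-MessageTrace only reaches back 10 days, and a Send event is only written if owner actions are audited on that mailbox.

```powershell
# Added example, not from the thread. Assumes Connect-ExchangeOnline has been run.
$User  = 'user@contoso.com'          # placeholder UPN of the affected mailbox
$Start = (Get-Date).AddDays(-7)      # placeholder window around the incident
$End   = Get-Date

# 1. Unified Audit Log: these operations carry client and IP details.
#    UpdateInboxRules   = rule written by a MAPI/EWS client (Outlook desktop, mobile apps)
#    New-/Set-InboxRule = rule written through the cmdlet path (OWA, remote PowerShell),
#                         logged with a Parameters list describing the rule
#    MoveToDeletedItems / SoftDelete / HardDelete = deletions
#    Send               = only logged when owner actions are audited on the mailbox
#    UserLoggedIn       = Azure AD sign-in record, carries ClientIP and a UserAgent
$ops = 'UpdateInboxRules','New-InboxRule','Set-InboxRule','MoveToDeletedItems',
       'SoftDelete','HardDelete','Send','UserLoggedIn'
$records = Search-UnifiedAuditLog -StartDate $Start -EndDate $End -UserIds $User `
    -Operations $ops -ResultSize 5000 -SessionCommand ReturnLargeSet

$events = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json           # AuditData is a JSON string
    # Exchange mailbox events use ClientIPAddress/ClientInfoString; Azure AD
    # sign-in events use ClientIP and put the user agent in ExtendedProperties.
    $ua = ($d.ExtendedProperties | Where-Object { $_.Name -eq 'UserAgent' }).Value
    [pscustomobject]@{
        Time      = $r.CreationDate
        Operation = $r.Operations
        ClientIP  = if ($d.ClientIPAddress) { $d.ClientIPAddress } else { $d.ClientIP }
        Client    = if ($d.ClientInfoString) { $d.ClientInfoString } else { $ua }
        LogonType = $d.LogonType                   # 0 = owner, 1 = admin, 2 = delegate
        Params    = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    }
}
$events | Sort-Object Time |
    Format-Table Time, Operation, ClientIP, Client, LogonType, Params -AutoSize -Wrap

# Whether a Send event can exist for this mailbox at all.
Get-Mailbox -Identity $User | Select-Object AuditEnabled, AuditOwner

# 2. Message trace: only FromIP survives, there is no client name. A Microsoft
#    IP (as in the thread) means the mail was submitted through the mailbox
#    (OWA, Outlook, mobile, EWS, Graph/Flow all look the same here); a
#    non-Microsoft IP means an SMTP client submission from that network.
Get-MessageTrace -SenderAddress $User -StartDate $Start -EndDate $End -PageSize 5000 |
    Group-Object FromIP | Sort-Object Count -Descending |
    Select-Object Count, @{n='FromIP';e={$_.Name}},
        @{n='First';e={($_.Group | Sort-Object Received)[0].Received}}

# 3. Inbox rules currently on the mailbox: the "send everything to Deleted
#    Items" rule is itself evidence, and its audit record (step 1) names the client.
Get-InboxRule -Mailbox $User | Format-List Name, Enabled, Priority, Description
```

Read the Client column literally: values starting with Client=OWA point at the web client, Client=MSExchangeRPC or Microsoft Office Outlook at the desktop client, Client=ActiveSync at a phone, and Client=REST or Client=WebServices at a token-based app (Graph, Flow, EWS). That last category is the one the interactive-only sign-in report can miss, which is why the mailbox audit record, not the sign-in log, is the place to settle the OWA-versus-something-else question. The cmdlet-style New-InboxRule record may only carry ClientIP, so for a rule created from OWA correlate that IP with the UserLoggedIn records in the same window.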

Regarding Azure AD, it says: The sign-ins report only displays the interactive sign-ins, that is, sign-ins where a user manually signs in using their username and password. Non-interactive sign-ins, such as service-to-service authentication, are not displayed in the sign-ins report.

@Vasil Michev I'm not sure what you mean here. I see the IP 52.232.123.80 for almost all messages, but this is a Microsoft IP, not the IP of the device that sent the message.

This might simply mean that OWA was used as the client. But it can also mean that something like a Flow interacted with the mailbox, etc. Hard to guess without being able to see what little info is in the message trace. Check the audit logs for the delete events, you might be able to see client info there.


@Vasil Michev An inbox rule was responsible for the deletions, so that wouldn't belong to a user client. Is there no way to confirm that OWA was used as the client?  

If you have not already, follow the instructions here:

https://docs.microsoft.com/en-us/office365/securitycompliance/responding-to-a-compromised-email-account
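
Once the behaviour the original post describes (a one-minute burst of outbound mail plus a rule hiding every reply in Deleted Items) is treated as an account compromise, containment follows Microsoft's "responding to a compromised email account" guidance: cut off access, reset credentials, remove persistence, then restore sending. The following is an added example, not code posted in the thread, and assumes Exchange Online PowerShell (Connect-ExchangeOnline) plus the AzureAD module (Connect-AzureAD); the UPN is a placeholder.

```powershell
# Added example, not from the thread. Assumes Connect-ExchangeOnline and Connect-AzureAD.
$User = 'user@contoso.com'          # placeholder UPN of the compromised account

# 1. Stop the bleeding: block sign-in and revoke refresh tokens so cached
#    sessions (including any non-interactive app token) die, then reset the
#    password. Order matters: a reset alone leaves existing tokens valid.
Set-AzureADUser -ObjectId $User -AccountEnabled $false
Revoke-AzureADUserAllRefreshToken -ObjectId $User
$chars = [char[]](48..57 + 65..90 + 97..122)               # 0-9 A-Z a-z
$newPw = -join ($chars | Get-Random -Count 24)
Set-AzureADUserPassword -ObjectId $User `
    -Password (ConvertTo-SecureString $newPw -AsPlainText -Force) `
    -ForceChangePasswordNextLogin $true

# 2. Remove persistence. List the rules first (keep the output as evidence),
#    then remove the ones that delete, move, forward or redirect mail.
Get-InboxRule -Mailbox $User |
    Select-Object Name, Enabled, DeleteMessage, MoveToFolder, ForwardTo, RedirectTo, ForwardAsAttachmentTo |
    Format-Table -AutoSize
Get-InboxRule -Mailbox $User |
    Where-Object { $_.DeleteMessage -or $_.MoveToFolder -or $_.ForwardTo -or
                   $_.RedirectTo -or $_.ForwardAsAttachmentTo } |
    Remove-InboxRule -Confirm:$false
# Mailbox-level forwarding is a separate persistence path from inbox rules.
Set-Mailbox -Identity $User -ForwardingSmtpAddress $null -ForwardingAddress $null `
    -DeliverToMailboxAndForward $false

# 3. A 500-message burst usually lands the sender on the EOP restricted list;
#    clear it only after the above is done, or the attacker keeps sending.
if (Get-BlockedSenderAddress -SenderAddress $User) {
    Remove-BlockedSenderAddress -SenderAddress $User
}

# 4. Re-enable the account only once MFA is enforced for it.
Set-AzureADUser -ObjectId $User -AccountEnabled $true
```

Keep the Get-InboxRule listing and the audit-log export from the investigation before running the removals; once the rule is gone, the audit record is the only trace of which client created it.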