May 13 2019 07:31 AM
May 13 2019 07:44 AM
May 13 2019 09:52 AM
Well if the password has been compromised, you will not be able to get much information out of the Exchange audit logs, as Onwer actions are not being audited. So at best you can see when the user logged in from a different/unknown IP and try to correlate this with the date the messages in question were received.
May 14 2019 12:10 PM
May 17 2019 10:31 PM