cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Who is reading other's emails without authorization?

joym8
Copper Contributor

‎May 13 2019 07:31 AM

‎May 13 2019 07:31 AM

Who is reading other's emails without authorization?

An employee is complaining they suspect their emails are being read without consent. Their password may have been compromised. Does Office 365 Exchange store the IP address where an organization's internal email changed unread state to read state?
Labels:
1,462 Views
2 Likes
4 Replies
Reply
4 Replies
Christopher Hoard

‎May 13 2019 07:44 AM

‎May 13 2019 07:44 AM

Re: Who is reading other's emails without authorization?

Hi @joym8,

See following article

https://techcommunity.microsoft.com/t5/Office-365/Can-I-audit-where-the-mailbox-over-log-in/m-p/1509...

You can see sign in activity through Azure AD > Monitoring > Sign Ins. This will show you the IP address where the user is logging in from

You could also look to use the audit log. As stated in the article the IP address corresponding to an activity performed by any user is included in most audit records. Information about the client used is also included in the audit record.

https://docs.microsoft.com/en-us/office365/securitycompliance/auditing-troubleshooting-scenarios

I would also check the Exchange Admin Centre to see if any mailbox permissions have been added to the user.

Hope that answers your questions

Best, Chris
1 Like
Reply
Vasil Michev

‎May 13 2019 09:52 AM

‎May 13 2019 09:52 AM

Re: Who is reading other's emails without authorization?

Well if the password has been compromised, you will not be able to get much information out of the Exchange audit logs, as Onwer actions are not being audited. So at best you can see when the user logged in from a different/unknown IP and try to correlate this with the date the messages in question were received.

1 Like
Reply
Akshay_Mane

‎May 14 2019 12:10 PM

‎May 14 2019 12:10 PM

Re: Who is reading other's emails without authorization?

@joym8 

 

Make sure auditing is enabled on mailbox. 
- Run audit log searches in  security and compliance center.
- Mention Start date, End date & Users. 
- Check for different IP from your location.
 
As a best practise Enable MFA.
 
Regards,
Akshay
System Admin - Apps4Rent
1 Like
Reply
Chris Webb

‎May 17 2019 10:31 PM

‎May 17 2019 10:31 PM

Re: Who is reading other's emails without authorization?

90% of these will be picked up one of two ways. Search for exchange mailbox rule changes in the compliance auditing. Or check in azure ad portal and suspicious sign ins for an impossible sign in. You’ll see users that might have people logging in from Africa and what not if compromised
1 Like
Reply