Who is reading others' emails without authorization?

An employee is complaining they suspect their emails are being read without consent. Their password may have been compromised. Does Office 365 Exchange store the IP address where an organization's internal email changed unread state to read state?
4 Replies
Hi @joym8,

See the following article:

https://techcommunity.microsoft.com/t5/Office-365/Can-I-audit-where-the-mailbox-over-log-in/m-p/1509...

You can see sign-in activity through Azure AD > Monitoring > Sign Ins. This will show you the IP address where the user is logging in from.

You could also look to use the audit log. As stated in the article the IP address corresponding to an activity performed by any user is included in most audit records. Information about the client used is also included in the audit record.

https://docs.microsoft.com/en-us/office365/securitycompliance/auditing-troubleshooting-scenarios

I would also check the Exchange Admin Centre to see if any mailbox permissions have been added to the user.

Hope that answers your questions

Best, Chris
Well, if the password has been compromised, you will not be able to get much information out of the Exchange audit logs, as Owner actions are not being audited. So at best you can see when the user logged in from a different/unknown IP and try to correlate this with the date the messages in question were received.

@joym8 

Make sure auditing is enabled on mailbox.
- Run audit log searches in Security and Compliance Center.
- Mention Start date, End date & Users.
- Check for different IP from your location.

As a best practice, enable MFA.

Regards,
Akshay
System Admin - Apps4Rent
90% of these will be picked up one of two ways. Search for Exchange mailbox rule changes in the compliance auditing. Or check in the Azure AD portal under suspicious sign-ins for an impossible sign-in. You’ll see users that might have people logging in from Africa and whatnot if compromised.
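
One way to triage the records the replies above point to (sign-ins from an unfamiliar IP and inbox rule changes), as an added example that is not part of the original thread. The sample records are constructed in the shape of the `AuditData` JSON returned by `Search-UnifiedAuditLog`; the function name, the known-prefix list and the addresses are assumptions for illustration.

```powershell
# Constructed sample records (not real data), shaped like the AuditData JSON
# column of Search-UnifiedAuditLog results. Field names are assumed from the
# Office 365 audit schema; Exchange mailbox records use ClientIPAddress instead.
$sampleAuditData = @(
    '{"CreationTime":"2019-05-14T08:02:11","Operation":"UserLoggedIn","UserId":"employee@example.com","ClientIP":"203.0.113.10"}'
    '{"CreationTime":"2019-05-14T23:41:07","Operation":"UserLoggedIn","UserId":"employee@example.com","ClientIP":"198.51.100.77"}'
    '{"CreationTime":"2019-05-14T23:44:52","Operation":"New-InboxRule","UserId":"employee@example.com","ClientIP":"198.51.100.77:51234"}'
    '{"CreationTime":"2019-05-15T09:15:30","Operation":"UserLoggedIn","UserId":"employee@example.com","ClientIP":"203.0.113.10"}'
)

# Assumption: the organization's own egress addresses share this prefix.
$knownPrefixes  = @('203.0.113.')
# Operations that record inbox rule creation or modification.
$ruleOperations = @('New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules')

function Get-SuspiciousAuditRecord {
    param(
        [string[]]$AuditDataJson,
        [string[]]$KnownPrefix,
        [string[]]$RuleOperation
    )
    foreach ($json in $AuditDataJson) {
        $record = $json | ConvertFrom-Json
        # Fall back to ClientIPAddress for Exchange mailbox audit records.
        $ip = if ($record.ClientIP) { $record.ClientIP } else { $record.ClientIPAddress }

        $known = $false
        foreach ($prefix in $KnownPrefix) {
            if ($ip -and $ip.StartsWith($prefix)) { $known = $true }
        }

        $reasons = @()
        if (-not $known) { $reasons += 'unfamiliar IP' }
        if ($RuleOperation -contains $record.Operation) { $reasons += 'inbox rule change' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time      = $record.CreationTime
                User      = $record.UserId
                Operation = $record.Operation
                ClientIP  = $ip
                Reason    = $reasons -join ', '
            }
        }
    }
}

Get-SuspiciousAuditRecord -AuditDataJson $sampleAuditData -KnownPrefix $knownPrefixes -RuleOperation $ruleOperations |
    Format-Table -AutoSize
```

Against a live tenant, the JSON strings would come from the `AuditData` property of `Search-UnifiedAuditLog -StartDate ... -EndDate ... -UserIds ...` results instead of the constructed array.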