Is It Possible to Find Who Deleted an Email

    Question

  • Hi,

    We had an incident two weeks ago where some emails of a user got deleted. We troubleshot the issue and suspected that his email was compromised, and also found that someone had created a rule forwarding emails to a suspicious account.

    Is there a way to know from which client and which IP address the emails were deleted? And is there a way to know when and from where the rule was created?

    Thanks

    Wednesday, August 17, 2016 9:10 AM

All replies

  • You can get the details if you have mailbox audit logging enabled at the mailbox level, which can give you sufficient details about where the email got deleted and so on.

    Check the article below:

    http://exchangeserverpro.com/tracking-mailbox-owner-deletes-using-mailbox-audit-logging/

    I don't know if we can track it down if we don't have audit logging already enabled.

    Thanks,

    Yogesh

    Wednesday, August 17, 2016 9:20 AM
  • Hi Rami,

    You need to enable auditing in your environment and you should be able to find out the actual culprit.

    Please check this PDF guide which summarizes the steps in detail - https://gallery.technet.microsoft.com/Enabling-Exchange-2010-368786d3


    Wednesday, August 17, 2016 9:33 AM
  • Hi,

    We can enable audit logging to monitor the actions on a mailbox, including the actions and IP address. More details on mailbox audit log entries, for your reference:
    https://technet.microsoft.com/en-us/library/ff459237%28v=exchg.160%29.aspx#Mailbox

    Since this issue occurred in the past, the audit log cannot record actions from before it was enabled. The more important thing is to recover the messages and mailbox.

    Please try to use the "Recover deleted items" function in Outlook, or use Search-Mailbox to find the items and restore them.
    For your reference: https://technet.microsoft.com/en-us/library/ff660637(v=exchg.160).aspx


    Allen Wang
    TechNet Community Support

    • Marked as answer by Rami Saber Thursday, August 18, 2016 10:17 AM
    Thursday, August 18, 2016 8:25 AM
    Moderator
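
The steps discussed in the replies, as an added example that is not part of the original thread: enable owner-delete auditing, then pull the client and IP address for delete operations and list forwarding rules. It assumes the Exchange Management Shell; the mailbox address is a placeholder, and as the replies note, only actions performed after auditing is enabled are recorded.

```powershell
# Added example, run in the Exchange Management Shell.
# $Mailbox is a placeholder identity; replace it with the affected mailbox.
$Mailbox = 'user@example.com'
$Since   = (Get-Date).AddDays(-14)

# 1. Turn on mailbox auditing and include the owner's own delete actions,
#    so that deletes made with the owner's credentials are recorded too.
Set-Mailbox -Identity $Mailbox -AuditEnabled $true `
    -AuditOwner SoftDelete, HardDelete, MoveToDeletedItems `
    -AuditLogAgeLimit 90

# 2. Delete operations with the time, logon type, client IP and client string.
#    Only entries written after step 1 took effect can be returned.
$deleteOps = 'SoftDelete', 'HardDelete', 'MoveToDeletedItems'
Search-MailboxAuditLog -Identity $Mailbox -LogonTypes Owner, Delegate, Admin `
        -ShowDetails -StartDate $Since -EndDate (Get-Date) -ResultSize 5000 |
    Where-Object { $deleteOps -contains $_.Operation } |
    Sort-Object LastAccessed |
    Select-Object LastAccessed, Operation, LogonType, LogonUserDisplayName,
                  ClientIPAddress, ClientInfoString, FolderPathName

# 3. Inbox rules that forward, redirect or delete mail, for review and removal.
Get-InboxRule -Mailbox $Mailbox |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or
                   $_.RedirectTo -or $_.DeleteMessage } |
    Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo,
                  RedirectTo, DeleteMessage

# 4. Rule creation or change events in the admin audit log.
#    Assumption: the rule was created through the New-InboxRule/Set-InboxRule
#    cmdlet path; a rule created by another route will not appear here.
Search-AdminAuditLog -Cmdlets New-InboxRule, Set-InboxRule `
        -StartDate $Since -EndDate (Get-Date) |
    Select-Object RunDate, Caller, CmdletName, ObjectModified
```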