Can Someone See if You Forwarded Their Email

I have been asked to investigate a potential security breach which would have involved a member of staff forwarding all their corporate emails to their personal email address, so that they still have access to information if they were removed from this position.

I have access to Sophos messagelabs and can perform email track and trace, but this isn't always reliable.

I was wondering if I could use Exchange management shell to check for auto forwarding or other types of email forwarding?


1981DMC
Aug 18, 2022 at 12:24 UTC

Of course! Use message tracking logs. The cmdlet in the shell for 2010 is Get-MessageTrackingLog. You can specify filters such as sender, recipient, start and end times, etc. In 2013 I recall they changed it to Get-MessageTrace. Usually by default your logs go back 30 days in a 2010 on-prem deployment, if memory serves me correctly.


11 Replies

Dropkick
Aug 18, 2022 at 12:24 UTC

To view the server side rules you can run:

Get-InboxRule -mailbox email@address.com | fl

If there are addresses listed in the ForwardTo field then you know messages are being sent to this address, given the criteria listed above.

1981DMC
Aug 18, 2022 at 12:25 UTC

Dropkick wrote:

To view the server side rules you can run:

Get-InboxRule -mailbox email@address.com | fl

If there are addresses listed in the ForwardTo field then you know messages are being sent to this address, given the criteria listed above.

This is only if the user is forwarding all his/her mail somewhere else. My example would prove actual messages were sent from said sender to said recipient.
Dropkick
Aug 18, 2022 at 12:28 UTC

1981DMC wrote:

This is only if the user is forwarding all his/her mail somewhere else. My example would prove actual messages were sent from said sender to said recipient.
True, but you need to know if there are auto forwarding rules enabled to be able to remediate the security breach!
Rob Dunn
Aug 18, 2022 at 12:31 UTC

The tracking logs are what you are looking for, like 1981DMC stated.  Here's a great how-to which I've used from time to time: http://exchangeserverpro.com/searching-message-tracking-logs-by-sender-or-recipient-email-address/

Rob Dunn
Aug 18, 2022 at 12:33 UTC

Dropkick wrote:

1981DMC wrote:

This is only if the user is forwarding all his/her mail somewhere else. My example would prove actual messages were sent from said sender to said recipient.
True, but you need to know if there are auto forwarding rules enabled to be able to remediate the security breach!
Which goes to show that you may need to perform a couple different queries to get the information you're looking for.  Nothing wrong with checking multiple places for a possible breach!

I would also check your outbound spam filter if there is one in place; take a look at analyzing the outbound content.
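The checks suggested in the replies above, combined into one pass for the Exchange Management Shell on an on-premises Exchange 2010 server. This is an added example, not code posted by anyone in the thread; the mailbox address, internal domain and output file name are placeholders, and the mailbox-level forwarding check in step 1 goes beyond the inbox-rule and tracking-log checks the thread mentions.

```powershell
# Added example: run in the Exchange Management Shell (on-premises Exchange 2010).
# Placeholder values - replace with the mailbox under investigation and your own domain.
$Mailbox        = 'user@example.com'
$InternalDomain = 'example.com'
$Start          = (Get-Date).AddDays(-30)   # thread: tracking logs go back 30 days by default

# 1. Forwarding configured on the mailbox object itself (no inbox rule involved).
Get-Mailbox -Identity $Mailbox |
    Format-List Name, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# 2. Server-side inbox rules that forward or redirect mail.
#    ForwardTo is the field named in the thread; the other two actions also
#    send copies elsewhere, so they are checked at the same time.
Get-InboxRule -Mailbox $Mailbox |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
    Format-List Name, Enabled, Description, ForwardTo, ForwardAsAttachmentTo, RedirectTo

# 3. Messages actually sent from the mailbox to recipients outside the organisation.
#    Get-TransportServer pipes every Hub Transport server into the search so that
#    no server's tracking log is missed.
$External = Get-TransportServer |
    Get-MessageTrackingLog -Sender $Mailbox -Start $Start -EventId SEND -ResultSize Unlimited |
    Where-Object { $_.Recipients -notlike "*@$InternalDomain" }   # true if any recipient is external

# Summarise by recipient to spot one external address receiving most of the mail.
$External |
    ForEach-Object { $_.Recipients } |
    Where-Object { $_ -notlike "*@$InternalDomain" } |
    Group-Object |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Keep the raw evidence for the investigation record (placeholder file name).
$External |
    Sort-Object Timestamp |
    Select-Object Timestamp, Sender, @{n='Recipients'; e={ $_.Recipients -join ';' }}, MessageSubject |
    Export-Csv -Path .\external-sends.csv -NoTypeInformation
```

Steps 1 and 2 show whether forwarding is configured now; step 3 shows what was actually sent within the tracking-log retention window, which matters if a rule was created and later deleted.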

Geoshot

1981DMC wrote:

Dropkick wrote:

To view the server side rules you can run:

Get-InboxRule -mailbox email@address.com | fl

If there are addresses listed in the ForwardTo field then you know messages are being sent to this address, given the criteria listed above.

This is only if the user is forwarding all his/her mail somewhere else. My example would prove actual messages were sent from said sender to said recipient.
Both answers here are exactly what I require so thank you very muchly.

I was able to determine that the breach existed by Sophos message labs, but determining how those emails are being sent is now my next step - So knowing if it is a rule being used would be very helpful.

Geoshot

Is it possible to have a client side only rule that would forward emails, or would it always be a server side rule?

Just making sure I've explored all options here.

Dropkick
Aug 18, 2022 at 12:52 UTC

Geoshot wrote:

Is it possible to have a client side only rule that would forward emails, or would it always be a server side rule?

Just making sure I've explored all options here.

It is possible to have client side rules. I believe Outlook 2007 or later stores the rules in the OST / PST file, which are in a hidden folder. If PST, then you could just open it with Outlook. However, OST would be a bit more difficult, you may want to convert it before you can open.
Geoshot

Yes 2007 did in fact do that I remember now, all our users are using Office 2013 suite which is all hooked up to Exchange 2010 - So this shouldn't be the case but I can see what I can pull from this user's laptop and check anyway.

Rupesh (Lepide)
Aug 19, 2022 at 04:44 UTC

Brand Representative for Lepide

Sounds good that above suggestions helped you to resolve your concern.

By the way, you can also have a look at Lepide exchange reporter which can be a nice alternative option in such situation. It helps to track every sent/received emails within or outside the domain in real time.


Source: https://community.spiceworks.com/topic/1776008-check-if-a-user-is-forwarding-emails-exchange-2010
