Finding out who set an email forwarder on a mailbox
When troubleshooting an issue with a customer just the other day, they noticed that a mailbox in their environment had email forwarding in place. This is unusual since they don’t usually implement that sort of thing.
I explained to them that our Audit & Compliance module would help with identifying who did this, and when, so that it can be followed up with the individual involved.
Our customer was excited by that. In this blog post, let me spend a few minutes explaining, with an example from our lab, how we dig into email forwarding details with our Audit & Compliance module.
First of all, if you sign up for our trial and give consent, Microsoft will begin sending us audit events. From that point onwards we securely receive and store these events so that you can search them. Unfortunately, it’s the nature of Microsoft Office 365 auditing that you don’t get past events.
Let’s assume we spotted an email forwarder in place on a test mailbox called ‘johnsmith’. We can go to the Auditing section of the application and search for ‘johnsmith’ in the ‘full text search’ text box.
This might give us a lot of results, so we would probably also want to narrow the date range before running the search.
The results might look like this:
If we’ve got too many results, or results that aren’t related to what we’re after, we can switch to the data-grid view and filter the results further.
In the example above, we could filter for set-mailbox events and see when one was run against John’s mailbox. This leads us to this screenshot.
We can click on these individual rows and see what additional information the audit data has. From this we can see:
So there we have it, we know who set the forwarder, and when. Our next steps are to discuss this with the people involved and see what the reason was for setting the email forward, and whether it’s still needed.
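The same search and filter can be applied to exported audit records. The following is an added example, not part of the original post or of the product: the field names (`CreationTime`, `Operation`, `UserId`, `ObjectId`, `Parameters`) are assumed to follow the Exchange admin audit record layout, and the sample events are constructed. It also reports when a forwarder was later cleared, which the walkthrough above does not cover.

```python
# Set-Mailbox parameters that carry a forwarding destination.
FORWARD_PARAMS = ("ForwardingSmtpAddress", "ForwardingAddress")

# Constructed sample records (not real audit data); field names assumed to
# follow the Exchange admin audit record layout.
SAMPLE_EVENTS = [
    {"CreationTime": "2024-03-04T09:12:31", "Operation": "Set-Mailbox",
     "UserId": "admin1@example.test", "ObjectId": "johnsmith",
     "Parameters": [
         {"Name": "ForwardingSmtpAddress", "Value": "smtp:archive@example.net"},
         {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"CreationTime": "2024-03-04T10:02:00", "Operation": "Set-Mailbox",
     "UserId": "admin2@example.test", "ObjectId": "johnsmith",
     "Parameters": [{"Name": "AuditEnabled", "Value": "True"}]},
    {"CreationTime": "2024-03-05T14:40:07", "Operation": "Set-Mailbox",
     "UserId": "admin1@example.test", "ObjectId": "janedoe",
     "Parameters": [
         {"Name": "ForwardingSmtpAddress", "Value": "smtp:jd@example.net"}]},
    {"CreationTime": "2024-03-07T16:30:00", "Operation": "Set-Mailbox",
     "UserId": "admin2@example.test", "ObjectId": "johnsmith",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": ""}]},
]


def forwarding_changes(events, mailbox):
    """Return who changed forwarding on `mailbox`, when, and to what."""
    hits = []
    for ev in events:
        if ev.get("Operation", "").lower() != "set-mailbox":
            continue  # only Set-Mailbox events, as in the data-grid filter
        if mailbox.lower() not in ev.get("ObjectId", "").lower():
            continue  # loose match, like the full text search
        params = {p["Name"]: p.get("Value") or "" for p in ev.get("Parameters", [])}
        touched = [n for n in FORWARD_PARAMS if n in params]
        if not touched:
            continue  # Set-Mailbox ran, but forwarding was not changed
        target = next((params[n] for n in touched if params[n]), None)
        hits.append({"when": ev["CreationTime"], "who": ev["UserId"],
                     # an empty value means the forwarder was removed
                     "action": "set" if target else "cleared",
                     "forward_to": target,
                     "keep_copy": params.get("DeliverToMailboxAndForward")})
    return sorted(hits, key=lambda h: h["when"])


if __name__ == "__main__":
    for hit in forwarding_changes(SAMPLE_EVENTS, "johnsmith"):
        print(hit)
```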
If you think that this sort of activity would be helpful to you or your team, why not sign up for a free trial?