Hi everyone! I've run into a bit of a challenge. Let's say a user's email account has been compromised, and after an audit with Purview, I've identified some mail that was accessed. The only clue I have is the InternetMessageID. I know I can trace emails within the past 90 days, but I'm struggling to figure out how to identify emails that are older than that. I've attempted to set up a rule in the inbox using the ID to search the headers, but that hasn't worked out. Does anyone have suggestions for additional methods I might be missing? I appreciate any advice!
3 Answers
You might want to consider using the Mailbox Access Log (MAL). What I typically do for investigation purposes is create a PST of the mailbox and then load that into some analysis tools where you can search by the InternetMessageID. Also, it could be beneficial to consult an incident response firm or get in touch with your legal or cyber insurance team for assistance.
I've encountered this issue several times, and without utilizing any third-party or specialized tools, it’s almost impossible to trace emails older than 90 days. I've spent a lot of time trying with Graph API, but the inconsistency in how emails are stored makes it quite challenging to search effectively. I usually advise clients to treat all mailbox information as potentially accessed and act on that assumption.
One approach I've found useful is to filter based on the IP address from which the hacker accessed the mailbox. However, in your case, since you’ve noted the events show only 'MailItemsAccessed,' it might limit that technique.
That makes sense! In my case, I'm more concerned with what information might have been seen during the breach. We're trying to be thorough, but it sounds like it's safer to assume everything was compromised. I'm also looking into purchasing some tools for better future tracking.
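As an added example (not code from anyone in this thread), the following Python works through the audit-log side of the discussion above: it parses a Purview audit export of MailItemsAccessed events, pulls out the InternetMessageIds together with the client IP that accessed them (the IP-based filtering one answer suggests), separates Sync accesses that carry no per-item IDs, and builds the Graph API lookup for each ID. The sample rows are constructed. The field names assumed (Operation, ClientIPAddress, MailAccessType, Folders/FolderItems/InternetMessageId) are those of the AuditData JSON that Search-UnifiedAuditLog and the Purview export carry, and the `internetMessageId eq '...'` filter on `/users/{user}/messages` is the Graph query assumed for locating a message by that ID.

```python
import json
from collections import defaultdict
from urllib.parse import quote

# Constructed sample rows in the shape of a Purview / Search-UnifiedAuditLog
# export: each row carries the event as a JSON string in its AuditData column.
SAMPLE_ROWS = [
    {"AuditData": json.dumps({
        "CreationTime": "2024-05-02T10:15:00", "Operation": "MailItemsAccessed",
        "UserId": "victim@contoso.example", "ClientIPAddress": "203.0.113.10",
        "MailAccessType": "Bind",
        "Folders": [{"Path": "\\Inbox", "FolderItems": [
            {"InternetMessageId": "<aaa@contoso.example>"},
            {"InternetMessageId": "<bbb@contoso.example>"}]}]})},
    {"AuditData": json.dumps({
        "CreationTime": "2024-05-02T11:00:00", "Operation": "MailItemsAccessed",
        "UserId": "victim@contoso.example", "ClientIPAddress": "198.51.100.7",
        "MailAccessType": "Bind",
        "Folders": [{"Path": "\\Inbox", "FolderItems": [
            {"InternetMessageId": "<ccc@contoso.example>"}]}]})},
    # A Sync access: the whole folder was synchronised, no per-item IDs logged.
    {"AuditData": json.dumps({
        "CreationTime": "2024-05-02T10:20:00", "Operation": "MailItemsAccessed",
        "UserId": "victim@contoso.example", "ClientIPAddress": "203.0.113.10",
        "MailAccessType": "Sync",
        "Folders": [{"Path": "\\Inbox", "FolderItems": []}]})},
    # Unrelated operation, must be ignored by the parser.
    {"AuditData": json.dumps({
        "CreationTime": "2024-05-02T10:14:00", "Operation": "UserLoggedIn",
        "UserId": "victim@contoso.example", "ClientIPAddress": "203.0.113.10"})},
]


def load_audit_data(rows):
    """Decode the AuditData JSON string of each exported row into a dict."""
    return [json.loads(row["AuditData"]) for row in rows]


def parse_mail_items_accessed(records):
    """Flatten MailItemsAccessed events into one hit per accessed item.

    A Sync access lists folders without FolderItems, so it yields a hit with
    message_id None: every item in that folder has to be treated as accessed.
    """
    hits = []
    for rec in records:
        if rec.get("Operation") != "MailItemsAccessed":
            continue
        base = {
            "time": rec.get("CreationTime"),
            "user": rec.get("UserId"),
            "ip": rec.get("ClientIPAddress", ""),
            "access_type": rec.get("MailAccessType", ""),
        }
        for folder in rec.get("Folders", []):
            items = folder.get("FolderItems", [])
            if not items:
                hits.append({**base, "folder": folder.get("Path", ""), "message_id": None})
            for item in items:
                mid = item.get("InternetMessageId")
                if mid:
                    hits.append({**base, "folder": folder.get("Path", ""), "message_id": mid})
    return hits


def ids_by_client_ip(hits):
    """Map each client IP to the sorted InternetMessageIds it bound to."""
    grouped = defaultdict(set)
    for h in hits:
        if h["message_id"]:
            grouped[h["ip"]].add(h["message_id"])
    return {ip: sorted(ids) for ip, ids in grouped.items()}


def synced_folders(hits):
    """Map each client IP to the folders it synchronised wholesale."""
    grouped = defaultdict(set)
    for h in hits:
        if h["message_id"] is None:
            grouped[h["ip"]].add(h["folder"])
    return {ip: sorted(paths) for ip, paths in grouped.items()}


def graph_filter_for(message_id):
    """OData filter for the message; a literal quote inside the value is doubled."""
    return f"internetMessageId eq '{message_id.replace(chr(39), chr(39) * 2)}'"


def graph_lookup_url(user, message_id):
    """Graph v1.0 URL that locates a message in the mailbox by InternetMessageId."""
    return (f"https://graph.microsoft.com/v1.0/users/{quote(user)}/messages"
            f"?$filter={quote(graph_filter_for(message_id))}"
            "&$select=id,subject,receivedDateTime,parentFolderId")


if __name__ == "__main__":
    hits = parse_mail_items_accessed(load_audit_data(SAMPLE_ROWS))
    for ip, ids in ids_by_client_ip(hits).items():
        print(ip, "bound:", ids)
    for ip, folders in synced_folders(hits).items():
        print(ip, "synced whole folder(s):", folders)
    print(graph_lookup_url("victim@contoso.example", "<aaa@contoso.example>"))
```

The Graph lookup is a query against the mailbox contents rather than the audit log, so it locates a message by its ID for as long as that message is still in the mailbox; what the audit retention window limits is which accesses were recorded at all. A Sync record is the case where the per-message view breaks down, which is why the parser surfaces those folders separately: everything in them should be treated as read.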