question

0 Votes
ShabazAhmed-5117 asked ShabazAhmed-5117 commented

How to check the IP details from where a mailbox user has logged in over the last five days?

Hi All,

Spam mail containing a phishing link has been sent from one of our mailbox users to all of his contacts. We suspect his email ID and password have been compromised. Kindly suggest how to check the IP addresses from which his account has been logged in to over the past five days.

Regards,
Shabaz

@JeffYang-MSFT

office-exchange-server-administration office-exchange-server-mailflow office-exchange-server-connectivity

Hi @ShabazAhmed-5117,

It sounds like what you need is more related to your server-side operations. Please kindly understand that I now mainly focus on general issues with the Outlook desktop client and know little about Exchange Server, so I removed the Outlook tag here.

By the way, I noticed that you have already added Exchange tags to your post, so Exchange experts will offer some proper suggestions for you later. Thanks for your understanding, and I hope your issue can be resolved soon.

1 Vote 1 ·

Hi @JeffYang-MSFT ,

Thanks for your reply.

0 Votes 0 ·

1 Answer

0 Votes
LucasLiu-MSFT answered ShabazAhmed-5117 commented

Hi @ShabazAhmed-5117,
What version of Exchange Server are you running?
1. We can view the client IP from the mailbox audit log, but there are some restrictions:
1) Mailbox audit logging is disabled by default, so please run the following command to see whether mailbox audit logging is enabled for the user mailbox.

 Get-Mailbox -Identity <> | fl *audit*

2) Auditing for owner logins to a mailbox works only for POP3, IMAP4, or OAuth logins. It doesn't work for NTLM or Kerberos logins to the mailbox. You can log in to Outlook, right-click the small Outlook icon, select "Connection status", and check the authentication method in "Authn".
3) If mailbox audit logging is enabled and can record the mailbox logins, you can run the following command to search the mailbox audit log.

 Search-MailboxAuditLog -Identity <> -LogonTypes Admin,Delegate,Owner -StartDate <> -EndDate <> -ResultSize 2000 -ShowDetails

For more information, you can refer to: Mailbox audit logging in Exchange Server and Search-MailboxAuditLog

2. Please run the following command to check the message tracking log and view the mail sent by the user. Then check whether there is "Send/Sendexternal" under the EventId parameter. Then run the second command to view the client IP.

 Get-MessageTrackingLog -Sender "<usermailbox>" -Start "<>" -End "<>"
 Get-MessageTrackingLog -Sender "<usermailbox>" -Start "<>" -End "<>" -EventID <sendexternal or send> | fl *client*

For more information, you can refer to: Search Message Tracking Logs

3. According to my research on similar cases, we can also query the client IP of the mailbox login from the IIS log, but the process is very complicated. You can refer to the steps marked as answers in this similar case: Exchange 2016: How to audit mailbox user access to get their IP?
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.


Hi @LucasLiu-MSFT ,

Thanks for the answer!!!

Regards,
Shabaz

0 Votes 0 ·
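
The audit-log and message-tracking steps from the answer above, combined into one script that summarises activity per client IP for the last five days. This is an added example, not code from the thread or from Microsoft; it assumes the on-premises Exchange Management Shell, and `$Mailbox` and `$Days` are parameter names chosen here.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
param(
    [Parameter(Mandatory = $true)] [string] $Mailbox,  # SMTP address of the suspect mailbox (placeholder)
    [int] $Days = 5                                    # look-back window, assumed default
)
$end   = Get-Date
$start = $end.AddDays(-$Days)

# Step 1: without auditing enabled, the audit search below has nothing to return.
if (-not (Get-Mailbox -Identity $Mailbox).AuditEnabled) {
    Write-Warning "Mailbox auditing is not enabled for $Mailbox."
}

# Step 2: mailbox audit log, collapsed to one row per client IP.
$audit = Search-MailboxAuditLog -Identity $Mailbox -LogonTypes Admin,Delegate,Owner `
    -StartDate $start -EndDate $end -ResultSize 2000 -ShowDetails
$audit | Where-Object { $_.ClientIPAddress } | Group-Object ClientIPAddress |
    ForEach-Object {
        $sorted = @($_.Group | Sort-Object LastAccessed)
        [pscustomobject]@{
            ClientIP   = $_.Name
            Events     = $_.Count
            FirstSeen  = $sorted[0].LastAccessed
            LastSeen   = $sorted[-1].LastAccessed
            LogonTypes = ($_.Group.LogonType | Sort-Object -Unique) -join ','
            Operations = ($_.Group.Operation | Sort-Object -Unique) -join ','
            Clients    = ($_.Group.ClientInfoString | Sort-Object -Unique) -join '; '
        }
    } | Sort-Object LastSeen -Descending | Format-Table -AutoSize -Wrap

# Step 3: message tracking, SEND/SENDEXTERNAL events only, grouped by client IP.
Get-MessageTrackingLog -Sender $Mailbox -Start $start -End $end -ResultSize Unlimited |
    Where-Object { 'SEND', 'SENDEXTERNAL' -contains $_.EventId } |
    Group-Object ClientIp, ClientHostname |
    ForEach-Object {
        $sorted = @($_.Group | Sort-Object Timestamp)
        [pscustomobject]@{
            ClientIp       = $sorted[0].ClientIp
            ClientHostname = $sorted[0].ClientHostname
            Messages       = $_.Count
            FirstSent      = $sorted[0].Timestamp
            LastSent       = $sorted[-1].Timestamp
        }
    } | Sort-Object Messages -Descending | Format-Table -AutoSize
```

An empty audit table with auditing enabled is consistent with the restriction in the answer: owner logins over NTLM or Kerberos are not recorded.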