User on Exchange Online did not send an email but someone received an email - is it hacked?

Alex Rabbi 66 Reputation points
2024-12-17T12:46:39.1166667+00:00

Hi All,

In an enterprise Exchange Online environment, user A received an email from user B.

User B says they never sent it, and I (the system admin) checked user B's Sent box in Outlook and I do not see that email in Sent.

I also did a message trace in the Exchange admin centre, and I see a trace of user B sending an email to user A.

I also have a mail filtering tool and I don't see a trace there either.

Is it spam or phish or a genuine hack? How do I find out? I have changed the password of user B for now. What other steps should I take to make sure the environment is safe?

Thanks in advance

Alex

Microsoft Exchange Online
Microsoft Exchange Online Management

1 answer

  1. Alex Zhang-MSFT 3,155 Reputation points Microsoft Vendor
    2024-12-18T04:50:11.72+00:00

    Hello, @Alex Rabbi,

    Welcome to the Microsoft Q&A platform!

    According to your description, User A receives an email from User B without User B's knowledge, and email tracking finds the email but it is not visible in User B's sent mailbox.

    After my test, it is probably because a user has the “Send As” permission of user B, so it can send emails to user A with user B's email address.

    The following figure shows the description of the “Send As” permission for your reference.

    User's image

    Therefore, before suspecting whether the email is spam, phishing or a real hacker attack, please check whether other users have the “Send As” privilege of user B in the following two ways.

    1. Use the EAC to manage permissions according to the screenshot below. If other users do have “Send As” or higher privileges for user B, you can remove them as needed.

    User's image

    2. Use Exchange Online PowerShell to check or remove users who you do not want to assign "Send As" permission.

    Get-RecipientPermission -Identity userB@domain.com | Where-Object {$_.AccessRights -contains "SendAs"}
    
    Remove-RecipientPermission -Identity user1@example.com -Trustee user2@example.com -AccessRights SendAs
    

    User's image

    For more guidance, please click on https://zcusa.951200.xyz/en-us/exchange/recipients-in-exchange-online/manage-permissions-for-recipients#use-the-eac-to-assign-permissions-to-individual-mailboxes for reference.

    Please try to check as above, if you can rule out the possibility of “Send As” privilege or if there is something else you don't understand, feel free to post back. 


    If the answer is helpful please click on ACCEPT ANSWER as it could help other members of the Microsoft Q&A community who have similar questions and are looking for solutions.

    Thank you for your support and understanding.

    Best Wishes,

    Alex Zhang
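
The permission check from the answer above, widened into an added example that is not part of the original answer or Microsoft's own code: it lists every trustee who can send as user B or on user B's behalf and marks the ones that are not on an approved list. It goes beyond the answer by also reading Send on Behalf; the function name `Get-SendDelegation`, the `$Approved` list and the addresses are assumptions, and an existing `Connect-ExchangeOnline` session is assumed.

```powershell
# Added example. Assumes the ExchangeOnlineManagement module is loaded and
# Connect-ExchangeOnline has already been run in this session.
# Get-SendDelegation and $Approved are hypothetical names for this sketch.
function Get-SendDelegation {
    param(
        [Parameter(Mandatory)] [string] $Mailbox,
        [string[]] $Approved = @()      # trustees expected to hold send rights
    )

    # Send As: the recipient sees only the mailbox owner as the sender.
    # The mailbox's own SELF entry is skipped; Deny entries grant nothing.
    $sendAs = @(
        Get-RecipientPermission -Identity $Mailbox -AccessRights SendAs |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           $_.Trustee -ne 'NT AUTHORITY\SELF' } |
            ForEach-Object {
                [pscustomobject]@{
                    Mailbox   = $Mailbox
                    Right     = 'SendAs'
                    Trustee   = [string]$_.Trustee
                    Inherited = $_.IsInherited
                }
            }
    )

    # Send on Behalf: stored on the mailbox object rather than as a
    # recipient permission. Empty values are filtered out.
    $onBehalf = @(
        (Get-Mailbox -Identity $Mailbox).GrantSendOnBehalfTo |
            Where-Object { $_ } |
            ForEach-Object {
                [pscustomobject]@{
                    Mailbox   = $Mailbox
                    Right     = 'SendOnBehalf'
                    Trustee   = [string]$_
                    Inherited = $false
                }
            }
    )

    # Mark each delegation as expected or not (case-insensitive match).
    ($sendAs + $onBehalf) |
        Select-Object *, @{ n = 'Expected'; e = { $Approved -contains $_.Trustee } }
}

# Constructed sample call: unexpected trustees sort to the top.
Get-SendDelegation -Mailbox 'userB@domain.com' -Approved @('assistant@domain.com') |
    Sort-Object Expected | Format-Table -AutoSize
```

Trustee values come back in whatever form Exchange returns them (UPN, alias or display name), so fill `$Approved` in that same form before relying on the `Expected` column.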
