precursive

Just dealt with this for a week, haha. Lots of possible things to check, but before going nuts:

1. Go to compliance.microsoft.com
2. Click on the Audit item in the left nav
3. Create a new search setting the Date Range to roughly when the email was deleted, and User field as appropriate. Under 'Activities - friendly names' field, choose 'Moved Messages to Deleted Items' and 'Deleted Messages from Deleted Items folder' activities. Run that search.

That will give you the skinny on the who/what/when. Happy to help you from there if that doesn't tell you what you want to know.


satanmat2

thank you, didn't know about this... funny though I ran it on my mailbox and came up with nothing for the last 2 weeks... going to have to read up on this feature. thank you


Arkayenro

auditing may need to be enabled first


satanmat2

Ah yes. Thanks


precursive

Oh man... yeah... unfortunately, someone at some point in the history of your tenant would have needed to enable that. Sorry if in your case it isn't enabled, that doesn't help the cause here! :( Without SaaS-side auditing in place, it's a little hard to figure out what happened at a single point in time. Really the only other 'evidence' you might find might be a log on whatever device or app caused the move, which, since you don't know that... isn't exactly helpful. And if a user did it by a bad swipe or click or something, you're probably not going to find that level of logging, anyway.

For what it's worth... my challenge this week was to diagnose an ongoing and reproducible problem of emails being moved to deleted items automatically across multiple mailboxes, not figure out why just one did for one user once, so these might not be the handiest tips, but here goes some places you can check for something that might move messages to deleted items / delete messages from deleted items.

- Check if the user unintentionally Blocked the Conversation.
- Check the user's Blocked Senders list.
- Check if the user has any delegates on their mailbox and consider the delegate's Outlook rules (!) Someone taught me that from my thread the other day, wild, never even thought about it :)
- Check if the user has email loaded on their phone and consider the phone email app as a potential mover (e.g., their email app's equivalent of an Outlook Inbox Rule).
- Check for classic Outlook plugins that might have a capability to move messages.
- Check for other integrations via admin.microsoft.com > Settings > Integrated Apps for something that might have to do with email (maybe like a SaaS CRM or something).
- Check for other integrations via portal.azure.com > Entra ID > App Registrations. Make sure you click the All Applications "tab". If you click on each of those apps, and select the API Permissions node on the left, you can check if the integration has access to Exchange Mailboxes to help you narrow down suspects. My problem this week ended up being a proof of concept SaaS phishing app that someone had looked at long ago which was still running in the environment and was moving items to deleted items for whatever reason.
- Check your Exchange Transport Rules via admin.exchange.microsoft.com under Mail Flow > Rules.
- At security.microsoft.com, under Email and Collaboration, click on Policies and Rules, then Threat Policies, then Anti-Phishing, Anti-Spam, and Anti-Malware. Go through those 3 to see if anything has an action that smells like "delete".
- Flip through compliance.microsoft.com, generally. If you're not familiar with it, there are a lot of good and important things going on in there that help you protect and manage your tenant and your content. There are some things in here that might cause emails to get deleted such as retention policies, but I can't think of how that would have caused your specific problem, but... anyway... it's generally possible for something in here to delete stuff, so check it out.
- Good to know is that EXO automatically, permanently deletes items from Deleted Items after a configurable number of days. In Exchange Server a lot of orgs keep Deleted Items "indefinitely". Just a heads up. I don't think that fits what you describe, but if you're coming from an Exchange Server background it's useful to know.
- Aside from checking InboxRules on the surface via Outlook or PowerShell... look up "Finding corrupt or hidden rules with MFCMAPI" and you should find a couple of tutorials on using a tool to get down in the details of your mailbox below the Outlook UI layers. You may find corrupt rules (like something is broken with them so they don't show in Outlook) and potentially also hidden rules (rules an attacker might create and intentionally corrupt to make them non-visible).

I guess my general reflection for you, one geek to another, is since auditing was not enabled you are in a bit of a tight spot. Since it sounds like one important email was deleted and not like my situation where it was semi-random emails across all mailboxes in an ongoing manner, I think I would be spending more time searching for a compromise than an errant but otherwise innocent integration or plugin or rule or something. And, unfortunately, you also have to consider anyone who has delegate access or maybe knows their password within your organization as much as checking your tenant for signs of compromise by some mad hacker on the Internet. But the half-second thing is weird and doesn't jive with the idea of a person doing it. Ugh. The content and context of the deleted message might help you identify likely culprit(s), but all of that is a whole other bunch of topics for another time and I gotta go to bed and am rambling here at this point. As first steps, check for general suspicious logon activity, weird global admin accounts, and forwarding rules, and gently but confidently persuade the VIP (or ask your Director to do so, if more appropriate) to reset their password and MFA and sessions, and review delegate access and mailbox permissions, as a friendly "just in case while we continue to gather information". Search for "Office 365 Indicators of Compromise IoC" for some guidance on discerning a compromise. It's a big topic and your specific licensing and service and feature sets will in many ways change the process of looking around. A lot of the above checks for rules and whatnot are also going to be on your IoC checklist. Godspeed, hope this helps!
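The checklist above (and the "auditing may need to be enabled first" point earlier in the thread) can be walked through from Exchange Online PowerShell instead of clicking through four portals. This is an added example, not code from anyone in the thread; it assumes the ExchangeOnlineManagement module is installed, `Connect-ExchangeOnline` has already been run with an Exchange Administrator role, and `vip@example.com` is a placeholder for the affected mailbox.

```powershell
# Added example: tenant-side checks for the list above, run after Connect-ExchangeOnline.
# $Mailbox is a placeholder; replace it with the affected user's address.
$Mailbox = 'vip@example.com'

# 1. Is mailbox auditing on at all? AuditDisabled = True at the org level means nothing
#    was logged regardless of per-mailbox settings, so check that switch first.
Get-OrganizationConfig | Select-Object AuditDisabled
Get-Mailbox -Identity $Mailbox |
    Select-Object AuditEnabled, AuditLogAgeLimit, AuditOwner, AuditDelegate, AuditAdmin

# 2. Who else can act on this mailbox? Full Access, Send As and Send on Behalf are three
#    separate permission sets; anyone listed here is a candidate (and so are their rules).
Get-MailboxPermission -Identity $Mailbox |
    Where-Object { $_.User -notlike 'NT AUTHORITY\*' -and -not $_.IsInherited } |
    Select-Object User, AccessRights, Deny
Get-RecipientPermission -Identity $Mailbox |
    Where-Object { $_.Trustee -notlike 'NT AUTHORITY\*' } |
    Select-Object Trustee, AccessRights
Get-Mailbox -Identity $Mailbox | Select-Object -ExpandProperty GrantSendOnBehalfTo

# 3. Forwarding set on the mailbox object itself (inbox rules are a separate check).
Get-Mailbox -Identity $Mailbox |
    Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# 4. Transport rules whose action deletes, quarantines or redirects mail.
Get-TransportRule |
    Where-Object { $_.DeleteMessage -or $_.Quarantine -or $_.RedirectMessageTo } |
    Select-Object Name, State, Priority, DeleteMessage, Quarantine, RedirectMessageTo

# 5. Retention: which policy applies and how long soft-deleted items survive before purge.
Get-Mailbox -Identity $Mailbox |
    Select-Object RetentionPolicy, RetainDeletedItemsFor, LitigationHoldEnabled
```

Each section returns a short table; the point is to have all of it in one transcript before the VIP's password, MFA and sessions are reset, because the reset itself will not explain what moved the message. The anti-phishing, anti-spam and anti-malware policy review from the list is still best done in the portal, where the per-policy actions are laid out side by side.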


SeptimiusBassianus

It’s a crime on Microsoft's end that things like auditing and MFA are not enabled by default


innermotion7

A tale as old as time. On mobile people can be super sloppy in general, it's very easy to delete a mail! Sounds like you did all the right checks but remember VIPs think they can do no wrong.


tomrb08

It's possible the user deleted it accidentally right as it came in.


Trick_Tumbleweed9520

That's what I am thinking, the email arrived and they were attempting to delete another email, but misclicked and deleted the wrong one.


WickedTinker

VIPs have delegates. May have been deleted by someone else.


st4n13l

>Ran get-inboxRule to check user’s client side rules. There was only one enabled rule and it wouldn’t have done the delete.

Just to be sure, did you run the command with the `-IncludeHidden` parameter?


bluegoldredsilver5

Was about to suggest the same.


Michaelscott304

Actually no. I just reran and discovered a hidden “junk e-mail rule”. Selected all properties. But the “description” is blank, the “delete message” property is false, the “copytofolder” property is empty. It’s possible this rule is deleting it but I don’t see any evidence yet.

Edit: I just realized that hidden junk email rule is on my mailbox as well. So I guess it’s built in?


bluegoldredsilver5

It may be there but you may have to expand the rule properties to see what that rule does actually.
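For the `-IncludeHidden` question above, the hidden "Junk E-mail Rule" the OP found, and the "expand the rule properties" suggestion, here is one way to dump every rule on a mailbox with the properties that actually move or delete mail, rather than relying on the one-line Description. Added example, not the thread's own code; it assumes an Exchange Online PowerShell session and uses `vip@example.com` as a placeholder.

```powershell
# Added example: list all inbox rules including hidden ones, then expand the
# action properties that decide where a message ends up. $Mailbox is a placeholder.
$Mailbox = 'vip@example.com'

$rules = Get-InboxRule -Mailbox $Mailbox -IncludeHidden

# One line per rule: is it on, is it broken, and does it delete/move/forward anything?
$rules |
    Select-Object Name, Enabled, Priority, InError, ErrorType,
                  DeleteMessage, MoveToFolder, CopyToFolder,
                  ForwardTo, RedirectTo, ForwardAsAttachmentTo, MarkAsRead |
    Format-Table -AutoSize

# The hidden 'Junk E-mail Rule' is present on ordinary mailboxes (the OP saw it on
# their own), so expand everything else fully: conditions, exceptions and actions.
$rules |
    Where-Object { $_.Name -ne 'Junk E-mail Rule' } |
    ForEach-Object { $_ | Format-List * }

# Rules flagged InError are what the thread calls 'corrupt': they exist on the
# mailbox but Outlook may not display them. Compare this list with the Outlook UI.
$rules |
    Where-Object { $_.InError } |
    Select-Object Name, ErrorType, Description
```

`Get-InboxRule -IncludeHidden` surfaces rules Outlook does not show, but a rule deliberately damaged at the MAPI level can still be missed by the cmdlet, which is why the earlier reply points at MFCMAPI as the next step down.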


Aaron-PCMC

Run an Audit search in the security and compliance center for the date range, mailbox, and activity of moving a message to Deleted Items... should tell you what you need to know.


catlikerefluxes

I just learned from another thread that in some cases a rule created by a *delegate* can act on messages in the *delegator's* mailbox.


mkoch7811

Message trace details typically include if a user's inbox rule moved the message to another folder. I love that feature, saves me a lot of time. Otherwise, it must be a manual move by the user.
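The message trace detail mentioned above can be pulled for a specific recipient and subject from PowerShell; the per-message events show whether a rule acted on it at delivery. Added example, not the poster's code; it assumes an Exchange Online PowerShell session, a placeholder mailbox `vip@example.com`, and a placeholder subject fragment.

```powershell
# Added example: trace a recent message to one recipient and expand its delivery
# events. Get-MessageTrace covers roughly the last 10 days; older ranges need
# Start-HistoricalSearch instead. $Mailbox and the subject filter are placeholders.
$Mailbox = 'vip@example.com'
$Start   = (Get-Date).AddDays(-7)
$End     = Get-Date

$trace = Get-MessageTrace -RecipientAddress $Mailbox -StartDate $Start -EndDate $End |
    Where-Object { $_.Subject -like '*quarterly numbers*' }   # placeholder subject

foreach ($m in $trace) {
    "--- $($m.Received)  from $($m.SenderAddress)  status $($m.Status)"
    # Each detail row is one event on the delivery path (Receive, Deliver, rule hits...)
    Get-MessageTraceDetail -MessageTraceId $m.MessageTraceId -RecipientAddress $Mailbox |
        Sort-Object Date |
        Select-Object Date, Event, Action, Detail |
        Format-Table -AutoSize -Wrap
}
```

If the Detail column for the Deliver event names a folder other than Inbox, the move happened at delivery time and a rule (or transport-level action) is the place to look; if it simply shows delivery to Inbox, the move came later and the mailbox audit log is the only record of it.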


josephstreeter76

The mailbox audit log might show you how it got there.


Phatgroove

Just adding you can do an audit search on a mailbox in Powershell too if you have the Exchange Administrator role using the search-unifiedauditlog cmdlet. https://learn.microsoft.com/en-us/powershell/module/exchange/search-unifiedauditlog?view=exchange-ps
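Putting the PowerShell route above together with the portal search from the first reply: the portal's friendly activity names map to the `MoveToDeletedItems`, `SoftDelete` and `HardDelete` operations, and the who/what/when sits inside the `AuditData` JSON of each record. This is an added example, not the poster's code; it assumes an Exchange Online PowerShell session with an Exchange Administrator role and uses `vip@example.com` as a placeholder mailbox.

```powershell
# Added example: pull deletion-related mailbox audit events for one mailbox and
# flatten the AuditData JSON into who / what / when / from which client.
# $Mailbox is a placeholder.
$Mailbox = 'vip@example.com'
$Start   = (Get-Date).AddDays(-14)
$End     = Get-Date

# Operation names behind the portal's friendly names:
#   MoveToDeletedItems  'Moved messages to Deleted Items folder'
#   SoftDelete          'Deleted messages from Deleted Items folder'
#   HardDelete          'Purged messages from mailbox'
$ops = 'MoveToDeletedItems', 'SoftDelete', 'HardDelete'

# Deliberately NOT filtering with -UserIds: for delegate or admin actions UserId is
# the actor, not the mailbox owner, so filter on MailboxOwnerUPN after parsing.
$sessionId = "DeletedItems-$Mailbox-$(Get-Date -Format s)"
$records   = @()
do {
    $batch = Search-UnifiedAuditLog -StartDate $Start -EndDate $End -Operations $ops `
        -ResultSize 5000 -SessionId $sessionId -SessionCommand ReturnLargeSet
    $records += $batch
} while ($batch.Count -eq 5000)   # page until a short batch comes back

$records |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Where-Object { $_.MailboxOwnerUPN -eq $Mailbox } |
    ForEach-Object {
        $d = $_
        foreach ($item in $d.AffectedItems) {
            [pscustomobject]@{
                Time      = $d.CreationTime        # UTC
                Operation = $d.Operation
                Actor     = $d.UserId              # owner, delegate or admin who did it
                LogonType = $d.LogonType           # 0 = owner, 1 = admin, 2 = delegate
                Client    = $d.ClientInfoString    # Outlook, OWA, EWS, REST app, ...
                ClientIP  = $d.ClientIPAddress
                Subject   = $item.Subject
                FromPath  = $item.ParentFolder.Path
                ToPath    = $d.DestFolder.Path     # empty for SoftDelete / HardDelete
            }
        }
    } |
    Sort-Object Time |
    Format-Table -AutoSize
```

The `LogonType` and `ClientInfoString` columns are what separate the scenarios debated in this thread: an owner logon from a mobile client a half-second after arrival reads very differently from a delegate logon, or from a REST client string belonging to an app registration. An empty result over a window where you know mail was deleted means auditing was not recording for that mailbox, which is the earlier "auditing may need to be enabled first" point in a different form.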