
Added account in outlook

(@davieboy27)
Active Member
Joined: 11 years ago
Posts: 9
Topic starter  

Hi Guys,

I am trying to identify who added a group in Outlook.

Background

This is an Exchange environment. The user (victim) first stated that in their mailbox, under Outlook - Permissions, an account was added (by someone else) with the permission level set at Reviewer. This group is a distribution group which is known to us, and there are a number of users in this group. I assume this means the user can read any mails coming from this group and send messages under this group's name.

This group (supposedly added by someone else) has appeared twice now. The first time the group appeared was back in December. Additionally, back in 2013 someone sent a mail on behalf of the user from their mailbox to an unintended viewer; this is what kick-started an investigation. The message is not available. Also, I don't see this as related to the group.

The user checks the permissions frequently and did not see the group appear anymore. But in the last few weeks it has appeared again. The second time, the group appeared again exactly the same, but no malicious behaviour has taken place.

Tasks

My task is to try and understand who added the Outlook group and how it is appearing without the user adding this themselves.

I assumed the best evidence for this would be in the Exchange logs, where there are items such as SendAs which can be logged along with others. Unfortunately there is nothing logged. Also, from the Exchange side they are telling me that the group is not visible from their side. Therefore it would not be available in the Exchange logs, but must have been added from the user side.

I have a new image of the laptop. In the registry there are some Outlook keys, but last time I checked they didn't provide much information. Additionally there are the computer logs, but I don't believe this will give me anything.

If anyone has any experience of something like this or some advice, I would be very grateful.

Kind Regards,

David


   