[Solved] Email Header - "Edb-Sender-Email-Address" and "X-Client-IP"

(@n00bcfe)
Eminent Member
Joined: 15 years ago
Posts: 26
Topic starter  

Does anyone have more information about the "Edb-Sender-Email-Address" email header field? I can't really seem to find any information on it, and I am seeing it in email headers I am analyzing with some interesting results that could be key.

  1. For the "Edb-Sender-Email-Address" email header field, if this field is tracking the sender address, I would expect this to match the FROM address/mailbox in a legitimate email.
  2. In many cases, I actually see that. The two fields align.
  3. However, for some confirmed spoofed emails (and even for some that are really not seemingly spoofed on the surface), the "Edb-Sender-Email-Address" field points to an INTERNAL company user. Keep in mind, this is an incoming email from an EXTERNAL DOMAIN, so I wouldn't expect to see the EDB sender email address be an internal email address. However, it does.
  4. The addresses are formatted as shown below or in some cases the user name is replaced with a group name: /O=EXCHANGELABS/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIXXXXXXDLT)/CN=RECIPIENTS/CN=B738XXXXXXXXXXXXXXXXXXXXXE79-Doe, John
  5. Any thoughts as to what could cause this? We do have a potential for insider threat with this matter, so I am wondering if this field is actually telling me what I think it appears to be telling me.

 

  1. Is the "X-Originating-IP" always pointing to the external IP of the computer who sent the email? Or does it point to other locations in the chain (i.e. email server, AV, etc.)?
  2. For some of the spoofed emails, we are not seeing an "X-Originating-IP", but we do see an "X-Client-IP" populated. Are these basically the same? Is this literally the IP of the computer that sent the email?
This topic was modified 4 years ago 2 times by n00bcfe

(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

And are you sure it doesn't have anything to do with something along these lines?


https://docs.microsoft.com/en-us/exchange/management/health/troubleshooting-mrs-health-set

Corrupt Migration Job

When a corrupted migration job occurs, you may receive an alert that resembles the following:

Notification thrown by MailboxMigration at 9/7/2012 9:08:32 PM. Details: Diagnostic Information: ProcessCacheEntry: First Organization :: /o=ExchangeLabs/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=e80fc128879e452ebc882f6bca7007fa-Migration.8

Corruption occurs when the migration meta-data has encountered issues. Upon corruption, Microsoft will receive a Watson report that will be investigated. To recover from this issue, you must remove the migration batch, and then re-create the batch. To do this, follow these steps:

(@n00bcfe)
Eminent Member
Joined: 15 years ago
Posts: 26
Topic starter  

@trewmte Unsure, but it doesn't really seem relevant. 

 

https://www.meridiandiscovery.com/articles/why-we-see-strange-exchange-e-mail-addresses-in-e-discovery/

The site above talks about the structure of the email address, but doesn't touch on the header field in question.

It doesn't answer the question as to why I would see the following in the email header:

From: bob@domain.com 

reply-to: bob@domain-fake.com (we know this is a spoofed email)

Sender-Email-Address: /O=EXAMPLE/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=B738XXXXXXXXXXXXXXXXXXXXXE79-Doe, John

(Note: We know John Doe is an employee of XYZ Corporation). 

To: sally@xyzcorporation (legit company user)

 

In the example above, is it telling me that John Doe's account (a company employee) - possible insider threat - sent this email? I'm still working with the company to confirm if the x-client-ip is theirs. 

I am seeing the same situation above with some other emails that aren't seemingly spoofed as well. I wonder if perhaps emails sent "on behalf of" might fall under this bucket.  

This post was modified 4 years ago by n00bcfe

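An added example, not code from this thread or from Nuix: a small Python triage of the headers discussed above. It pulls From/Reply-To and the X-Originating-IP / X-Client-IP hop headers from constructed sample headers, flags a Reply-To domain that differs from the From domain (the spoofing pattern in the post above), and splits the Exchange legacy DN format into its components. The sample addresses, the IP and the xyzcorporation.example domain are constructed.

```python
from email import message_from_string
from email.utils import parseaddr
import ipaddress

# Constructed sample modelled on the thread's example; not a real capture.
SAMPLE = """From: Bob <bob@domain.com>
Reply-To: bob@domain-fake.com
To: sally@xyzcorporation.example
X-Client-IP: 203.0.113.45
Subject: Invoice

body
"""
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_legacy_dn(dn):
    """Split an Exchange legacy DN (/O=.../OU=.../CN=RECIPIENTS/CN=...) into
    ordered (key, value) pairs; repeated keys such as CN are all kept."""
    pairs = []
    for part in filter(None, dn.split("/")):
        key, _, value = part.partition("=")
        pairs.append((key.upper(), value))
    return pairs

def triage_headers(raw):
    """Return From/Reply-To, any X-Originating-IP / X-Client-IP, plus flags."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    out = {"from": from_addr, "reply_to": reply_to, "flags": []}
    if reply_to and reply_to.rpartition("@")[2] != from_addr.rpartition("@")[2]:
        out["flags"].append("reply-to domain differs from From domain")
    # These X- headers are non-standard: present only if some hop added them
    # and forgeable by an upstream sender, so treat them as leads, not proof.
    for hdr in ("X-Originating-IP", "X-Client-IP"):
        val = msg.get(hdr)
        if val is None:
            continue
        val = val.strip().strip("[]")  # commonly seen written as [a.b.c.d]
        try:
            ip = ipaddress.ip_address(val)
        except ValueError:
            out["flags"].append(f"{hdr} is not a valid IP literal: {val!r}")
            continue
        out[hdr.lower()] = str(ip)
        if any(ip in net for net in RFC1918):
            out["flags"].append(f"{hdr} is an RFC 1918 address (internal hop?)")
    return out
```

Whether the IP in either header is the sending workstation or an intermediate relay depends on which hop stamped it, so correlate it with the Received chain before drawing conclusions.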
(@n00bcfe)
Eminent Member
Joined: 15 years ago
Posts: 26
Topic starter  

Dug a little further. To provide some context, I processed these emails with NUIX. It appears NUIX was generating this EDB field, as when I went back to confirm this field in the source, I didn't see it in the header. Nuix may be pulling some other MAPI field, but it doesn't appear to be in the header itself. I'm going to close this question out and ask my other header questions on another thread. Thanks!

This post was modified 4 years ago by n00bcfe
