One of my users found a message in his Sent Items folder and claims he has not written it. The (external) recipient address exists and is known to us (though said user doesn't know it and had no contact so far), the subject is appropriate and very specific to that recipient address (and to no other recipient), the mail body contains a single word "Einverstanden" (German for "agreed"), which looks like a reply to something, but isn't. This looks a bit strange (though not strange enough to suspect malware).
Is there any way to find out in greater detail how the mail was actually produced? (Which client on which computer / OWA / smart phone with ActiveSync / other user with "Send As" privileges / ...) While "internet headers" are very informative for inbound mail, the corresponding field is (logically) empty for this outbound mail ...
EDIT: Thanks to hints in the comments I found more logs than I knew before. Here's what I found:
- In RPC ClientAccess Logging I found my user was active from 13:45:07.137 until 13:45:51.270 (this was really him and his PC, according to the IP logged with the first of these lines)
- In Connectivity Log, I found an entry MapiSubmission at 13:45:51.504, followed by entries related to SMTP forwarding starting at 13:45:51.878
I assume that the sequence of events logged herein, including the time deltas of about 0.3 seconds between steps, is in fact "normal" and, contrary to what the user claims, this looks extremely as if he had sent the mail by Outlook?
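The timestamp correlation described in the EDIT above can be scripted. The following is an added example, not part of the original post: it assumes both logs have been exported to CSV and pre-filtered to the affected mailbox, and the column subset, date, IP addresses and description text are constructed placeholders (only the times of day come from the post).

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed, simplified rows: real Exchange logs carry more columns, and the
# date, IP addresses and description text are placeholders.
RPC_LOG = """date-time,client-software,client-ip
2000-01-01T13:20:00.000Z,OUTLOOK.EXE,192.0.2.77
2000-01-01T13:45:07.137Z,OUTLOOK.EXE,192.0.2.10
2000-01-01T13:45:51.270Z,OUTLOOK.EXE,192.0.2.10
"""
CONN_LOG = """date-time,source,description
2000-01-01T13:45:51.504Z,MapiSubmission,constructed
2000-01-01T13:45:51.878Z,SMTP,constructed
"""

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%fZ")

def client_activity(rpc_text):
    """Map (client-ip, client-software) -> (first seen, last seen)."""
    seen = {}
    for row in csv.DictReader(io.StringIO(rpc_text)):
        key = (row["client-ip"], row["client-software"])
        ts = parse_ts(row["date-time"])
        first, last = seen.get(key, (ts, ts))
        seen[key] = (min(first, ts), max(last, ts))
    return seen

def attribute_submissions(rpc_text, conn_text, window=timedelta(seconds=2)):
    """For each MapiSubmission, list clients active within `window` before it."""
    activity = client_activity(rpc_text)
    results = []
    for row in csv.DictReader(io.StringIO(conn_text)):
        if row["source"] != "MapiSubmission":
            continue
        submitted = parse_ts(row["date-time"])
        candidates = []
        for (ip, software), (first, last) in activity.items():
            # Active span must start before the submission and end no more
            # than `window` before it.
            if first <= submitted and submitted - last <= window:
                gap = max((submitted - last).total_seconds(), 0.0)
                candidates.append((ip, software, round(gap, 3)))
        # An empty list means no logged RPC client was active near the
        # submission, so other access paths need checking.
        results.append((row["date-time"], sorted(candidates)))
    return results
```

An empty candidate list for a submission is the interesting result: it means the mail did not follow activity from any client in the RPC log, which points to the other paths listed in the question (OWA, ActiveSync, "Send As").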
You can send messages that have "Voting Buttons" attached and when you click them a reply is generated based on what you have selected. New Mail > OPTIONS (tab) > Use Voting Buttons.
This sounds to me like the user has clicked a voting button from an external mail and it has sent the reply to the originator.