We run Exchange 2010/Outlook 2013, and today a number of our users received an email with an attachment that contained malware. Our current anti-malware product didn't detect the malware, but I found out by manually running it through an online multi-vendor scanner. Before I could reach all my users, one of them thinks he might have opened the attachment.
Is there any definitive way for me to know whether or not this user opened the email attachment in question? Does Outlook or Exchange or something in the OS (we're on Win10 Enterprise) provide any way of knowing? All my internet searches found were people trying to determine if external users had opened email attachments they had sent to them (something akin to a read receipt), so that was of no use to me.
UPDATE: I'm not looking for answers relating only to the malware part of this issue. E.g., I'm not looking for advice on how to detect a possible malware infection on the user's computer, how to reformat the computer, etc.
As far as I know, there is no way of telling if an attachment has been opened. That is, unless Mailbox audit logging has been activated.
I would suggest scanning the computer of that user with one or more of the anti-virus products which have successfully detected the virus. If the virus is then not detected, then you may conclude tentatively that there is no infection.
If you have any doubts, the only sure solution is to reformat the user's computer and reinstall everything, but this is a bit heavy.
For more information see:
How can I remove malicious spyware, malware, adware, viruses, trojans or rootkits from my PC?
I'm not sure it is possible, but I think you can quickly validate it. Use a similar computer for testing, and reproduce the scenario. Look at an email with an attachment and review the mail's extended MAPI properties, then open the attachment and review the properties again to see if any property has changed accordingly.
You can view the extended MAPI properties using different mail-forensics tools (for example, Kernel OST Viewer).
I know you specifically asked for ways to review Outlook/Exchange to answer your question, but I would also use other mechanisms to check if the attachment was ever saved to disk and/or opened by the end user. If you need recommendations on how to do that - let me know.
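The before/after comparison suggested in the answer above can be scripted once the two property dumps are exported to text. This is an added example, not part of the original post: the `0xTAG = value` line format and the sample snapshots are constructed assumptions (the sample only shows the read flag flipping and says nothing about what opening an attachment changes), while the property tags and flag bits are the standard MAPI values.

```python
# Added example: diff two MAPI property snapshots of the same message,
# taken on a test machine before and after the action under test.
# Assumption: one "0xPROPTAG = value" line per property (hypothetical
# export format; adapt parse_snapshot to whatever your viewer produces).

NAMES = {
    0x0037001F: "PR_SUBJECT",
    0x0E070003: "PR_MESSAGE_FLAGS",
    0x30080040: "PR_LAST_MODIFICATION_TIME",
}
MSGFLAGS = {0x01: "READ", 0x02: "UNMODIFIED", 0x10: "HASATTACH"}

# Constructed sample snapshots, not captured from a real mailbox.
BEFORE = """
0x0037001F = Invoice attached
0x0E070003 = 0x12
0x30080040 = 2016-05-10T09:14:02Z
"""
AFTER = """
0x0037001F = Invoice attached
0x0E070003 = 0x13
0x30080040 = 2016-05-10T09:14:02Z
"""

def parse_snapshot(text):
    """Return {property_tag: raw_value} for one exported snapshot."""
    props = {}
    for line in text.splitlines():
        tag, sep, value = line.strip().partition("=")
        if sep:  # skip blank or malformed lines
            props[int(tag.strip(), 16)] = value.strip()
    return props

def decode_flags(value):
    """Names of the PR_MESSAGE_FLAGS bits set in a hex/decimal string."""
    bits = int(value, 0)
    return sorted(name for bit, name in MSGFLAGS.items() if bits & bit)

def diff_snapshots(before, after):
    """List (property, kind, old, new) for every property that differs."""
    changes = []
    for tag in sorted(before.keys() | after.keys()):
        old, new = before.get(tag), after.get(tag)
        if old != new:
            kind = "added" if old is None else "removed" if new is None else "changed"
            changes.append((NAMES.get(tag, f"0x{tag:08X}"), kind, old, new))
    return changes

if __name__ == "__main__":
    for name, kind, old, new in diff_snapshots(parse_snapshot(BEFORE), parse_snapshot(AFTER)):
        print(f"{name}: {kind} {old!r} -> {new!r}")
```

If the diff on the test machine comes back empty after opening the attachment, the message properties cannot answer the question for the real mailbox either.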