In a world where email is one of our main methods of communication for business use, having the ability to send emails as a “generic user” or shared mailbox helps us hide behind a proxy when needed. While this is great in most cases, sometimes we need to know who is actually sending emails as the shared mailbox. Today we’re going to go over how to find the account that sent emails from a shared mailbox.
Requirements
In order to have successful results, you will need the following.
- Exchange Administrator or Global Administrator permissions
- Audit logs enabled, specifically mailbox audit logs
- Exchange Online Management PowerShell Module
Get Recipient Permissions to See Who Has Access
Before we dive deep into the logs, I always like to narrow down my search by simply seeing who has access to send as that specific account. If there are only 1-2 users who have access, this narrows things down pretty well. If there are a dozen or more, then things might get a little tricky and we’ll need to go into logs.
Let’s check to see who has permissions and see if we get lucky. To find this, we’re going to use the Get-RecipientPermission cmdlet from the ExchangeOnlineManagement module.

Get-RecipientPermission testmailbox -AccessRights SendAs | Where-Object {$_.Trustee -ne 'NT AUTHORITY\SELF'}

Identity     Trustee           AccessControlType AccessRights Inherited
--------     -------           ----------------- ------------ ---------
Test Mailbox [email protected] Allow             {SendAs}     False

In some scenarios it may well be that the account itself sent the email, but for the sake of this article we’re going to assume someone sent an email using the SendAs permission. That is why we added the Where-Object clause to exclude SELF.
Find Account That Sent Emails From Shared Mailbox
In the example above, we can see that only one account has access to send as the shared mailbox so it’s pretty much a no brainer in this scenario. However, as I mentioned before, some shared mailboxes (or regular mailboxes for that matter) can have multiple people with this access right.
In order to find the exact user, let’s look to the logs and see what they say. Logs never lie!
$SendAs = Search-MailboxAuditLog -Identity testmailbox -Operations SendAs -ShowDetails
$SendAs | Select-Object LogonUserDisplayName, ClientProcessName, ItemSubject, OperationResult, LastAccessed

LogonUserDisplayName : Paul Contreras
ClientProcessName    :
ItemSubject          : The Force
OperationResult      : Succeeded
LastAccessed         : 9/14/2023 8:37:38 PM
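The search above returns one entry per message, which gets hard to read on a shared mailbox with many senders. The following is an added example, not code from the original article, that rolls those entries up per sender; the function name Get-SendAsSummary, its -ExpectedSenders parameter, and the sample records are hypothetical, and it also counts SendOnBehalf, which the article's search does not include.

```powershell
# Added example, not the article's code. Get-SendAsSummary and -ExpectedSenders are hypothetical names.
function Get-SendAsSummary {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $AuditRecord,
        [string[]] $ExpectedSenders = @()  # display names you expect to send as this mailbox
    )
    begin { $records = @() }
    process { $records += $AuditRecord }
    end {
        $records |
            Where-Object { $_.Operation -in 'SendAs', 'SendOnBehalf' } |
            Group-Object LogonUserDisplayName, Operation |
            ForEach-Object {
                $times = $_.Group.LastAccessed | Sort-Object
                [pscustomobject]@{
                    Sender    = $_.Group[0].LogonUserDisplayName
                    Operation = $_.Group[0].Operation
                    Count     = $_.Count
                    Failed    = @($_.Group | Where-Object OperationResult -ne 'Succeeded').Count
                    FirstSeen = $times | Select-Object -First 1
                    LastSeen  = $times | Select-Object -Last 1
                    Expected  = $_.Group[0].LogonUserDisplayName -in $ExpectedSenders
                }
            } |
            Sort-Object Count -Descending
    }
}

# Live use, after Connect-ExchangeOnline, with the article's test mailbox:
#   Search-MailboxAuditLog -Identity testmailbox -Operations SendAs, SendOnBehalf -ShowDetails `
#       -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -ResultSize 5000 |
#       Get-SendAsSummary -ExpectedSenders 'Paul Contreras'

# Constructed sample records using the property names the audit search returns.
# 'Jane Example' is an invented user; only the first row mirrors the article's output.
$sample = @(
    [pscustomobject]@{ LogonUserDisplayName = 'Paul Contreras'; Operation = 'SendAs'
        OperationResult = 'Succeeded'; LastAccessed = [datetime]'2023-09-14T20:37:38' }
    [pscustomobject]@{ LogonUserDisplayName = 'Jane Example'; Operation = 'SendAs'
        OperationResult = 'Succeeded'; LastAccessed = [datetime]'2023-09-15T09:02:11' }
    [pscustomobject]@{ LogonUserDisplayName = 'Jane Example'; Operation = 'SendAs'
        OperationResult = 'Failed'; LastAccessed = [datetime]'2023-09-15T09:05:40' }
    [pscustomobject]@{ LogonUserDisplayName = 'Jane Example'; Operation = 'SendOnBehalf'
        OperationResult = 'Succeeded'; LastAccessed = [datetime]'2023-09-16T14:20:00' }
)
$sample | Get-SendAsSummary -ExpectedSenders 'Paul Contreras' | Format-Table -AutoSize
```

Rows where Expected is False are the senders to check against the Get-RecipientPermission output from earlier. Display names are not guaranteed to be unique, so confirm the underlying account before drawing conclusions.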
Conclusion
In this case the recipient permissions pretty much gave it away, as I was the only one with permissions. However, being able to search the mailbox audit logs will show us EXACTLY which account sent the email. Hopefully this was informative for you and you’re able to find out who sent emails from a shared mailbox.