Find Account That Sent Emails From Shared Mailbox using PowerShell

Paul Contreras — Fri, 15 Sep 2023 00:50:54 +0000

In a world where email is one of our main methods of communication for business use, having the ability to send emails as a “generic user” or shared mailbox helps us hide behind a proxy when needed. While this is great in most cases, sometimes we need to know who is the actual person that is sending emails as the shared mailbox. Today we’re going to go over the method on how to find the account that sent emails from shared mailbox.

Requirements
Get Recipient Permissions to See Who Has Access
Find Account That Sent Emails From Shared Mailbox
Conclusion

Requirements

In order to have successful results, you will need the following.

Exchange Administrator Permissions -or Global Administrator Permissions
Audit Logs Enabled. Specifically Mailbox Audit logs
Exchange Online Management PowerShell Module

Get Recipient Permissions to See Who Has Access

Before we dive deep into the logs, I always like to narrow down my search by simply seeing who has access to send as that specific account. If there are only 1-2 users who have access, this narrows things down pretty well. If there are a dozen or more, then things might get a little tricky and we’ll need to go into logs.

Let’s check to see who has permissions and see if we get lucky. To find this, we’re going to use the Get-RecipientPermission cmdlet from the ExchageOnlineManagement module.

Get-RecipientPermission testmailbox -AccessRights SendAs | Where-Object {$_.Trustee -ne 'NT AUTHORITY\SELF'}

Identity     Trustee                     AccessControlType AccessRights Inherited
--------     -------                     ----------------- ------------ ---------
Test Mailbox paul@thesysadminchannel.com Allow             {SendAs}     False

In some scenarios it very well may be possible that the account itself sent the email, but for the sake of this article we’re going to assume someone sent an email with the sendas permissions. Therefore we added the where clause to not include SELF.

Find Account That Sent Emails From Shared Mailbox

In the example above, we can see that only one account has access to send as the shared mailbox so it’s pretty much a no brainer in this scenario. However, as I mentioned before, some shared mailboxes (or regular mailboxes for that matter) can have multiple people with this access right.

In order to find the exact user, let’s look to the logs and see what they say. Logs never lie!

$SendAs = Search-MailboxAuditLog -Identity testmailbox -Operations SendAs -ShowDetails
$Sendas | select LogonUserDisplayName, ClientProcessName, ItemSubject, OperationResult, LastAccessed


LogonUserDisplayName : Paul Contreras
ClientProcessName    :
ItemSubject          : The Force
OperationResult      : Succeeded
LastAccessed         : 9/14/2023 8:37:38 PM

Conclusion

In this case the recipient permissions pretty much gave it away as I was the only one with permissions. However, being able to search in the mailbox audit logs will show us EXACTLY which was the account that sent this email. Hopefully this was informative for you and you’re able to find out who sent emails from shared mailbox.

The post Find Account That Sent Emails From Shared Mailbox using PowerShell appeared first on the Sysadmin Channel.

shared mailbox sendas permission audit Archives - the Sysadmin Channel

Find Account That Sent Emails From Shared Mailbox using PowerShell

Table Of Contents

Requirements

Get Recipient Permissions to See Who Has Access

Find Account That Sent Emails From Shared Mailbox

Conclusion