If the person reading your email is doing so with Outlook Web Access (OWA), then it is much harder to track. All communications can be tracked, but you will need to capture the traffic with a network monitoring tool (e.g., NetMon, Wireshark, etc.) during the time frame that the incident occurs. Reviewing the capture log could reveal the source IP address of your hacker.
The IP address is really only of value to you if it is coming from within your organization. If the connection is being established externally, then you will not be able to rely on the IP address in the capture as it will probably be coming from the external interface of a firewall that is performing network address translation (NAT).
Do you have comments on this Ask the Expert Q&A? Let us know.
Ask an Exchange Server question in our forum.
Dig Deeper on Microsoft Exchange Server Monitoring and Logging
Related Q&A from Richard Luckett
I have limited drive space on my Exchange Server but need to restore large mailboxes. Can I prevent mailbox restores from a recovery database by ...continue reading
I want to move from a single Exchange 2013 server to multiple servers, including multiple database and client access servers, for HA. What's the best...continue reading
My mailbox migration from Exchange 2010 to Exchange 2013 is moving very slowly. What might be causing this and how can I speed up the process?continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.