    Office 365 Moving Emails to Deleted Items

    • scottalanmiller @dbeato

      @dbeato said in Office 365 Moving Emails to Deleted Items:

      @dafyre said in Office 365 Moving Emails to Deleted Items:

      e got a strange one... I have a user here whose Emails go from whatever folder they are in to the Deleted Items folder after being read... Sometimes. Sometimes it doesn't happen for several minutes, and other times it happens right away.
      The user hasn't been phished that we can tell. No bogus rules in Outlook forwarding things to the deleted items. Check both Web and Outlook 2016.
      What am I not looking at that could be causing this?

      They got hacked though
      https://blogs.technet.microsoft.com/office365security/how-to-fix-a-compromised-hacked-microsoft-office-365-account/
      https://docs.microsoft.com/en-us/office365/securitycompliance/responding-to-a-compromised-email-account

      Sometimes the rule is a dot on the name....

      Yeah, assume that this is a hack. It's almost certain.

      • dafyre @scottalanmiller

        @scottalanmiller said in Office 365 Moving Emails to Deleted Items:

        Outlook might not have the rules, Exchange might. We've seen this a lot and it is caused when users use Outlook rather than OWA and don't know that they have client rules that they normally play with and more important server side rules that Outlook doesn't show you. That's how they get hidden.

        I've gone through the rules with both PowerShell from the admin side, and both Outlook and OWA in the User's account side. The only rule that deletes items is working fine.

        Pretty commonly it is a "password reset" attack vector, and this is to hide the password reset emails being received.

        By this, you mean the rule is hiding "we're attempting to change your password" type emails?

        If those emails were set to be permanently deleted, they could still be recovered from the "Recover deleted items" section in the Deleted Items folder. The only thing we're finding there is the messages that have been deleted.

        • scottalanmiller @dafyre

          @dafyre said in Office 365 Moving Emails to Deleted Items:

          By this, you mean the rule is hiding "we're attempting to change your password" type emails?

          Precisely

          • dafyre @scottalanmiller

            @scottalanmiller said in Office 365 Moving Emails to Deleted Items:

            @dafyre said in Office 365 Moving Emails to Deleted Items:

            By this, you mean the rule is hiding "we're attempting to change your password" type emails?

            Precisely

            Yeah, we're not finding those anywhere, unless they purge them from the deleted items "Recover deleted items" section... but the telltale sign there would be nothing in the Recover deleted items (but there's plenty of deleted items we need to restore, lol.)

            As for the Office 365 Remediation stuff, we've already changed their passwords and such. We're also going live with MFA on Office 365 next week, lol.

            • dafyre

              Just to be safe though, I did turn on User auditing. So we'll see what that reveals in a few hours...

              Edit: or not. Apparently, my admin account doesn't have privileges to actually use the audit stuff, lol.

              • wrx7m @dafyre

                @dafyre said in Office 365 Moving Emails to Deleted Items:

                Just to be safe though, I did turn on User auditing. So we'll see what that reveals in a few hours...

                Edit: or not. Apparently, my admin account doesn't have privileges to actually use the audit stuff, lol.

                Yeah, you have to go in and add those permissions separately. Global admin is not global enough.

                • dafyre @wrx7m

                  @wrx7m said in Office 365 Moving Emails to Deleted Items:

                  @dafyre said in Office 365 Moving Emails to Deleted Items:

                  Just to be safe though, I did turn on User auditing. So we'll see what that reveals in a few hours...

                  Edit: or not. Apparently, my admin account doesn't have privileges to actually use the audit stuff, lol.

                  Yeah, you have to go in and add those permissions separately. Global admin is not global enough.

                  Apparently so. But I see no signs of another user in their account.

                  • dafyre

                    @dbeato said in Office 365 Moving Emails to Deleted Items:

                    @dafyre said in Office 365 Moving Emails to Deleted Items:

                    e got a strange one... I have a user here whose Emails go from whatever folder they are in to the Deleted Items folder after being read... Sometimes. Sometimes it doesn't happen for several minutes, and other times it happens right away.
                    The user hasn't been phished that we can tell. No bogus rules in Outlook forwarding things to the deleted items. Check both Web and Outlook 2016.
                    What am I not looking at that could be causing this?

                    They got hacked though
                    https://blogs.technet.microsoft.com/office365security/how-to-fix-a-compromised-hacked-microsoft-office-365-account/
                    https://docs.microsoft.com/en-us/office365/securitycompliance/responding-to-a-compromised-email-account

                    Sometimes the rule is a dot on the name....

                    I am assuming it's a hacked account, but we changed the password to a new one. I disconnected all of her sessions from Office 365.

                    Still happening. I see no rules with a dot in the name... or spaces or foreign characters. I see exactly the number of rules on my CLI as I do in Outlook and OWA.

                    • dbeato @dafyre

                      @dafyre said in Office 365 Moving Emails to Deleted Items:

                      @dbeato said in Office 365 Moving Emails to Deleted Items:

                      @dafyre said in Office 365 Moving Emails to Deleted Items:

                      e got a strange one... I have a user here whose Emails go from whatever folder they are in to the Deleted Items folder after being read... Sometimes. Sometimes it doesn't happen for several minutes, and other times it happens right away.
                      The user hasn't been phished that we can tell. No bogus rules in Outlook forwarding things to the deleted items. Check both Web and Outlook 2016.
                      What am I not looking at that could be causing this?

                      They got hacked though
                      https://blogs.technet.microsoft.com/office365security/how-to-fix-a-compromised-hacked-microsoft-office-365-account/
                      https://docs.microsoft.com/en-us/office365/securitycompliance/responding-to-a-compromised-email-account

                      Sometimes the rule is a dot on the name....

                      I am assuming it's a hacked account, but we changed the password to a new one. I disconnected all of her sessions from Office 365.

                      Still happening. I see no rules with a dot in the name... or spaces or foreign characters. I see exactly the number of rules on my CLI as I do in Outlook and OWA.

                      Can you clear them all? Take a screenshot of the settings and then remove them and see what changes. The rules run autonomously and it is not someone running them.

                      • dafyre @dbeato

                        @dbeato said in Office 365 Moving Emails to Deleted Items:

                        @dafyre said in Office 365 Moving Emails to Deleted Items:

                        @dbeato said in Office 365 Moving Emails to Deleted Items:

                        @dafyre said in Office 365 Moving Emails to Deleted Items:

                        e got a strange one... I have a user here whose Emails go from whatever folder they are in to the Deleted Items folder after being read... Sometimes. Sometimes it doesn't happen for several minutes, and other times it happens right away.
                        The user hasn't been phished that we can tell. No bogus rules in Outlook forwarding things to the deleted items. Check both Web and Outlook 2016.
                        What am I not looking at that could be causing this?

                        They got hacked though
                        https://blogs.technet.microsoft.com/office365security/how-to-fix-a-compromised-hacked-microsoft-office-365-account/
                        https://docs.microsoft.com/en-us/office365/securitycompliance/responding-to-a-compromised-email-account

                        Sometimes the rule is a dot on the name....

                        I am assuming it's a hacked account, but we changed the password to a new one. I disconnected all of her sessions from Office 365.

                        Still happening. I see no rules with a dot in the name... or spaces or foreign characters. I see exactly the number of rules on my CLI as I do in Outlook and OWA.

                        Can you clear them all? Take a screenshot of the settings and then remove them and see what changes. The rules run autonomously and it is not someone running them.

                        That's what we've done now. All of the rules are disabled. End-user is turning them back on one at a time now.

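Added example, not part of the original thread: a PowerShell triage of inbox rules for the signs discussed above (rules that delete or move mail to Deleted Items, names that are just a dot or odd characters, conditions aimed at password-reset mail). `Find-SuspiciousInboxRule` is a hypothetical helper name and the sample rules are constructed; it assumes rule objects shaped like the output of `Get-InboxRule -Mailbox <user> -IncludeHidden`, which also returns the server-side rules the mail clients do not show.

```powershell
# Added example; Find-SuspiciousInboxRule is a hypothetical helper, not a built-in cmdlet.
function Find-SuspiciousInboxRule {
    param([object[]]$Rule)

    foreach ($r in $Rule) {
        $reasons = @()

        # Names such as "." or " " are easy to overlook in a rule list.
        if ([string]::IsNullOrWhiteSpace($r.Name) -or $r.Name -match '^[\p{P}\p{S}\s]+$') {
            $reasons += 'name is blank or punctuation only'
        }
        elseif ($r.Name -match '[^\x20-\x7E]') {
            $reasons += 'name has non-printable or non-ASCII characters'
        }

        # Actions that take mail out of the user's view.
        if ($r.DeleteMessage -or $r.SoftDeleteMessage) { $reasons += 'deletes messages' }
        if ("$($r.MoveToFolder)" -match 'Deleted Items|Junk|RSS') {
            $reasons += "moves mail to '$($r.MoveToFolder)'"
        }
        if ($r.ForwardTo -or $r.RedirectTo -or $r.ForwardAsAttachmentTo) {
            $reasons += 'forwards or redirects mail'
        }

        # Conditions aimed at password-reset or security notifications.
        $words = @($r.SubjectContainsWords) + @($r.BodyContainsWords) + @($r.SubjectOrBodyContainsWords)
        if (($words -join ' ') -match 'password|reset|security|verif') {
            $reasons += 'matches password/security notification keywords'
        }

        # Report disabled rules too: a disabled rule can simply be re-enabled later.
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Name = $r.Name; Enabled = $r.Enabled; Reasons = $reasons -join '; ' }
        }
    }
}

# Constructed sample data shaped like Get-InboxRule output (not taken from the thread).
$sampleRules = @(
    [pscustomobject]@{ Name = 'Newsletters'; Enabled = $true; MoveToFolder = 'Reading' }
    [pscustomobject]@{ Name = '.'; Enabled = $true; DeleteMessage = $true; SubjectOrBodyContainsWords = @('password', 'reset') }
    [pscustomobject]@{ Name = 'Cleanup'; Enabled = $false; MoveToFolder = 'Deleted Items' }
)
Find-SuspiciousInboxRule -Rule $sampleRules | Format-Table -AutoSize -Wrap

# Against a live mailbox (needs an Exchange Online PowerShell session; the address is a placeholder):
# Find-SuspiciousInboxRule -Rule (Get-InboxRule -Mailbox user@example.com -IncludeHidden)
```

On the constructed sample this reports the "." rule and the disabled "Cleanup" rule and skips "Newsletters".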