How to find when rule was created in Office 365 Outlook

Michael Smith 0 Reputation points
2024-04-17T17:23:05.5966667+00:00

One of my clients email was compromised and a rule was created. Want to find out where the user was located when accessing the account and when the rule was created.

Outlook
Outlook
A family of Microsoft email and calendar products.
4,045 questions
PowerShell
PowerShell
A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
2,608 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Q&A Assist
    2024-04-17T17:23:05.61+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    To find when a rule was created in Office 365 Outlook, you can perform an audit log search in the Microsoft 365 security & compliance center. Look for new rules, or rules that have been modified to redirect the mail to external domains. The number of rules should be known and relatively small. You can do an audit log search to determine who created the rule and from where they created it. If you see something unusual, contact the creator to determine if it is legitimate. Additionally, you can use the Search-Mailbox cmdlet in Exchange Online PowerShell to do a specific search query against a target mailbox of interest and copy the results to an unrelated destination mailbox.

    To determine where the user was located when accessing the account, you can check the unified audit log in the Microsoft 365 security & compliance center. The report shows activities that could indicate a mailbox is being accessed illicitly. It includes date, IP address, user, activity performed, the item affected, and any extended details.


    References:


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.