Exchange Best Practices: How to Detect Who Accessed Another User’s Mailbox

Using shared mailboxes in Office 365 can facilitate communication in team projects. However, giving multiple users access permissions for the same mailbox increases the risk of security incidents and leaks of sensitive data. Non-owners with access rights can, unintentionally or maliciously, forward a message, move an e-mail with sensitive content to another location, or — even worse — delete something important from an Exchange Online shared mailbox.

1. Open PowerShell -> Run the following command to connect with Exchange Online instance and enter your credentials in the pop-up window:

$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session

 2. To enable mailbox auditing run:

  • For a single mailbox:
Set-Mailbox –Identity "TestUser" -AuditEnabled $true
  • For all mailboxes:
$UserMailboxes = Get-mailbox -Filter {(RecipientTypeDetails -eq 'UserMailbox')} $UserMailboxes | ForEach {Set-Mailbox $_.Identity -AuditEnabled $true}
  • To check what mailboxes have auditing enabled run:
Get-Mailbox  | FL Name,AuditEnabled

3. Open Exchange Administration Center -> Navigate to “Compliance Management” Auditing.

4. Click “Run a non-owner mailbox access report”. You will get the report on non-owner access to all mailboxes with enabled auditing over the past two weeks.

5. To view non-owner access to a specific mailbox Click on a mailbox to view all non-owner access events with the details.

With Netwrix Auditor for Office 365 you can monitor non-owner mailbox access simply by running a special predefined report “All Exchange Non-Owner Mailbox Access Events”:

Learn more about Netwrix Auditor for Office 365

Danny is a former Senior Sales Engineer at Netwrix, a blogger and a presenter with over 10 years of experience in IT.