Does anyone know how to find the authenticated user account in Exchange 2013 that is sending emails? We believe an account has been compromised but can't find the compromised account. Using SMTP, an email client or malware application can be set up to connect to Exchange with a valid email account and a bogus email address. I need to find a way to associate the bogus address with the actual authentication account being used. In older versions of Exchange you could just add the username column to the logs, but Exchange 2013 does not appear to have this option.
An example is salespersonjoe has account salespersonjoe@somedomain.com and logs in to Exchange using the domain name and password for salespersonjoe. salespersonjoe's account password has been stolen and is now being used to send bogus/spam/virus email. This stolen account is then used to send email from aslkjdf1324asdf@somedomain.com using salespersonjoe's info. Exchange unfortunately will still send emails with the bogus email account when using SMTP. There is no way to relate aslkjdf1324asdf@somedomain.com to salespersonjoe's account in the logs, and I need a way or some other solution to find the hacked account.
The emails don't end up in any sent items folder, so logging into every mailbox and looking for sent items isn't going to work.
Using the IP address is a temporary workaround, but we've blocked a couple of subnets entirely because they just keep using a different IP address; we want to find the compromised account.
Thanks
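An added example of the correlation described in the question (not code from the poster or from Microsoft): the Exchange 2013 message tracking log does not carry the authenticated account, but the receive connector's SMTP protocol log does, provided the connector has verbose protocol logging turned on (`Set-ReceiveConnector -ProtocolLoggingLevel Verbose`). The script below parses RECV*.LOG lines using the column order from the log's `#Fields:` header, joins each session's post-AUTH information line to the MAIL FROM commands sent in that session, and flags sessions where the envelope sender's local part is not the account that logged in. The sample log is constructed (TEST-NET addresses, session ids and the post's own names) and the exact shape of the "authenticated" line is an assumption to check against your own logs; the function name and the `Mismatch` heuristic are mine.

```powershell
# Added example, not part of the original post. Assumes verbose protocol logging
# on the receive connector and the default Exchange 2013 log layout.
function ConvertFrom-SmtpReceiveLog {
    [CmdletBinding()]
    param(
        # Raw lines of one or more RECV*.LOG files (pipe Get-Content output in).
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Line
    )
    begin {
        # Column layout taken from the SMTP receive protocol log "#Fields:" header.
        $header = 'date-time','connector-id','session-id','sequence-number',
                  'local-endpoint','remote-endpoint','event','data','context'
        $buffer = New-Object System.Collections.Generic.List[string]
    }
    process {
        foreach ($l in $Line) {
            # Skip blank lines and the '#' comment/header lines Exchange writes.
            if ($l -and -not $l.StartsWith('#')) { $buffer.Add($l) }
        }
    }
    end {
        $sessions = [ordered]@{}
        foreach ($r in ($buffer | ConvertFrom-Csv -Header $header)) {
            $id = $r.'session-id'
            if (-not $sessions.Contains($id)) {
                $sessions[$id] = [pscustomobject]@{
                    SessionId = $id
                    Remote    = $r.'remote-endpoint'
                    User      = $null
                    Senders   = New-Object System.Collections.Generic.List[string]
                }
            }
            $s = $sessions[$id]
            # Assumption: after a successful AUTH, an information ('*') line carries the
            # account in the data column and the word 'authenticated' in the context column.
            if ($r.event -eq '*' -and $r.context -eq 'authenticated') { $s.User = $r.data }
            # Every MAIL FROM the client sends ('<') is the envelope sender it chose;
            # Exchange does not force it to match the authenticated account.
            if ($r.event -eq '<' -and $r.data -match '^MAIL FROM:\s*<([^>]*)>') {
                $s.Senders.Add($Matches[1].ToLowerInvariant())
            }
        }
        foreach ($s in $sessions.Values) {
            if (-not $s.User) { continue }          # anonymous sessions have no account to attribute
            $account = ($s.User -split '\\')[-1]   # strip the DOMAIN\ prefix
            foreach ($sender in $s.Senders) {
                [pscustomobject]@{
                    AuthenticatedUser = $s.User
                    MailFrom          = $sender
                    RemoteEndpoint    = $s.Remote
                    SessionId         = $s.SessionId
                    # Heuristic: the sender's local part should equal the account name.
                    Mismatch          = ($sender -notlike "${account}@*")
                }
            }
        }
    }
}

# Constructed sample log (not real data): one abused session, one normal one.
$sample = @'
#Software: Microsoft Exchange Server
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2014-03-01T02:10:01.000Z,EX01\Client Frontend EX01,08D0A1,0,10.0.0.10:587,203.0.113.7:51122,+,,
2014-03-01T02:10:01.100Z,EX01\Client Frontend EX01,08D0A1,1,10.0.0.10:587,203.0.113.7:51122,<,AUTH LOGIN,
2014-03-01T02:10:01.300Z,EX01\Client Frontend EX01,08D0A1,2,10.0.0.10:587,203.0.113.7:51122,*,SOMEDOMAIN\salespersonjoe,authenticated
2014-03-01T02:10:01.400Z,EX01\Client Frontend EX01,08D0A1,3,10.0.0.10:587,203.0.113.7:51122,>,235 2.7.0 Authentication successful,
2014-03-01T02:10:01.500Z,EX01\Client Frontend EX01,08D0A1,4,10.0.0.10:587,203.0.113.7:51122,<,MAIL FROM:<aslkjdf1324asdf@somedomain.com>,
2014-03-01T02:10:02.000Z,EX01\Client Frontend EX01,08D0A1,5,10.0.0.10:587,203.0.113.7:51122,<,MAIL FROM:<aslkjdf1324asdf@somedomain.com>,
2014-03-01T02:11:00.000Z,EX01\Client Frontend EX01,08D0A2,0,10.0.0.10:587,10.0.0.55:50201,+,,
2014-03-01T02:11:00.200Z,EX01\Client Frontend EX01,08D0A2,1,10.0.0.10:587,10.0.0.55:50201,*,SOMEDOMAIN\bob,authenticated
2014-03-01T02:11:00.300Z,EX01\Client Frontend EX01,08D0A2,2,10.0.0.10:587,10.0.0.55:50201,<,MAIL FROM:<bob@somedomain.com>,
'@

$sample -split '\r?\n' | ConvertFrom-SmtpReceiveLog | Format-Table -AutoSize

# Against the real logs: mismatched envelope senders counted per authenticated account.
$logDir = Join-Path $env:ExchangeInstallPath 'TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive'
Get-ChildItem -Path $logDir -Filter 'RECV*.LOG' | Get-Content | ConvertFrom-SmtpReceiveLog |
    Where-Object Mismatch |
    Group-Object AuthenticatedUser, MailFrom |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

On the sample, the salespersonjoe session comes out with `Mismatch` true for both aslkjdf1324asdf@somedomain.com submissions and bob's session comes out clean, which is the association the question is after: the account that authenticated, the addresses it submitted, and the remote endpoint that did it. Clients that submit through the Mailbox (Hub) transport service log under `TransportRoles\Logs\Hub\ProtocolLog\SmtpReceive` instead, so check both directories. The local-part comparison is only a heuristic: shared mailboxes, aliases and users whose primary address differs from their logon name will show up as mismatches, so treat the grouped counts as a shortlist to confirm against the account's normal sending pattern, not as proof of compromise.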