Dear all:
I am currently using the MS Exchange 2013 eDiscovery feature with the objective of identifying which of my users have received emails containing specific hyperlinks (e.g. http://website1/webroot/file.zip, http://website2/webroot/file.zip, etc.) from an unknown sender.
To this end, I have been creating an eDiscovery on-hold case looking for specific search criteria in all mailboxes.
As the search criteria, I have tried many options but was unable to obtain satisfying results: I know I am missing some e-mails from this specific search (I checked manually). I have notably tried the following search queries (with and without the body: search operator, with and without double quotes, etc.):
body:http://website1/* OR body:http://website2/*
body:"http://website1/*" OR body:"http://website2/*"
body:"website1*" OR body:"website2*"
body:"*website1*" OR body:"*website2*"
[...]
When replaying these queries on my local Outlook client, everything works fine and I get results as expected.
However, when going through the ECP eDiscovery feature, I am missing some results.
Therefore, I am looking for any advice on what Exchange eDiscovery KQL query I should use to identify all emails containing, in their message body, a list of specific hyperlinks/URLs.
Many thanks in advance for your help.
S.