Dear all:

I am currently using the MS Exchange 2013 eDiscovery feature with the objective to identify which of my users have received emails containing specific hyperlinks (e.g. http://website1/webroot/file.zip, http://website2/webroot/file.zip, etc.) from an unknown sender.

To this end, I have been creating an eDiscovery on-hold case looking for a specific search criteria in all mailboxes.

As the search criteria, I have tried many options but was unable to obtain satisfying results: I know I am missing some e-mails from this specific search (I checked manually). I have notably tried the following search queries (with and without the body: search operator, with and without double quotes, etc.)

body:http://website1/* OR body:http://website2/*

body:"http://website1/*" OR body:"http://website2/*"

body:"website1*" OR body:"website2*"

body:"*website1*" OR body:"*website2*"

[...]

When replaying these queries on my local Outlook client, everything works fine and I get results as expected.

However, when going through the ECP eDiscovery feature, I am missing some results.

Therefore, I am looking for any advice on what Exchange eDiscovery KQL query I should use to identify all emails containing, in their message body, a list of specific hyperlinks/URLs.

Many thanks in advance for your help.

S.

Alas I do not know the answer to resolution via ECP and like you I have found it to be a bit maddening to use ECP for discovery tests Ive done when comparing results with our DigiScope product.  I know we can accomplish what your looking to do via Regular Expression but again that's with a 3rd party tool. 

One thought is I suppose it could be an indexing issue with the DB, so perhaps rebuilding the index would help?

If you do get it working I would love to know the resolution since many of my tests with ECP have left me yelling at the screen.  When its works its cool when not w