100% Proven Solution to Perform Office 365 Email Forensics

MailXaminer | June 6th, 2020 | Forensics

Since Microsoft introduced Office 365, business users have widely adopted it to meet their demanding communication needs. Office 365 is a line of subscription services that bundles PowerPoint, Exchange Online, Office Online apps, SharePoint Online, and more.

As more organizations depend on Office 365 for their business requirements, there is a growing need for bulk email investigation so that emails can be produced as evidence in a court of law. Such a need arises because of the large number of spam emails that reach Office 365 mailboxes. In this blog, we shed light on the importance of Office 365 email forensics.

How to Track the Origin of Unsolicited Emails?

Spam emails are behind many of the attacks and infections an organization may suffer. To deal wisely with spam in an Office 365 mailbox, it is important to analyze the email headers. Knowledge of email headers helps investigating officers trace the origin of emails.

One can track the source of spam emails, also known as unsolicited commercial email (UCE), by following the steps given below:

  • Analyze the email header of the suspected email message
  • Examine the Received headers in backward order, starting from the hop added by your own ISP or mail server and working back towards the sender
  • Identify the sending host recorded by the last verifiable email handling server
  • Check all URLs and email addresses that appear in the spam email
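As an added example that is not part of the original post, the Python below walks the Received headers of a constructed sample message (placeholder hostnames and RFC 5737 addresses) in backward order, checks that each hop's "from" host matches the "by" server of the next older header, and reports the last verifiable originating host; a second constructed message with a broken chain shows how a forged bottom header is flagged.

```python
import email
import re

# Constructed sample (not from the article): three Received headers, the
# topmost written by the recipient's own MX, so the most recent hop is first.
RAW_MESSAGE = b"""Received: from mail.relay.example.net (mail.relay.example.net [203.0.113.7])
 by mx.tenant.example.com with ESMTP id abc123; Fri, 5 Jun 2020 10:02:11 +0000
Received: from smtp.sender.example.org (smtp.sender.example.org [198.51.100.9])
 by mail.relay.example.net with ESMTPS id def456; Fri, 5 Jun 2020 10:02:09 +0000
Received: from [192.0.2.25] (unknown [192.0.2.25])
 by smtp.sender.example.org with SMTP id ghi789; Fri, 5 Jun 2020 10:02:05 +0000
From: someone@sender.example.org
To: victim@tenant.example.com
Subject: constructed sample

body
"""
# Same message, but the oldest header claims a "by" server that no newer hop
# received from: a forged bottom header inserted by the sender (constructed).
FORGED_MESSAGE = RAW_MESSAGE.replace(b"by smtp.sender.example.org", b"by fake.example.org")

HOP_RE = re.compile(r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)", re.S)

def parse_hops(raw):
    """Return [{'from': host, 'by': server}, ...] with the most recent hop first."""
    msg = email.message_from_bytes(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if m:
            hops.append({"from": m.group("from").rstrip(";,"),
                         "by": m.group("by").rstrip(";,")})
    return hops

def trace(raw):
    """Walk the chain backwards from the trusted MX. Each hop's 'from' host must be
    the 'by' server of the next older hop; the first mismatch marks where the
    headers stop being verifiable, so the origin is the last consistent 'from'."""
    hops = parse_hops(raw)
    if not hops:
        return {"hops": [], "breaks": [], "origin": None}
    breaks = [i for i in range(len(hops) - 1) if hops[i]["from"] != hops[i + 1]["by"]]
    origin_index = breaks[0] if breaks else len(hops) - 1
    return {"hops": hops, "breaks": breaks, "origin": hops[origin_index]["from"]}
```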

How Does Office 365 Email Forensics Help in Spam Emails Examination?

Once a sender has dispatched an email, it traverses a number of systems, and each system modifies the header data as the message passes through until it reaches the designated recipient. It is therefore very important for investigators to understand the details of email headers in order to determine whether a message is spoofed or not. To analyze the message header in Office 365, the forensic examiner selects the particular message to be examined and then chooses the “View message details” option, which reveals the email header of that specific message.

View Office 365 Email Header

  • DKIM Verification: DKIM (DomainKeys Identified Mail) verifies the digital signature on the suspected email message and checks whether the signature is valid. It helps identify whether the message is a genuine email from the signing domain or a spoofed spam email.
  • DKIM Signing: Office 365 supports DKIM signing for all outgoing email, which helps distinguish fully hosted customers, hybrid customers, and so on.
  • Increased URL Filtering Coverage: Currently Exchange Online Protection (EOP) uses 750,000 URLs in its anti-spam and anti-phishing detection. If an email message contains one of these URLs, the spam filter weighs it heavily.

Receiving Forged Email Message Headers

Sometimes email message headers are forged to deceive users so that they cannot trace the origin of the emails. Such forgeries are examined in a tree-format view, as shown below: a typical email handling process is laid out as a tree and analyzed with the help of the message headers and the various subfields involved in the email's journey.

Office 365 Email Forensics

The tree shown above illustrates that, of the 325802 emails arriving at B.net, most (325090) come through mail.R.com and the remaining come through mail.H.com. A correlation can thus be established between B.net, mail.R.com and mail.H.com. Notice that some of the emails arriving at mail.R.com pass via mail.H.com and then return to mail.R.com before reaching the destination B.net. Given the locations of the different servers involved, this round-trip between providers may serve as evidence of intentional forwarding of emails.

Examining the Spam Header

When Exchange Online Protection (EOP) scans an email message, it stamps the X-Forefront-Antispam-Report header into each email. The fields in this header provide information about how the message was evaluated. Additionally, the X-Microsoft-Antispam header provides detailed information regarding bulk mail and phishing activity.

Microsoft Office 365 EOP uses the SCL (Spam Confidence Level) value to determine whether a message should be categorized as spam. Email messages with an SCL value less than 4 are delivered to the designated recipient's inbox. However, messages with an SCL value more than 5 are treated as spam and delivered to the recipient's Junk folder. Additionally, an SCL of 9 is regarded as high-confidence spam.
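As an added example (not from the article), the Python below reads the X-Forefront-Antispam-Report and X-Microsoft-Antispam headers from a constructed sample message, splits them into their KEY:VALUE fields, and applies the SCL thresholds stated above to decide the disposition; the header values and IP address are placeholders, and since the text does not say what happens to SCL 4 and 5, mapping them to "review" is an assumption.

```python
import email

# Constructed sample (not from the article). The header follows EOP's
# semicolon-separated KEY:VALUE layout; the IP and hosts are placeholders.
SAMPLE = b"""X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:XX;LANG:en;SCL:6;SRV:;IPV:NLI;SFV:SPM;H:mail.example.net;PTR:mail.example.net;CAT:SPM;SFTY:;SFS:(placeholder);DIR:INB;
X-Microsoft-Antispam: BCL:0;
From: sender@example.net
To: user@tenant.example.com
Subject: constructed sample

body
"""

def parse_report(value):
    """Split 'K1:V1;K2:V2;...' into a dict; empty values are kept as ''."""
    fields = {}
    for item in value.replace("\n", "").split(";"):
        if ":" in item:
            key, val = item.split(":", 1)
            fields[key.strip()] = val.strip()
    return fields

def scl_disposition(scl):
    """Disposition per the thresholds stated in the article."""
    if scl == 9:
        return "high-confidence spam"
    if scl > 5:
        return "junk folder"
    if scl < 4:
        return "inbox"
    return "review"  # assumption: SCL 4 and 5 are not described in the article

def triage(raw):
    """Extract the EOP verdict fields an examiner looks at first."""
    msg = email.message_from_bytes(raw)
    report = parse_report(msg.get("X-Forefront-Antispam-Report", ""))
    bulk = parse_report(msg.get("X-Microsoft-Antispam", ""))
    scl = int(report.get("SCL", -1))
    return {
        "scl": scl,
        "disposition": scl_disposition(scl),
        "connecting_ip": report.get("CIP"),
        "spam_filter_verdict": report.get("SFV"),
        "category": report.get("CAT"),
        "bcl": int(bulk.get("BCL", -1)),
    }
```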

Analyze Office 365 Email Headers Via Top-Notch Email Forensic Tool

MailXaminer is a professional email analysis software equipped with numerous advanced features. One can efficiently examine spam emails from Office 365 using its multi-mode preview options. It is user-friendly software that offers a rich set of features in a simple interface. So, let’s look at the procedure for performing Office 365 email analysis using this software.

Step 1: Once the software gets launched on your system, click on the Add Evidence button as shown in the below image

Add Evidence for Office 365 Email Forensics

Step 2: From the Add File wizard, go to Web >> Office 365 and input the credentials of the Office 365 account

Web-Office 365

Step 3: Once the file is loaded on the software panel, it provides a preview of all folders in a tree structure. Moreover, the emails can also be viewed by selecting the respective folders

Office 365 Email Forensics Process

Step 4: To preview the emails in different views such as Mail, Hex, Properties, Message Header, MIME, Email Hop, HTML, RTF, etc., simply right-click the email to be viewed and select the Preview option

Multiple Preview Mode

Step 5: As the image below shows, investigators can examine the emails thoroughly in the different views

Investigate Office 365 Mailbox

Step 6: The software allows us to export emails in different file formats. For that, select the desired emails to export and click the Export option. One can also export bulk emails by selecting the respective folder to transfer from the software panel

Export Office 365 Evidences

Step 7: Under Export Options, one can choose the required file format wherein the emails will be converted into the chosen file format. The different file formats offered by the software include HTML, MSG, PDF, EML, CSV, etc.

Office 365 Email Forensics: Export Options

The Bottom Line

With the advanced functionality offered by Office 365, most users prefer it. However, when it comes to spam emails, it is important to perform an in-depth analysis using specialized email analysis software such as MailXaminer. With its best-in-class features, one can track the source behind spam emails in a sophisticated way.