Since Microsoft introduced Office 365, business users have widely adopted it to meet their communication needs. Office 365 is a line of subscription services that includes PowerPoint, Exchange Online, Office Online apps, SharePoint Online, etc.
As the number of organizations depending on Office 365 for their business requirements increases, so does the need for bulk email investigation that can be produced as evidence in a court of law. This need arises because of the large number of spam emails that get into Office 365 profiles. In this blog, we shed light on the importance of Office 365 email forensics.
Spam emails are responsible for all kinds of attacks or infections that may occur in an organization. In order to deal wisely with spam emails in an Office 365 profile, it is important to analyze the email headers. The knowledge pertaining to email headers helps investigating officers to trace the origin of emails.
One can track the source of spam emails, also known as unsolicited commercial emails (UCE), by following the steps given below:
Once an email has been sent by the sender, it traverses a number of systems. Header data is modified at every system the message passes through until it reaches the designated recipient. It is very important for investigators to understand the details of email headers in order to determine whether a message is spoofed or not. To analyze the content of a message header in Office 365, the forensic expert has to select the particular message to be examined and then choose the option “View message details”, which reveals the email header details of that specific message.
Sometimes the message headers of emails are forged in order to deceive users so that they cannot trace the origin of the emails. Such forgeries are examined by laying the email handling process out in a tree-structured format. The tree is built from the message headers and the various subfields that are involved in the email's transit.
In the example tree, 325802 emails arrive at B.net. Most of them (325090) come through mail.R.com and the remainder come through mail.H.com. Here, a correlation can be established between B.net, mail.R.com and mail.H.com. It can be noticed that some of the emails which arrive at mail.R.com move via mail.H.com and then go back to mail.R.com before reaching the destination B.net. Based on the location of the different servers involved, the convoluted path between the providers may act as evidence in the event of intentional forwarding of emails.
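The tree described above can be rebuilt from the Received headers of exported messages. The following is an added example, not code from the original post or from any product it mentions; the two sample messages are constructed and reuse the article's placeholder host names, with sender.example as an assumed origin.

```python
import re
from collections import Counter
from email import message_from_string

# "from <host> ... by <host>" inside one Received value (may be folded).
HOP = re.compile(r"from\s+([^\s;]+).*?\bby\s+([^\s;]+)", re.S | re.I)

def route(raw):
    """Relay path of one message, oldest hop first."""
    path = []
    # Every relay prepends its own Received line, so read them bottom-up.
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        m = HOP.search(value)
        if not m:
            continue  # non-standard line: skip rather than guess
        if not path:
            path.append(m.group(1).lower())
        path.append(m.group(2).lower())
    return path

def edge_counts(messages):
    """Count how many messages used each server-to-server edge (the tree)."""
    counts = Counter()
    for raw in messages:
        p = route(raw)
        counts.update(set(zip(p, p[1:])))
    return counts

def revisited(path):
    """Hosts a message passed through more than once (A -> B -> A)."""
    return sorted(h for h, n in Counter(path).items() if n > 1)

# Constructed samples using the article's placeholder host names.
DIRECT = (
    "Received: from mail.R.com by B.net; Mon, 1 Jan 2024 10:00:03 +0000\n"
    "Received: from sender.example by mail.R.com; Mon, 1 Jan 2024 10:00:01 +0000\n"
    "Subject: direct\n\nbody\n")
LOOPED = (
    "Received: from mail.R.com by B.net; Mon, 1 Jan 2024 11:00:07 +0000\n"
    "Received: from mail.H.com by mail.R.com; Mon, 1 Jan 2024 11:00:05 +0000\n"
    "Received: from mail.R.com by mail.H.com; Mon, 1 Jan 2024 11:00:03 +0000\n"
    "Received: from sender.example by mail.R.com; Mon, 1 Jan 2024 11:00:01 +0000\n"
    "Subject: looped\n\nbody\n")

if __name__ == "__main__":
    for edge, n in edge_counts([DIRECT, LOOPED]).most_common():
        print(n, " -> ".join(edge))
    print("revisited:", revisited(route(LOOPED)))
```

Only the Received lines written by servers the investigator trusts are reliable; lines below the first trusted hop are supplied by the sending side and can be forged.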
When Exchange Online Protection (EOP) scans an email message, it places the X-Forefront-Antispam-Report header into the message. The fields present in this header provide information about the message. Additionally, the X-Microsoft-Antispam header gives detailed information regarding bulk mail and phishing activities.
Microsoft Office 365 EOP employs the SCL (Spam Confidence Level) value to determine whether a message should be categorized as spam or not. Email messages with an SCL value less than 4 are delivered to the designated recipient's inbox. However, messages with an SCL value more than 5 are considered inherent spam and are moved to the recipient’s Junk folder. Additionally, an SCL of 9 is regarded as rigorous spam.
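As an added example (not from the original post), the two EOP headers named above can be parsed from an exported message and the SCL mapped to the thresholds this article states. The sample message and its field values are constructed; the field names CIP, SFV, SCL and BCL are ones EOP writes in these headers.

```python
from email import message_from_string

def parse_pairs(value):
    """Split an EOP 'KEY:value;KEY:value;' header into a dict."""
    fields = {}
    # Long headers are folded across lines; unfold before splitting.
    for part in value.replace("\r", "").replace("\n", "").split(";"):
        # Split on the first ':' only, so IPv6 addresses in CIP survive.
        key, sep, val = part.strip().partition(":")
        if sep:
            fields[key.upper()] = val.strip()
    return fields

def scl_verdict(scl):
    """Map an SCL to the categories given in the article text."""
    if scl == 9:
        return "rigorous spam"
    if scl > 5:
        return "spam (Junk folder)"
    if scl < 4:
        return "inbox"
    return "not covered by the thresholds above"

def triage(raw):
    """Pull the fields an investigator checks first from one message."""
    msg = message_from_string(raw)
    report = parse_pairs(msg.get("X-Forefront-Antispam-Report", ""))
    bulk = parse_pairs(msg.get("X-Microsoft-Antispam", ""))
    try:
        scl = int(report["SCL"])
    except (KeyError, ValueError):
        scl = None  # header missing or stripped: treat as unscanned
    return {
        "scl": scl,
        "verdict": scl_verdict(scl) if scl is not None else "no EOP verdict",
        "cip": report.get("CIP"),   # connecting IP address
        "sfv": report.get("SFV"),   # spam filtering verdict
        "bcl": bulk.get("BCL"),     # bulk complaint level
    }

# Constructed sample; 203.0.113.7 is a documentation address.
SAMPLE = (
    "X-Forefront-Antispam-Report: CIP:203.0.113.7;CTRY:US;LANG:en;SCL:9;SRV:;\n"
    " IPV:NLI;SFV:SPM;H:mail.example.net;DIR:INB;\n"
    "X-Microsoft-Antispam: BCL:0;\n"
    "Subject: sample\n\nbody\n")

if __name__ == "__main__":
    print(triage(SAMPLE))
```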
MailXaminer is a professional email analysis software equipped with numerous advanced features. One can efficiently examine spam emails from Office 365 using its multi-mode preview options. It is a user-friendly software that offers the best set of features in a simplified user interface. So, let’s look at the procedure to perform Office 365 email analysis using this remarkable software.
Step 1: Once the software is launched on your system, click on the Add Evidence button
Step 2: From the Add File wizard, go to Web >> Office 365 and input the credentials of the Office 365 account
Step 3: Once the file is loaded on the software panel, it provides a preview of all folders in a tree structure. Moreover, the emails can also be viewed by selecting the respective folders
Step 4: To preview the emails in different views such as Mail, Hex, Properties, Message Header, MIME, Email Hop, HTML, RTF, etc., simply right-click the email to be viewed and select the Preview option
Step 5: Investigators can then examine the emails in the different views in a thorough manner
Step 6: The software allows us to export emails in different file formats. For that, select the desired emails to export and click the Export option. One can also export bulk emails by selecting the respective folder from the software panel
Step 7: Under Export Options, one can choose the required file format into which the emails will be converted. The different file formats offered by the software include HTML, MSG, PDF, EML, CSV, etc.
With the advanced functionalities rendered by Office 365, a majority of users prefer to use it. However, concerning spam emails, it is important to perform an in-depth analysis using specialized email analysis software like MailXaminer. With its best-in-class features, one can smartly track the source behind the spam emails in a sophisticated way.