A Brief Guide to Perform Email Forensics in Office 365

Anuraag Singh | October 9th, 2017 | Forensics

This article explains how to perform email forensics in Office 365. As you may know, Microsoft Office 365 is a package of software provided as a cloud service. Today, many organizations prefer Office 365 for their daily business requirements. The platform promotes new ways of consuming the applications of the Office suite as services. Office 365 comes with PowerPoint, Excel, Exchange Online, Office Online apps, email, SharePoint Online, etc., along with some features that enable integrated forensic analysis. Besides that, Office 365 includes an effective email filter that handles spam mail well and so reduces the need for an investigation.

What is Spam Mail in Office 365?

Email spam is a subset of electronic spam in which unsolicited messages are sent by email. These spam emails are generally commercial in nature and may lead to phishing websites or websites hosting malware. There are many filtering techniques to get rid of spam mail, but some of it still reaches our mailboxes.
Therefore, Office 365 is currently working on the spam mail issue.

How to Track Down Spam Mails in O365?

In order to track down spam mail, the following procedure needs to be followed:

  • First, look into the email header of the suspected message received
  • Second, follow the flow of Received headers backwards, with the help of your ISP
  • Third, identify the sender as recorded by the last verifiable email-handling server
  • Fourth, look for all possible URLs and email addresses in the context of the spam

How to Resolve Email Headers of Spammer in Office 365?

When an email is sent, it passes through several systems, and each system adds its own header information until the message reaches the recipient. It is important for the investigator to examine the email headers when performing email forensics in Office 365, in order to identify spammers and distinguish them from safe senders. To find the header of an email in Office 365, the user must select the particular message to be checked and then click on "View message details" to see the details of that email.
The following procedure must be followed to identify spam in Office 365:

  • First, perform DKIM verification for the particular message, i.e., locate the digital signature in the message and check whether that signature is valid or not
  • Second, enable DKIM signing in Office 365, which will help the user track down the email
  • Third, increase URL filtering coverage when Exchange Online Protection (EOP) scans an email message
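The DKIM step above is where an analyst most often gets it wrong: the check is not only "is there a DKIM-Signature" but "did the receiving server verify it, and does the signing domain match the visible From domain". The script below is an added example, not code from the original article; it reads the Authentication-Results header that Exchange Online Protection stamps on inbound mail (dkim=, spf=, dmarc= results), pulls the d= tag from the DKIM-Signature, and reports whether the signing domain aligns with the From domain. It does not verify the signature cryptographically (that requires fetching the selector's public key from DNS); it relies on the verdict EOP already recorded. The two message samples, domains, IPs and signature values are constructed placeholders.

```python
"""Read EOP's recorded DKIM/SPF/DMARC verdicts and check DKIM/From alignment.

Added example (not from the article). Assumes the message was received by
Exchange Online Protection, which writes an Authentication-Results header.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample 1: EOP marked the message as DKIM, SPF and DMARC pass.
# Domains end in .example, the IP is from an RFC 5737 documentation range, and
# the bh=/b= values are placeholders, not real hashes or signatures.
SIGNED_MESSAGE = """\
Authentication-Results: spf=pass (sender IP is 192.0.2.10)
 smtp.mailfrom=newsletter.example; dkim=pass (signature was verified)
 header.d=newsletter.example;dmarc=pass action=none
 header.from=newsletter.example
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=newsletter.example;
 s=selector1; h=from:to:subject:date; bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIG=
From: Example Newsletter <news@newsletter.example>
To: analyst@tenant.example
Subject: Weekly update

Body text.
"""

# Constructed sample 2: no DKIM signature, SPF fails, and the visible From
# domain differs from the envelope sender, the pattern seen in spoofed mail.
UNSIGNED_MESSAGE = """\
Authentication-Results: spf=fail (sender IP is 198.51.100.7)
 smtp.mailfrom=bulk-sender.example; dkim=none (message not signed)
 header.d=none;dmarc=fail action=quarantine header.from=bank.example
From: "Bank Support" <alerts@bank.example>
To: analyst@tenant.example
Subject: Verify your account

Body text.
"""


def _fold(value):
    """Collapse header folding (newlines and runs of whitespace) into single spaces."""
    return re.sub(r"\s+", " ", str(value or "")).strip()


def parse_auth_results(value):
    """Map each authentication method to its result, e.g. {'dkim': 'pass', 'spf': 'fail'}."""
    return {m.lower(): r.lower()
            for m, r in re.findall(r"\b(spf|dkim|dmarc|compauth)=(\w+)", value)}


def dkim_tag(signature, tag):
    """Return one tag value (for example 'd' or 's') from a DKIM-Signature value, or None."""
    m = re.search(r"(?:^|;)\s*" + re.escape(tag) + r"=([^;\s]+)", signature)
    return m.group(1) if m else None


def domains_align(signing_domain, from_domain):
    """Relaxed-style alignment: equal, or the From domain is a subdomain of the signing domain.

    Simplification: real DMARC compares organizational domains via the public suffix list.
    """
    if not signing_domain or not from_domain:
        return False
    s, f = signing_domain.lower(), from_domain.lower()
    return f == s or f.endswith("." + s)


def assess(raw):
    """Return the recorded verdicts, the DKIM signing domain, the From domain and a summary."""
    msg = message_from_string(raw)
    results = parse_auth_results(_fold(msg.get("Authentication-Results")))
    signing_domain = dkim_tag(_fold(msg.get("DKIM-Signature")), "d")
    from_domain = parseaddr(_fold(msg.get("From")))[1].rpartition("@")[2] or None
    aligned = domains_align(signing_domain, from_domain)
    # A signature that verified but belongs to an unrelated domain proves nothing
    # about the visible sender, so both conditions are required.
    verdict = "authenticated" if results.get("dkim") == "pass" and aligned else "not authenticated"
    return {"results": results, "signing_domain": signing_domain,
            "from_domain": from_domain, "aligned": aligned, "verdict": verdict}


if __name__ == "__main__":
    for label, raw in (("signed", SIGNED_MESSAGE), ("unsigned", UNSIGNED_MESSAGE)):
        print(label, assess(raw))
```

Run it against the full header block copied from "View message details"; a message whose DKIM-Signature d= domain passes but does not align with the From domain should be treated as unauthenticated, whatever the dkim= result says.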

Office 365 Forensics – In-Place eDiscovery

Stages of eDiscovery:

  • Select the preferred mailbox
  • Specify the search criteria:
    1. Dates
    2. Keywords
    3. Addresses of both sender and recipient
    4. Categories of message and its type
  • After completing the search, the user can perform one of the following actions:
    1. Estimate: Shows an estimated value of the items along with the number of items matched by the search
    2. Preview: Offers a preview of the messages returned by the search
    3. Copy: Copies the messages to the discovery mailbox in Office 365
    4. Export: After copying the mail to the discovery mailbox, export the mailbox as a PST

Receiving False Headers

During such investigative procedures for Office 365 email forensics, there is a high chance of encountering false positives. When this happens, it becomes difficult for the user to trace the spammer. In this case, a typical process is carried out in a tree-format structure, and the headers received are then analyzed.
[Figure: Email Forensics in Office 365]
In the above figure, it shows the tree built out of the email headers arriving at The pattern of this tree clearly shows that the message is received by The message by could have been sent through different locations by using different servers.

How Can Spammers Be Investigated?

Spammers can easily be caught through email forensics in Office 365 if the user has complete access to the header information of the respective mail. The header is clear evidence for the investigation of an email, and this applies to Office 365 email forensics as well.

For instance, if you have been sent the mail header of a spam message, it will look like the following:

Received: from [] (port=4637 helo=User)
by your.server.example with esmtpa (Exim 4.82)
(envelope-from <spammer@domain.example>)
id 2XFVHL-100459-5R; Fri, 15 Aug 2014 07:31:07 +1000
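The Received line above is one hop; a real header carries one such line per server, prepended as the message travels, so the bottom line is the earliest hop and the top line is the recipient's own server. The script below is an added example, not code from the original article, and it implements the four-step procedure from the "How to Track Down Spam Mails" section: it parses every Received header, lists the hops in delivery order, walks backwards checking that each hop's "by" host is what the next hop says it received "from" (the last hop still on that unbroken chain is the last verifiable email-handling server; the "from" it recorded, here a bare IP with helo=User over esmtpa, is only a claim), flags timestamps that run backwards, and collects every URL and e-mail address in the message. The sample message, hostnames, queue ids and addresses are constructed; IPs come from RFC 5737 documentation ranges.

```python
"""Walk a message's Received chain from origin to recipient and extract indicators.

Added example (not from the article). Assumes the raw header block was copied from
"View message details" in Office 365 or from a .eml file.
"""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample (not a real message): three hops in Exim and Exchange styles.
SAMPLE = """\
Received: from mx.tenant.example (198.51.100.25) by mailbox.tenant.example
 with ESMTPS; Fri, 15 Aug 2014 07:31:09 +1000
Received: from relay.isp.example ([203.0.113.5]) by mx.tenant.example
 with esmtps (Exim 4.82) id 1AAAAA-000123-AB; Fri, 15 Aug 2014 07:31:08 +1000
Received: from [192.0.2.44] (port=4637 helo=User) by relay.isp.example
 with esmtpa (Exim 4.82) (envelope-from <sender@bulk-sender.example>)
 id 1AAAAA-000459-5R; Fri, 15 Aug 2014 07:31:07 +1000
From: "Account Team" <sender@bulk-sender.example>
Reply-To: collect@other.example
To: victim@tenant.example
Subject: Your invoice

Pay now at http://pay.example.net/invoice?id=123 or reply to billing@other.example.
"""


def _fold(value):
    """Collapse header folding into single spaces."""
    return re.sub(r"\s+", " ", str(value or "")).strip()


def _search(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None


def parse_hop(value):
    """Extract the forensic fields from one Received header value."""
    v = _fold(value)
    return {
        "from": _search(r"\bfrom\s+(\S+)", v),                  # host the sender claimed
        "ip": _search(r"\b((?:\d{1,3}\.){3}\d{1,3})\b", v),     # IP the receiving server recorded
        "helo": _search(r"\bhelo=([^\s)]+)", v),                # Exim logs the raw HELO string
        "by": _search(r"\bby\s+(\S+)", v),                      # server that wrote this header
        "with": (_search(r"\bwith\s+(\S+)", v) or "").rstrip(";") or None,  # esmtpa = authenticated
        "envelope_from": _search(r"envelope-from\s+<([^>]+)>", v),
        "id": _search(r"\bid\s+([^;\s]+)", v),                  # queue id to ask the operator about
        "time": parsedate_to_datetime(v.rpartition(";")[2].strip()) if ";" in v else None,
    }


def hops_in_delivery_order(raw):
    """Servers prepend Received headers, so reverse them to get origin -> recipient."""
    msg = message_from_string(raw)
    return [parse_hop(h) for h in reversed(msg.get_all("Received", []))]


def _same_host(a, b):
    return bool(a and b) and a.strip("[]").lower() == b.strip("[]").lower()


def last_verifiable_server(hops):
    """Walk back from the recipient's server while each hop's 'from' matches the previous
    hop's 'by'. The 'by' of the earliest hop still on that chain is the last server whose
    record can be corroborated; everything before it is only what that server was told."""
    if not hops:
        return None
    i = len(hops) - 1
    while i > 0 and _same_host(hops[i]["from"], hops[i - 1]["by"]):
        i -= 1
    return hops[i]["by"]


def time_anomalies(hops):
    """Indices of hops whose timestamp is earlier than the hop before them."""
    return [i for i in range(1, len(hops))
            if hops[i]["time"] and hops[i - 1]["time"] and hops[i]["time"] < hops[i - 1]["time"]]


URL_RE = re.compile(r"https?://[^\s<>\"']+")
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def indicators(raw):
    """Every URL and e-mail address mentioned anywhere in the headers or body."""
    return {"urls": sorted(set(URL_RE.findall(raw))),
            "addresses": sorted({a.lower() for a in ADDR_RE.findall(raw)})}


if __name__ == "__main__":
    hops = hops_in_delivery_order(SAMPLE)
    for n, h in enumerate(hops):
        print(f"hop {n}: {h['from']} ({h['ip']}, helo={h['helo']}) -> {h['by']} "
              f"via {h['with']} at {h['time']}")
    print("last verifiable server:", last_verifiable_server(hops))
    print("timestamp anomalies:", time_anomalies(hops))
    print("indicators:", indicators(SAMPLE))
```

The queue id and timestamp of the last verifiable hop are what you hand to that server's operator (your ISP, in the procedure above) so they can look up the connection in their own logs; the bare IP and helo string before it are the claim to be corroborated, not a finding.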


So, in this article you have read how to perform email forensics in Office 365. Using the method described, users can easily investigate spammers, and tracking a spammer will not be difficult. Certain procedures must be followed by users to detect the spammer. This article also covered how the authenticity of an email can be checked with the help of digital signatures. Doing this will also increase the URL filtering coverage so that spam mail does not trouble users of Office 365 email services. Users must export their email to PST files so that the data in the mailbox is not lost because of spam mail. The mailbox holds sensitive corporate data in Office 365, which turns out to be a critical element during investigative procedures carried out in the cloud.