Home » Email Forensics » A Brief Guide to Perform Email Forensics in Microsoft Office 365

A Brief Guide to Perform Email Forensics in Microsoft Office 365

Anuraag Singh | Modified: April 18, 2022|Email Forensics | 5 Minutes Reading

This article is written to perform email forensics in Microsoft Office 365. As you might know that Microsoft Office 365 is a package of software provided as a cloud service. In today’s time, many organizations prefer using Office 365 for their daily business requirements. The platform altogether promotes new methods for availing the applications of Office suite as services. Office 365 comes with PowerPoint, Excel, Exchange Online, Office Online apps, Email, SharePoint Online, etc., along with some features that enable the integrated forensic analysis. Despite that, Office 365 features a great email filter that works well on spam emails to avoid a situation of investigation.

What is Spam Mail in Office 365?

Email spam is a subset of Electronic Spam whereby a single unsolicited message is sent by email. These spam emails are generally commercial by nature and these spam may lead to phishing websites or websites with some malware. There are many filtering techniques to get rid of spam mails, but somehow they get into our profiles.
Therefore, Office 365 is currently working on the spam mail issue.

How to Track Down Spam Mails in O365?

In order to track down spam mails following procedures need to be followed:

  • First, look into the email header of the suspected message received
  • Second, follow the flow of received headers backwards with your ISP
  • Third, identify the sender of the last verifiable email handling server
  • Fourth, look for all possible URLs & email addresses in context with the spam

How to Resolve Email Headers of Spammer in Office 365?

When an email is sent, it moves through other systems and certain header information is added from every system until it is received by the recipient. It is important thing for the investigator to identify the email headers. By performing email forensics in Microsoft Office 365 in order to identify the spammers and distinguish them from the safe senders. To find the header of an email in Office 365, the user must select the particular message, which has to be checked. On the system, click on the view message details in order to view the details of that email.
The following procedures must be followed to identify spam in Office 365:

  • First, DKIM verification should be done for a particular message i.e., to find out the digital signature in the message and to check whether that signature is valid or not
  • Second, enable DKIM signings in Office 365 that will help users track down the email
  • The third is by increasing URL filtering coverage When Exchange Online Protection (EOP) scans an email message

Email Forensics in Microsft Office 365  – In-Place eDiscovery

Stages of eDiscovery:

  • Select the preferred mailbox
  • Specific search criteria must be followed:
    1. Dates
    2. Keywords
    3. Addresses of both sender and recipient
    4. Categories of the message and their type
  • After completing the search the user can perform one of the following methods:
    1. Estimate: An estimated value of the item along with a number of items needed to perform the search
    2. Preview: Offers a preview of the result of the message that is examined
    3. Copy: Enables copying the message to the discovery mailbox on Office 365
    4. Export: After copying the mail from the discovery mailbox, export the mailbox as PST

Receiving False Headers

During such investigative procedures for Office 365 email forensics, there is a high chance of receiving false positives. This happens and makes it difficult for the user to trace the spammer. In this, a typical process is carried out in a tree-format structure. The headers received are then analyzed.
Email Forensics in Office 365
The above figure shows the tree out of email headers arriving at B.net. The pattern of this tree clearly shows that the message is received by R.com. The message by R.com could have been sent through different locations by using different servers.

How Spammers Can Be Investigated?

The spammers can easily be caught through email forensics in Microsoft Office 365 if the user gets complete access to the header information of the respective mail. It is clear evidence for the investigation of an email and is applicable for Office 365 email forensics as well.

For instance, if you have been sent the mail header of a spam mail, it will look like the following:

Received: from [] (port=4637 helo=User)
by your.server.example with esmtpa (Exim 4.82)
(envelope-from <spammer@domain.example>)
id 2XFVHL-100459-5R; Fri, 15 Aug 2014 07:31:07 +1000


So, you have read about how to perform email forensics in Microsoft Office 365 in this article. Using the defined way, the users can easily investigate spammers and it will not be difficult to track the spammer. Certain things and procedures must be followed by users to detect the spammer. The segment also tried to cover how the authenticity of an email can be checked with the help of digital signatures. Doing this will also increase the URL filtering coverage so that spam mail does not trouble the users who are using Office 365 email services. User must export their email to PST files so that the data in the mailbox does not get lost because of the spam mails.  The mailbox holds sensitive corporate storage in Office 365, which turns out to be a critical element during investigative procedures carried out on the cloud.