the server side? The answer is unfortunately no! The Exchange server logs don’t contain any significant event for the detection.

RPC event:

2021-05-14T12:43:34.255Z,EXCHANGE,RpcHttp,S:Stage=EndRequest;S:UserName=LAB\user1;S:AuthType=NTLM;S:Status=200.0.OK;S:HttpVerb=RPC_IN_DATA;S:[email protected]:6001;S:RequestId=8c2f7c07-11db-4ff6-838a-f84b61a8aea4;S:ClientIp=172.21.194.203

MAPI event:

2021-05-14T12:16:28.480Z,1a5792de-6350-4d18-8259-067a2d465f29,{C715155F-2BE8-44E0-BD34-2960065754C8}:3,<null>,Execute,200,0,0,0,27,Unknown,15,1,1591,10,LAB\user1,,,,43873a7d-0aac-45e5-b531-[email protected],9a179873-e3e7-4408-838b-54fb489dbd2c,[email protected],172.21.194.203,EXCHANGE.LAB.LOCAL,<null>,,MAPIAAAAAOC4+7PyvPu+na+frZyxgbSZqJy8jLuBtYK4jLnjwPHB8Mj6yf/L/M7JAQAAAAAAAA==,0-5QcQfg==,{2F94A2BF-A2E6-4CCC-BF98-B5F22C542226},,15.0.4815.1002,0,Negotiate,,,,,,,,,Anonymous,>[254]<[254],OwnerLogon;LogonId: 12;,cpn=M_ABR/RUM_ABR/RUM_ABRC/M_APAR/M_APRH/M_DTC/M_DTQ/M_DTE/M_RDE/M_RDrE/M_RDrEc/M_RDEc/M_APoRH/M_AER/;cpv=0/2/2/4/4/6/6/6/6/7/26/26/26/28/28/;Dbl:ST.T[exchange.9a179873-e3e7-4408-838b-54fb489dbd2c]=1;Dbl:BudgUse.T[]=38.002799987793;Dbl:MAPI.T[exchange.9a179873-e3e7-4408-838b-54fb489dbd2c]=7;Dbl:EXR.T[exchange.9a179873-e3e7-4408-838b-54fb489dbd2c]=3;Dbl:VCGS.T[EXCHANGE]=1;I32:VCGS.C[EXCHANGE]=1;I32:ROP.C[exchange.9a179873-e3e7-4408-838b-54fb489dbd2c]=1634283;I32:MAPI.C[exchange.9a179873-e3e7-4408-838b-54fb489dbd2c]=40;I32:RPC.C[exchange.9a179873-e3e7-4408-838b-54fb489dbd2c]=3;Dbl:RPC.T[exchange.9a179873-e3e7-4408-838b-54fb489dbd2c]=6;I32:MB.C[exchange.9a179873-e3e7-4408-838b-54fb489dbd2c]=3;F:MB.AL[exchange.9a179873-e3e7-4408-838b-54fb489dbd2c]=2,