eDiscovery search should include participants:email@example.com (for example) t
One of our users was recently compromised, and the attacker used PowerShell to create Inbox Rules (which does not show as a login or show an IP in audit logs) that would forward messages to an external email address - let's call it firstname.lastname@example.org. In an effort to discover what information was lost, I performed an eDiscovery search for participants:email@example.com. This resulted in 0 items found, but a search for the key words used in the Inbox Rules returned quite a few emails. After reviewing every email in the export, there were none that were sent to firstname.lastname@example.org. Later, I decided to do a detailed message trace (or historical search), which clearly showed emails were sent to email@example.com. I lost about a week or so going on the assumption that the rules had not worked, since eDiscovery showed no results. Allowing people to search for this would save time and allow for more accurate reporting.
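As an added example (not part of the original post or of any Microsoft documentation), the following Exchange Online PowerShell script shows the three checks the post describes, in the order a responder would want them: enumerate forwarding/redirect inbox rules across mailboxes, pull a message trace for the external address (10 days directly, 90 days via historical search), and look up when the rules were created. It assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds the relevant Exchange and compliance roles, and that mailbox auditing is on; `$ExternalAddress` is a placeholder to be replaced with the address from your own incident.

```powershell
# Added example, not code from the original post. Assumes ExchangeOnlineManagement
# is installed and the account has Exchange admin / compliance search rights.
$ExternalAddress = 'firstname.lastname@example.org'   # placeholder from the post, not a real indicator

Connect-ExchangeOnline   # interactive sign-in

# 1. Rule actions live in ForwardTo / ForwardAsAttachmentTo / RedirectTo, not in the
#    message content, so an eDiscovery search on "participants:" does not surface them.
#    Walk every user mailbox and keep only rules that send mail somewhere.
$forwardingRules = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage
}
$forwardingRules | Format-Table -AutoSize

# Rules whose targets mention the suspect address (targets are strings like 'Name [SMTP:addr]').
$suspectRules = $forwardingRules | Where-Object {
    ((@($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)) -join ';') -match [regex]::Escape($ExternalAddress)
}
$suspectRules | Format-Table Mailbox, Name, Enabled, DeleteMessage -AutoSize

# 2. What actually left the tenant? Get-MessageTrace answers directly for the last 10 days.
$recent = Get-MessageTrace -RecipientAddress $ExternalAddress `
                           -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date) -PageSize 5000
$recent | Select-Object Received, SenderAddress, Subject, Status | Format-Table -AutoSize

# A historical search covers up to 90 days and delivers a CSV report asynchronously.
Start-HistoricalSearch -ReportTitle "Mail forwarded to $ExternalAddress" `
                       -ReportType MessageTrace -RecipientAddress $ExternalAddress `
                       -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date)

# 3. When were the rules created? The unified audit log keeps New-InboxRule / Set-InboxRule
#    operations for the retention window; whether ClientIP is populated depends on the client,
#    so treat it as a check rather than a guarantee.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) `
                       -Operations New-InboxRule, Set-InboxRule -ResultSize 5000 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{ When = $d.CreationTime; Who = $d.UserId; Op = $d.Operation; ClientIP = $d.ClientIP }
    } | Sort-Object When | Format-Table -AutoSize
```

The point of ordering it this way is that step 1 tells you which mailboxes to scope, step 2 is the only source that proves what was delivered externally (the eDiscovery export in the post could not), and step 3 bounds the exposure window. If the rule predates the audit and trace retention windows, the earliest evidence you can get is the oldest message in the historical search report.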
Allan Winter commented
We have also experienced this scenario and agree with the comments above. Looking at some of the information available on the web about organisations discovering they have been compromised, investigations suggest that an organisation may not realise this for 150 days. The 90 day limit on eDiscovery then becomes a barrier to completing the investigation into when a forwarding rule was first active.