We had a situation recently where somebody clicked on a link which turned out to be malware and which sent hundreds of unsolicited emails to email addresses that had been stored in the cache memory in the TO field. I opened the mailbox but the original email that was the culprit had been deleted.

I would have liked a simple way to audit the activity on the mailbox leading up to and after the malware attack to work out exactly what had happened but found the process extremely difficult for a novice and long-winded. In the end after getting advice from the forums I gave up.

It would be good for Global Admins to be able to easily audit all of the actions that are carried out on a specific mailbox.