exchange header
Hello everyone!
-----------Forwarded Message------------
From:"Scott LAQUAGLIA" <IMCEAEX-O=COMPANY_OU=EXCHANGE+20ADMINISTRATIVE+20GROUP+20+28FYDIBOHF23SPDLT+29_CN=RECIPIENTS_CN=SCOTTLAQUAGLIA@investigation.com>
To: "PINO ABETE" <p.abete@googleaccount.ext> <>
I need to understand why CN=RECIPIENTS_CN points to SCOTTLAQUAGLIA@investigation.com
Some details:
- scott la quaglia is an authorized exchange user at scotlaquaglia@company.com
- investigation.com is an investigation company (scott la quaglia doesn't know them and doesn't even know about the address on their domain)
I'm doing this simulation for my academy and I have to prove the espionage from this header.
Maybe a forwarding rule in Exchange? (or in the Outlook mailbox?)
Maybe a fake user on the server?
thank you
October 17th, 2011 7:55am
Hello,
Where did you get the information, from the Message Header or by some other way?
Is this “CN=RECIPIENTS_CN points to SCOTTLAQUAGLIA@investigation.com” included in all the emails Scott LAQUAGLIA sends?
Is there any related information in the Message Header?
Please help me collect more information so that I can try to help you more efficiently.
Thanks,
Evan
October 19th, 2011 6:17am
Well,
The simple answer is that it doesn't. You see, Exchange was unable to look up the sender in your directory (one SCOTTLAQUAGLIA@investigation.com), so it has IMCEA encapsulated the address. The message is going to p.abete@googleaccount.ext, which looks like it's probably a contact in your directory. It could be an alternate recipient on a mailbox (in this case the alternate recipient would be p.abete@googleaccount.ext). In that case, you should see some message redirect or resolve events in the message tracking logs. It could be a from line from an authorized user, or someone may have found a way to relay through you, or someone just faked the reply-to so it looks like it's coming from your Scott when it is really coming from external. Nefarious nonetheless. Now if p.abete@googleaccount.ext replies to that email, then the Scott in your org won't get the reply; Scott over at investigation.com will.

Where did this fragment come from? Do you have the message itself? You might try converting it to EML format, then examining the entire RFC 822 format text message to see what's there to be seen. I usually just find the easiest way to start the troubleshooting process is to forward the problem message to my Windows Live Mail account. From there, open the message. Click File - Save. This will save the file as a .EML file. You can then open it with Notepad...
J
October 19th, 2011 7:00am
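The IMCEA-encapsulated sender that the thread is about can be decoded to show what the header actually carries: an X.500 legacyExchangeDN wrapped in an SMTP address, with the routing domain appended by whichever server failed to resolve it. The following is an added example for triaging such headers; it is not code from the thread or from Exchange. It assumes the documented IMCEA encoding rules (the address type follows the `IMCEA` prefix, `_` stands for `/`, and other non-alphanumeric characters are written as `+XX` hex), and the sample header is the one quoted in the first post; the `expected_domains` set is a constructed placeholder for the organisation's own SMTP domains.

```python
"""Decode an IMCEA-encapsulated address from a From: header and flag a
domain mismatch. Added example; assumes Microsoft's documented IMCEA
encapsulation rules (not the thread's or Exchange's own code)."""
import re

# Constructed from the header quoted in the first post of the thread.
SAMPLE_FROM_HEADER = (
    '"Scott LAQUAGLIA" <IMCEAEX-O=COMPANY_OU=EXCHANGE+20ADMINISTRATIVE'
    "+20GROUP+20+28FYDIBOHF23SPDLT+29_CN=RECIPIENTS_CN=SCOTTLAQUAGLIA"
    "@investigation.com>"
)

# IMCEA<type>-<encoded legacy address>@<routing domain>
IMCEA_RE = re.compile(r"^IMCEA([A-Z0-9]+)-(.+)@([^@]+)$", re.IGNORECASE)


def extract_address(header_value):
    """Return the addr-spec inside <...>, or the bare value if no brackets."""
    m = re.search(r"<([^>]+)>", header_value)
    return m.group(1).strip() if m else header_value.strip()


def decode_imcea(address):
    """Decode an IMCEA address into its type, legacy DN and routing domain.

    Returns None when the address is not IMCEA-encapsulated.
    """
    m = IMCEA_RE.match(address.strip())
    if not m:
        return None
    addr_type, encoded, domain = m.groups()
    # "_" encodes "/" and must be restored BEFORE hex-unescaping, otherwise a
    # literal underscore written as "+5F" would wrongly become a separator.
    decoded = encoded.replace("_", "/")
    decoded = re.sub(r"\+([0-9A-Fa-f]{2})",
                     lambda h: chr(int(h.group(1), 16)), decoded)
    components = [c for c in decoded.split("/") if c]
    return {
        "type": addr_type.upper(),   # "EX" = X.500 (legacyExchangeDN)
        "address": decoded,
        "components": components,
        "domain": domain,
    }


def triage_sender(header_value, expected_domains):
    """Summarise what the encapsulated sender reveals for an analyst.

    A decoded EX address whose routing domain is not one of the org's own
    domains means a server outside the org (or a misconfigured hop) stamped
    the address; the DN itself names the org's recipient container.
    """
    info = decode_imcea(extract_address(header_value))
    if info is None:
        return {"encapsulated": False, "domain_mismatch": False}
    return {
        "encapsulated": True,
        "type": info["type"],
        "org": next((c for c in info["components"] if c.startswith("O=")), None),
        "recipient": info["components"][-1] if info["components"] else None,
        "routing_domain": info["domain"],
        "domain_mismatch": info["domain"].lower() not in
                           {d.lower() for d in expected_domains},
    }


if __name__ == "__main__":
    # "company.com" is the org domain named in the first post.
    result = triage_sender(SAMPLE_FROM_HEADER, {"company.com"})
    for key, value in result.items():
        print(f"{key}: {value}")
```

The useful observation for the case in the thread is that the decoded DN refers to the `O=COMPANY` directory while the routing domain is `investigation.com`: the DN points inside the organisation, the appended domain does not, so the next step is the message tracking log and the full RFC 822 headers, as the reply suggests.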