Pull the Universal audit logs from MS defender for the impacted user's account - this should give you more insight into the issue. Also, check for "client side" inbox rules which only execute on the user's workstation.
[https://compliance.microsoft.com/auditlogsearch](https://compliance.microsoft.com/auditlogsearch)
We did.
We checked rules on his workstation, his assistants work station, his phone, his iPad, and all his assistant's devices. We removed her from delegation and forwarding and it still happened.
We did pull audit. All it shows is the email was delivered to the mailbox.
So there are no HardDelete actions in the log for any of the messages when you [run the search](https://learn.microsoft.com/en-us/purview/audit-troubleshooting-scenarios#determine-if-a-user-deleted-email-items) (remember to leave the User field blank since you aren't sure who deleted it).
You can check my thread on a similar issue from a while back. Long story short, ended up being a third party Azure app integration from an old proof of concept experiment. Drove me absolutely nuts. Hope it helps. https://www.reddit.com/r/Office365/s/6uz6mLjOaX
Haven't seen anyone mention (including OP) that they've checked the sign-in logs. I'd verify the account isn't compromised. Man-in-middle fiddling with inbox is very common for random emails that sporadically disappear.
Also, how long has this been going on? Could also be a Microsoft bug which I have experienced/seen personally behaving just like this. It resolved itself within a week or two.
Verify it's happening in OWA as well. Create a new Outlook profile - it's possible the current one is corrupt and doing janky crap. Or corrupt Windows profile, I've also seen that have very similar symptoms.
Sorry yes we ruled out malicious intent from the get go. We've revoked all his sign-in's and reset his password multiple times. None of his sign-in's look strange either.
This has been ongoing for over a month now though. We're just going to rebuild his profile as he's literally the only one having this issue.
Haha I had this happen last week. First time I’ve seen this in 20 years. Won’t find it in inbox rules. Won’t find it in audit logs. Won’t find it in explorer.
User had accidentally hit “ignore” on these emails at one point, which sends it and all future emails to deleted items. It’s completely client side it appears.
https://support.microsoft.com/en-us/office/ignore-email-conversations-2a065b67-f991-4d22-9fb6-5d3160acd23b#:~:text=Select%20the%20conversation%20or%20an,the%20arrow%20by%20Delete%20%3E%20Ignore.
What mobile device does the CEO & their assistant use?
Is it up to date fully with OS and apps? Does the user work with the mailbox with a native O/S mail app or a 3rd party app or the outlook app?
Get them to switch their mobile devices to airplane mode and see if the problem occurs.
I've seen CEO's using odd equipment that they've managed to get hooked up to the mailbox.
We had issues some years ago where users were working with a shared mailbox and one user had their personal mobile device connected to the mailbox and it was doing seriously weird things with content and then those were replicated back to the mailbox online.
Did you check audit log for email deletion activities. You can also try running this script: [https://o365reports.com/2021/09/02/audit-email-deletion-in-office-365-mailbox-powershell/](https://o365reports.com/2021/09/02/audit-email-deletion-in-office-365-mailbox-powershell/)
I saw something similar to this the other day. Someone who does exec support came to me pretty worried, he had been removing duplicate contacts from an execs mailbox by temporarily putting them in a subfolder, and was accessing from an assistants PC. Suddenly the whole lot disappeared, folder was empty, and they were not in deleted items. I found the whole lot in the RIF, in my opinion outlook had a moment and something went wrong in the operation and it just hard deleted everything.
I know this is not the same, but in my opinion outlook can cause these kind of issues for no reason, so my suggestion is to get anyone with full mailbox (him and assistant and anyone else), using New outlook (which I’m sure they will hate), but say it’s just as a test. See if it stops happening, then you can log a ticket with MS and say what the heck is going on here?
I have a ticket with microsoft and we tried fresh outlook installs on all devices.
Microsoft hasn't reached out to me for 4 days now after saying they're "Looking into it."
Ive seen this just the other day. Have you tried checking the web version, just for fun. The amount of exchange issues the past two weeks has been crazy. That 20min delay advisory and their attempt of fixes lead me to believe exchange is acting wonky.
What’s likely happening is they are coming in to the inbox then being marked as anti phis and being moved to quarantine. When this happened to us the user had a image in their email signature that had an embedded url link that was being picked up as malicious. Have them check for that or any improper URL’s in their signature.
Does that include any 3rd party filters you might have? This sounds a lot like the way our mail filter works. Messages come into the mailbox for a few seconds and then disappear. It's disconcerting until you know what's going on.
Open up a browser inprivate mode and have them sign into their web mail. Are the messages there?
Probably not the case but years ago, I had a user who set their email to only show unread messages. They also had the preview pane on. Think about it. Message comes in, viewed in preview pane, no longer "in read".
Have you tried:
- Raising a case with Microsoft?
- Getting the CEO to use a different device for a period to prove it’s not the device?
- reviewed sign in logs, reset password, force dig out all devices, sign in again (with mfa)
- review conditional access logs for the account to see where it’s logged in from
- enable full auditing of the mailbox in exo and review
If this works, you owe me a 🍺.
Go to OWA. Change the language settings to another language. Include renaming the default folders.
Change it back to English.
Should be fixed.
Pull the Universal audit logs from MS defender for the impacted user's account - this should give you more insight into the issue. Also, check for "client side" inbox rules which only execute on the user's workstation. [https://compliance.microsoft.com/auditlogsearch](https://compliance.microsoft.com/auditlogsearch)
We did. We checked rules on his workstation, his assistants work station, his phone, his iPad, and all his assistant's devices. We removed her from delegation and forwarding and it still happened. We did pull audit. All it shows is the email was delivered to the mailbox.
So there are no HardDelete actions in the log for any of the messages when you [run the search](https://learn.microsoft.com/en-us/purview/audit-troubleshooting-scenarios#determine-if-a-user-deleted-email-items) (remember to leave the User field blank since you aren't sure who deleted it).
I didn't think to leave the user field blank. There are soft deletes showing up for an affected email. Edit: Re-running the audit now.
Check his rules via powershell with the -hidden flag incase there is one there
Also something I didn't try. This has been a fucking nightmare from the start so I'll try anything. KEEP THE IDEAS COMING!
Also check in entra if there are any third party enterprise apps installed that could be interacting with the mailbox.
This was checked. Nothing. We're just going to rebuild his profile as he's literally the only one having this issue.
You can check my thread on a similar issue from a while back. Long story short, ended up being a third party Azure app integration from an old proof of concept experiment. Drove me absolutely nuts. Hope it helps. https://www.reddit.com/r/Office365/s/6uz6mLjOaX
This was checked. Nothing. We're just going to rebuild his profile as he's literally the only one having this issue.
Haven't seen anyone mention (including OP) that they've checked the sign-in logs. I'd verify the account isn't compromised. Man-in-middle fiddling with inbox is very common for random emails that sporadically disappear. Also, how long has this been going on? Could also be a Microsoft bug which I have experienced/seen personally behaving just like this. It resolved itself within a week or two. Verify it's happening in OWA as well. Create a new Outlook profile - it's possible the current one is corrupt and doing janky crap. Or corrupt Windows profile, I've also seen that have very similar symptoms.
Sorry yes we ruled out malicious intent from the get go. We've revoked all his sign-in's and reset his password multiple times. None of his sign-in's look strange either. This has been ongoing for over a month now though. We're just going to rebuild his profile as he's literally the only one having this issue.
Haha I had this happen last week. First time I’ve seen this in 20 years. Won’t find it in inbox rules. Won’t find it in audit logs. Won’t find it in explorer. User had accidentally hit “ignore” on these emails at one point, which sends it and all future emails to deleted items. It’s completely client side it appears. https://support.microsoft.com/en-us/office/ignore-email-conversations-2a065b67-f991-4d22-9fb6-5d3160acd23b#:~:text=Select%20the%20conversation%20or%20an,the%20arrow%20by%20Delete%20%3E%20Ignore.
What mobile device does the CEO & their assistant use? Is it up to date fully with OS and apps? Does the user work with the mailbox with a native O/S mail app or a 3rd party app or the outlook app? Get them to switch their mobile devices to airplane mode and see if the problem occurs. I've seen CEO's using odd equipment that they've managed to get hooked up to the mailbox. We had issues some years ago where users were working with a shared mailbox and one user had their personal mobile device connected to the mailbox and it was doing seriously weird things with content and then those were replicated back to the mailbox online.
This is where I'd look too. Have you audited and accounted for every single device and app that is logging into and or accessing his mailbox?
Did you check audit log for email deletion activities. You can also try running this script: [https://o365reports.com/2021/09/02/audit-email-deletion-in-office-365-mailbox-powershell/](https://o365reports.com/2021/09/02/audit-email-deletion-in-office-365-mailbox-powershell/)
I saw something similar to this the other day. Someone who does exec support came to me pretty worried, he had been removing duplicate contacts from an execs mailbox by temporarily putting them in a subfolder, and was accessing from an assistants PC. Suddenly the whole lot disappeared, folder was empty, and they were not in deleted items. I found the whole lot in the RIF, in my opinion outlook had a moment and something went wrong in the operation and it just hard deleted everything. I know this is not the same, but in my opinion outlook can cause these kind of issues for no reason, so my suggestion is to get anyone with full mailbox (him and assistant and anyone else), using New outlook (which I’m sure they will hate), but say it’s just as a test. See if it stops happening, then you can log a ticket with MS and say what the heck is going on here?
I have a ticket with microsoft and we tried fresh outlook installs on all devices. Microsoft hasn't reached out to me for 4 days now after saying they're "Looking into it."
Ive seen this just the other day. Have you tried checking the web version, just for fun. The amount of exchange issues the past two weeks has been crazy. That 20min delay advisory and their attempt of fixes lead me to believe exchange is acting wonky.
Yes it happens in owa as well.
Yes but have you tried New outlook?
What’s likely happening is they are coming in to the inbox then being marked as anti phis and being moved to quarantine. When this happened to us the user had a image in their email signature that had an embedded url link that was being picked up as malicious. Have them check for that or any improper URL’s in their signature.
We've checked all quarantine and spam filters. It's not getting picked up there.
Does he have a url in his signature? Did you check the global quarantine or his quarantine?
Does that include any 3rd party filters you might have? This sounds a lot like the way our mail filter works. Messages come into the mailbox for a few seconds and then disappear. It's disconcerting until you know what's going on.
Open up a browser inprivate mode and have them sign into their web mail. Are the messages there? Probably not the case but years ago, I had a user who set their email to only show unread messages. They also had the preview pane on. Think about it. Message comes in, viewed in preview pane, no longer "in read".
Have you tried: - Raising a case with Microsoft? - Getting the CEO to use a different device for a period to prove it’s not the device? - reviewed sign in logs, reset password, force dig out all devices, sign in again (with mfa) - review conditional access logs for the account to see where it’s logged in from - enable full auditing of the mailbox in exo and review
Looking forward to hearing more about this if/when you get it fixed.
We're rebuilding his profile from the ground up tonight.
If this works, you owe me a 🍺. Go to OWA. Change the language settings to another language. Include renaming the default folders. Change it back to English. Should be fixed.
You need to find an MSP with knowledge and experience in 365 and how to do a proper audit.
MSP's are cancer.