How to Monitor Who Accessed a Shared Mailbox


Native Auditing vs. Netwrix Auditor for Exchange

Native Auditing
Steps
  1. Run the following command in Exchange Management Shell to enable mailbox auditing on the mailbox where you want to track non-owner access:

    Set-Mailbox -Identity "TestUser" -AuditEnabled $true

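  2. If you want to audit all user mailboxes, enter this:

    # -ResultSize Unlimited lifts the default cap of 1000 results returned by Get-Mailbox
    $UserMailboxes = Get-Mailbox -ResultSize Unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')}
    $UserMailboxes | ForEach-Object {Set-Mailbox $_.Identity -AuditEnabled $true}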

  3. To check which mailboxes have auditing enabled, run the following:

    Get-Mailbox | Format-List Name,AuditEnabled

  4. Run the following command to retrieve audit log entries:

    Search-MailboxAuditLog -Identity "TestUser" -LogonTypes Admin,Delegate  -ShowDetails -StartDate 1/1/2014 -EndDate 12/31/ 

  5. This command will help you send mailbox audit log entries to a specified email address:

    New-MailboxAuditLogSearch "smtp.server.name" -Mailboxes "TestUser","TestUser1" -LogonTypes Admin,Delegate -StartDate 1/1/2014 -EndDate 12/31/2014 -ShowDetails -StatusMailRecipients auditors@test.local

          Report Sample: 
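
The native steps above combined into one script scoped to shared mailboxes, as an added example that is not from the original page; the 30-day window, the result cap and the CSV path are assumptions. It selects mailboxes by RecipientTypeDetails SharedMailbox, because the 'UserMailbox' filter in step 2 does not match shared mailboxes.

```powershell
# Added example: run in Exchange Management Shell.
# Assumptions: 30-day review window, 10000-entry cap per mailbox, hypothetical CSV path.
$Days      = 30
$ReportCsv = "C:\Temp\SharedMailboxNonOwnerAccess.csv"
$Start     = (Get-Date).AddDays(-$Days)
$End       = Get-Date

# Shared mailboxes carry RecipientTypeDetails 'SharedMailbox', not 'UserMailbox'.
$Shared = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited

# Enable auditing where it is still off. -AuditDelegate replaces the mailbox's
# delegate action list, here with the actions behind deletion, moves and sending.
foreach ($mbx in $Shared) {
    if (-not $mbx.AuditEnabled) {
        Set-Mailbox -Identity $mbx.Identity -AuditEnabled $true `
            -AuditDelegate Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,SendAs,SendOnBehalf
    }
}

# Collect non-owner (Admin and Delegate) entries for every shared mailbox.
$Events = foreach ($mbx in $Shared) {
    Search-MailboxAuditLog -Identity $mbx.Identity -LogonTypes Admin,Delegate `
        -ShowDetails -StartDate $Start -EndDate $End -ResultSize 10000 |
        Select-Object @{n='Mailbox'; e={[string]$mbx.PrimarySmtpAddress}},
                      LastAccessed, LogonType, LogonUserDisplayName, Operation,
                      OperationResult, FolderPathName, ItemSubject, ClientIPAddress
}

# Full detail for the reviewer, oldest entry first.
$Events | Sort-Object LastAccessed |
    Export-Csv -Path $ReportCsv -NoTypeInformation -Encoding UTF8

# Quick summary: who did what in which shared mailbox, most frequent first.
$Events | Group-Object Mailbox, LogonUserDisplayName, Operation |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Mailboxes that had auditing switched on by this run only record activity from that point forward, so their first report will be empty.
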

Netwrix Auditor for Exchange
Steps
  1. Run Netwrix Auditor → Navigate to “Reports” → Exchange → select “All Exchange Server Non-Owner Mailbox Access Events” → Click “View”.
  2. To save the file, click the "Export" button → Select Excel format → Save as → Choose a location to save it. 

          Report Sample:

Regularly Review Shared Mailbox Access to Avoid Loss or Leakage of Business-Critical Data

Shared mailboxes are a great way for a specific group of people to perform certain tasks from a common account; at the same time, however, they introduce a high risk of security incidents. Non-owners with privileged rights can access shared mailboxes, and there’s always a chance that they might improperly handle email with sensitive information. Whether accidentally or maliciously, a message could be deleted, sent to a wrong recipient, or moved to another location, any of which may result in data loss or leaks. In order to avoid security incidents, it is highly recommended that users regularly monitor non-owner access to shared mailboxes.
