Shared mailboxes are an excellent way for a selected group of individuals to perform certain tasks from a common account; at the same time, however, they introduce a high risk of security incidents. Non-owners with privileged rights can access shared mailboxes, and there is always a chance that they could improperly handle email containing sensitive information. Whether accidentally or maliciously, a message might be deleted, sent to the wrong recipient, or moved to a different location, any of which can end in data loss or leaks. To avoid security incidents, it is highly recommended to regularly monitor non-owner access to shared mailboxes.

Native Auditing

1. Run the following command in Exchange Management Shell to enable mailbox auditing in the mailbox where you want to track non-owner access:

Set-Mailbox -Identity "TestUser" -AuditEnabled $true

2. If you want to audit all mailboxes, enter this:

$UserMailboxes = Get-Mailbox -Filter {(RecipientTypeDetails -eq 'UserMailbox')}
$UserMailboxes | ForEach-Object {Set-Mailbox $_.Identity -AuditEnabled $true}

3. To check which mailboxes have auditing enabled, run the following:

Get-Mailbox | FL Name,AuditEnabled

4. Run the following command to retrieve audit log entries:

Search-MailboxAuditLog -Identity "TestUser" -LogonTypes Admin,Delegate -ShowDetails -StartDate 1/1/2014 -EndDate 12/31/

5. This command will help you send mailbox audit log entries to a specified email address:

New-MailboxAuditLogSearch "smtp.server.name" -Mailboxes "TestUser","TestUser1" -LogonTypes Admin,Delegate -StartDate 1/1/2014 -EndDate 12/31/2014 -ShowDetails -StatusMailRecipients auditors@test.local
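
The entries returned in step 4 are easier to review once reduced to who did what in which mailbox. The following is an added example, not part of the original article: Get-NonOwnerActivity is a hypothetical helper name, the sample records are constructed, and the property names are assumed to match the fields that Search-MailboxAuditLog -ShowDetails returns.

```powershell
# Added example: summarize deletions, moves and sends performed by non-owners.
# Get-NonOwnerActivity is a hypothetical helper, not an Exchange cmdlet.
function Get-NonOwnerActivity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject]$Entry,
        # Operations that map to the risks described above: delete, move, send.
        [string[]]$Operations = @('HardDelete', 'SoftDelete', 'MoveToDeletedItems',
                                  'Move', 'SendAs', 'SendOnBehalf')
    )
    begin { $hits = New-Object System.Collections.ArrayList }
    process {
        # Keep only Admin/Delegate logons that performed a watched operation.
        if (($Entry.LogonType -in 'Admin', 'Delegate') -and
            ($Entry.Operation -in $Operations)) {
            [void]$hits.Add($Entry)
        }
    }
    end {
        # One row per mailbox/actor pair, busiest actors first.
        $hits | Group-Object MailboxResolvedOwnerName, LogonUserDisplayName |
            ForEach-Object {
                $last = $_.Group | Sort-Object LastAccessed | Select-Object -Last 1
                [pscustomobject]@{
                    Mailbox    = $last.MailboxResolvedOwnerName
                    Actor      = $last.LogonUserDisplayName
                    Events     = $_.Count
                    Operations = ($_.Group | Select-Object -ExpandProperty Operation |
                                  Sort-Object -Unique) -join ','
                    LastSeen   = $last.LastAccessed
                }
            } | Sort-Object Events -Descending
    }
}

# Constructed sample records standing in for audit log entries.
function New-SampleEntry($Actor, $Type, $Op, $When) {
    [pscustomobject]@{ MailboxResolvedOwnerName = 'TestUser'; LogonUserDisplayName = $Actor
                       LogonType = $Type; Operation = $Op; LastAccessed = [datetime]$When }
}
$sample = @(
    New-SampleEntry 'Delegate A' 'Delegate' 'HardDelete'   '2014-03-02T10:15:00'
    New-SampleEntry 'Delegate A' 'Delegate' 'SendAs'       '2014-03-02T10:20:00'
    New-SampleEntry 'Admin B'    'Admin'    'FolderBind'   '2014-03-05T08:00:00'
    New-SampleEntry 'Admin B'    'Admin'    'Move'         '2014-03-05T08:02:00'
    New-SampleEntry 'TestUser'   'Owner'    'SoftDelete'   '2014-03-06T09:00:00'
)
$sample | Get-NonOwnerActivity | Format-Table -AutoSize
```

Against a live mailbox, pipe the output of the Search-MailboxAuditLog command from step 4 into Get-NonOwnerActivity in place of $sample.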

Originally posted at: https://www.netwrix.com/how_to_monitor_who_accessed_shared_mailbox.html