We had a user's mailbox get compromised via webmail, and in our Administrative log we could basically see everything that user did with messages -- including sending the BEC emails, then deleting them, then deleting them from the deleted items folder. Granted, it's not the most complete - but it does show quite a bit.
Our administrative log is set to detailed --
[day-1]
12:26:51.437 [169.150.224.147] Webmail Attempting to login user: frank@targeted-domain.com
12:26:51.437 [169.150.224.147] Webmail Login successful: With user frank@targeted-domain.com
13:59:38.263 [102.129.153.89] User frank@targeted-domain.com calling send message, subject: FWD: Revised Wiring instructions
14:00:24.084 [102.129.153.89] User frank@targeted-domain.com calling delete messages, folder: sent items, owner: frank@targeted-domain.com, all: , count: 1
14:00:31.463 [102.129.153.89] User frank@targeted-domain.com calling delete messages, folder: sent items, owner: frank@targeted-domain.com, all: , count: 1
14:02:10.855 [102.129.153.89] User frank@targeted-domain.com calling move messages, owner: frank@targeted-domain.com, folder: deleted items, newOwner: frank@targeted-domain.com, new folder: sent items, count: 1
14:02:28.943 [102.129.153.89] User frank@targeted-domain.com calling delete messages, folder: deleted items, owner: frank@targeted-domain.com, all: , count: 1
14:17:36.329 [102.129.153.89] User frank@targeted-domain.com calling delete messages, folder: archive, owner: frank@targeted-domain.com, all: , count: 1
14:17:58.263 [102.129.153.89] User frank@targeted-domain.com calling delete messages, folder: deleted items, owner: frank@targeted-domain.com, all: , count: 1
14:19:07.234 [102.129.153.89] User frank@targeted-domain.com calling delete messages, folder: archive, owner: frank@targeted-domain.com, all: , count: 1
14:19:48.614 [102.129.153.89] User frank@targeted-domain.com calling delete messages, folder: archive, owner: frank@targeted-domain.com, all: , count: 1
14:22:53.258 [102.129.153.89] User frank@targeted-domain.com calling delete messages, folder: deleted items, owner: frank@targeted-domain.com, all: , count: 2
14:36:04.842 [102.129.153.89] User frank@targeted-domain.com calling patch message, owner: frank@targeted-domain.com, count: 1, folder: Junk E-Mail
[day-2]
14:35:54.083 [102.129.153.168] User frank@targeted-domain.com calling patch message, owner: frank@targeted-domain.com, count: 1, folder: junk e-mail
14:39:39.158 [102.129.153.168] User frank@targeted-domain.com calling patch message, owner: frank@targeted-domain.com, count: 1, folder: inbox
14:39:56.136 [102.129.153.168] User frank@targeted-domain.com calling patch message, owner: frank@targeted-domain.com, count: 1, folder: inbox
15:25:40.372 [102.129.153.168] User frank@targeted-domain.com calling patch message, owner: frank@targeted-domain.com, count: 1, folder: inbox
15:25:42.123 [102.129.153.168] User frank@targeted-domain.com calling patch message, owner: frank@targeted-domain.com, count: 1, folder: inbox
15:26:26.442 [102.129.153.168] User frank@targeted-domain.com calling patch message, owner: frank@targeted-domain.com, count: 1, folder: sent items
15:30:28.531 [102.129.153.168] User frank@targeted-domain.com calling send message, subject: RE: Fwd: Wiring instructions and vehicle info
15:44:08.680 [102.129.153.168] User frank@targeted-domain.com calling move messages, owner: frank@targeted-domain.com, folder: sent items, newOwner: frank@targeted-domain.com, new folder: archive\inbox (2015), count: 1
15:58:18.596 [102.129.153.168] User frank@targeted-domain.com calling delete messages, folder: archive\inbox (2015), owner: frank@targeted-domain.com, all: , count: 1
15:59:11.013 [102.129.153.168] User frank@targeted-domain.com calling delete messages, folder: deleted items, owner: frank@targeted-domain.com, all: , count: 1
17:43:43.141 [102.129.153.168] User frank@targeted-domain.com calling move messages, owner: frank@targeted-domain.com, folder: archive, newOwner: frank@targeted-domain.com, new folder: archive\inbox (2020), count: 1
19:11:02.883 [102.129.153.168] Webmail Attempting to login user: Carmen@targeted-domain.com
19:11:02.883 [102.129.153.168] Webmail Login successful: With user carmen@targeted-domain.com
20:00:50.103 [102.129.153.168] User carmen@targeted-domain.com calling patch message, owner: carmen@targeted-domain.com, count: 1, folder: inbox
20:01:00.483 [102.129.153.168] User carmen@targeted-domain.com calling patch message, owner: carmen@targeted-domain.com, count: 1, folder: inbox
22:34:11.118 [198.134.109.100] Webmail Login failed: Invalid username (wade. shows@targeted-domain.com) and password combination.
[day-3]
03:30:32.961 [50.78.214.57] Webmail Attempting to login user: wade.shows@targeted-domain.com
03:30:32.961 [50.78.214.57] Webmail Login successful: With user wade.shows@targeted-domain.com
03:36:21.735 [50.78.214.57] User wade.shows@targeted-domain.com logging out
03:37:10.883 [50.78.214.57] Webmail Attempting to login user: mike@targeted-domain.com
03:37:10.883 [50.78.214.57] Webmail Login successful: With user mike@targeted-domain.com
03:37:45.558 [50.78.214.57] User mike@targeted-domain.com calling set mail settings
03:39:52.212 [50.78.214.57] User mike@targeted-domain.com calling patch message, owner: mike@targeted-domain.com, count: 1, folder: drafts
03:40:18.615 [50.78.214.57] User mike@targeted-domain.com calling patch message, owner: mike@targeted-domain.com, count: 1, folder: inbox
03:40:24.149 [50.78.214.57] User mike@targeted-domain.com logging out
03:42:42.983 [50.78.214.57] Webmail Attempting to login user: marina@targeted-domain.com
03:42:42.983 [50.78.214.57] Webmail Login failed: Incorrect password for user [marina@targeted-domain.com]
03:42:42.983 [50.78.214.57] Webmail Login failed: Invalid username (marina@targeted-domain.com) and password combination.
04:02:12.137 [50.78.214.57] Webmail Attempting to login user: marina@targeted-domain.com
04:02:12.137 [50.78.214.57] Webmail Login failed: Incorrect password for user [marina@targeted-domain.com]
04:02:12.137 [50.78.214.57] Webmail Login failed: Invalid username (marina@targeted-domain.com) and password combination.
04:02:16.951 [50.78.214.57] Webmail Attempting to login user: marina@targeted-domain.com
04:02:16.951 [50.78.214.57] Webmail Login failed: Incorrect password for user [marina@targeted-domain.com]
04:02:16.951 [50.78.214.57] Webmail Login failed: Invalid username (marina@targeted-domain.com) and password combination.
04:02:34.209 [50.78.214.57] Webmail Attempting to login user: melissa@targeted-domain.com
04:02:34.209 [50.78.214.57] Webmail Login failed: Incorrect password for user [melissa@targeted-domain.com]
04:02:34.209 [50.78.214.57] Webmail Login failed: Invalid username (melissa@targeted-domain.com) and password combination.
04:02:53.609 [50.78.214.57] Webmail Attempting to login user: michelle@targeted-domain.com
04:02:53.609 [50.78.214.57] Webmail Login successful: With user michelle@targeted-domain.com
04:03:12.823 [50.78.214.57] User michelle@targeted-domain.com calling patch message, owner: michelle@targeted-domain.com, count: 1, folder: inbox
04:04:11.982 [50.78.214.57] User michelle@targeted-domain.com logging out
04:04:41.609 [50.78.214.57] Webmail Attempting to login user: todd@targeted-domain.com
04:04:41.609 [50.78.214.57] Webmail Login successful: With user todd@targeted-domain.com
04:55:53.201 [185.197.192.19] User todd@targeted-domain.com calling patch message, owner: todd@targeted-domain.com, count: 1, folder: drafts
05:14:17.788 [185.197.192.19] User todd@targeted-domain.com calling patch message, owner: todd@targeted-domain.com, count: 1, folder: inbox
05:25:07.275 [185.197.192.19] User todd@targeted-domain.com calling patch message, owner: todd@targeted-domain.com, count: 1, folder: inbox
05:25:27.284 [185.197.192.19] User todd@targeted-domain.com calling patch message, owner: todd@targeted-domain.com, count: 1, folder: inbox
05:26:50.200 [185.197.192.19] User todd@targeted-domain.com calling patch message, owner: todd@targeted-domain.com, count: 1, folder: inbox
05:27:22.778 [185.197.192.19] User todd@targeted-domain.com calling patch message, owner: todd@targeted-domain.com, count: 1, folder: inbox
05:39:01.331 [185.197.192.19] User todd@targeted-domain.com calling patch message, owner: todd@targeted-domain.com, count: 1, folder: inbox
05:39:19.966 [185.197.192.19] User todd@targeted-domain.com calling patch message, owner: todd@targeted-domain.com, count: 1, folder: inbox
05:45:09.907 [185.197.192.19] User todd@targeted-domain.com calling patch message, owner: todd@targeted-domain.com, count: 1, folder: inbox
05:45:54.165 [185.197.192.19] User todd@targeted-domain.com calling patch message, owner: todd@targeted-domain.com, count: 1, folder: inbox
05:45:57.573 [185.197.192.19] User todd@targeted-domain.com calling patch message, owner: todd@targeted-domain.com, count: 1, folder: inbox
05:46:04.467 [185.197.192.19] User todd@targeted-domain.com calling patch message, owner: todd@targeted-domain.com, count: 1, folder: inbox
05:56:06.122 [185.197.192.19] User todd@targeted-domain.com calling patch message, owner: todd@targeted-domain.com, count: 1, folder: drafts
05:56:48.047 [185.197.192.19] User todd@targeted-domain.com calling patch message, owner: todd@targeted-domain.com, count: 1, folder: junk e-mail
05:56:50.627 [185.197.192.19] User todd@targeted-domain.com logging out
05:57:27.854 [185.197.192.19] Webmail Attempting to login user: melissa@targeted-domain.com
05:57:27.854 [185.197.192.19] Webmail Login failed: Incorrect password for user [melissa@targeted-domain.com]
05:57:27.854 [185.197.192.19] Webmail Login failed: Invalid username (melissa@targeted-domain.com) and password combination.
06:07:23.786 [185.197.192.19] Webmail Attempting to login user: todd@targeted-domain.com
06:07:23.786 [185.197.192.19] Webmail Login successful: With user todd@targeted-domain.com
06:10:50.556 [185.197.192.19] Webmail Attempting to login user: todd@targeted-domain.com
06:10:50.556 [185.197.192.19] Webmail Login successful: With user todd@targeted-domain.com
06:15:29.338 [185.197.192.19] User todd@targeted-domain.com calling move messages, owner: todd@targeted-domain.com, folder: inbox, newOwner: todd@targeted-domain.com, new folder: archive\inbox - 2019, count: 1
06:18:50.798 [185.197.192.19] Webmail Attempting to login user: todd@targeted-domain.com
06:18:50.798 [185.197.192.19] Webmail Login successful: With user todd@targeted-domain.com
06:32:33.983 [86.38.32.254] User todd@targeted-domain.com calling patch message, owner: todd@targeted-domain.com, count: 1, folder: inbox
06:32:53.633 [86.38.32.254] User todd@targeted-domain.com calling patch message, owner: todd@targeted-domain.com, count: 1, folder: inbox
06:33:05.607 [86.38.32.254] User todd@targeted-domain.com calling patch message, owner: todd@targeted-domain.com, count: 1, folder: inbox
06:33:07.295 [86.38.32.254] User todd@targeted-domain.com calling patch message, owner: todd@targeted-domain.com, count: 1, folder: inbox
06:33:15.753 [86.38.32.254] User todd@targeted-domain.com calling move messages, owner: todd@targeted-domain.com, folder: inbox, newOwner: todd@targeted-domain.com, new folder: archive\inbox - 2019, count: 1
06:36:34.126 [86.38.32.254] User todd@targeted-domain.com calling delete messages, folder: archive\inbox - 2019, owner: todd@targeted-domain.com, all: , count: 2
06:36:47.758 [86.38.32.254] User todd@targeted-domain.com calling delete messages, folder: deleted items, owner: todd@targeted-domain.com, all: , count: 2
07:00:13.346 [86.38.32.254] User frank@targeted-domain.com calling delete messages, folder: archive\inbox (2020), owner: frank@targeted-domain.com, all: , count: 1
07:00:33.215 [86.38.32.254] User frank@targeted-domain.com calling delete messages, folder: deleted items, owner: frank@targeted-domain.com, all: , count: 1
07:05:07.201 [86.38.32.254] User frank@targeted-domain.com calling delete messages, folder: archive, owner: frank@targeted-domain.com, all: , count: 1
07:05:19.535 [86.38.32.254] User frank@targeted-domain.com calling delete messages, folder: deleted items, owner: frank@targeted-domain.com, all: , count: 1
07:17:07.328 [86.38.32.254] Webmail Attempting to login user: alex@targeted-domain.com
07:17:07.328 [86.38.32.254] Webmail Login successful: With user alex@targeted-domain.com
07:18:07.280 [86.38.32.254] Autodiscover NtlmAuthenticate Login failed: Authenticate parse failed for <frank@targeted-domain.com>.
07:20:49.493 [86.38.32.254] User alex@targeted-domain.com logging out
07:27:01.525 [86.38.32.254] User frank@targeted-domain.com calling patch message, owner: frank@targeted-domain.com, count: 1, folder: inbox
07:27:35.995 [86.38.32.254] User frank@targeted-domain.com calling patch message, owner: frank@targeted-domain.com, count: 1, folder: inbox
07:28:13.825 [86.38.32.254] Webmail Attempting to login user: gary@targeted-domain.com
07:28:13.825 [86.38.32.254] Webmail Login successful: With user gary@targeted-domain.com
07:28:48.075 [86.38.32.254] User gary@targeted-domain.com logging out
07:29:06.897 [86.38.32.254] Webmail Attempting to login user: gene@targeted-domain.com
07:29:06.897 [86.38.32.254] Webmail Login failed: Incorrect password for user [gene@targeted-domain.com]
07:29:06.897 [86.38.32.254] Webmail Login failed: Invalid username (gene@targeted-domain.com) and password combination.
07:29:11.120 [86.38.32.254] Webmail Attempting to login user: gene@targeted-domain.com
07:29:11.120 [86.38.32.254] Webmail Login failed: Incorrect password for user [gene@targeted-domain.com]
07:29:11.120 [86.38.32.254] Webmail Login failed: Invalid username (gene@targeted-domain.com) and password combination.
07:29:37.993 [86.38.32.254] Webmail Attempting to login user: gene@targeted-domain.com
07:29:37.993 [86.38.32.254] Webmail Login successful: With user gene@targeted-domain.com
07:29:45.685 [86.38.32.254] User gene@targeted-domain.com calling set mail settings
07:29:46.325 [86.38.32.254] User gene@targeted-domain.com calling set mail settings
07:33:41.268 [86.38.32.254] User gene@targeted-domain.com logging out
07:34:38.241 [86.38.32.254] Webmail Attempting to login user: jay@targeted-domain.com
07:34:38.241 [86.38.32.254] Webmail Login successful: With user jay@targeted-domain.com
07:34:44.682 [86.38.32.254] User jay@targeted-domain.com calling set mail settings
07:35:06.067 [86.38.32.254] User jay@targeted-domain.com calling patch message, owner: jay@targeted-domain.com, count: 1, folder: inbox
07:35:20.246 [86.38.32.254] User jay@targeted-domain.com calling patch message, owner: jay@targeted-domain.com, count: 1, folder: inbox
07:35:22.873 [86.38.32.254] User jay@targeted-domain.com calling patch message, owner: jay@targeted-domain.com, count: 1, folder: inbox
07:35:26.062 [86.38.32.254] User jay@targeted-domain.com calling patch message, owner: jay@targeted-domain.com, count: 1, folder: inbox
07:35:35.755 [86.38.32.254] User jay@targeted-domain.com calling patch message, owner: jay@targeted-domain.com, count: 1, folder: inbox
07:35:36.396 [86.38.32.254] User jay@targeted-domain.com calling patch message, owner: jay@targeted-domain.com, count: 1, folder: inbox
07:35:44.635 [86.38.32.254] User jay@targeted-domain.com calling patch message, owner: jay@targeted-domain.com, count: 1, folder: inbox
07:35:55.906 [86.38.32.254] User jay@targeted-domain.com calling patch message, owner: jay@targeted-domain.com, count: 1, folder: archive\inbox - 2022
07:36:10.054 [86.38.32.254] User jay@targeted-domain.com calling patch message, owner: jay@targeted-domain.com, count: 1, folder: archive\inbox - 2022
07:36:15.181 [86.38.32.254] User jay@targeted-domain.com calling patch message, owner: jay@targeted-domain.com, count: 1, folder: archive\inbox - 2022
07:36:17.167 [86.38.32.254] User jay@targeted-domain.com calling patch message, owner: jay@targeted-domain.com, count: 1, folder: archive\inbox - 2022
07:36:25.640 [86.38.32.254] User jay@targeted-domain.com calling patch message, owner: jay@targeted-domain.com, count: 1, folder: archive\inbox - 2022
07:36:29.908 [86.38.32.254] User jay@targeted-domain.com calling patch message, owner: jay@targeted-domain.com, count: 1, folder: archive\inbox - 2022
07:36:32.566 [86.38.32.254] User jay@targeted-domain.com calling patch message, owner: jay@targeted-domain.com, count: 1, folder: archive\inbox - 2022
07:37:03.407 [86.38.32.254] User jay@targeted-domain.com calling patch message, owner: jay@targeted-domain.com, count: 1, folder: archive\inbox - 2021 and 2020
07:37:58.481 [86.38.32.254] User jay@targeted-domain.com logging out
07:38:23.353 [86.38.32.254] Webmail Attempting to login user: jimmy@targeted-domain.com
07:38:23.353 [86.38.32.254] Webmail Login successful: With user jimmy@targeted-domain.com
07:39:05.781 [86.38.32.254] User jimmy@targeted-domain.com calling patch message, owner: jimmy@targeted-domain.com, count: 1, folder: inbox
07:39:09.266 [86.38.32.254] User jimmy@targeted-domain.com calling patch message, owner: jimmy@targeted-domain.com, count: 1, folder: inbox
07:39:11.048 [86.38.32.254] User jimmy@targeted-domain.com calling patch message, owner: jimmy@targeted-domain.com, count: 1, folder: inbox
07:39:11.579 [86.38.32.254] User jimmy@targeted-domain.com calling patch message, owner: jimmy@targeted-domain.com, count: 1, folder: inbox
07:39:19.662 [86.38.32.254] User jimmy@targeted-domain.com calling patch message, owner: jimmy@targeted-domain.com, count: 1, folder: inbox
07:40:32.855 [86.38.32.254] User jimmy@targeted-domain.com logging out
07:41:32.901 [86.38.32.254] Webmail Attempting to login user: joanna@targeted-domain.com
07:41:32.901 [86.38.32.254] Webmail Login successful: With user joanna@targeted-domain.com
07:41:41.952 [86.38.32.254] User joanna@targeted-domain.com calling patch message, owner: joanna@targeted-domain.com, count: 1, folder: inbox
07:42:08.416 [86.38.32.254] User joanna@targeted-domain.com calling patch message, owner: joanna@targeted-domain.com, count: 1, folder: inbox
07:42:11.527 [86.38.32.254] User joanna@targeted-domain.com calling patch message, owner: joanna@targeted-domain.com, count: 1, folder: inbox
07:42:16.889 [86.38.32.254] User joanna@targeted-domain.com calling patch message, owner: joanna@targeted-domain.com, count: 1, folder: inbox
07:43:39.679 [86.38.32.254] User joanna@targeted-domain.com logging out
07:44:12.542 [86.38.32.254] Webmail Attempting to login user: johan@targeted-domain.com
07:44:12.542 [86.38.32.254] Webmail Login failed: Incorrect password for user [johan@targeted-domain.com]
07:44:12.542 [86.38.32.254] Webmail Login failed: Invalid username (johan@targeted-domain.com) and password combination.
07:44:43.795 [86.38.32.254] Webmail Attempting to login user: johan@targeted-domain.com
07:44:43.795 [86.38.32.254] Webmail Login failed: Incorrect password for user [johan@targeted-domain.com]
07:44:43.795 [86.38.32.254] Webmail Login failed: Invalid username (johan@targeted-domain.com) and password combination.
07:47:52.450 [86.38.32.254] User frank@targeted-domain.com logging out
07:53:41.194 [185.243.57.228] Webmail Attempting to login user: stephanie@targeted-domain.com
07:53:41.194 [185.243.57.228] Webmail Login failed: Incorrect password for user [stephanie@targeted-domain.com]
07:53:41.194 [185.243.57.228] Webmail Login failed: Invalid username (stephanie@targeted-domain.com) and password combination.
08:29:18.535 [185.243.57.228] Webmail Attempting to login user: shop@targeted-domain.com
08:29:18.535 [185.243.57.228] Webmail Login successful: With user shop@targeted-domain.com
08:29:27.446 [185.243.57.228] User shop@targeted-domain.com calling set mail settings
08:29:34.919 [185.243.57.228] User shop@targeted-domain.com calling patch message, owner: shop@targeted-domain.com, count: 1, folder: inbox
08:29:44.237 [185.243.57.228] User shop@targeted-domain.com calling patch message, owner: shop@targeted-domain.com, count: 1, folder: inbox
08:29:45.081 [185.243.57.228] User shop@targeted-domain.com calling patch message, owner: shop@targeted-domain.com, count: 1, folder: inbox
08:30:05.482 [185.243.57.228] User shop@targeted-domain.com calling patch message, owner: shop@targeted-domain.com, count: 1, folder: inbox
08:31:01.495 [185.243.57.228] User shop@targeted-domain.com calling patch message, owner: shop@targeted-domain.com, count: 1, folder: archive\inbox - 2022
08:31:12.860 [185.243.57.228] User shop@targeted-domain.com logging out
08:31:30.212 [185.243.57.228] Webmail Attempting to login user: ron@targeted-domain.com
08:31:30.212 [185.243.57.228] Webmail Login successful: With user ron@targeted-domain.com
08:33:11.323 [185.243.57.228] User ron@targeted-domain.com logging out
08:33:30.472 [185.243.57.228] Webmail Attempting to login user: red@targeted-domain.com
08:33:30.472 [185.243.57.228] Webmail Login failed: Incorrect password for user [red@targeted-domain.com]
08:33:30.472 [185.243.57.228] Webmail Login failed: Invalid username (red@targeted-domain.com) and password combination.
08:33:40.133 [185.243.57.228] Webmail Attempting to login user: red@targeted-domain.com
08:33:40.133 [185.243.57.228] Webmail Login successful: With user red@targeted-domain.com
08:33:42.682 [185.243.57.228] User red@targeted-domain.com calling set mail settings
08:36:08.606 [185.243.57.228] User red@targeted-domain.com logging out
08:36:31.226 [185.243.57.228] Webmail Attempting to login user: peggy@targeted-domain.com
08:36:31.226 [185.243.57.228] Webmail Login successful: With user peggy@targeted-domain.com
08:38:34.178 [185.243.57.228] User peggy@targeted-domain.com logging out
08:39:19.639 [185.243.57.228] Webmail Attempting to login user: michelle@targeted-domain.com
08:39:19.639 [185.243.57.228] Webmail Login successful: With user michelle@targeted-domain.com
08:43:21.496 [185.243.57.228] Webmail Attempting to login user: frank@targeted-domain.com
08:43:21.496 [185.243.57.228] Webmail Login successful: With user frank@targeted-domain.com
08:44:23.144 [185.243.57.228] User frank@targeted-domain.com calling delete messages, folder: archive, owner: frank@targeted-domain.com, all: , count: 1
08:55:37.161 [185.243.57.228] User michelle@targeted-domain.com logging out
08:55:55.482 [185.243.57.228] Webmail Attempting to login user: melissa@targeted-domain.com
08:55:55.482 [185.243.57.228] Webmail Login failed: Incorrect password for user [melissa@targeted-domain.com]
08:55:55.482 [185.243.57.228] Webmail Login failed: Invalid username (melissa@targeted-domain.com) and password combination.
08:56:03.564 [185.243.57.228] Webmail Attempting to login user: melissa@targeted-domain.com
08:56:03.564 [185.243.57.228] Webmail Login failed: Incorrect password for user [melissa@targeted-domain.com]
08:56:03.564 [185.243.57.228] Webmail Login failed: Invalid username (melissa@targeted-domain.com) and password combination.
08:56:18.869 [185.243.57.228] Webmail Attempting to login user: melissa@targeted-domain.com
08:56:18.869 [185.243.57.228] Webmail Login failed: Incorrect password for user [melissa@targeted-domain.com]
08:56:18.869 [185.243.57.228] Webmail Login failed: Invalid username (melissa@targeted-domain.com) and password combination.
08:56:57.138 [69.67.150.205] Webmail Attempting to login user: marina@targeted-domain.com
08:56:57.138 [69.67.150.205] Webmail Login failed: Incorrect password for user [marina@targeted-domain.com]
08:56:57.138 [69.67.150.205] Webmail Login failed: Invalid username (marina@targeted-domain.com) and password combination.
08:57:16.897 [69.67.150.205] Webmail Attempting to login user: marina@targeted-domain.com
08:57:16.897 [69.67.150.205] Webmail Login failed: Incorrect password for user [marina@targeted-domain.com]
08:57:16.897 [69.67.150.205] Webmail Login failed: Invalid username (marina@targeted-domain.com) and password combination.
08:58:24.477 [69.67.150.205] Webmail Attempting to login user: todd@targeted-domain.com
08:58:24.477 [69.67.150.205] Webmail Login successful: With user todd@targeted-domain.com
08:58:55.022 [69.67.150.205] Webmail Attempting to login user: marina@targeted-domain.com
08:58:55.022 [69.67.150.205] Webmail Login failed: Incorrect password for user [marina@targeted-domain.com]
08:58:55.022 [69.67.150.205] Webmail Login failed: Invalid username (marina@targeted-domain.com) and password combination.
08:58:59.276 [69.67.150.205] Webmail Attempting to login user: marina@targeted-domain.com
08:58:59.276 [69.67.150.205] Webmail Login failed: Incorrect password for user [marina@targeted-domain.com]
08:58:59.276 [69.67.150.205] Webmail Login failed: Invalid username (marina@targeted-domain.com) and password combination.
09:00:12.547 [69.67.150.205] User todd@targeted-domain.com calling move messages, owner: todd@targeted-domain.com, folder: inbox, newOwner: todd@targeted-domain.com, new folder: archive\inbox - 2019, count: 1
09:09:24.295 [69.67.150.205] User todd@targeted-domain.com calling get user app passwords for email , setupGuid: false isImpersonating: False
09:10:47.677 [69.67.150.205] User todd@targeted-domain.com calling patch message, owner: todd@targeted-domain.com, count: 2, folder: inbox
09:18:30.394 [69.67.150.205] User todd@targeted-domain.com calling patch message, owner: todd@targeted-domain.com, count: 1, folder: inbox
09:18:47.559 [69.67.150.205] User todd@targeted-domain.com calling patch message, owner: todd@targeted-domain.com, count: 1, folder: inbox
09:24:05.462 [69.67.150.205] User todd@targeted-domain.com logging out
09:24:48.911 [69.67.150.205] Webmail Attempting to login user: April@targeted-domain.com
09:24:48.911 [69.67.150.205] Webmail Login failed: Incorrect password for user [april@targeted-domain.com]
09:24:48.911 [69.67.150.205] Webmail Login failed: Invalid username (April@targeted-domain.com) and password combination.
09:27:20.879 [67.219.147.12] Webmail Attempting to login user: todd@targeted-domain.com
09:27:20.879 [67.219.147.12] Webmail Login successful: With user todd@targeted-domain.com
10:57:53.955 [67.219.147.12] User todd@targeted-domain.com calling patch message, owner: todd@targeted-domain.com, count: 1, folder: inbox
10:58:04.679 [67.219.147.12] User todd@targeted-domain.com calling patch message, owner: todd@targeted-domain.com, count: 1, folder: inbox
10:58:23.501 [67.219.147.12] User todd@targeted-domain.com calling patch message, owner: todd@targeted-domain.com, count: 1, folder: inbox
10:58:43.885 [67.219.147.12] User todd@targeted-domain.com calling patch message, owner: todd@targeted-domain.com, count: 3, folder: inbox
11:03:48.462 [67.219.147.12] User frank@targeted-domain.com calling patch message, owner: frank@targeted-domain.com, count: 1, folder: archive
11:03:49.837 [67.219.147.12] User frank@targeted-domain.com calling move messages, owner: frank@targeted-domain.com, folder: archive, newOwner: frank@targeted-domain.com, new folder: inbox, count: 1
11:18:31.633 [67.219.147.12] User frank@targeted-domain.com calling patch message, owner: frank@targeted-domain.com, count: 1, folder: inbox
11:18:36.792 [67.219.147.12] User frank@targeted-domain.com calling patch message, owner: frank@targeted-domain.com, count: 1, folder: inbox
16:14:32.276 [74.95.13.185] SMTP Attempting to login user: jay@targeted-domain.com
16:14:32.276 [74.95.13.185] SMTP Login failed: Incorrect password for user [jay@targeted-domain.com]
16:14:32.276 [74.95.13.185] SMTP Login failed: Invalid username (jay@targeted-domain.com) and password combination.
17:14:09.528 [50.78.214.57] Webmail Attempting to login user: frank@targeted-domain.com
17:14:09.528 [50.78.214.57] Webmail Login successful: With user frank@targeted-domain.com
--> ADMINISTRATOR LOGIN FOR DOMAIN <-- THIS IS AN AUTHORIZED LOGIN TO RESET PASSWORDS
17:20:32.092 [172.11.79.203] User [xxxxx-admin] as targeted-domain-admin@targeted-domain.com calling protocol usage and limits info
17:20:33.561 Attempt to show password for account: todd@targeted-domain.com made by: targeted-domain-admin@targeted-domain.com. Impersonating: False, Result: True
17:50:08.583 [172.11.79.203] User [xxxxx-admin] calling impersonate user, email: frank@targeted-domain.com, isImpersonating: False, adminId: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
17:51:49.460 [172.11.79.203] User [xxxxx-admin] as frank@targeted-domain.com calling patch message, owner: frank@targeted-domain.com, count: 1, folder: junk e-mail
17:51:54.790 [172.11.79.203] User [xxxxx-admin] as frank@targeted-domain.com calling Trust Senders, owner: frank@targeted-domain.com, count: 1, folder: junk e-mail
17:52:56.100 [172.11.79.203] User [xxxxx-admin] as frank@targeted-domain.com calling edit folder, folder: archive, new folder: Archive Folder, parent folder: , new parent:
--> END ADMINISTRATOR LOGIN FOR DOMAIN <-- THIS IS AN AUTHORIZED LOGIN TO RESET PASSWORDS
Another time, we had a user delete their entire inbox via webmail but we were able to show that the IP that called the delete command was the same IP the user connected via for over a month with normal activity.
Having said all this, there really should be a separate webmail log in the system just like the other "protocols" and "modules" have rather than having to grep out the data from the admin log.
Another "concept" would be to be able to turn on an "audit log" for a particular user or domain that would just be a literal "verbose activity log", regardless of protocol - able to be dumped into one file for that domain or user. Have the ability to automatically turn it off after a set period, even for those who forget.
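Added example, not part of the original post and not the mail server's own tooling: a small parser for the administrative-log layout shown above that reports IPs authenticating against several accounts and sent messages whose copies are deleted from sent items or deleted items shortly afterwards. The function names, thresholds, and the treatment of `[day-N]` lines as day separators are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict
from datetime import timedelta

# Constructed sample in the layout of the excerpt above (documentation IPs, example.com users).
SAMPLE_LOG = """\
[day-1]
09:00:01.100 [203.0.113.10] Webmail Attempting to login user: alice@example.com
09:00:01.100 [203.0.113.10] Webmail Login successful: With user alice@example.com
09:05:12.000 [203.0.113.10] User alice@example.com calling send message, subject: FWD: Updated invoice
09:05:40.500 [203.0.113.10] User alice@example.com calling delete messages, folder: sent items, owner: alice@example.com, all: , count: 1
09:06:02.250 [203.0.113.10] User alice@example.com calling delete messages, folder: deleted items, owner: alice@example.com, all: , count: 1
09:10:00.000 [203.0.113.10] Webmail Attempting to login user: bob@example.com
09:10:00.000 [203.0.113.10] Webmail Login failed: Incorrect password for user [bob@example.com]
09:10:00.000 [203.0.113.10] Webmail Login failed: Invalid username (bob@example.com) and password combination.
09:11:30.000 [203.0.113.10] Webmail Attempting to login user: Carol@example.com
09:11:30.000 [203.0.113.10] Webmail Login successful: With user carol@example.com
09:11:45.000 [203.0.113.10] User carol@example.com calling set mail settings
[day-2]
08:00:00.000 [198.51.100.7] Webmail Attempting to login user: dave@example.com
08:00:00.000 [198.51.100.7] Webmail Login successful: With user dave@example.com
08:30:00.000 [198.51.100.7] User dave@example.com calling send message, subject: Lunch
"""

DAY = re.compile(r"^\[day-(\d+)\]$")  # assumption: day markers as written in the post
LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d{3}) (?:\[([^\]]+)\] )?(.*)$")  # the IP is absent on some lines
LOGIN_OK = re.compile(r"^\w+ Login successful: With user (\S+)$")
# Every failed login in the excerpt ends with this line, so it is counted once per failure.
LOGIN_FAIL = re.compile(r"^\w+ Login failed: Invalid username \((.+?)\) and password combination\.$")
CALL = re.compile(r"^User (\S+) calling ([^,]+)(?:, (.*))?$")  # "User [admin] as x" lines do not match
PURGE_FOLDERS = {"sent items", "deleted items"}


def parse(text):
    """Yield (timestamp, ip, message); timestamp is a timedelta counted from day 0."""
    day = 0
    for raw in text.splitlines():
        line = raw.strip()
        m = DAY.match(line)
        if m:
            day = int(m.group(1))
            continue
        m = LINE.match(line)
        if not m:
            continue  # annotations and blank lines
        clock, ip, msg = m.groups()
        h, mi, s = clock.split(":")
        yield timedelta(days=day, hours=int(h), minutes=int(mi), seconds=float(s)), ip, msg


def analyze(text, purge_minutes=30, min_accounts=3):
    """Flag IPs that authenticate as many accounts, and sends whose copies are deleted soon after."""
    window = timedelta(minutes=purge_minutes)
    accounts_by_ip = defaultdict(set)  # ip -> accounts it logged in to or failed against
    sends, last_send = [], {}          # every send; most recent send per user
    for ts, ip, msg in parse(text):
        m = LOGIN_OK.match(msg) or LOGIN_FAIL.match(msg)
        if m:
            if ip:
                accounts_by_ip[ip].add(m.group(1).lower())
            continue
        m = CALL.match(msg)
        if not m:
            continue
        user, action, rest = m.group(1).lower(), m.group(2).strip(), m.group(3) or ""
        if action == "send message":
            subject = rest.partition("subject: ")[2]
            last_send[user] = {"user": user, "ip": ip, "ts": ts, "subject": subject, "purged": []}
            sends.append(last_send[user])
        elif action == "delete messages" and user in last_send:
            fields = dict(kv.split(": ", 1) for kv in rest.split(", ") if ": " in kv)
            folder = fields.get("folder", "").lower()
            if folder in PURGE_FOLDERS and ts - last_send[user]["ts"] <= window:
                last_send[user]["purged"].append(folder)
    return {
        "multi_account_ips": {ip: sorted(a) for ip, a in accounts_by_ip.items() if len(a) >= min_accounts},
        "send_then_purge": [s for s in sends if s["purged"]],
    }


if __name__ == "__main__":
    for section, value in analyze(SAMPLE_LOG).items():
        print(section, value)
```

A flagged IP or send is a lead to review against the user's normal source addresses, not a verdict; the log records the delete call and folder but not which message was removed.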