Exhausted Everything - Mail Disappearing
Posted by AggravatingAmount438@reddit | sysadmin | 34 comments
So we have one particular client that one of our teams is working with. This one user sending emails to and from one of our users was flagged for every email between them.
Weird part starts here: It's only between these two. The same exact email chain sent to anyone else doesn't get flagged.
But after confirming it's safe, I allowed it through Proofpoint.
Now the problem is that the email gets delivered to the user's inbox (I've confirmed via both Defender Explorer and Exchange mail trace) and then disappears. I confirmed through Exchange Online PowerShell that none of the user's rules are affecting this email. I've logged into the mailbox myself on Outlook online to confirm that it is indeed missing.
I have allowed this person through our anti-phishing and anti-malware threat policies. I've done everything I can possibly think of. I reported all of the emails as confirmed safe to Microsoft.
In Defender, for the hell of it, I moved the email to the inbox, and it says action completed. But when I try to move it again, it says remediation failed, and the only thing I can see as a problem is that the email cluster shows suspicious, even after allowing it through everything.
I'm completely at my wits' end. AI keeps shouting about ZAP, but we don't have any ZAP policies that I've seen, and I've allowed them through everything else.
Short of completely nuking the mailbox and recreating it, I'm at a loss.
ITcurmudgeon@reddit
Did you check the quarantine in Microsoft Defender by chance?
AggravatingAmount438@reddit (OP)
I did, nothing in there.
ablege@reddit
Have seen this plenty of times with the Samsung mail client on phones. Swiping on a message the wrong way adds it to a client side spam list.
ApprehensiveToday525@reddit
If they use an Apple device, it could be because they have their mailbox synced using Apple Mail as well.
Saw this myself today.
AggravatingAmount438@reddit (OP)
So I terminated all mobile device ties in Exchange Online PowerShell, but it's still doing it and they're not using their phone anymore.
Smiling_Jack_@reddit
Check any Enterprise Apps that the user might have signed up for, if you don't have them blocked that is.
thegoobyking@reddit
I second this. I had this same issue recently with voicemails in Outlook disappearing/moving to deleted. User had blocked one of those voicemails via Apple Mail but since it’s all linked back to noreply@skype.voicemail.microsoft.com it didn’t just block voicemails from that one person, but all voicemails from that email. Took forever to figure it out.
BlotchyBaboon@reddit
Smells like inbox rules. Could be another device.
AggravatingAmount438@reddit (OP)
That's a good lead. We're going to cut all links that aren't to her laptop and force re-authentication.
Scurvy-Jones@reddit
Check rules in OWA as well (if using Outlook (Classic)).
I've seen rules created in OWA not show up in Classic and it took a while to track down where it was.
AggravatingAmount438@reddit (OP)
Checked them, they're disabled. Only ones active are on client side, and I audited them to make sure none of them would affect this email.
purplemonkeymad@reddit
I would check them via PowerShell; OWA also hides "." and ".." rules.
angrydeuce@reddit
Almost every time I've seen email doing weird shit, it's because of a phone or tablet.
This is partly why we now mandate the Outlook app for company email and don't roll stock. It's too easy in those stock apps to accidentally silence a sender entirely and then not know why those emails are being disappeared.
BrentNewland@reddit
Yes, OP said he checked the online rules, but not classic Outlook rules.
Also, we had something similar, with some stupid enterprise app our MSP added to our tenant. It would decide something wasn't good and delete it. Tracked it down by using the Purview mail trace; one of the items in the result was the application ID for the enterprise app.
notickeynoworky@reddit
If mail trace shows delivery to mailbox, I’d be willing to wager a large sum that it’s inbox rules.
jimicus@reddit
That's my thinking - it's happening from the client rather than the server side.
Forcibly sign all other devices out and see if it continues to happen.
ITcurmudgeon@reddit
Check for corrupt hidden rules.
Had an issue recently where there was a running thing between two internal users, where the sender's email kept ending up in the recipient's junk folder within Outlook. The sender kept getting on the user's blocked senders list, I would remove them, and they would be added immediately.
Tried disabling the Junk folder and ran through a bunch of other things I can't remember... But in the end, there was an unrelated corrupted rule that was hidden, that was causing issues with this one single sender.
AggravatingAmount438@reddit (OP)
Only hidden rule is the standard junk email rule that I see.
ITcurmudgeon@reddit
Get-InboxRule -Mailbox "user@domain.com" -IncludeHidden
Not_Blake@reddit
Had a crazy issue similar to this a few months ago and I ultimately resolved it by right-clicking the email in their inbox and "Never block sender".
It wasn't in any of their email rules or on their blocked list and surprisingly it worked.
It must have been some odd issue with the Outlook desktop client bc the user could see the email notifications on their phone but they would not be there when opened in Outlook.
AggravatingAmount438@reddit (OP)
So I didn't try the 'never block sender' but went ahead and tacked that on just in case. Waiting to see if that fixed it and still doing some other changes as well.
Forsythe36@reddit
I know what this is. It’s probably an iPhone deleting the mail. Search in Purview audit for what happens during the time the email is sent. You’ll find your culprit.
CunnyFunt_tehe@reddit
Sounds all too familiar, had this happening with a lady and it turned out to be junk email settings (not rules) on the client side. Can’t remember if it was blocking anything that wasn’t marked as a safe sender or sending to junk instantly. From memory I think it would give the option for both.
https://images.wondershare.com/repairit/article/outlook-block-sender-1.jpg
Best photo I could find on my phone haha but you get the idea
ITcurmudgeon@reddit
Had a similar issue when trying to remove a corrupted hidden rule and where a single internal user was ending up in another user's junk folder, but it was still server side. After far too long troubleshooting, the fix was to simply log in to OWA > Settings > Mail > Junk email and toggle the switch for "Trust email from my contacts".
After that was able to also blow out any hidden rules.
Pristine_Curve@reddit
You mention looking at email traces, but have you checked the mailbox audit log (now it's unified audit log)? This is accessible via Purview, but I've only ever used PowerShell.
Depending on your audit settings, it should give you the actual operations on the individual messages. Most critically what is deleting the messages. You'll probably find something like a mobile device's IP address in the log, and subsequently find a device running a local rule.
AggravatingAmount438@reddit (OP)
I did, yes. That's what I mean by there's no operator for that specific action. It's showing deleted, but there's no operator behind that action specifically. I didn't do by IP though, so that will be a good thing to check.
We just cut all ties to every device connected to the mailbox and are monitoring it now, so we'll see.
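One way to run the audit-log check suggested in the comments above, as an added example that is not from any poster in the thread: it parses the AuditData JSON of delete operations and groups them by client string, IP address and application ID. The function name `Get-MailboxDeleteActor` is hypothetical, and the sample records, addresses, subject and AppId are constructed placeholders.

```powershell
# Added example. Field names follow Exchange mailbox audit records in the unified audit log.
# Live input would come from Exchange Online PowerShell, for example:
#   $records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-2) -EndDate (Get-Date) `
#       -UserIds 'user@domain.com' -Operations SoftDelete,HardDelete,MoveToDeletedItems `
#       -ResultSize 5000
# The records below are constructed sample data (addresses, subject, AppId are placeholders).
$records = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2025-01-01T10:00:05","Operation":"MoveToDeletedItems","LogonType":0,"ClientIPAddress":"203.0.113.10","ClientInfoString":"Client=ActiveSync;UserAgent=ExampleMailApp/1.0","AffectedItems":[{"Subject":"RE: Project thread","ParentFolder":{"Path":"\\Inbox"}}]}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2025-01-01T11:30:12","Operation":"SoftDelete","LogonType":0,"ClientIPAddress":"198.51.100.7","ClientInfoString":"Client=REST;Client=RESTSystem","AppId":"00000000-0000-0000-0000-000000000000","AffectedItems":[{"Subject":"RE: Project thread","ParentFolder":{"Path":"\\Deleted Items"}}]}' }
)

function Get-MailboxDeleteActor {
    param(
        [Parameter(Mandatory)] [object[]] $AuditRecord,
        [string] $SubjectLike = '*'
    )
    # LogonType in mailbox audit data: 0 = mailbox owner, 1 = admin, 2 = delegate
    $logonTypes = @{ 0 = 'Owner'; 1 = 'Admin'; 2 = 'Delegate' }
    foreach ($r in $AuditRecord) {
        $d = $r.AuditData | ConvertFrom-Json
        $logon = if ($null -eq $d.LogonType) { 'Unknown' } else { $logonTypes[[int]$d.LogonType] }
        foreach ($item in @($d.AffectedItems)) {
            if ($item.Subject -notlike $SubjectLike) { continue }
            [pscustomobject]@{
                Time      = $d.CreationTime
                Operation = $d.Operation
                Subject   = $item.Subject
                Folder    = $item.ParentFolder.Path
                LogonType = $logon
                ClientIP  = $d.ClientIPAddress
                Client    = $d.ClientInfoString   # protocol/client that made the change
                AppId     = $d.AppId              # set when an application acted on the mailbox
            }
        }
    }
}

$hits = Get-MailboxDeleteActor -AuditRecord $records -SubjectLike '*Project thread*'
$hits | Format-Table Time, Operation, Folder, LogonType, ClientIP, Client, AppId -AutoSize

# One row per distinct actor: which client, from which IP, with which application ID
$hits | Group-Object Client, ClientIP, AppId | Sort-Object Count -Descending |
    Select-Object Count, Name
```

A delete logged as the mailbox owner with an ActiveSync client string points at a phone's mail app, while a populated AppId can be matched against the tenant's enterprise applications.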
Excellent_Milk_3110@reddit
I had this weird situation where a Samsung phone was removing e-mail with rules or some anti-spam filter, with the default Samsung mail app.
Also check if it is not in spam.
Down_B_OP@reddit
Funnily enough, I've run into the same thing on an iPhone using the built-in mail app. Substituting the Outlook app took care of it for us.
19610taw3@reddit
I thought you could block non-outlook email clients from connecting in?
Down_B_OP@reddit
You can, we just didn't have that in place at the time. That incident was actually the impetus for us to get that configured.
stretchling@reddit
This, had the exact same issue years ago and it turned out to be a Samsung phone with the mail account on it deleting emails due to some auto sort or archive function.
Affectionate-Cat-975@reddit
Check their phones. I’ve seen where a person accidentally flagged an email on their phone and it keeps acting on the spam rule.
StiuNu@reddit
Had something similar with the culprit being a phone/Android with the built-in app, we suspect AI. Replaced it with Thunderbird and the issue stopped.
shokzee@reddit
I’d stop looking at normal inbox rules and check the stuff that doesn’t show there: hidden mailbox rules, delegates, mobile sync clients, and any app with mailbox permissions.
If it lands and then gets deleted with no visible user operation, something automated is touching the mailbox after delivery.
Try disabling all connected clients/apps for that user during a test window, resend the same thread, then check recoverable items immediately.