I have a user who had a phishing email sent from their Exchange account to a bunch of people they know. I am not sure if it was to all of their contacts, or the email cache list, or something else. I did not receive the message, but it looks like it went out to a lot of people.
The email had the subject "Important Document" and had a link to what I assume is a fake Google Docs login phishing page. Everything I search for talks about not clicking the phishing link, but I am trying to determine how the email was sent through their Exchange server. The email had their signature in it, which makes me think it was sent through Outlook instead of OWA.
My question is, is there any way to determine how the emails were sent (Outlook, OWA, mobile device, etc.)? I see the emails sitting in the user's Sent Items folder, but I'm not sure how to...