With brute-force attacks now commonplace, mailboxes are no longer safe with an average password. When you have a hunch that your mailbox may have been compromised, first reset the mailbox password. Second, you may want to obtain the client IP addresses connecting to the mailbox. Here is how to get that information. NOTE: If you are using a load balancer, the real client IP may not be shown because of the NAT policies being applied.
Run the commands below in the Exchange Management Shell.
The Get-LogonStatistics cmdlet provides the following logon-related information:
The two main attributes you are going to need are Identity and ClientIPAddress. You can run the following to get the information for a single user mailbox:
Get-LogonStatistics -Identity email@example.com | Select Identity,ClientIPAddress
Run the above and it should display the information.
Use the following command when you'd like to query a specific mailbox database:
Get-LogonStatistics -Database "MyDatabase" | fl
To get information based on a mailbox server:
Get-LogonStatistics -Server "MyServer"
Here is another variant of the command that returns the client IP:
Get-LogonStatistics firstname.lastname@example.org | Sort-Object ClientIPAddress | Format-Table UserName,ClientIPAddress,LogonTime,ClientVersion
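To triage the output of the commands above, the following added example (not part of the original post) reduces Get-LogonStatistics sessions to those whose ClientIPAddress falls outside address ranges you trust, or is blank. The function names, the trusted CIDR ranges and the sample sessions are assumptions made for illustration, and the matching covers IPv4 only.

```powershell
# Added example. Function names, trusted ranges and sample sessions are constructed.
function ConvertTo-IPv4Number {
    param([string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $null }
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $null }
    [double]$n = 0
    foreach ($b in $ip.GetAddressBytes()) { $n = $n * 256 + $b }
    return $n
}

function Test-IPv4InCidr {
    param([string]$Address, [string]$Cidr)
    $net, $prefix = $Cidr -split '/'
    $ipNum  = ConvertTo-IPv4Number $Address
    $netNum = ConvertTo-IPv4Number $net
    if ($null -eq $ipNum -or $null -eq $netNum) { return $false }
    # Two addresses are in the same network when their top $prefix bits match
    $block = [math]::Pow(2, 32 - [int]$prefix)
    return [math]::Floor($ipNum / $block) -eq [math]::Floor($netNum / $block)
}

function Get-UnexpectedLogon {
    param([Parameter(ValueFromPipeline = $true)] $Session, [string[]] $TrustedCidr)
    process {
        $ip = [string]$Session.ClientIPAddress
        if (-not $ip) {
            $reason = 'NoClientIP'      # blank IP, e.g. on Exchange 2010
        } elseif ($TrustedCidr | Where-Object { Test-IPv4InCidr $ip $_ }) {
            return                      # session comes from a trusted range
        } else {
            $reason = 'UntrustedIP'
        }
        $Session | Select-Object UserName, ClientIPAddress, LogonTime, ClientVersion,
            @{ Name = 'Reason'; Expression = { $reason } }
    }
}

# Constructed sample sessions so the filter can be tried outside Exchange
$sample = '10.20.30.40', '198.51.100.23', '' | ForEach-Object {
    New-Object psobject -Property @{ UserName = 'Example User'; ClientIPAddress = $_
        LogonTime = [datetime]'2024-01-15 08:02'; ClientVersion = 'constructed' }
}
$sample | Get-UnexpectedLogon -TrustedCidr '10.0.0.0/8', '192.0.2.0/24' | Format-Table -AutoSize

# Live use in the Exchange Management Shell:
# Get-LogonStatistics -Identity email@example.com | Get-UnexpectedLogon -TrustedCidr '10.0.0.0/8'
```

If a load balancer applies NAT, its own address is what appears in ClientIPAddress, so a session from a trusted range is not proof of an internal client.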
NOTE: If you are using Exchange 2010, the client IP may be blank. You will then have to look through the following logs:
\Program Files\Microsoft\Exchange Server\v14\Logging\RPC Client Access
For these logs, you may want to use Log Parser, which can be downloaded from the Microsoft Download Center:
While looking for mailbox information, you can use Get-MailboxStatistics User@domain.com and get the following attributes:
The attribute that shows the amount of data in a mailbox is TotalItemSize.
You can then run Get-MailboxStatistics User@domain.com