If the person reading your email is doing so with Outlook Web Access (OWA), then it is much harder to track. All communications can be tracked, but you will need to capture the traffic with a network monitoring tool (e.g., NetMon, Wireshark, etc.) during the time frame that the incident occurs. Reviewing the capture log could reveal the source IP address of your hacker.
The IP address is really only of value to you if it is coming from within your organization. If the connection is being established externally, then you will not be able to rely on the IP address in the capture as it will probably be coming from the external interface of a firewall that is performing network address translation (NAT).
Do you have comments on this Ask the Expert Q&A? Let us know.
Ask an Exchange Server question in our forum.
Dig Deeper on Exchange Server setup and troubleshooting
Related Q&A from Richard Luckett
Some folders in a mailbox on Exchange Server 2013 are not showing up on the folder list in the OWA virtual directory but do appear in other views. Continue Reading
We have a Client Access Server and Mailbox Server on Exchange 2013 and we want to install an Edge Transport role on another machine. I joined the ... Continue Reading
How can I enable Outlook Anywhere to allow internal use for all users and external use for only some users in Exchange 2013? Continue Reading