Certificate Attributes in Email Sender

Hi there,

I’m working a matter whereby I’m trying to tie the suspect to the keyboard for a BEC type case. I’ve located the suspicious emails being generated and sent in the Custodian’s OST file, however I am seeing a difference in the “from” field. Some emails generate the from field as :
“Suspect name” "
Whilst others look like
“Suspoect name” <“/o=organisation/ou=country/cn=recipients/cn=laptop user name”>

Does anyone have any ideas what the reason for the discrepancy would be? I understand that it’s certificate attributes in the field, but why would some contain it and some do not? Is it possible that the emails were generated off different devices?

Thanks

Sounds like X.500 addresses. This article should provide clarity:

https://www.meridiandiscovery.com/articles/why-we-see-strange-exchange-e-mail-addresses-in-e-discovery/