I’m analyzing a PST exported from a user’s mailbox in Company A’s M365 tenant.
I’m seeing a pattern where:
- The display name in Outlook shows the mailbox owner (Custodian A).
- But when I click the name, Outlook resolves it to different email addresses from Company B’s domain.
- The message body also matches those Company B individuals (e.g., “Hi [First Name]” aligns with the resolved address).
- These are not the same address each time — multiple different Company B users.
What I see in MAPI (OutlookSpy)
For these messages:
- PR_RECEIVED_BY_EMAIL_ADDRESS_W shows an X.500 address for Custodian A (mailbox owner).
- I do not see Company B SMTP addresses in the obvious recipient fields at the message level.
- However, in the recipient table, I do see:
  - PR_SMTP_ADDRESS_W = user@companyB.com
  - PR_SEARCH_KEY = Exchange directory DN (EX:/O=…/CN=Recipients/…)
- In PR_TRANSPORT_MESSAGE_HEADERS, the SMTP headers show:
  - To: user@companyB.com
  - Message originated from the internet and passed through Exchange Online Protection.
  - Headers include X-MS-Exchange-ForwardingLoop: ForwardingHandled.
- When replying in Outlook, the To field auto-populates with the Company B user’s address, not Custodian A.
Is this some sort of mailbox-level forwarding or redirect rule that caused copies to be delivered into Custodian A’s mailbox?
Specifically, is it expected that:
- PR_RECEIVED_BY_* reflects the storage mailbox,
- while PR_SMTP_ADDRESS (recipient row) and transport headers preserve the original intended recipient?
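The comparison described in the post can be repeated across many messages with a small script. This is an added example, not part of the original post: it takes the text of PR_TRANSPORT_MESSAGE_HEADERS and reports whether the custodian appears in To/Cc, whether the recipient-row SMTP addresses match the header recipients, and whether X-MS-Exchange-ForwardingLoop is present. The function name `triage`, the custodian address and the sample header block are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample header block (not taken from a real message).
SAMPLE_HEADERS = (
    "Received: from mail.example.net (192.0.2.10) by relay.example.org;\n"
    " Mon, 1 Jan 2024 10:00:00 +0000\n"
    'From: "Sender" <sender@example.net>\n'
    'To: "User B" <user@companyB.com>\n'
    "Subject: constructed sample\n"
    "X-MS-Exchange-ForwardingLoop: ForwardingHandled\n"
    "\n"
)


def triage(headers_text, custodian_smtp, recipient_row_smtp=()):
    """Compare header recipients with the custodian and the recipient table."""
    msg = message_from_string(headers_text)
    custodian = {a.lower() for a in custodian_smtp}
    rows = {a.lower() for a in recipient_row_smtp}

    # Collect every address named in the To and Cc headers.
    header_rcpts = []
    for field in ("To", "Cc"):
        for _name, addr in getaddresses(msg.get_all(field, [])):
            if addr:
                header_rcpts.append(addr.lower())

    loop = msg.get("X-MS-Exchange-ForwardingLoop")
    return {
        "header_recipients": header_rcpts,
        # False means the mailbox owner was not an addressed recipient.
        "custodian_in_headers": any(a in custodian for a in header_rcpts),
        # True when every recipient-row SMTP address also appears in To/Cc.
        "rows_match_headers": bool(rows) and rows <= set(header_rcpts),
        "forwarding_loop": loop.strip() if loop else None,
        "non_custodian_domains": sorted(
            {a.rsplit("@", 1)[1] for a in header_rcpts
             if "@" in a and a not in custodian}
        ),
    }


if __name__ == "__main__":
    # Hypothetical custodian address; replace with the mailbox owner's SMTP addresses.
    print(triage(SAMPLE_HEADERS, ["custodian.a@companya.example"],
                 ["user@companyB.com"]))
```

Messages where `custodian_in_headers` is false and `forwarding_loop` is set are the ones matching the pattern in the post and worth checking against the mailbox's forwarding and rule configuration.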