{"AffectedItems": [{"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAFzIXi2IUPRISo8vEZM/upAAXJHLtyAAAJ", "InternetMessageId": "<0100019309a1aab5-95864cc5-4c1c-48aa-b3cc-b37bb00a20e0-000000@email.amazonses.com>", "ParentFolder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": " Profile Update Notification"}, {"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAFzIXi2IUPRISo8vEZM/upAAXJHLtzAAAJ", "InternetMessageId": "<0100019309a0398e-62735e6e-dad4-43ec-883d-c24928f73406-000000@email.amazonses.com>", "ParentFolder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": " OTP Notification"}, {"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAFzIXi2IUPRISo8vEZM/upAAXJHLt0AAAJ", "InternetMessageId": "<01000193099f76f3-cef1c8ce-93f7-457d-a6ae-0891a911cafd-000000@email.amazonses.com>", "ParentFolder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": " Password Change Notification"}, {"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAFzIXi2IUPRISo8vEZM/upAAXJHLt1AAAJ", "InternetMessageId": "<01000193099ddd0d-6bb4da1d-4d21-4836-9e22-82f3a863f9b1-000000@email.amazonses.com>", "ParentFolder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": " Account Recovery Notification"}, {"Attachments": "image (3540b); image (63465b)", "Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAFzIXi2IUPRISo8vEZM/upAAXJHLt2AAAJ", "InternetMessageId": "<1477756244.25206.1731032231259@app131010.sjc201.ticketing-system.local>", "ParentFolder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Incident receipt confirmation"}], "AppAccessContext": {"AADSessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "IssuedAtTime": "1970-01-01T00:00:00", "UniqueTokenId": "eRFzqIsx-0mF9YdN0DHVAA"}, "AppId": "00000002-0000-0ff1-ce00-000000000000", "ClientAppId": "00000002-0000-0ff1-ce00-000000000000", "ClientIP": "189.135.168.197", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=OWA;Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 Edg/130.0.0.0;", "CreationTime": "2025-01-16T03:41:38", "CrossMailboxOperation": false, "ExternalAccess": false, "Folder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Id": "ea2d5719-049c-45da-d3cc-08dcffa74029", "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxGuid": "51eb74b6-8b5e-4d97-a051-b69bd0b2cb77", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxOwnerUPN": "victim_1@attack_range.lan", "Operation": "HardDelete", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "SN6PR08MB4638 (15.20.4200.000)\r\n", "RecordType": 3, "ResultStatus": "Succeeded", "SessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "UserId": "victim_1@attack_range.lan", "UserKey": "10037FFE8CCD1F10", "UserType": 0, "Version": 1, "Workload": "Exchange"}
{"AffectedItems": [{"Attachments": "image (58877b)", "Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAFzIXi2IUPRISo8vEZM/upAAXJHLt3AAAJ", "InternetMessageId": "<267242656.25203.1731032230949@app131010.sjc201.ticketing-system.local>", "ParentFolder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Incident  reported by you has been resolved"}, {"Attachments": "image (3540b); image (63465b)", "Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAFzIXi2IUPRISo8vEZM/upAAXJHLt4AAAJ", "InternetMessageId": "<104042946.22658.1731032209807@app131163.sjc201.ticketing-system.local>", "ParentFolder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Incident receipt confirmation"}, {"Attachments": "image (58879b)", "Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAFzIXi2IUPRISo8vEZM/upAAXJHLt5AAAJ", "InternetMessageId": "<593972805.22655.1731032209520@app131163.sjc201.ticketing-system.local>", "ParentFolder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Incident reported by you has been resolved"}, {"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAFzIXi2IUPRISo8vEZM/upAAXJHLt6AAAJ", "InternetMessageId": "<beee425e-de47-490c-aae9-dae74de48442@mailserver2001.attack_range.lan>", "ParentFolder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Password Manager \u2014 Passcode was Reset"}], "AppAccessContext": {"AADSessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "IssuedAtTime": "1970-01-01T00:00:00", "UniqueTokenId": "eRFzqIsx-0mF9YdN0DHVAA"}, "AppId": "00000002-0000-0ff1-ce00-000000000000", "ClientAppId": "00000002-0000-0ff1-ce00-000000000000", "ClientIP": "189.135.168.197", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=OWA;Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 Edg/130.0.0.0;", "CreationTime": "2025-01-16T03:41:38", "CrossMailboxOperation": false, "ExternalAccess": false, "Folder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Id": "ee6a54bf-49c5-476b-d3cc-08dcffa74029", "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxGuid": "51eb74b6-8b5e-4d97-a051-b69bd0b2cb77", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxOwnerUPN": "victim_1@attack_range.lan", "Operation": "HardDelete", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "SN6PR08MB4638 (15.20.4200.000)\r\n", "RecordType": 3, "ResultStatus": "Succeeded", "SessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "UserId": "victim_1@attack_range.lan", "UserKey": "10037FFE8CCD1F10", "UserType": 0, "Version": 1, "Workload": "Exchange"}
{"AffectedItems": [{"Attachments": "image (58877b)", "Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAFzIXi2IUPRISo8vEZM/upAAXJHLt3AAAJ", "InternetMessageId": "<267242656.25203.1731032230949@app131010.sjc201.ticketing-system.local>", "ParentFolder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Incident  reported by you has been resolved"}, {"Attachments": "image (3540b); image (63465b)", "Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAFzIXi2IUPRISo8vEZM/upAAXJHLt4AAAJ", "InternetMessageId": "<104042946.22658.1731032209807@app131163.sjc201.ticketing-system.local>", "ParentFolder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Incident receipt confirmation"}, {"Attachments": "image (58879b)", "Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAFzIXi2IUPRISo8vEZM/upAAXJHLt5AAAJ", "InternetMessageId": "<593972805.22655.1731032209520@app131163.sjc201.ticketing-system.local>", "ParentFolder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Incident reported by you has been resolved"}, {"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAFzIXi2IUPRISo8vEZM/upAAXJHLt6AAAJ", "InternetMessageId": "<beee425e-de47-490c-aae9-dae74de48442@mailserver2001.attack_range.lan>", "ParentFolder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Password Manager \u2014 Passcode was Reset"}], "AppAccessContext": {"AADSessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "IssuedAtTime": "1970-01-01T00:00:00", "UniqueTokenId": "eRFzqIsx-0mF9YdN0DHVAA"}, "AppId": "00000002-0000-0ff1-ce00-000000000000", "ClientAppId": "00000002-0000-0ff1-ce00-000000000000", "ClientIP": "189.135.168.197", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=OWA;Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 Edg/130.0.0.0;", "CreationTime": "2025-01-16T03:41:38", "CrossMailboxOperation": false, "ExternalAccess": false, "Folder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Id": "ee6a54bf-49c5-476b-d3cc-08dcffa74029", "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxGuid": "51eb74b6-8b5e-4d97-a051-b69bd0b2cb77", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxOwnerUPN": "victim_1@attack_range.lan", "Operation": "HardDelete", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "SN6PR08MB4638 (15.20.4200.000)\r\n", "RecordType": 3, "ResultStatus": "Succeeded", "SessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "UserId": "victim_1@attack_range.lan", "UserKey": "10037FFE8CCD1F10", "UserType": 0, "Version": 1, "Workload": "Exchange"}
{"AffectedItems": [{"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAFzIXi2IUPRISo8vEZM/upAAXJHLtyAAAJ", "InternetMessageId": "<0100019309a1aab5-95864cc5-4c1c-48aa-b3cc-b37bb00a20e0-000000@email.amazonses.com>", "ParentFolder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Profile Update Notification"}, {"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAFzIXi2IUPRISo8vEZM/upAAXJHLtzAAAJ", "InternetMessageId": "<0100019309a0398e-62735e6e-dad4-43ec-883d-c24928f73406-000000@email.amazonses.com>", "ParentFolder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": " OTP Notification"}, {"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAFzIXi2IUPRISo8vEZM/upAAXJHLt0AAAJ", "InternetMessageId": "<01000193099f76f3-cef1c8ce-93f7-457d-a6ae-0891a911cafd-000000@email.amazonses.com>", "ParentFolder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": " Password Change Notification"}, {"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAFzIXi2IUPRISo8vEZM/upAAXJHLt1AAAJ", "InternetMessageId": "<01000193099ddd0d-6bb4da1d-4d21-4836-9e22-82f3a863f9b1-000000@email.amazonses.com>", "ParentFolder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": " Account Recovery Notification"}, {"Attachments": "image (3540b); image (63465b)", "Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAFzIXi2IUPRISo8vEZM/upAAXJHLt2AAAJ", "InternetMessageId": "<1477756244.25206.1731032231259@app131010.sjc201.ticketing-system.local>", "ParentFolder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Incident receipt confirmation"}], "AppAccessContext": {"AADSessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "IssuedAtTime": "1970-01-01T00:00:00", "UniqueTokenId": "eRFzqIsx-0mF9YdN0DHVAA"}, "AppId": "00000002-0000-0ff1-ce00-000000000000", "ClientAppId": "00000002-0000-0ff1-ce00-000000000000", "ClientIP": "189.135.168.197", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=OWA;Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 Edg/130.0.0.0;", "CreationTime": "2025-01-16T03:41:38", "CrossMailboxOperation": false, "ExternalAccess": false, "Folder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Id": "ea2d5719-049c-45da-d3cc-08dcffa74029", "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxGuid": "51eb74b6-8b5e-4d97-a051-b69bd0b2cb77", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxOwnerUPN": "victim_1@attack_range.lan", "Operation": "HardDelete", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "SN6PR08MB4638 (15.20.4200.000)\r\n", "RecordType": 3, "ResultStatus": "Succeeded", "SessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "UserId": "victim_1@attack_range.lan", "UserKey": "10037FFE8CCD1F10", "UserType": 0, "Version": 1, "Workload": "Exchange"}
{"AffectedItems": [{"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAFzIXi2IUPRISo8vEZM/upAAXJHJbqAAAJ", "InternetMessageId": "<0100019309a0398e-62735e6e-dad4-43ec-883d-c24928f73406-000000@email.amazonses.com>", "ParentFolder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAB", "Path": "\\Deleted Items"}, "Subject": "OTP Notification"}], "AppAccessContext": {"AADSessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "IssuedAtTime": "1970-01-01T00:00:00", "UniqueTokenId": "eRFzqIsx-0mF9YdN0DHVAA"}, "AppId": "00000002-0000-0ff1-ce00-000000000000", "ClientAppId": "00000002-0000-0ff1-ce00-000000000000", "ClientIP": "189.135.168.197", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=OWA;Action=ViaProxy", "CreationTime": "2025-01-16T03:41:16", "CrossMailboxOperation": false, "ExternalAccess": false, "Folder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAB", "Path": "\\Deleted Items"}, "Id": "518f278c-0698-4dda-645f-08dcffa73316", "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxGuid": "51eb74b6-8b5e-4d97-a051-b69bd0b2cb77", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxOwnerUPN": "victim_1@attack_range.lan", "Operation": "SoftDelete", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "SN6PR08MB4638 (15.20.4200.000)\r\n", "RecordType": 3, "ResultStatus": "Succeeded", "SessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "UserId": "victim_1@attack_range.lan", "UserKey": "10037FFE8CCD1F10", "UserType": 0, "Version": 1, "Workload": "Exchange"}
{"AffectedItems": [{"Attachments": "image (58877b)", "Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAFzIXi2IUPRISo8vEZM/upAAXJHJblAAAJ", "InternetMessageId": "<267242656.25203.1731032230949@app131010.sjc201.ticketing-system.local>", "ParentFolder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAB", "Path": "\\Deleted Items"}, "Subject": "Incident reported by you has been resolved"}], "AppAccessContext": {"AADSessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "IssuedAtTime": "1970-01-01T00:00:00", "UniqueTokenId": "eRFzqIsx-0mF9YdN0DHVAA"}, "AppId": "00000002-0000-0ff1-ce00-000000000000", "ClientAppId": "00000002-0000-0ff1-ce00-000000000000", "ClientIP": "189.135.168.197", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=OWA;Action=ViaProxy", "CreationTime": "2025-01-16T03:41:16", "CrossMailboxOperation": false, "ExternalAccess": false, "Folder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAB", "Path": "\\Deleted Items"}, "Id": "0a853b81-b596-433f-d841-08dcffa7334a", "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxGuid": "51eb74b6-8b5e-4d97-a051-b69bd0b2cb77", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxOwnerUPN": "victim_1@attack_range.lan", "Operation": "SoftDelete", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "SN6PR08MB4638 (15.20.4200.000)\r\n", "RecordType": 3, "ResultStatus": "Succeeded", "SessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "UserId": "victim_1@attack_range.lan", "UserKey": "10037FFE8CCD1F10", "UserType": 0, "Version": 1, "Workload": "Exchange"}
{"AffectedItems": [{"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAFzIXi2IUPRISo8vEZM/upAAXJHJbsAAAJ", "InternetMessageId": "<01000193099ddd0d-6bb4da1d-4d21-4836-9e22-82f3a863f9b1-000000@email.amazonses.com>", "ParentFolder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAB", "Path": "\\Deleted Items"}, "Subject": "Account Recovery Notification"}], "AppAccessContext": {"AADSessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "IssuedAtTime": "1970-01-01T00:00:00", "UniqueTokenId": "eRFzqIsx-0mF9YdN0DHVAA"}, "AppId": "00000002-0000-0ff1-ce00-000000000000", "ClientAppId": "00000002-0000-0ff1-ce00-000000000000", "ClientIP": "189.135.168.197", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=OWA;Action=ViaProxy", "CreationTime": "2025-01-16T03:41:16", "CrossMailboxOperation": false, "ExternalAccess": false, "Folder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAB", "Path": "\\Deleted Items"}, "Id": "73ceb287-7975-4dfe-3bf7-08dcffa7332e", "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxGuid": "51eb74b6-8b5e-4d97-a051-b69bd0b2cb77", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxOwnerUPN": "victim_1@attack_range.lan", "Operation": "SoftDelete", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "SN6PR08MB4638 (15.20.4200.000)\r\n", "RecordType": 3, "ResultStatus": "Succeeded", "SessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "UserId": "victim_1@attack_range.lan", "UserKey": "10037FFE8CCD1F10", "UserType": 0, "Version": 1, "Workload": "Exchange"}
{"AffectedItems": [{"Attachments": "image (58879b)", "Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAFzIXi2IUPRISo8vEZM/upAAXJHJbnAAAJ", "InternetMessageId": "<593972805.22655.1731032209520@app131163.sjc201.ticketing-system.local>", "ParentFolder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAB", "Path": "\\Deleted Items"}, "Subject": "Incident reported by you has been resolved"}], "AppAccessContext": {"AADSessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "IssuedAtTime": "1970-01-01T00:00:00", "UniqueTokenId": "eRFzqIsx-0mF9YdN0DHVAA"}, "AppId": "00000002-0000-0ff1-ce00-000000000000", "ClientAppId": "00000002-0000-0ff1-ce00-000000000000", "ClientIP": "189.135.168.197", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=OWA;Action=ViaProxy", "CreationTime": "2025-01-16T03:41:16", "CrossMailboxOperation": false, "ExternalAccess": false, "Folder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAB", "Path": "\\Deleted Items"}, "Id": "1c6c03c9-8f08-4237-122f-08dcffa73365", "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxGuid": "51eb74b6-8b5e-4d97-a051-b69bd0b2cb77", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxOwnerUPN": "victim_1@attack_range.lan", "Operation": "SoftDelete", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "SN6PR08MB4638 (15.20.4200.000)\r\n", "RecordType": 3, "ResultStatus": "Succeeded", "SessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "UserId": "victim_1@attack_range.lan", "UserKey": "10037FFE8CCD1F10", "UserType": 0, "Version": 1, "Workload": "Exchange"}
{"AffectedItems": [{"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAFzIXi2IUPRISo8vEZM/upAAXJHJbrAAAJ", "InternetMessageId": "<01000193099f76f3-cef1c8ce-93f7-457d-a6ae-0891a911cafd-000000@email.amazonses.com>", "ParentFolder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAB", "Path": "\\Deleted Items"}, "Subject": "Password Change Notification"}], "AppAccessContext": {"AADSessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "IssuedAtTime": "1970-01-01T00:00:00", "UniqueTokenId": "eRFzqIsx-0mF9YdN0DHVAA"}, "AppId": "00000002-0000-0ff1-ce00-000000000000", "ClientAppId": "00000002-0000-0ff1-ce00-000000000000", "ClientIP": "189.135.168.197", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=OWA;Action=ViaProxy", "CreationTime": "2025-01-16T03:41:16", "CrossMailboxOperation": false, "ExternalAccess": false, "Folder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAB", "Path": "\\Deleted Items"}, "Id": "cc7a7885-bde6-4b2b-5017-08dcffa73322", "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxGuid": "51eb74b6-8b5e-4d97-a051-b69bd0b2cb77", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxOwnerUPN": "victim_1@attack_range.lan", "Operation": "SoftDelete", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "SN6PR08MB4638 (15.20.4200.000)\r\n", "RecordType": 3, "ResultStatus": "Succeeded", "SessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "UserId": "victim_1@attack_range.lan", "UserKey": "10037FFE8CCD1F10", "UserType": 0, "Version": 1, "Workload": "Exchange"}
{"AffectedItems": [{"Attachments": "image (3540b); image (63465b)", "Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAFzIXi2IUPRISo8vEZM/upAAXJHJbkAAAJ", "InternetMessageId": "<1477756244.25206.1731032231259@app131010.sjc201.ticketing-system.local>", "ParentFolder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAB", "Path": "\\Deleted Items"}, "Subject": "Incident receipt confirmation"}], "AppAccessContext": {"AADSessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "IssuedAtTime": "1970-01-01T00:00:00", "UniqueTokenId": "eRFzqIsx-0mF9YdN0DHVAA"}, "AppId": "00000002-0000-0ff1-ce00-000000000000", "ClientAppId": "00000002-0000-0ff1-ce00-000000000000", "ClientIP": "189.135.168.197", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=OWA;Action=ViaProxy", "CreationTime": "2025-01-16T03:41:16", "CrossMailboxOperation": false, "ExternalAccess": false, "Folder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAB", "Path": "\\Deleted Items"}, "Id": "61e72d80-2e65-4c52-ec87-08dcffa7333e", "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxGuid": "51eb74b6-8b5e-4d97-a051-b69bd0b2cb77", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxOwnerUPN": "victim_1@attack_range.lan", "Operation": "SoftDelete", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "SN6PR08MB4638 (15.20.4200.000)\r\n", "RecordType": 3, "ResultStatus": "Succeeded", "SessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "UserId": "victim_1@attack_range.lan", "UserKey": "10037FFE8CCD1F10", "UserType": 0, "Version": 1, "Workload": "Exchange"}
{"AffectedItems": [{"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAFzIXi2IUPRISo8vEZM/upAAXJHJboAAAJ", "InternetMessageId": "<beee425e-de47-490c-aae9-dae74de48442@mailserver2001.attack_range.lan>", "ParentFolder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAB", "Path": "\\Deleted Items"}, "Subject": "Password Manager \u2014 Passcode was Reset"}], "AppAccessContext": {"AADSessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "IssuedAtTime": "1970-01-01T00:00:00", "UniqueTokenId": "eRFzqIsx-0mF9YdN0DHVAA"}, "AppId": "00000002-0000-0ff1-ce00-000000000000", "ClientAppId": "00000002-0000-0ff1-ce00-000000000000", "ClientIP": "189.135.168.197", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=OWA;Action=ViaProxy", "CreationTime": "2025-01-16T03:41:16", "CrossMailboxOperation": false, "ExternalAccess": false, "Folder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAB", "Path": "\\Deleted Items"}, "Id": "d139efeb-9557-48ac-6067-08dcffa73373", "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxGuid": "51eb74b6-8b5e-4d97-a051-b69bd0b2cb77", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxOwnerUPN": "victim_1@attack_range.lan", "Operation": "SoftDelete", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "SN6PR08MB4638 (15.20.4200.000)\r\n", "RecordType": 3, "ResultStatus": "Succeeded", "SessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "UserId": "victim_1@attack_range.lan", "UserKey": "10037FFE8CCD1F10", "UserType": 0, "Version": 1, "Workload": "Exchange"}
{"AffectedItems": [{"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAFzIXi2IUPRISo8vEZM/upAAXJHJbpAAAJ", "InternetMessageId": "<0100019309a1aab5-95864cc5-4c1c-48aa-b3cc-b37bb00a20e0-000000@email.amazonses.com>", "ParentFolder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAB", "Path": "\\Deleted Items"}, "Subject": "Profile Update Notification"}], "AppAccessContext": {"AADSessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "IssuedAtTime": "1970-01-01T00:00:00", "UniqueTokenId": "eRFzqIsx-0mF9YdN0DHVAA"}, "AppId": "00000002-0000-0ff1-ce00-000000000000", "ClientAppId": "00000002-0000-0ff1-ce00-000000000000", "ClientIP": "189.135.168.197", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=OWA;Action=ViaProxy", "CreationTime": "2025-01-16T03:41:16", "CrossMailboxOperation": false, "ExternalAccess": false, "Folder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAB", "Path": "\\Deleted Items"}, "Id": "44f7d2f3-29c0-4d59-5189-08dcffa73303", "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxGuid": "51eb74b6-8b5e-4d97-a051-b69bd0b2cb77", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxOwnerUPN": "victim_1@attack_range.lan", "Operation": "SoftDelete", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "SN6PR08MB4638 (15.20.4200.000)\r\n", "RecordType": 3, "ResultStatus": "Succeeded", "SessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "UserId": "victim_1@attack_range.lan", "UserKey": "10037FFE8CCD1F10", "UserType": 0, "Version": 1, "Workload": "Exchange"}
{"AffectedItems": [{"Attachments": "image (3540b); image (63465b)", "Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAFzIXi2IUPRISo8vEZM/upAAXJHJbmAAAJ", "InternetMessageId": "<104042946.22658.1731032209807@app131163.sjc201.ticketing-system.local>", "ParentFolder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAB", "Path": "\\Deleted Items"}, "Subject": "Incident receipt confirmation"}], "AppAccessContext": {"AADSessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "IssuedAtTime": "1970-01-01T00:00:00", "UniqueTokenId": "eRFzqIsx-0mF9YdN0DHVAA"}, "AppId": "00000002-0000-0ff1-ce00-000000000000", "ClientAppId": "00000002-0000-0ff1-ce00-000000000000", "ClientIP": "189.135.168.197", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=OWA;Action=ViaProxy", "CreationTime": "2025-01-16T03:41:16", "CrossMailboxOperation": false, "ExternalAccess": false, "Folder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAB", "Path": "\\Deleted Items"}, "Id": "7adf1ea7-64ad-4c15-c44b-08dcffa73356", "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxGuid": "51eb74b6-8b5e-4d97-a051-b69bd0b2cb77", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxOwnerUPN": "victim_1@attack_range.lan", "Operation": "SoftDelete", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "SN6PR08MB4638 (15.20.4200.000)\r\n", "RecordType": 3, "ResultStatus": "Succeeded", "SessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "UserId": "victim_1@attack_range.lan", "UserKey": "10037FFE8CCD1F10", "UserType": 0, "Version": 1, "Workload": "Exchange"}
{"AffectedItems": [{"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAFzIXi2IUPRISo8vEZM/upAAXJHJbrAAAJ", "InternetMessageId": "<01000193099f76f3-cef1c8ce-93f7-457d-a6ae-0891a911cafd-000000@email.amazonses.com>", "ParentFolder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAB", "Path": "\\Deleted Items"}, "Subject": "Password Change Notification"}], "AppAccessContext": {"AADSessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "IssuedAtTime": "1970-01-01T00:00:00", "UniqueTokenId": "eRFzqIsx-0mF9YdN0DHVAA"}, "AppId": "00000002-0000-0ff1-ce00-000000000000", "ClientAppId": "00000002-0000-0ff1-ce00-000000000000", "ClientIP": "189.135.168.197", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=OWA;Action=ViaProxy", "CreationTime": "2025-01-16T03:41:16", "CrossMailboxOperation": false, "ExternalAccess": false, "Folder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAB", "Path": "\\Deleted Items"}, "Id": "cc7a7885-bde6-4b2b-5017-08dcffa73322", "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxGuid": "51eb74b6-8b5e-4d97-a051-b69bd0b2cb77", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxOwnerUPN": "victim_1@attack_range.lan", "Operation": "SoftDelete", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "SN6PR08MB4638 (15.20.4200.000)\r\n", "RecordType": 3, "ResultStatus": "Succeeded", "SessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "UserId": "victim_1@attack_range.lan", "UserKey": "10037FFE8CCD1F10", "UserType": 0, "Version": 1, "Workload": "Exchange"}
{"AffectedItems": [{"Attachments": "image (3540b); image (63465b)", "Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAFzIXi2IUPRISo8vEZM/upAAXJHJbkAAAJ", "InternetMessageId": "<1477756244.25206.1731032231259@app131010.sjc201.ticketing-system.local>", "ParentFolder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAB", "Path": "\\Deleted Items"}, "Subject": "Incident receipt confirmation"}], "AppAccessContext": {"AADSessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "IssuedAtTime": "1970-01-01T00:00:00", "UniqueTokenId": "eRFzqIsx-0mF9YdN0DHVAA"}, "AppId": "00000002-0000-0ff1-ce00-000000000000", "ClientAppId": "00000002-0000-0ff1-ce00-000000000000", "ClientIP": "189.135.168.197", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=OWA;Action=ViaProxy", "CreationTime": "2025-01-16T03:41:16", "CrossMailboxOperation": false, "ExternalAccess": false, "Folder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAB", "Path": "\\Deleted Items"}, "Id": "61e72d80-2e65-4c52-ec87-08dcffa7333e", "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxGuid": "51eb74b6-8b5e-4d97-a051-b69bd0b2cb77", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxOwnerUPN": "victim_1@attack_range.lan", "Operation": "SoftDelete", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "SN6PR08MB4638 (15.20.4200.000)\r\n", "RecordType": 3, "ResultStatus": "Succeeded", "SessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "UserId": "victim_1@attack_range.lan", "UserKey": "10037FFE8CCD1F10", "UserType": 0, "Version": 1, "Workload": "Exchange"}
{"AffectedItems": [{"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAFzIXi2IUPRISo8vEZM/upAAXJHJboAAAJ", "InternetMessageId": "<beee425e-de47-490c-aae9-dae74de48442@mailserver2001.attack_range.lan>", "ParentFolder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAB", "Path": "\\Deleted Items"}, "Subject": "Password Manager \u2014 Passcode was Reset"}], "AppAccessContext": {"AADSessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "IssuedAtTime": "1970-01-01T00:00:00", "UniqueTokenId": "eRFzqIsx-0mF9YdN0DHVAA"}, "AppId": "00000002-0000-0ff1-ce00-000000000000", "ClientAppId": "00000002-0000-0ff1-ce00-000000000000", "ClientIP": "189.135.168.197", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=OWA;Action=ViaProxy", "CreationTime": "2025-01-16T03:41:16", "CrossMailboxOperation": false, "ExternalAccess": false, "Folder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAB", "Path": "\\Deleted Items"}, "Id": "d139efeb-9557-48ac-6067-08dcffa73373", "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxGuid": "51eb74b6-8b5e-4d97-a051-b69bd0b2cb77", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxOwnerUPN": "victim_1@attack_range.lan", "Operation": "SoftDelete", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "SN6PR08MB4638 (15.20.4200.000)\r\n", "RecordType": 3, "ResultStatus": "Succeeded", "SessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "UserId": "victim_1@attack_range.lan", "UserKey": "10037FFE8CCD1F10", "UserType": 0, "Version": 1, "Workload": "Exchange"}
{"AffectedItems": [{"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAFzIXi2IUPRISo8vEZM/upAAXJHJbpAAAJ", "InternetMessageId": "<0100019309a1aab5-95864cc5-4c1c-48aa-b3cc-b37bb00a20e0-000000@email.amazonses.com>", "ParentFolder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAB", "Path": "\\Deleted Items"}, "Subject": "Profile Update Notification"}], "AppAccessContext": {"AADSessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "IssuedAtTime": "1970-01-01T00:00:00", "UniqueTokenId": "eRFzqIsx-0mF9YdN0DHVAA"}, "AppId": "00000002-0000-0ff1-ce00-000000000000", "ClientAppId": "00000002-0000-0ff1-ce00-000000000000", "ClientIP": "189.135.168.197", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=OWA;Action=ViaProxy", "CreationTime": "2025-01-16T03:41:16", "CrossMailboxOperation": false, "ExternalAccess": false, "Folder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAB", "Path": "\\Deleted Items"}, "Id": "44f7d2f3-29c0-4d59-5189-08dcffa73303", "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxGuid": "51eb74b6-8b5e-4d97-a051-b69bd0b2cb77", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxOwnerUPN": "victim_1@attack_range.lan", "Operation": "SoftDelete", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "SN6PR08MB4638 (15.20.4200.000)\r\n", "RecordType": 3, "ResultStatus": "Succeeded", "SessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "UserId": "victim_1@attack_range.lan", "UserKey": "10037FFE8CCD1F10", "UserType": 0, "Version": 1, "Workload": "Exchange"}
{"AffectedItems": [{"Attachments": "image (3540b); image (63465b)", "Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAFzIXi2IUPRISo8vEZM/upAAXJHJbmAAAJ", "InternetMessageId": "<104042946.22658.1731032209807@app131163.sjc201.ticketing-system.local>", "ParentFolder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAB", "Path": "\\Deleted Items"}, "Subject": "Incident receipt confirmation"}], "AppAccessContext": {"AADSessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "IssuedAtTime": "1970-01-01T00:00:00", "UniqueTokenId": "eRFzqIsx-0mF9YdN0DHVAA"}, "AppId": "00000002-0000-0ff1-ce00-000000000000", "ClientAppId": "00000002-0000-0ff1-ce00-000000000000", "ClientIP": "189.135.168.197", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=OWA;Action=ViaProxy", "CreationTime": "2025-01-16T03:41:16", "CrossMailboxOperation": false, "ExternalAccess": false, "Folder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAB", "Path": "\\Deleted Items"}, "Id": "7adf1ea7-64ad-4c15-c44b-08dcffa73356", "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxGuid": "51eb74b6-8b5e-4d97-a051-b69bd0b2cb77", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxOwnerUPN": "victim_1@attack_range.lan", "Operation": "SoftDelete", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "SN6PR08MB4638 (15.20.4200.000)\r\n", "RecordType": 3, "ResultStatus": "Succeeded", "SessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "UserId": "victim_1@attack_range.lan", "UserKey": "10037FFE8CCD1F10", "UserType": 0, "Version": 1, "Workload": "Exchange"}
{"AffectedItems": [{"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAFzIXi2IUPRISo8vEZM/upAAXJHJbqAAAJ", "InternetMessageId": "<0100019309a0398e-62735e6e-dad4-43ec-883d-c24928f73406-000000@email.amazonses.com>", "ParentFolder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAB", "Path": "\\Deleted Items"}, "Subject": "OTP Notification"}], "AppAccessContext": {"AADSessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "IssuedAtTime": "1970-01-01T00:00:00", "UniqueTokenId": "eRFzqIsx-0mF9YdN0DHVAA"}, "AppId": "00000002-0000-0ff1-ce00-000000000000", "ClientAppId": "00000002-0000-0ff1-ce00-000000000000", "ClientIP": "189.135.168.197", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=OWA;Action=ViaProxy", "CreationTime": "2025-01-16T03:41:16", "CrossMailboxOperation": false, "ExternalAccess": false, "Folder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAB", "Path": "\\Deleted Items"}, "Id": "518f278c-0698-4dda-645f-08dcffa73316", "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxGuid": "51eb74b6-8b5e-4d97-a051-b69bd0b2cb77", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxOwnerUPN": "victim_1@attack_range.lan", "Operation": "SoftDelete", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "SN6PR08MB4638 (15.20.4200.000)\r\n", "RecordType": 3, "ResultStatus": "Succeeded", "SessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "UserId": "victim_1@attack_range.lan", "UserKey": "10037FFE8CCD1F10", "UserType": 0, "Version": 1, "Workload": "Exchange"}
{"AffectedItems": [{"Attachments": "image (58877b)", "Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAFzIXi2IUPRISo8vEZM/upAAXJHJblAAAJ", "InternetMessageId": "<267242656.25203.1731032230949@app131010.sjc201.ticketing-system.local>", "ParentFolder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAB", "Path": "\\Deleted Items"}, "Subject": "Incident reported by you has been resolved"}], "AppAccessContext": {"AADSessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "IssuedAtTime": "1970-01-01T00:00:00", "UniqueTokenId": "eRFzqIsx-0mF9YdN0DHVAA"}, "AppId": "00000002-0000-0ff1-ce00-000000000000", "ClientAppId": "00000002-0000-0ff1-ce00-000000000000", "ClientIP": "189.135.168.197", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=OWA;Action=ViaProxy", "CreationTime": "2025-01-16T03:41:16", "CrossMailboxOperation": false, "ExternalAccess": false, "Folder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAB", "Path": "\\Deleted Items"}, "Id": "0a853b81-b596-433f-d841-08dcffa7334a", "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxGuid": "51eb74b6-8b5e-4d97-a051-b69bd0b2cb77", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxOwnerUPN": "victim_1@attack_range.lan", "Operation": "SoftDelete", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "SN6PR08MB4638 (15.20.4200.000)\r\n", "RecordType": 3, "ResultStatus": "Succeeded", "SessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "UserId": "victim_1@attack_range.lan", "UserKey": "10037FFE8CCD1F10", "UserType": 0, "Version": 1, "Workload": "Exchange"}
{"AffectedItems": [{"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAFzIXi2IUPRISo8vEZM/upAAXJHJbsAAAJ", "InternetMessageId": "<01000193099ddd0d-6bb4da1d-4d21-4836-9e22-82f3a863f9b1-000000@email.amazonses.com>", "ParentFolder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAB", "Path": "\\Deleted Items"}, "Subject": "Account Recovery Notification"}], "AppAccessContext": {"AADSessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "IssuedAtTime": "1970-01-01T00:00:00", "UniqueTokenId": "eRFzqIsx-0mF9YdN0DHVAA"}, "AppId": "00000002-0000-0ff1-ce00-000000000000", "ClientAppId": "00000002-0000-0ff1-ce00-000000000000", "ClientIP": "189.135.168.197", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=OWA;Action=ViaProxy", "CreationTime": "2025-01-16T03:41:16", "CrossMailboxOperation": false, "ExternalAccess": false, "Folder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAB", "Path": "\\Deleted Items"}, "Id": "73ceb287-7975-4dfe-3bf7-08dcffa7332e", "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxGuid": "51eb74b6-8b5e-4d97-a051-b69bd0b2cb77", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxOwnerUPN": "victim_1@attack_range.lan", "Operation": "SoftDelete", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "SN6PR08MB4638 (15.20.4200.000)\r\n", "RecordType": 3, "ResultStatus": "Succeeded", "SessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "UserId": "victim_1@attack_range.lan", "UserKey": "10037FFE8CCD1F10", "UserType": 0, "Version": 1, "Workload": "Exchange"}
{"AffectedItems": [{"Attachments": "image (58879b)", "Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAFzIXi2IUPRISo8vEZM/upAAXJHJbnAAAJ", "InternetMessageId": "<593972805.22655.1731032209520@app131163.sjc201.ticketing-system.local>", "ParentFolder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAB", "Path": "\\Deleted Items"}, "Subject": "Incident reported by you has been resolved"}], "AppAccessContext": {"AADSessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "IssuedAtTime": "1970-01-01T00:00:00", "UniqueTokenId": "eRFzqIsx-0mF9YdN0DHVAA"}, "AppId": "00000002-0000-0ff1-ce00-000000000000", "ClientAppId": "00000002-0000-0ff1-ce00-000000000000", "ClientIP": "189.135.168.197", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=OWA;Action=ViaProxy", "CreationTime": "2025-01-16T03:41:16", "CrossMailboxOperation": false, "ExternalAccess": false, "Folder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAB", "Path": "\\Deleted Items"}, "Id": "1c6c03c9-8f08-4237-122f-08dcffa73365", "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxGuid": "51eb74b6-8b5e-4d97-a051-b69bd0b2cb77", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxOwnerUPN": "victim_1@attack_range.lan", "Operation": "SoftDelete", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "SN6PR08MB4638 (15.20.4200.000)\r\n", "RecordType": 3, "ResultStatus": "Succeeded", "SessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "UserId": "victim_1@attack_range.lan", "UserKey": "10037FFE8CCD1F10", "UserType": 0, "Version": 1, "Workload": "Exchange"}
{"AffectedItems": [{"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwCbnyV1WEjoRJdRRXwsvZWeAAANmwX0AAAFzIXi2IUPRISo8vEZM/upAAXHrhjyAAAJ", "InternetMessageId": "<SN6PR08MB4638A4D6E73D29D8CE16AD29DD512@SN6PR08MB4638.namprd08.prod.outlook.com>", "ParentFolder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX0AAAB", "Path": "\\Inbox"}, "Subject": "Outlook Rules Organizer"}], "AppAccessContext": {"AADSessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "IssuedAtTime": "1970-01-01T00:00:00", "UniqueTokenId": "eRFzqIsx-0mF9YdN0DHVAA"}, "AppId": "00000002-0000-0ff1-ce00-000000000000", "ClientAppId": "00000002-0000-0ff1-ce00-000000000000", "ClientIP": "189.135.168.197", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=OWA;Action=ViaProxy", "CreationTime": "2025-01-16T02:31:47", "CrossMailboxOperation": false, "ExternalAccess": false, "Folder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX0AAAB", "Path": "\\Inbox"}, "Id": "692d31eb-e020-40bd-ee30-08dcff9d7e7a", "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxGuid": "51eb74b6-8b5e-4d97-a051-b69bd0b2cb77", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxOwnerUPN": "victim_1@attack_range.lan", "Operation": "HardDelete", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "SN6PR08MB4638 (15.20.4200.000)\r\n", "RecordType": 3, "ResultStatus": "Succeeded", "SessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "UserId": "victim_1@attack_range.lan", "UserKey": "10037FFE8CCD1F10", "UserType": 0, "Version": 1, "Workload": "Exchange"}
{"AppAccessContext": {"AADSessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "IssuedAtTime": "1970-01-01T00:00:00", "UniqueTokenId": "eRFzqIsx-0mF9YdN0DHVAA"}, "AppId": "00000002-0000-0ff1-ce00-000000000000", "AppPoolName": "MSExchangeOWAAppPool", "ClientAppId": "", "ClientIP": "189.135.168.197:26386", "CorrelationID": "", "CreationTime": "2025-01-16T02:32:33", "ExternalAccess": false, "Id": "f23b11d6-9703-439d-59aa-08dcff9d9a13", "ObjectId": "NAMPR08A009.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/attack_range.onmicrosoft.com/User, Victim\\clear category", "Operation": "New-InboxRule", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "SN6PR08MB4638 (15.20.8137.018)", "Parameters": [{"Name": "AlwaysDeleteOutlookRulesBlob", "Value": "False"}, {"Name": "Force", "Value": "False"}, {"Name": "MoveToFolder", "Value": "RSS Subscriptions"}, {"Name": "Name", "Value": "clear category"}, {"Name": "SubjectOrBodyContainsWords", "Value": "nctracks"}, {"Name": "StopProcessingRules", "Value": "True"}], "RecordType": 1, "RequestId": "a0b0f6fe-c913-9673-e9aa-6b09da8c01e5", "ResultStatus": "True", "SessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "UserId": "victim_1@attack_range.lan", "UserKey": "victim_1@attack_range.lan", "UserType": 2, "Version": 1, "Workload": "Exchange"}
{"AppAccessContext": {"AADSessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "IssuedAtTime": "1970-01-01T00:00:00", "UniqueTokenId": "eRFzqIsx-0mF9YdN0DHVAA"}, "AppId": "00000002-0000-0ff1-ce00-000000000000", "AppPoolName": "MSExchangeOWAAppPool", "ClientAppId": "", "ClientIP": "189.135.168.197:26386", "CorrelationID": "", "CreationTime": "2025-01-16T02:31:47", "ExternalAccess": false, "Id": "19f2738e-4683-49eb-153a-08dcff9d7e82", "ObjectId": "NAMPR08A009.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/attack_range.onmicrosoft.com/User, Victim\\prcdnt.", "Operation": "New-InboxRule", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "SN6PR08MB4638 (15.20.8137.018)", "Parameters": [{"Name": "AlwaysDeleteOutlookRulesBlob", "Value": "False"}, {"Name": "Force", "Value": "False"}, {"Name": "MoveToFolder", "Value": "RSS Subscriptions"}, {"Name": "Name", "Value": "prcdnt."}, {"Name": "SubjectOrBodyContainsWords", "Value": "ncid"}, {"Name": "MarkAsRead", "Value": "True"}, {"Name": "StopProcessingRules", "Value": "True"}], "RecordType": 1, "RequestId": "385856b1-cfc0-5d99-66ea-2e2d310ad1c5", "ResultStatus": "True", "SessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "UserId": "victim_1@attack_range.lan", "UserKey": "victim_1@attack_range.lan", "UserType": 2, "Version": 1, "Workload": "Exchange"}
{"AffectedItems": [{"Id": "RgAAAABco9FYUqHuQZVRAzYb+LpbBwAHj9Rt7xu3T6AFnLCa5YFsAAAAlbZ8AACZTxmXAtpnR51JdZTRzLefAAVh4NoiAAAJ", "InternetMessageId": "<bd818c50-7925-4664-82c6-f8eb626d4c2f@mailserver2001.attack_range.lan>", "ParentFolder": {"Id": "LgAAAABco9FYUqHuQZVRAzYb+LpbAQAHj9Rt7xu3T6AFnLCa5YFsAAAAlbZ8AAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Paycheck Manager \u2014 Your direct deposit request has been submitted."}], "AppId": "00000002-0000-0ff1-ce00-000000000000", "ClientIP": "189.135.168.197", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=OWA;Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 Edg/130.0.0.0;", "CreationTime": "2025-01-16T02:59:24", "CrossMailboxOperation": false, "ExternalAccess": false, "Folder": {"Id": "LgAAAABco9FYUqHuQZVRAzYb+LpbAQAHj9Rt7xu3T6AFnLCa5YFsAAAAlbZ8AAAB", "Path": "\\Recoverable Items\\Deletions"}, "Id": "a9d4defe-038e-4d36-399a-08dc6f027c5d", "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-5957393", "MailboxGuid": "d0a780c1-ee6a-40fa-8a79-f8fd26623101", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-5957393", "MailboxOwnerUPN": "victim_1@attack_range.lan", "Operation": "HardDelete", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "DS0PR08MB8678 (15.20.4200.000)\r\n", "RecordType": 3, "ResultStatus": "Succeeded", "SessionId": "9e669482-3aad-4ec8-97e8-433ac3058560", "UserId": "victim_1@attack_range.lan", "UserKey": "10033FFF8E154F12", "UserType": 0, "Version": 1, "Workload": "Exchange"}
{"AffectedItems": [{"Id": "RgAAAABco9FYUqHuQZVRAzYb+LpbBwAHj9Rt7xu3T6AFnLCa5YFsAAAAlbZUAACZTxmXAtpnR51JdZTRzLefAAVh4HUIAAAJ", "InternetMessageId": "<bd818c50-7925-4664-82c6-f8eb626d4c2f@mailserver2001.attack_range.lan>", "ParentFolder": {"Id": "LgAAAABco9FYUqHuQZVRAzYb+LpbAQAHj9Rt7xu3T6AFnLCa5YFsAAAAlbZUAAAB", "Path": "\\Deleted Items"}, "Subject": "Paycheck Manager \u2014 Your direct deposit request has been submitted."}], "AppId": "00000002-0000-0ff1-ce00-000000000000", "ClientIP": "189.135.168.197", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=OWA;Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 Edg/130.0.0.0;", "CreationTime": "2025-01-16T02:58:49", "CrossMailboxOperation": false, "ExternalAccess": false, "Folder": {"Id": "LgAAAABco9FYUqHuQZVRAzYb+LpbAQAHj9Rt7xu3T6AFnLCa5YFsAAAAlbZUAAAB", "Path": "\\Deleted Items"}, "Id": "9c20f55e-15c0-4ff3-f800-08dc6f02673f", "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-5957393", "MailboxGuid": "d0a780c1-ee6a-40fa-8a79-f8fd26623101", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-5957393", "MailboxOwnerUPN": "victim_1@attack_range.lan", "Operation": "SoftDelete", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "DS0PR08MB8678 (15.20.4200.000)\r\n", "RecordType": 3, "ResultStatus": "Succeeded", "SessionId": "9e669482-3aad-4ec8-97e8-433ac3058560", "UserId": "victim_1@attack_range.lan", "UserKey": "10033FFF8E154F12", "UserType": 0, "Version": 1, "Workload": "Exchange"}
{"AppId": "00000002-0000-0ff1-ce00-000000000000", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=OWA;Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 Edg/130.0.0.0;", "CreationTime": "2025-01-16T02:58:30", "ExternalAccess": false, "Folders": [{"FolderItems": [{"Id": "RgAAAABco9FYUqHuQZVRAzYb+LpbBwAHj9Rt7xu3T6AFnLCa5YFsAAAAlbZ8AACZTxmXAtpnR51JdZTRzLefAAVh4NaWAAAJ", "InternetMessageId": "<28924597.92267.1715108242528@app134012.sjc201.ticketing-system.local>", "SizeInBytes": 144569}, {"Id": "RgAAAABco9FYUqHuQZVRAzYb+LpbBwAHj9Rt7xu3T6AFnLCa5YFsAAAAlbZ8AACZTxmXAtpnR51JdZTRzLefAAVh4NaXAAAJ", "InternetMessageId": "<139bd8e4-159e-4b18-9874-fb582d691b60@mailserver1000.attack_range.lan>", "SizeInBytes": 51527}, {"Id": "RgAAAABco9FYUqHuQZVRAzYb+LpbBwAHj9Rt7xu3T6AFnLCa5YFsAAAAlbZ8AACZTxmXAtpnR51JdZTRzLefAAVh4NaYAAAJ", "InternetMessageId": "<1a13909b-a6b4-4c28-bb41-dd134a6e60ee@mailserver1003.attack_range.lan>", "SizeInBytes": 38184}, {"Id": "RgAAAABco9FYUqHuQZVRAzYb+LpbBwAHj9Rt7xu3T6AFnLCa5YFsAAAAlbZ8AACZTxmXAtpnR51JdZTRzLefAAVh4NaZAAAJ", "InternetMessageId": "<79ea9b50-3fc6-4ee8-bd1a-35743e7620a1@mailserver1003.attack_range.lan>", "SizeInBytes": 38541}, {"Id": "RgAAAABco9FYUqHuQZVRAzYb+LpbBwAHj9Rt7xu3T6AFnLCa5YFsAAAAlbZ8AACZTxmXAtpnR51JdZTRzLefAAVh4NaaAAAJ", "InternetMessageId": "<7987848.81728.1715104905218@app131147.sjc201.ticketing-system.local>", "SizeInBytes": 131807}, {"Id": "RgAAAABco9FYUqHuQZVRAzYb+LpbBwAHj9Rt7xu3T6AFnLCa5YFsAAAAlbZ8AACZTxmXAtpnR51JdZTRzLefAAVh4NabAAAJ", "InternetMessageId": "<1712578.87687.1715104349270@app131162.sjc201.ticketing-system.local>", "SizeInBytes": 140533}, {"Id": "RgAAAABco9FYUqHuQZVRAzYb+LpbBwAHj9Rt7xu3T6AFnLCa5YFsAAAAlbZ8AACZTxmXAtpnR51JdZTRzLefAAVh4NalAAAJ", "InternetMessageId": "<816fc8fd-b0ee-4bc7-b2e3-242045d3d048@mailserver1000.attack_range.lan>", "SizeInBytes": 50529}], "Id": "LgAAAABco9FYUqHuQZVRAzYb+LpbAQAHj9Rt7xu3T6AFnLCa5YFsAAAAlbZ8AAAB", "Path": "\\Recoverable Items\\Deletions"}, {"FolderItems": [{"Id": "RgAAAABco9FYUqHuQZVRAzYb+LpbBwAHj9Rt7xu3T6AFnLCa5YFsAAAAlbZUAACZTxmXAtpnR51JdZTRzLefAAVh4HUIAAAJ", "InternetMessageId": "<bd818c50-7925-4664-82c6-f8eb626d4c2f@mailserver2001.attack_range.lan>", "SizeInBytes": 42104}], "Id": "LgAAAABco9FYUqHuQZVRAzYb+LpbAQAHj9Rt7xu3T6AFnLCa5YFsAAAAlbZUAAAB", "Path": "\\Deleted Items"}], "Id": "7d640b91-8052-415d-8bd9-62b72e4c4edc", "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-5957393", "MailboxGuid": "d0a780c1-ee6a-40fa-8a79-f8fd26623101", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-5957393", "MailboxOwnerUPN": "victim_1@attack_range.lan", "Operation": "MailItemsAccessed", "OperationCount": 8, "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}, {"Name": "IsThrottled", "Value": "False"}], "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "DS0PR08MB8678 (15.20.4200.000)\r\n", "RecordType": 50, "ResultStatus": "Succeeded", "SessionId": "9e669482-3aad-4ec8-97e8-433ac3058560", "UserId": "victim_1@attack_range.lan", "UserKey": "10033FFF8E154F12", "UserType": 0, "Version": 1, "Workload": "Exchange"}
{"AffectedItems": [{"Id": "RgAAAABco9FYUqHuQZVRAzYb+LpbBwAHj9Rt7xu3T6AFnLCa5YFsAAAAlbZRAACZTxmXAtpnR51JdZTRzLefAAVh4Ee/AAAJ", "InternetMessageId": "<bd818c50-7925-4664-82c6-f8eb626d4c2f@mailserver2001.attack_range.lan>", "ParentFolder": {"Id": "LgAAAABco9FYUqHuQZVRAzYb+LpbAQAHj9Rt7xu3T6AFnLCa5YFsAAAAlbZRAAAB", "Path": "\\Inbox"}, "Subject": "Paycheck Manager \u2014 Your direct deposit request has been submitted."}], "AppId": "00000002-0000-0ff1-ce00-000000000000", "ClientIP": "189.135.168.197", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=OWA;Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 Edg/130.0.0.0;", "CreationTime": "2025-01-16T02:58:27", "CrossMailboxOperation": false, "DestFolder": {"Id": "LgAAAABco9FYUqHuQZVRAzYb+LpbAQAHj9Rt7xu3T6AFnLCa5YFsAAAAlbZUAAAB", "Path": "\\Deleted Items"}, "ExternalAccess": false, "Folder": {"Id": "LgAAAABco9FYUqHuQZVRAzYb+LpbAQAHj9Rt7xu3T6AFnLCa5YFsAAAAlbZRAAAB", "Path": "\\Inbox"}, "Id": "e0f6a82a-4c02-4687-3a32-08dc6f025a06", "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-5957393", "MailboxGuid": "d0a780c1-ee6a-40fa-8a79-f8fd26623101", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-5957393", "MailboxOwnerUPN": "victim_1@attack_range.lan", "Operation": "MoveToDeletedItems", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "DS0PR08MB8678 (15.20.4200.000)\r\n", "RecordType": 3, "ResultStatus": "Succeeded", "SessionId": "9e669482-3aad-4ec8-97e8-433ac3058560", "UserId": "victim_1@attack_range.lan", "UserKey": "10033FFF8E154F12", "UserType": 0, "Version": 1, "Workload": "Exchange"}
{"AppAccessContext": {"IssuedAtTime": "2025-01-16T13:12:35", "UniqueTokenId": "51413587-2e65-4863-bba1-b1daddacf310"}, "AppId": "13937bba-652e-4c46-b222-3003f4d1ff97", "ClientAppId": "13937bba-652e-4c46-b222-3003f4d1ff97", "ClientIPAddress": "2603:10b6:806:f8::16", "ClientInfoString": "Client=REST;Client=RESTSystem;;", "CreationTime": "2025-01-16T13:19:44", "ExternalAccess": false, "Folders": [{"FolderItems": [{"ClientRequestId": "8dcbe1be-f3d7-4e13-8d04-62276c7e60d7", "Id": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQAFzIXi2IUPRISo8vEZM/upAAXJHZHeAAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQAFzIXi2IUPRISo8vEZM/upAAXJHZHeAAAJ", "InternetMessageId": "<beee425e-de47-490c-aae9-dae74de48442@mailserver2001.attack_range.lan>", "SizeInBytes": 52486}], "Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLwAAAB", "Path": "\\Recoverable Items\\Purges"}, {"FolderItems": [{"ClientRequestId": "f5c066c8-a871-4bbf-ae9d-3ba5f2fedb3b", "Id": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQAFzIXi2IUPRISo8vEZM/upAAXJHY4HAAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQAFzIXi2IUPRISo8vEZM/upAAXJHY4HAAAJ", "InternetMessageId": "<VFAX2000q6DqaJY4kJS000000b4@vfax2000.attack_range.lan>", "SizeInBytes": 141737}, {"ClientRequestId": "84cb94ae-4aa5-424e-8b74-b54de7d112bc", "Id": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQAFzIXi2IUPRISo8vEZM/upAAXJHYY5AAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQAFzIXi2IUPRISo8vEZM/upAAXJHYY5AAAJ", "InternetMessageId": "<VFAX20002fPmsSVhGOD0001510d@vfax2000.attack_range.lan>", "SizeInBytes": 70793}], "Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX0AAAB", "Path": "\\Inbox"}], "Id": "bcf3bd47-f4ad-4cea-9f3f-77cf0aa7b186", "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxGuid": "51eb74b6-8b5e-4d97-a051-b69bd0b2cb77", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxOwnerUPN": "victim_1@attack_range.lan", "Operation": "MailItemsAccessed", "OperationCount": 3, "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}, {"Name": "IsThrottled", "Value": "False"}], "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "SN6PR08MB4638 (15.20.4200.000)\r\n", "RecordType": 50, "ResultStatus": "Succeeded", "UserId": "victim_1@attack_range.lan", "UserKey": "13937bba-652e-4c46-b222-3003f4d1ff97", "UserType": 5, "Version": 1, "Workload": "Exchange"}
{"AffectedItems": [{"Attachments": "image (58877b)", "Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAFzIXi2IUPRISo8vEZM/upAAXJHLt3AAAJ", "InternetMessageId": "<267242656.25203.1731032230949@app131010.sjc201.ticketing-system.local>", "ParentFolder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Incident reported by you has been resolved"}, {"Attachments": "image (3540b); image (63465b)", "Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAFzIXi2IUPRISo8vEZM/upAAXJHLt4AAAJ", "InternetMessageId": "<104042946.22658.1731032209807@app131163.sjc201.ticketing-system.local>", "ParentFolder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Incident receipt confirmation"}, {"Attachments": "image (58879b)", "Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAFzIXi2IUPRISo8vEZM/upAAXJHLt5AAAJ", "InternetMessageId": "<593972805.22655.1731032209520@app131163.sjc201.ticketing-system.local>", "ParentFolder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Incident reported by you has been resolved"}, {"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAFzIXi2IUPRISo8vEZM/upAAXJHLt6AAAJ", "InternetMessageId": "<beee425e-de47-490c-aae9-dae74de48442@mailserver2001.attack_range.lan>", "ParentFolder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Password Manager \u2014 Passcode was Reset"}], "AppAccessContext": {"AADSessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "IssuedAtTime": "1970-01-01T00:00:00", "UniqueTokenId": "eRFzqIsx-0mF9YdN0DHVAA"}, "AppId": "00000002-0000-0ff1-ce00-000000000000", "ClientAppId": "00000002-0000-0ff1-ce00-000000000000", "ClientIP": "189.135.168.197", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=OWA;Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 Edg/130.0.0.0;", "CreationTime": "2025-01-16T03:41:38", "CrossMailboxOperation": false, "ExternalAccess": false, "Folder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Id": "ee6a54bf-49c5-476b-d3cc-08dcffa74029", "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxGuid": "51eb74b6-8b5e-4d97-a051-b69bd0b2cb77", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxOwnerUPN": "victim_1@attack_range.lan", "Operation": "HardDelete", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "SN6PR08MB4638 (15.20.4200.000)\r\n", "RecordType": 3, "ResultStatus": "Succeeded", "SessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "UserId": "victim_1@attack_range.lan", "UserKey": "10037FFE8CCD1F10", "UserType": 0, "Version": 1, "Workload": "Exchange"}
{"AffectedItems": [{"Attachments": "image (58877b)", "Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAFzIXi2IUPRISo8vEZM/upAAXJHLt3AAAJ", "InternetMessageId": "<267242656.25203.1731032230949@app131010.sjc201.ticketing-system.local>", "ParentFolder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Incident reported by you has been resolved"}, {"Attachments": "image (3540b); image (63465b)", "Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAFzIXi2IUPRISo8vEZM/upAAXJHLt4AAAJ", "InternetMessageId": "<104042946.22658.1731032209807@app131163.sjc201.ticketing-system.local>", "ParentFolder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Incident receipt confirmation"}, {"Attachments": "image (58879b)", "Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAFzIXi2IUPRISo8vEZM/upAAXJHLt5AAAJ", "InternetMessageId": "<593972805.22655.1731032209520@app131163.sjc201.ticketing-system.local>", "ParentFolder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Incident reported by you has been resolved"}, {"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAFzIXi2IUPRISo8vEZM/upAAXJHLt6AAAJ", "InternetMessageId": "<beee425e-de47-490c-aae9-dae74de48442@mailserver2001.attack_range.lan>", "ParentFolder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Password Manager \u2014 Passcode was Reset"}], "AppAccessContext": {"AADSessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "IssuedAtTime": "1970-01-01T00:00:00", "UniqueTokenId": "eRFzqIsx-0mF9YdN0DHVAA"}, "AppId": "00000002-0000-0ff1-ce00-000000000000", "ClientAppId": "00000002-0000-0ff1-ce00-000000000000", "ClientIP": "189.135.168.197", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=OWA;Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 Edg/130.0.0.0;", "CreationTime": "2025-01-16T03:41:38", "CrossMailboxOperation": false, "ExternalAccess": false, "Folder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Id": "ee6a54bf-49c5-476b-d3cc-08dcffa74029", "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxGuid": "51eb74b6-8b5e-4d97-a051-b69bd0b2cb77", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxOwnerUPN": "victim_1@attack_range.lan", "Operation": "HardDelete", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "SN6PR08MB4638 (15.20.4200.000)\r\n", "RecordType": 3, "ResultStatus": "Succeeded", "SessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "UserId": "victim_1@attack_range.lan", "UserKey": "10037FFE8CCD1F10", "UserType": 0, "Version": 1, "Workload": "Exchange"}
{"AppAccessContext": {"AADSessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "IssuedAtTime": "1970-01-01T00:00:00", "UniqueTokenId": "eRFzqIsx-0mF9YdN0DHVAA"}, "AppId": "00000002-0000-0ff1-ce00-000000000000", "ClientAppId": "00000002-0000-0ff1-ce00-000000000000", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=OWA;Action=ViaProxy", "CreationTime": "2025-01-16T03:41:20", "ExternalAccess": false, "Folders": [{"FolderItems": [{"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwCbnyV1WEjoRJdRRXwsvZWeAAANmwX2AAAFzIXi2IUPRISo8vEZM/upAAUs99IiAAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQAFzIXi2IUPRISo8vEZM/upAAXDtfTnAAAJ", "InternetMessageId": "<SN6PR08MB4638D3748A18C209BFF11980DD4B2@SN6PR08MB4638.namprd08.prod.outlook.com>", "SizeInBytes": 54792}, {"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwCbnyV1WEjoRJdRRXwsvZWeAAANmwX2AAAFzIXi2IUPRISo8vEZM/upAAUs99HbAAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQAFzIXi2IUPRISo8vEZM/upAAW/IxRFAAAJ", "InternetMessageId": "<SN6PR08MB4638F9923C6B358A4B4B1875DD4F2@SN6PR08MB4638.namprd08.prod.outlook.com>", "SizeInBytes": 181958}, {"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwCbnyV1WEjoRJdRRXwsvZWeAAANmwX2AAAFzIXi2IUPRISo8vEZM/upAAUs973IAAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQAFzIXi2IUPRISo8vEZM/upAAWw3ZNaAAAJ", "InternetMessageId": "<SN6PR08MB4638221F1017210FE738EA21DD762@SN6PR08MB4638.namprd08.prod.outlook.com>", "SizeInBytes": 176243}], "Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX2AAAB", "Path": "\\Sent Items"}, {"FolderItems": [{"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAFzIXi2IUPRISo8vEZM/upAAXJHLt4AAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQAFzIXi2IUPRISo8vEZM/upAAXJHZHpAAAJ", "InternetMessageId": "<104042946.22658.1731032209807@app131163.sjc201.ticketing-system.local>", "SizeInBytes": 139023}, {"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAFzIXi2IUPRISo8vEZM/upAAXJHLt5AAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQAFzIXi2IUPRISo8vEZM/upAAXJHZHjAAAJ", "InternetMessageId": "<593972805.22655.1731032209520@app131163.sjc201.ticketing-system.local>", "SizeInBytes": 133986}, {"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAFzIXi2IUPRISo8vEZM/upAAXJHLt6AAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQAFzIXi2IUPRISo8vEZM/upAAXJHZHeAAAJ", "InternetMessageId": "<beee425e-de47-490c-aae9-dae74de48442@mailserver2001.attack_range.lan>", "SizeInBytes": 52486}, {"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAFzIXi2IUPRISo8vEZM/upAAXJHLtxAAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQAFzIXi2IUPRISo8vEZM/upAAXJHLs9AAAJ", "InternetMessageId": "<SN6PR08MB463829AF57A4E1461F810123DD532@SN6PR08MB4638.namprd08.prod.outlook.com>", "SizeInBytes": 778894}, {"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAFzIXi2IUPRISo8vEZM/upAAXHr0cjAAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQAFzIXi2IUPRISo8vEZM/upAAXHsgllAAAJ", "InternetMessageId": "<SN6PR08MB4638E15186C6CE60FFD902EEDD522@SN6PR08MB4638.namprd08.prod.outlook.com>", "SizeInBytes": 65207}], "Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAB", "Path": "\\Recoverable Items\\Deletions"}, {"FolderItems": [{"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwCbMdE/GEqTQpr8KvAJXyDbAAAFh0iLAAAFzIXi2IUPRISo8vEZM/upAAQ/eakDAAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQAFzIXi2IUPRISo8vEZM/upAAW/Iqz/AAAJ", "InternetMessageId": "<SN6PR08MB4638AE6EAFB11D68B135FCABDD4E2@SN6PR08MB4638.namprd08.prod.outlook.com>", "SizeInBytes": 85981}], "Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbMdE/GEqTQpr8KvAJXyDbAAAFh0iLAAAB", "Path": "\\Southpark"}], "Id": "f02c9e9d-f9e4-41f5-b57f-ecf60f00788a", "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxGuid": "51eb74b6-8b5e-4d97-a051-b69bd0b2cb77", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxOwnerUPN": "victim_1@attack_range.lan", "Operation": "MailItemsAccessed", "OperationCount": 9, "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}, {"Name": "IsThrottled", "Value": "False"}], "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "SN6PR08MB4638 (15.20.4200.000)\r\n", "RecordType": 50, "ResultStatus": "Succeeded", "SessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "UserId": "victim_1@attack_range.lan", "UserKey": "10037FFE8CCD1F10", "UserType": 0, "Version": 1, "Workload": "Exchange"}
{"AppAccessContext": {"AADSessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "IssuedAtTime": "1970-01-01T00:00:00", "UniqueTokenId": "eRFzqIsx-0mF9YdN0DHVAA"}, "AppId": "00000002-0000-0ff1-ce00-000000000000", "ClientAppId": "00000002-0000-0ff1-ce00-000000000000", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=OWA;Action=ViaProxy", "CreationTime": "2025-01-16T03:41:20", "ExternalAccess": false, "Folders": [{"FolderItems": [{"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwCbnyV1WEjoRJdRRXwsvZWeAAANmwX2AAAFzIXi2IUPRISo8vEZM/upAAUs99IiAAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQAFzIXi2IUPRISo8vEZM/upAAXDtfTnAAAJ", "InternetMessageId": "<SN6PR08MB4638D3748A18C209BFF11980DD4B2@SN6PR08MB4638.namprd08.prod.outlook.com>", "SizeInBytes": 54792}, {"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwCbnyV1WEjoRJdRRXwsvZWeAAANmwX2AAAFzIXi2IUPRISo8vEZM/upAAUs99HbAAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQAFzIXi2IUPRISo8vEZM/upAAW/IxRFAAAJ", "InternetMessageId": "<SN6PR08MB4638F9923C6B358A4B4B1875DD4F2@SN6PR08MB4638.namprd08.prod.outlook.com>", "SizeInBytes": 181958}, {"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwCbnyV1WEjoRJdRRXwsvZWeAAANmwX2AAAFzIXi2IUPRISo8vEZM/upAAUs973IAAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQAFzIXi2IUPRISo8vEZM/upAAWw3ZNaAAAJ", "InternetMessageId": "<SN6PR08MB4638221F1017210FE738EA21DD762@SN6PR08MB4638.namprd08.prod.outlook.com>", "SizeInBytes": 176243}], "Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX2AAAB", "Path": "\\Sent Items"}, {"FolderItems": [{"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAFzIXi2IUPRISo8vEZM/upAAXJHLt4AAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQAFzIXi2IUPRISo8vEZM/upAAXJHZHpAAAJ", "InternetMessageId": "<104042946.22658.1731032209807@app131163.sjc201.ticketing-system.local>", "SizeInBytes": 139023}, {"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAFzIXi2IUPRISo8vEZM/upAAXJHLt5AAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQAFzIXi2IUPRISo8vEZM/upAAXJHZHjAAAJ", "InternetMessageId": "<593972805.22655.1731032209520@app131163.sjc201.ticketing-system.local>", "SizeInBytes": 133986}, {"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAFzIXi2IUPRISo8vEZM/upAAXJHLt6AAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQAFzIXi2IUPRISo8vEZM/upAAXJHZHeAAAJ", "InternetMessageId": "<beee425e-de47-490c-aae9-dae74de48442@mailserver2001.attack_range.lan>", "SizeInBytes": 52486}, {"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAFzIXi2IUPRISo8vEZM/upAAXJHLtxAAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQAFzIXi2IUPRISo8vEZM/upAAXJHLs9AAAJ", "InternetMessageId": "<SN6PR08MB463829AF57A4E1461F810123DD532@SN6PR08MB4638.namprd08.prod.outlook.com>", "SizeInBytes": 778894}, {"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAFzIXi2IUPRISo8vEZM/upAAXHr0cjAAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQAFzIXi2IUPRISo8vEZM/upAAXHsgllAAAJ", "InternetMessageId": "<SN6PR08MB4638E15186C6CE60FFD902EEDD522@SN6PR08MB4638.namprd08.prod.outlook.com>", "SizeInBytes": 65207}], "Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQBGbZqJmK0XS6cbI8Sqvv4UAAAAAfLmAAAB", "Path": "\\Recoverable Items\\Deletions"}, {"FolderItems": [{"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwCbMdE/GEqTQpr8KvAJXyDbAAAFh0iLAAAFzIXi2IUPRISo8vEZM/upAAQ/eakDAAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQAFzIXi2IUPRISo8vEZM/upAAW/Iqz/AAAJ", "InternetMessageId": "<SN6PR08MB4638AE6EAFB11D68B135FCABDD4E2@SN6PR08MB4638.namprd08.prod.outlook.com>", "SizeInBytes": 85981}], "Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbMdE/GEqTQpr8KvAJXyDbAAAFh0iLAAAB", "Path": "\\Southpark"}], "Id": "f02c9e9d-f9e4-41f5-b57f-ecf60f00788a", "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxGuid": "51eb74b6-8b5e-4d97-a051-b69bd0b2cb77", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxOwnerUPN": "victim_1@attack_range.lan", "Operation": "MailItemsAccessed", "OperationCount": 9, "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}, {"Name": "IsThrottled", "Value": "False"}], "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "SN6PR08MB4638 (15.20.4200.000)\r\n", "RecordType": 50, "ResultStatus": "Succeeded", "SessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "UserId": "victim_1@attack_range.lan", "UserKey": "10037FFE8CCD1F10", "UserType": 0, "Version": 1, "Workload": "Exchange"}
{"AffectedItems": [{"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAFzIXi2IUPRISo8vEZM/upAAXJHJboAAAJ", "InternetMessageId": "<beee425e-de47-490c-aae9-dae74de48442@mailserver2001.attack_range.lan>", "ParentFolder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAB", "Path": "\\Deleted Items"}, "Subject": "Password Manager \u2014 Passcode was Reset"}], "AppAccessContext": {"AADSessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "IssuedAtTime": "1970-01-01T00:00:00", "UniqueTokenId": "eRFzqIsx-0mF9YdN0DHVAA"}, "AppId": "00000002-0000-0ff1-ce00-000000000000", "ClientAppId": "00000002-0000-0ff1-ce00-000000000000", "ClientIP": "189.135.168.197", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=OWA;Action=ViaProxy", "CreationTime": "2025-01-16T03:41:16", "CrossMailboxOperation": false, "ExternalAccess": false, "Folder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAB", "Path": "\\Deleted Items"}, "Id": "d139efeb-9557-48ac-6067-08dcffa73373", "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxGuid": "51eb74b6-8b5e-4d97-a051-b69bd0b2cb77", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxOwnerUPN": "victim_1@attack_range.lan", "Operation": "SoftDelete", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "SN6PR08MB4638 (15.20.4200.000)\r\n", "RecordType": 3, "ResultStatus": "Succeeded", "SessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "UserId": "victim_1@attack_range.lan", "UserKey": "10037FFE8CCD1F10", "UserType": 0, "Version": 1, "Workload": "Exchange"}
{"AffectedItems": [{"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAFzIXi2IUPRISo8vEZM/upAAXJHJboAAAJ", "InternetMessageId": "<beee425e-de47-490c-aae9-dae74de48442@mailserver2001.attack_range.lan>", "ParentFolder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAB", "Path": "\\Deleted Items"}, "Subject": "Password Manager \u2014 Passcode was Reset"}], "AppAccessContext": {"AADSessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "IssuedAtTime": "1970-01-01T00:00:00", "UniqueTokenId": "eRFzqIsx-0mF9YdN0DHVAA"}, "AppId": "00000002-0000-0ff1-ce00-000000000000", "ClientAppId": "00000002-0000-0ff1-ce00-000000000000", "ClientIP": "189.135.168.197", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=OWA;Action=ViaProxy", "CreationTime": "2025-01-16T03:41:16", "CrossMailboxOperation": false, "ExternalAccess": false, "Folder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAB", "Path": "\\Deleted Items"}, "Id": "d139efeb-9557-48ac-6067-08dcffa73373", "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxGuid": "51eb74b6-8b5e-4d97-a051-b69bd0b2cb77", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxOwnerUPN": "victim_1@attack_range.lan", "Operation": "SoftDelete", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "SN6PR08MB4638 (15.20.4200.000)\r\n", "RecordType": 3, "ResultStatus": "Succeeded", "SessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "UserId": "victim_1@attack_range.lan", "UserKey": "10037FFE8CCD1F10", "UserType": 0, "Version": 1, "Workload": "Exchange"}
{"AffectedItems": [{"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwCbnyV1WEjoRJdRRXwsvZWeAAANmwX0AAAFzIXi2IUPRISo8vEZM/upAAXJG/5PAAAJ", "InternetMessageId": "<beee425e-de47-490c-aae9-dae74de48442@mailserver2001.attack_range.lan>", "ParentFolder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX0AAAB", "Path": "\\Inbox"}, "Subject": "Password Manager \u2014 Passcode was Reset"}], "AppAccessContext": {"AADSessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "IssuedAtTime": "1970-01-01T00:00:00", "UniqueTokenId": "eRFzqIsx-0mF9YdN0DHVAA"}, "AppId": "00000002-0000-0ff1-ce00-000000000000", "ClientAppId": "00000002-0000-0ff1-ce00-000000000000", "ClientIP": "189.135.168.197", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=OWA;Action=ViaProxy", "CreationTime": "2025-01-16T02:23:49", "CrossMailboxOperation": false, "DestFolder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX3AAAB", "Path": "\\Deleted Items"}, "ExternalAccess": false, "Folder": {"Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX0AAAB", "Path": "\\Inbox"}, "Id": "3ef46160-658d-49bf-d4ce-08dcff9c618e", "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxGuid": "51eb74b6-8b5e-4d97-a051-b69bd0b2cb77", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxOwnerUPN": "victim_1@attack_range.lan", "Operation": "MoveToDeletedItems", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "SN6PR08MB4638 (15.20.4200.000)\r\n", "RecordType": 3, "ResultStatus": "Succeeded", "SessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "UserId": "victim_1@attack_range.lan", "UserKey": "10037FFE8CCD1F10", "UserType": 0, "Version": 1, "Workload": "Exchange"}
{"AppAccessContext": {"AADSessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "IssuedAtTime": "1970-01-01T00:00:00", "UniqueTokenId": "eRFzqIsx-0mF9YdN0DHVAA"}, "AppId": "00000002-0000-0ff1-ce00-000000000000", "ClientAppId": "00000002-0000-0ff1-ce00-000000000000", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=OWA;Action=ViaProxy", "CreationTime": "2025-01-16T02:21:51", "ExternalAccess": false, "Folders": [{"FolderItems": [{"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwCbnyV1WEjoRJdRRXwsvZWeAAANmwX0AAAFzIXi2IUPRISo8vEZM/upAAXJG/5SAAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQAFzIXi2IUPRISo8vEZM/upAAXJHZHwAAAJ", "InternetMessageId": "<267242656.25203.1731032230949@app131010.sjc201.ticketing-system.local>", "SizeInBytes": 130509}, {"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwCbnyV1WEjoRJdRRXwsvZWeAAANmwX0AAAFzIXi2IUPRISo8vEZM/upAAXJG/5RAAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQAFzIXi2IUPRISo8vEZM/upAAXJHZHpAAAJ", "InternetMessageId": "<104042946.22658.1731032209807@app131163.sjc201.ticketing-system.local>", "SizeInBytes": 139000}, {"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwCbnyV1WEjoRJdRRXwsvZWeAAANmwX0AAAFzIXi2IUPRISo8vEZM/upAAXJG/5QAAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQAFzIXi2IUPRISo8vEZM/upAAXJHZHjAAAJ", "InternetMessageId": "<593972805.22655.1731032209520@app131163.sjc201.ticketing-system.local>", "SizeInBytes": 133963}, {"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwCbnyV1WEjoRJdRRXwsvZWeAAANmwX0AAAFzIXi2IUPRISo8vEZM/upAAXJG/5LAAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQAFzIXi2IUPRISo8vEZM/upAAXJHY33AAAJ", "InternetMessageId": "<CH3PR08MB91169A5AC0B6610AFEE22CDAED5D2@CH3PR08MB9116.namprd08.prod.outlook.com>", "SizeInBytes": 46506}, {"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwCbnyV1WEjoRJdRRXwsvZWeAAANmwX0AAAFzIXi2IUPRISo8vEZM/upAAXJG/4LAAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQAFzIXi2IUPRISo8vEZM/upAAXJHVZkAAAJ", "InternetMessageId": "<Share-4b9461a1-70b0-0000-42ed-ab3e4ffa1f03-06aa376c-6d87-4a45-adb7-097a86c82760-SendEmail-PreprocessPayload@odspnotify>", "SizeInBytes": 128561}, {"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwCbnyV1WEjoRJdRRXwsvZWeAAANmwX0AAAFzIXi2IUPRISo8vEZM/upAAXJG/5PAAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQAFzIXi2IUPRISo8vEZM/upAAXJHZHeAAAJ", "InternetMessageId": "<beee425e-de47-490c-aae9-dae74de48442@mailserver2001.attack_range.lan>", "SizeInBytes": 52463}, {"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwCbnyV1WEjoRJdRRXwsvZWeAAANmwX0AAAFzIXi2IUPRISo8vEZM/upAAXJG/2YAAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQAFzIXi2IUPRISo8vEZM/upAAXJHHodAAAJ", "InternetMessageId": "<MN2PR08MB6432C34CD63865210D255A81A5532@MN2PR08MB6432.namprd08.prod.outlook.com>", "SizeInBytes": 144799}, {"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwCbnyV1WEjoRJdRRXwsvZWeAAANmwX0AAAFzIXi2IUPRISo8vEZM/upAAXJG/5OAAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQAFzIXi2IUPRISo8vEZM/upAAXJHY/rAAAJ", "InternetMessageId": "<a5b00be5-c0d6-4e29-8692-957196afe2e0@atl1s11mta403.xt.local>", "SizeInBytes": 124180}, {"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwCbnyV1WEjoRJdRRXwsvZWeAAANmwX0AAAFzIXi2IUPRISo8vEZM/upAAXJG/3TAAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQAFzIXi2IUPRISo8vEZM/upAAXJHPzWAAAJ", "InternetMessageId": "<BN0PR08MB7357EBE2829BCE67FDD2798DBD532@BN0PR08MB7357.namprd08.prod.outlook.com>", "SizeInBytes": 203625}, {"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwCbnyV1WEjoRJdRRXwsvZWeAAANmwX0AAAFzIXi2IUPRISo8vEZM/upAAXJG/5IAAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQAFzIXi2IUPRISo8vEZM/upAAXJHYo+AAAJ", "InternetMessageId": "<545819841.462286.1731022743197@lva1-app79780.prod.linkedin.com>", "SizeInBytes": 288905}, {"Id": "RgAAAAA+yhqHkUHNQrg0+gADdFUvBwCbnyV1WEjoRJdRRXwsvZWeAAANmwX0AAAFzIXi2IUPRISo8vEZM/upAAXJG/4gAAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQAFzIXi2IUPRISo8vEZM/upAAXJHWZuAAAJ", "InternetMessageId": "<3b306a1e-389d-42f4-add9-bffe7438284b@CO1PEPF000044F9.namprd21.prod.outlook.com>", "SizeInBytes": 292455}], "Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX0AAAB", "Path": "\\Inbox"}], "Id": "aea17a01-0ee8-4f43-a871-333e6c7edfa2", "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxGuid": "51eb74b6-8b5e-4d97-a051-b69bd0b2cb77", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxOwnerUPN": "victim_1@attack_range.lan", "Operation": "MailItemsAccessed", "OperationCount": 11, "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}, {"Name": "IsThrottled", "Value": "False"}], "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "SN6PR08MB4638 (15.20.4200.000)\r\n", "RecordType": 50, "ResultStatus": "Succeeded", "SessionId": "710d7677-bff8-4d01-ad48-824db2a6ffec", "UserId": "victim_1@attack_range.lan", "UserKey": "10037FFE8CCD1F10", "UserType": 0, "Version": 1, "Workload": "Exchange"}
{"AppAccessContext": {"AADSessionId": "81424701-dbe7-4aa5-9c42-278a70c05705", "IssuedAtTime": "2024-11-07T21:15:28", "UniqueTokenId": "lXfKrAXfn0SkIt2ZgNOpAA"}, "AppId": "27922004-5251-4030-b22d-91ecd9a37ea4", "ClientAppId": "27922004-5251-4030-b22d-91ecd9a37ea4", "ClientIPAddress": "2603:6080:ea03:d300:bd07:3a3c:f9d3:b87c", "ClientInfoString": "Client=OutlookService;Outlook-iOS/2.0;", "CreationTime": "2025-01-16T02:17:26", "ExternalAccess": false, "Folders": [{"FolderItems": [{"ClientRequestId": "142", "Id": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQAFzIXi2IUPRISo8vEZM/upAAXJHZHpAAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQAFzIXi2IUPRISo8vEZM/upAAXJHZHpAAAJ", "InternetMessageId": "<104042946.22658.1731032209807@app131163.sjc201.ticketing-system.local>", "SizeInBytes": 139000}, {"ClientRequestId": "142", "Id": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQAFzIXi2IUPRISo8vEZM/upAAXJHZHjAAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQAFzIXi2IUPRISo8vEZM/upAAXJHZHjAAAJ", "InternetMessageId": "<593972805.22655.1731032209520@app131163.sjc201.ticketing-system.local>", "SizeInBytes": 133963}, {"ClientRequestId": "142", "Id": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQAFzIXi2IUPRISo8vEZM/upAAXJHZHeAAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQAFzIXi2IUPRISo8vEZM/upAAXJHZHeAAAJ", "InternetMessageId": "<beee425e-de47-490c-aae9-dae74de48442@mailserver2001.attack_range.lan>", "SizeInBytes": 52463}], "Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX0AAAB", "Path": "\\Inbox"}], "Id": "3e8a0218-359f-4478-8d8e-12eb157af873", "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxGuid": "51eb74b6-8b5e-4d97-a051-b69bd0b2cb77", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxOwnerUPN": "victim_1@attack_range.lan", "Operation": "MailItemsAccessed", "OperationCount": 3, "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}, {"Name": "IsThrottled", "Value": "False"}], "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "SN6PR08MB4638 (15.20.4200.000)\r\n", "RecordType": 50, "ResultStatus": "Succeeded", "SessionId": "81424701-dbe7-4aa5-9c42-278a70c05705", "UserId": "victim_1@attack_range.lan", "UserKey": "10037FFE8CCD1F10", "UserType": 0, "Version": 1, "Workload": "Exchange"}
{"AppAccessContext": {}, "ClientIPAddress": "2603:6080:ea03:d300:bd07:3a3c:f9d3:b87c", "ClientInfoString": "Client=OutlookService;Outlook-iOS/2.0;", "CreationTime": "2025-01-16T02:12:15", "ExternalAccess": false, "Folders": [{"FolderItems": [{"Id": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQAFzIXi2IUPRISo8vEZM/upAAXJHZHeAAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQAFzIXi2IUPRISo8vEZM/upAAXJHZHeAAAJ", "InternetMessageId": "<beee425e-de47-490c-aae9-dae74de48442@mailserver2001.attack_range.lan>", "SizeInBytes": 52025}], "Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX0AAAB", "Path": "\\Inbox"}], "Id": "10076304-a0d2-417e-a17a-b0d31efd3f1a", "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxGuid": "51eb74b6-8b5e-4d97-a051-b69bd0b2cb77", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxOwnerUPN": "victim_1@attack_range.lan", "Operation": "MailItemsAccessed", "OperationCount": 1, "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}, {"Name": "IsThrottled", "Value": "False"}], "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "SN6PR08MB4638 (15.20.4200.000)\r\n", "RecordType": 50, "ResultStatus": "Succeeded", "UserId": "victim_1@attack_range.lan", "UserKey": "10037FFE8CCD1F10", "UserType": 0, "Version": 1, "Workload": "Exchange"}
{"AppAccessContext": {}, "ClientIPAddress": "2603:6080:ea03:d300:bd07:3a3c:f9d3:b87c", "ClientInfoString": "Client=OutlookService;Outlook-iOS/2.0;", "CreationTime": "2025-01-16T02:12:15", "ExternalAccess": false, "Folders": [{"FolderItems": [{"Id": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQAFzIXi2IUPRISo8vEZM/upAAXJHZHeAAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQAFzIXi2IUPRISo8vEZM/upAAXJHZHeAAAJ", "InternetMessageId": "<beee425e-de47-490c-aae9-dae74de48442@mailserver2001.attack_range.lan>", "SizeInBytes": 52025}], "Id": "LgAAAAA+yhqHkUHNQrg0+gADdFUvAQCbnyV1WEjoRJdRRXwsvZWeAAANmwX0AAAB", "Path": "\\Inbox"}], "Id": "10076304-a0d2-417e-a17a-b0d31efd3f1a", "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxGuid": "51eb74b6-8b5e-4d97-a051-b69bd0b2cb77", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-5038053", "MailboxOwnerUPN": "victim_1@attack_range.lan", "Operation": "MailItemsAccessed", "OperationCount": 1, "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}, {"Name": "IsThrottled", "Value": "False"}], "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "SN6PR08MB4638 (15.20.4200.000)\r\n", "RecordType": 50, "ResultStatus": "Succeeded", "UserId": "victim_1@attack_range.lan", "UserKey": "10037FFE8CCD1F10", "UserType": 0, "Version": 1, "Workload": "Exchange"}
{"AppAccessContext": {"APIId": "00000003-0000-0000-c000-000000000000", "ClientAppId": "337de3fb-6595-47d4-9b68-c931077f5611", "IssuedAtTime": "2025-01-16T20:24:30", "UniqueTokenId": "wRP2r3pltEG_9lkkY1duAA"}, "CreationTime": "2025-01-16T21:07:17", "Id": "042fbb95-7a7a-4d8b-842e-02c5f9e6dc0d", "Operation": "MailItemsAccessed", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "RecordType": 50, "ResultStatus": "Succeeded", "UserKey": "337de3fb-6595-47d4-9b68-c931077f5611", "UserType": 5, "Version": 1, "Workload": "Exchange", "UserId": "victim_3@attack_range.lan", "AppId": "00000003-0000-0000-c000-000000000000", "ClientAppId": "337de3fb-6595-47d4-9b68-c931077f5611", "ClientIPAddress": "40.126.24.24", "ClientInfoString": "Client=REST;Client=RESTSystem;;", "ExternalAccess": false, "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-5160183", "MailboxGuid": "b6624cbb-80eb-4e13-b72c-3620f89ebc97", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-5160183", "MailboxOwnerUPN": "victim_3@attack_range.lan", "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}, {"Name": "IsThrottled", "Value": "False"}], "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "DS0PR08MB8979 (15.20.4200.000)\r\n", "TokenObjectId": "89cd49b8-4a01-41f6-b541-0159afb1f84b", "TokenTenantId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "Folders": [{"FolderItems": [{"ClientRequestId": "3dbb5104-1c1e-49c3-84c5-b9669b98ccbb", "Id": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQBgHWcbazwIS4pt0zKwi5adAAX50ZseAAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQBgHWcbazwIS4pt0zKwi5adAAX50ZseAAAJ", "InternetMessageId": "<DS0PR08MB89798AAA7A4C27A90036C56BC01A2@DS0PR08MB8979.namprd08.prod.outlook.com>", "SizeInBytes": 35275330}], "Id": "LgAAAAC2YfXak2mZSKO3fe3DmmH0AQCMDaqa0MLKSpsbc+F3Z8xWAAAAAD46AAAB", "Path": "\\Sent Items"}], "OperationCount": 1}
{"AppAccessContext": {"APIId": "13937bba-652e-4c46-b222-3003f4d1ff97", "ClientAppId": "13937bba-652e-4c46-b222-3003f4d1ff97", "IssuedAtTime": "2025-01-16T21:06:47", "UniqueTokenId": "97f15ff5-d528-48bc-9b5a-fef1b1654ae2"}, "CreationTime": "2025-01-16T21:06:55", "Id": "2abefdeb-6811-4957-8730-9e37a29f19f7", "Operation": "MailItemsAccessed", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "RecordType": 50, "ResultStatus": "Succeeded", "UserKey": "13937bba-652e-4c46-b222-3003f4d1ff97", "UserType": 5, "Version": 1, "Workload": "Exchange", "UserId": "victim_3@attack_range.lan", "AppId": "13937bba-652e-4c46-b222-3003f4d1ff97", "ClientAppId": "13937bba-652e-4c46-b222-3003f4d1ff97", "ClientIPAddress": "2603:10b6:5:1ee::8", "ClientInfoString": "Client=REST;Client=RESTSystem;;", "ExternalAccess": false, "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-5160183", "MailboxGuid": "b6624cbb-80eb-4e13-b72c-3620f89ebc97", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-5160183", "MailboxOwnerUPN": "victim_3@attack_range.lan", "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}, {"Name": "IsThrottled", "Value": "False"}], "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "DS0PR08MB8979 (15.20.4200.000)\r\n", "TokenTenantId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "Folders": [{"FolderItems": [{"ClientRequestId": "6aeb562e-5bc3-42ef-a594-967480e53dc3", "Id": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQBgHWcbazwIS4pt0zKwi5adAAX50ZseAAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQBgHWcbazwIS4pt0zKwi5adAAX50ZseAAAJ", "InternetMessageId": "<DS0PR08MB89798AAA7A4C27A90036C56BC01A2@DS0PR08MB8979.namprd08.prod.outlook.com>", "SizeInBytes": 35275399}], "Id": "LgAAAAC2YfXak2mZSKO3fe3DmmH0AQCMDaqa0MLKSpsbc+F3Z8xWAAAAAD45AAAB", "Path": "\\Outbox"}], "OperationCount": 1}
{"AppAccessContext": {"APIId": "00000003-0000-0000-c000-000000000000", "ClientAppId": "337de3fb-6595-47d4-9b68-c931077f5611", "IssuedAtTime": "2025-01-16T20:24:30", "UniqueTokenId": "wRP2r3pltEG_9lkkY1duAA"}, "CreationTime": "2025-01-16T21:06:47", "Id": "deb65c00-3b05-4b75-8834-01a278c8a15b", "Operation": "MailItemsAccessed", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "RecordType": 50, "ResultStatus": "Succeeded", "UserKey": "337de3fb-6595-47d4-9b68-c931077f5611", "UserType": 5, "Version": 1, "Workload": "Exchange", "UserId": "victim_3@attack_range.lan", "AppId": "00000003-0000-0000-c000-000000000000", "ClientAppId": "337de3fb-6595-47d4-9b68-c931077f5611", "ClientIPAddress": "40.126.23.96", "ClientInfoString": "Client=REST;Client=RESTSystem;;", "ExternalAccess": false, "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-5160183", "MailboxGuid": "b6624cbb-80eb-4e13-b72c-3620f89ebc97", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-5160183", "MailboxOwnerUPN": "victim_3@attack_range.lan", "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}, {"Name": "IsThrottled", "Value": "False"}], "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "DS0PR08MB8979 (15.20.4200.000)\r\n", "TokenObjectId": "89cd49b8-4a01-41f6-b541-0159afb1f84b", "TokenTenantId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "Folders": [{"FolderItems": [{"ClientRequestId": "35b01795-dc7c-407d-b597-9ca4fbfe78a2", "Id": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQBgHWcbazwIS4pt0zKwi5adAAX50ZseAAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQBgHWcbazwIS4pt0zKwi5adAAX50ZseAAAJ", "InternetMessageId": "<DS0PR08MB89798AAA7A4C27A90036C56BC01A2@DS0PR08MB8979.namprd08.prod.outlook.com>", "SizeInBytes": 35275398}], "Id": "LgAAAAC2YfXak2mZSKO3fe3DmmH0AQCMDaqa0MLKSpsbc+F3Z8xWAAAAAD45AAAB", "Path": "\\Outbox"}], "OperationCount": 1}
{"AppAccessContext": {"APIId": "00000003-0000-0000-c000-000000000000", "ClientAppId": "337de3fb-6595-47d4-9b68-c931077f5611", "IssuedAtTime": "2025-01-16T20:24:30", "UniqueTokenId": "wRP2r3pltEG_9lkkY1duAA"}, "CreationTime": "2025-01-16T21:06:47", "Id": "a5be78b9-19fb-4e77-bc85-b9197cdbee35", "Operation": "MailItemsAccessed", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "RecordType": 50, "ResultStatus": "Succeeded", "UserKey": "337de3fb-6595-47d4-9b68-c931077f5611", "UserType": 5, "Version": 1, "Workload": "Exchange", "UserId": "victim_3@attack_range.lan", "AppId": "00000003-0000-0000-c000-000000000000", "ClientAppId": "337de3fb-6595-47d4-9b68-c931077f5611", "ClientIPAddress": "40.126.23.162", "ClientInfoString": "Client=REST;Client=RESTSystem;;", "ExternalAccess": false, "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-5160183", "MailboxGuid": "b6624cbb-80eb-4e13-b72c-3620f89ebc97", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-5160183", "MailboxOwnerUPN": "victim_3@attack_range.lan", "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}, {"Name": "IsThrottled", "Value": "False"}], "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "DS0PR08MB8979 (15.20.4200.000)\r\n", "TokenObjectId": "89cd49b8-4a01-41f6-b541-0159afb1f84b", "TokenTenantId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "Folders": [{"FolderItems": [{"ClientRequestId": "d570def5-63d6-47b7-a795-b6b756f096e1", "Id": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQBgHWcbazwIS4pt0zKwi5adAAX50ZsfAAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQBgHWcbazwIS4pt0zKwi5adAAX50ZsfAAAJ", "InternetMessageId": "<DS0PR08MB89798AAA7A4C27A90036C56BC01A2@DS0PR08MB8979.namprd08.prod.outlook.com>", "SizeInBytes": 35275407}], "Id": "LgAAAAC2YfXak2mZSKO3fe3DmmH0AQCMDaqa0MLKSpsbc+F3Z8xWAAAAAD45AAAB", "Path": "\\Outbox"}], "OperationCount": 1}
{"AppAccessContext": {"APIId": ""}, "CreationTime": "2025-01-16T21:06:03", "Id": "8a93eaf0-ca83-429a-96a0-1cb32948089e", "Operation": "MailItemsAccessed", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "RecordType": 50, "ResultStatus": "Succeeded", "UserKey": "10037FFE8CCD2298", "UserType": 0, "Version": 1, "Workload": "Exchange", "UserId": "victim_3@attack_range.lan", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=MSExchangeRPC", "ExternalAccess": false, "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-5160183", "MailboxGuid": "b6624cbb-80eb-4e13-b72c-3620f89ebc97", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-5160183", "MailboxOwnerUPN": "victim_3@attack_range.lan", "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}, {"Name": "IsThrottled", "Value": "False"}], "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "DS0PR08MB8979 (15.20.4200.000)\r\n", "SessionId": "850fa0b9-148b-4b33-b686-c0aefff21494", "Folders": [{"FolderItems": [{"ClientRequestId": "{42D17463-82FE-49E3-89BB-A3E029125B0A}", "Id": "RgAAAAC2YfXak2mZSKO3fe3DmmH0BwCMDaqa0MLKSpsbc+F3Z8xWAAAAAD46AABgHWcbazwIS4pt0zKwi5adAAKOdauGAAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQBgHWcbazwIS4pt0zKwi5adAAX50ZrBAAAJ", "InternetMessageId": "<DS0PR08MB8979BBDBB98E02AFE47BFD74C01A2@DS0PR08MB8979.namprd08.prod.outlook.com>", "SizeInBytes": 35430425}], "Id": "LgAAAAC2YfXak2mZSKO3fe3DmmH0AQCMDaqa0MLKSpsbc+F3Z8xWAAAAAD46AAAB", "Path": "\\Sent Items"}, {"FolderItems": [{"ClientRequestId": "{100F0321-58EC-497E-BDA7-AC59CA5BFEE2}", "Id": "RgAAAAC2YfXak2mZSKO3fe3DmmH0BwCMDaqa0MLKSpsbc+F3Z8xWAAAAAD45AABgHWcbazwIS4pt0zKwi5adAAKOdbWKAAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQBgHWcbazwIS4pt0zKwi5adAAX50ZsfAAAJ", "InternetMessageId": "<DS0PR08MB89798AAA7A4C27A90036C56BC01A2@DS0PR08MB8979.namprd08.prod.outlook.com>", "SizeInBytes": 35275407}], "Id": "LgAAAAC2YfXak2mZSKO3fe3DmmH0AQCMDaqa0MLKSpsbc+F3Z8xWAAAAAD45AAAB", "Path": "\\Outbox"}], "OperationCount": 2}
{"AppAccessContext": {"APIId": ""}, "CreationTime": "2025-01-16T21:06:46", "Id": "8688cb5d-d5a1-4fd1-a5d5-08dd3671b009", "Operation": "Send", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "RecordType": 2, "ResultStatus": "Succeeded", "UserKey": "10037FFE8CCD2298", "UserType": 0, "Version": 1, "Workload": "Exchange", "ClientIP": "189.135.168.197", "UserId": "victim_3@attack_range.lan", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=MSExchangeRPC", "ClientProcessName": "OUTLOOK.EXE", "ClientRequestId": "{6CD07038-3CAE-4E61-8C59-87F8B6568837}", "ClientVersion": "16.0.18129.20030", "ExternalAccess": false, "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-5160183", "MailboxGuid": "b6624cbb-80eb-4e13-b72c-3620f89ebc97", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-5160183", "MailboxOwnerUPN": "victim_3@attack_range.lan", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "DS0PR08MB8979 (15.20.4200.000)\r\n", "SessionId": "850fa0b9-148b-4b33-b686-c0aefff21494", "Item": {"Attachments": "Important Information.docx (278942b); Organizational Charts.pdf (780310b); Setting up MFA.pdf (135906b); Executive Payroll Info.pdf (6281815b); Internal Contact Sheet.docx (22576b); Internal Contact Sheet (002).docx (19010b); bloodhound.zip (296308b); kerberoast_results.txt (927960b); domaincontroller_names.txt (1910854b); virtual machine configuration.docx (278185b); employee contact info.xlxs (333006b); Internal Memo.pdf (76787b); Shill Corporate and You.pdf (520205b); Shill Corp Support Group (002).pdf (308947b); Shill Corp Flyer.pdf (309057b); Remote Access Guidelines.pdf (489780b); Employee Resources.pdf (869692b); Emergency User Credentials.pdf (516381b); Network Diagram 2025.pdf (630509b); Contacting Customer Support.pdf (1561238b); Support.pdf (1035236b); Cooperative Planning.pdf (1889402b); Confidential Memo.pdf (1900791b); Buyout plans.docx (27656b); Server domination.exe (3815555b); IT Resources.pdf (1076397b); test.txt (1253587b); passwords.pdf (1016605b); bank account info.pdf (1545088b); CEO personal info.pdf (79182b); key financials.pdf (1864099b); doc2.pdf (1053990b); doc1.pdf (1477906b); image001.png (7006b)", "Id": "RgAAAAC2YfXak2mZSKO3fe3DmmH0BwCMDaqa0MLKSpsbc+F3Z8xWAAAAAD45AABgHWcbazwIS4pt0zKwi5adAAX50V8wAAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQBgHWcbazwIS4pt0zKwi5adAAX50ZseAAAJ", "InternetMessageId": "<DS0PR08MB89798AAA7A4C27A90036C56BC01A2@DS0PR08MB8979.namprd08.prod.outlook.com>", "ParentFolder": {"Id": "LgAAAAC2YfXak2mZSKO3fe3DmmH0AQCMDaqa0MLKSpsbc+F3Z8xWAAAAAD45AAAB", "Path": "\\Outbox"}, "SizeInBytes": 35275398, "Subject": "FW: Sensitive documents for review"}, "SaveToSentItems": true}
{"AppAccessContext": {"APIId": "00000003-0000-0000-c000-000000000000", "ClientAppId": "337de3fb-6595-47d4-9b68-c931077f5611", "IssuedAtTime": "2025-01-10T09:55:28", "UniqueTokenId": "d9Q512PhKEeHwp2zhyYgAA"}, "AppId": "00000003-0000-0000-c000-000000000000", "ClientAppId": "337de3fb-6595-47d4-9b68-c931077f5611", "ClientIPAddress": "20.190.152.24", "ClientInfoString": "Client=REST;Client=RESTSystem;;", "CreationTime": "2025-01-10T10:39:51", "ExternalAccess": false, "Folders": [{"FolderItems": [{"ClientRequestId": "b9ba4597-5c4f-4a45-958a-432990431b06", "Id": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQD3UwlJ8MYoQJKI7G+PZ8IXAAX3jK+PAAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQD3UwlJ8MYoQJKI7G+PZ8IXAAX3jK+PAAAJ", "InternetMessageId": "<BY5PR08MB62304A5BB7F9EE555B4CEA26DC1C2@BY5PR08MB6230.namprd08.prod.outlook.com>", "SizeInBytes": 12138}], "Id": "LgAAAAAlR3EsmVRiRLGkHbIwhGSzAQBqN5tcIJVhRoQWdFaIz0mGAAAAXtdpAAAB", "Path": "\\Deleted Items"}], "Id": "309d48c7-efa4-4440-b6ea-047f185c8d2b", "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-6228241", "MailboxGuid": "dacf4de7-2578-4c74-bbe2-bcbd2725f819", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-6228241", "MailboxOwnerUPN": "victim_2@attack_range.lan", "Operation": "MailItemsAccessed", "OperationCount": 1, "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}, {"Name": "IsThrottled", "Value": "False"}], "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "BY5PR08MB6230 (15.20.4200.000)\r\n", "RecordType": 50, "ResultStatus": "Succeeded", "TokenObjectId": "89cd49b8-4a01-41f6-b541-0159afb1f84b", "TokenTenantId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "UserId": "victim_2@attack_range.lan", "UserKey": "337de3fb-6595-47d4-9b68-c931077f5611", "UserType": 5, "Version": 1, "Workload": "Exchange"}
{"AffectedItems": [{"Id": "RgAAAAAlR3EsmVRiRLGkHbIwhGSzBwDLwv8prJIzQZrSLsAn7VgcAAAAAFD4AAD3UwlJ8MYoQJKI7G+PZ8IXAAX3jEr3AAAA", "InternetMessageId": "<BY5PR08MB62304A5BB7F9EE555B4CEA26DC1C2@BY5PR08MB6230.namprd08.prod.outlook.com>", "ParentFolder": {"Id": "LgAAAAAlR3EsmVRiRLGkHbIwhGSzAQDLwv8prJIzQZrSLsAn7VgcAAAAAFD4AAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Accounts and Passwords"}], "AppAccessContext": {"APIId": ""}, "ClientIP": "189.135.168.197", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=MSExchangeRPC", "ClientProcessName": "OUTLOOK.EXE", "ClientVersion": "16.0.18129.20030", "CreationTime": "2025-01-10T10:39:50", "CrossMailboxOperation": false, "ExternalAccess": false, "Folder": {"Id": "LgAAAAAlR3EsmVRiRLGkHbIwhGSzAQDLwv8prJIzQZrSLsAn7VgcAAAAAFD4AAAB", "Path": "\\Recoverable Items\\Deletions"}, "Id": "81bf9c6c-d758-4f74-6710-08dd31631c8e", "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-6228241", "MailboxGuid": "dacf4de7-2578-4c74-bbe2-bcbd2725f819", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-6228241", "MailboxOwnerUPN": "victim_2@attack_range.lan", "Operation": "HardDelete", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "BY5PR08MB6230 (15.20.4200.000)\r\n", "RecordType": 3, "ResultStatus": "Succeeded", "UserId": "victim_2@attack_range.lan", "UserKey": "10033FFF8E162CDB", "UserType": 0, "Version": 1, "Workload": "Exchange"}
{"AffectedItems": [{"Id": "RgAAAAAlR3EsmVRiRLGkHbIwhGSzBwBqN5tcIJVhRoQWdFaIz0mGAAAAXtdpAAD3UwlJ8MYoQJKI7G+PZ8IXAARihmuwAAAA", "InternetMessageId": "<BY5PR08MB62304A5BB7F9EE555B4CEA26DC1C2@BY5PR08MB6230.namprd08.prod.outlook.com>", "ParentFolder": {"Id": "LgAAAAAlR3EsmVRiRLGkHbIwhGSzAQBqN5tcIJVhRoQWdFaIz0mGAAAAXtdpAAAB", "Path": "\\Deleted Items"}, "Subject": "Accounts and Passwords"}], "AppAccessContext": {"APIId": ""}, "ClientIP": "189.135.168.197", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=MSExchangeRPC", "ClientProcessName": "OUTLOOK.EXE", "ClientRequestId": "{E639C263-580D-4E25-9E12-620F3815ACDF}", "ClientVersion": "16.0.18129.20030", "CreationTime": "2025-01-10T10:34:10", "CrossMailboxOperation": false, "ExternalAccess": false, "Folder": {"Id": "LgAAAAAlR3EsmVRiRLGkHbIwhGSzAQBqN5tcIJVhRoQWdFaIz0mGAAAAXtdpAAAB", "Path": "\\Deleted Items"}, "Id": "861e0809-a72f-4212-bf9e-08dd316251e2", "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-6228241", "MailboxGuid": "dacf4de7-2578-4c74-bbe2-bcbd2725f819", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-6228241", "MailboxOwnerUPN": "victim_2@attack_range.lan", "Operation": "SoftDelete", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "BY5PR08MB6230 (15.20.4200.000)\r\n", "RecordType": 3, "ResultStatus": "Succeeded", "SessionId": "1f5274ec-3665-4dd8-a76f-893c406f9ec6", "UserId": "victim_2@attack_range.lan", "UserKey": "10033FFF8E162CDB", "UserType": 0, "Version": 1, "Workload": "Exchange"}
{"AppAccessContext": {"APIId": "00000003-0000-0000-c000-000000000000", "ClientAppId": "337de3fb-6595-47d4-9b68-c931077f5611", "IssuedAtTime": "2025-01-10T09:55:28", "UniqueTokenId": "d9Q512PhKEeHwp2zhyYgAA"}, "AppId": "00000003-0000-0000-c000-000000000000", "ClientAppId": "337de3fb-6595-47d4-9b68-c931077f5611", "ClientIPAddress": "20.190.152.153", "ClientInfoString": "Client=REST;Client=RESTSystem;;", "CreationTime": "2025-01-10T10:32:59", "ExternalAccess": false, "Folders": [{"FolderItems": [{"ClientRequestId": "1bbb1b63-9965-4f98-807f-08b07faf2549", "Id": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQD3UwlJ8MYoQJKI7G+PZ8IXAAX3jK9vAAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQD3UwlJ8MYoQJKI7G+PZ8IXAAX3jK9vAAAJ", "InternetMessageId": "<BY5PR08MB62304A5BB7F9EE555B4CEA26DC1C2@BY5PR08MB6230.namprd08.prod.outlook.com>", "SizeInBytes": 12151}], "Id": "LgAAAAAlR3EsmVRiRLGkHbIwhGSzAQBqN5tcIJVhRoQWdFaIz0mGAAAAXtdpAAAB", "Path": "\\Deleted Items"}], "Id": "cc9b20b3-9016-4995-bdca-7ba0bcf1b9d8", "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-6228241", "MailboxGuid": "dacf4de7-2578-4c74-bbe2-bcbd2725f819", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-6228241", "MailboxOwnerUPN": "victim_2@attack_range.lan", "Operation": "MailItemsAccessed", "OperationCount": 1, "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}, {"Name": "IsThrottled", "Value": "False"}], "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "BY5PR08MB6230 (15.20.4200.000)\r\n", "RecordType": 50, "ResultStatus": "Succeeded", "TokenObjectId": "89cd49b8-4a01-41f6-b541-0159afb1f84b", "TokenTenantId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "UserId": "victim_2@attack_range.lan", "UserKey": "337de3fb-6595-47d4-9b68-c931077f5611", "UserType": 5, "Version": 1, "Workload": "Exchange"}
{"AffectedItems": [{"Id": "RgAAAAAlR3EsmVRiRLGkHbIwhGSzBwBqN5tcIJVhRoQWdFaIz0mGAAAAXtdoAAD3UwlJ8MYoQJKI7G+PZ8IXAARihm43AAAA", "InternetMessageId": "<BY5PR08MB62304A5BB7F9EE555B4CEA26DC1C2@BY5PR08MB6230.namprd08.prod.outlook.com>", "ParentFolder": {"Id": "LgAAAAAlR3EsmVRiRLGkHbIwhGSzAQBqN5tcIJVhRoQWdFaIz0mGAAAAXtdoAAAB", "Path": "\\Sent Items"}, "Subject": "Accounts and Passwords"}], "AppAccessContext": {"APIId": ""}, "ClientIP": "189.135.168.197", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=MSExchangeRPC", "ClientProcessName": "OUTLOOK.EXE", "ClientRequestId": "{7B82E21C-D2BB-4F63-AA52-C89699735720}", "ClientVersion": "16.0.18129.20030", "CreationTime": "2025-01-10T10:32:59", "CrossMailboxOperation": false, "DestFolder": {"Id": "LgAAAAAlR3EsmVRiRLGkHbIwhGSzAQBqN5tcIJVhRoQWdFaIz0mGAAAAXtdpAAAB", "Path": "\\Deleted Items"}, "ExternalAccess": false, "Folder": {"Id": "LgAAAAAlR3EsmVRiRLGkHbIwhGSzAQBqN5tcIJVhRoQWdFaIz0mGAAAAXtdoAAAB", "Path": "\\Sent Items"}, "Id": "04bafb7b-a79e-40a2-b2bf-08dd31622759", "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-6228241", "MailboxGuid": "dacf4de7-2578-4c74-bbe2-bcbd2725f819", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-6228241", "MailboxOwnerUPN": "victim_2@attack_range.lan", "Operation": "MoveToDeletedItems", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "BY5PR08MB6230 (15.20.4200.000)\r\n", "RecordType": 3, "ResultStatus": "Succeeded", "SessionId": "1f5274ec-3665-4dd8-a76f-893c406f9ec6", "UserId": "victim_2@attack_range.lan", "UserKey": "10033FFF8E162CDB", "UserType": 0, "Version": 1, "Workload": "Exchange"}
{"AppAccessContext": {"APIId": "13937bba-652e-4c46-b222-3003f4d1ff97", "ClientAppId": "13937bba-652e-4c46-b222-3003f4d1ff97", "IssuedAtTime": "2025-01-10T10:31:09", "UniqueTokenId": "0eb07ce2-ce9d-4956-b481-0d193256e755"}, "AppId": "13937bba-652e-4c46-b222-3003f4d1ff97", "ClientAppId": "13937bba-652e-4c46-b222-3003f4d1ff97", "ClientIPAddress": "2603:10b6:a03:2d2::10", "ClientInfoString": "Client=REST;Client=RESTSystem;;", "CreationTime": "2025-01-10T10:31:17", "ExternalAccess": false, "Folders": [{"FolderItems": [{"ClientRequestId": "605b3694-be0e-45b3-b2d8-2bb3fc23911d", "Id": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQD3UwlJ8MYoQJKI7G+PZ8IXAAX3jK9vAAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQD3UwlJ8MYoQJKI7G+PZ8IXAAX3jK9vAAAJ", "InternetMessageId": "<BY5PR08MB62304A5BB7F9EE555B4CEA26DC1C2@BY5PR08MB6230.namprd08.prod.outlook.com>", "SizeInBytes": 12107}], "Id": "LgAAAAAlR3EsmVRiRLGkHbIwhGSzAQBqN5tcIJVhRoQWdFaIz0mGAAAAXtdoAAAB", "Path": "\\Sent Items"}], "Id": "cb6ac638-738c-431d-a6a5-6975135b53cc", "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-6228241", "MailboxGuid": "dacf4de7-2578-4c74-bbe2-bcbd2725f819", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-6228241", "MailboxOwnerUPN": "victim_2@attack_range.lan", "Operation": "MailItemsAccessed", "OperationCount": 1, "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}, {"Name": "IsThrottled", "Value": "False"}], "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "BY5PR08MB6230 (15.20.4200.000)\r\n", "RecordType": 50, "ResultStatus": "Succeeded", "TokenTenantId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "UserId": "victim_2@attack_range.lan", "UserKey": "13937bba-652e-4c46-b222-3003f4d1ff97", "UserType": 5, "Version": 1, "Workload": "Exchange"}
{"AppAccessContext": {"APIId": "00000003-0000-0000-c000-000000000000", "ClientAppId": "337de3fb-6595-47d4-9b68-c931077f5611", "IssuedAtTime": "2025-01-10T10:25:28", "UniqueTokenId": "CBKB2mOmyEmKvYFGPBcXAA"}, "AppId": "00000003-0000-0000-c000-000000000000", "ClientAppId": "337de3fb-6595-47d4-9b68-c931077f5611", "ClientIPAddress": "40.126.23.162", "ClientInfoString": "Client=REST;Client=RESTSystem;;", "CreationTime": "2025-01-10T10:31:09", "ExternalAccess": false, "Folders": [{"FolderItems": [{"ClientRequestId": "0b7a9e08-d58c-454e-968a-ef16abac0c76", "Id": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQD3UwlJ8MYoQJKI7G+PZ8IXAAX3jK9vAAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQD3UwlJ8MYoQJKI7G+PZ8IXAAX3jK9vAAAJ", "InternetMessageId": "<BY5PR08MB62304A5BB7F9EE555B4CEA26DC1C2@BY5PR08MB6230.namprd08.prod.outlook.com>", "SizeInBytes": 5080}], "Id": "LgAAAAAlR3EsmVRiRLGkHbIwhGSzAQBqN5tcIJVhRoQWdFaIz0mGAAAAXtdoAAAB", "Path": "\\Sent Items"}], "Id": "7f63c6d0-e959-49a7-a505-1c96e731bbf2", "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-6228241", "MailboxGuid": "dacf4de7-2578-4c74-bbe2-bcbd2725f819", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-6228241", "MailboxOwnerUPN": "victim_2@attack_range.lan", "Operation": "MailItemsAccessed", "OperationCount": 1, "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}, {"Name": "IsThrottled", "Value": "False"}], "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "BY5PR08MB6230 (15.20.4200.000)\r\n", "RecordType": 50, "ResultStatus": "Succeeded", "TokenObjectId": "89cd49b8-4a01-41f6-b541-0159afb1f84b", "TokenTenantId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "UserId": "victim_2@attack_range.lan", "UserKey": "337de3fb-6595-47d4-9b68-c931077f5611", "UserType": 5, "Version": 1, "Workload": "Exchange"}
{"AppAccessContext": {"APIId": ""}, "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=MSExchangeRPC", "CreationTime": "2025-01-10T10:31:08", "ExternalAccess": false, "Folders": [{"FolderItems": [{"ClientRequestId": "{C892BDE3-6C85-4CA6-A172-E060DC049D0C}", "Id": "RgAAAAAlR3EsmVRiRLGkHbIwhGSzBwBqN5tcIJVhRoQWdFaIz0mGAAAAXtdnAAD3UwlJ8MYoQJKI7G+PZ8IXAARihmw3AAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQD3UwlJ8MYoQJKI7G+PZ8IXAAX3jK9wAAAJ", "InternetMessageId": "<BY5PR08MB62304A5BB7F9EE555B4CEA26DC1C2@BY5PR08MB6230.namprd08.prod.outlook.com>", "SizeInBytes": 5146}, {"ClientRequestId": "{520AF4F9-A248-4B38-987D-F168A950BD6C}", "Id": "RgAAAAAlR3EsmVRiRLGkHbIwhGSzBwBqN5tcIJVhRoQWdFaIz0mGAAAAXtdnAAD3UwlJ8MYoQJKI7G+PZ8IXAARihmw4AAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQD3UwlJ8MYoQJKI7G+PZ8IXAAX3jK96AAAJ", "InternetMessageId": "<BY5PR08MB62302AB1FB3C403D412C5EB8DC1C2@BY5PR08MB6230.namprd08.prod.outlook.com>", "SizeInBytes": 10302}], "Id": "LgAAAAAlR3EsmVRiRLGkHbIwhGSzAQBqN5tcIJVhRoQWdFaIz0mGAAAAXtdnAAAB", "Path": "\\Outbox"}, {"FolderItems": [{"ClientRequestId": "{2E072E8B-F3D4-4F6C-B02B-8468023A99E4}", "Id": "RgAAAAAlR3EsmVRiRLGkHbIwhGSzBwBqN5tcIJVhRoQWdFaIz0mGAAAAXtdpAAD3UwlJ8MYoQJKI7G+PZ8IXAARihmuvAAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQD3UwlJ8MYoQJKI7G+PZ8IXAAX3jK9oAAAJ", "InternetMessageId": "<CAD01re65eNeQKyY4YOq+ag31QJf4QJegzC5Q63DHDGjJjAVwew@mail.gmail.com>", "SizeInBytes": 85593}], "Id": "LgAAAAAlR3EsmVRiRLGkHbIwhGSzAQBqN5tcIJVhRoQWdFaIz0mGAAAAXtdpAAAB", "Path": "\\Deleted Items"}], "Id": "f24571cd-dab9-4135-a43a-9e06adca07d3", "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-6228241", "MailboxGuid": "dacf4de7-2578-4c74-bbe2-bcbd2725f819", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-6228241", "MailboxOwnerUPN": "victim_2@attack_range.lan", "Operation": "MailItemsAccessed", "OperationCount": 3, "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}, {"Name": "IsThrottled", "Value": "False"}], "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "BY5PR08MB6230 (15.20.4200.000)\r\n", "RecordType": 50, "ResultStatus": "Succeeded", "SessionId": "1f5274ec-3665-4dd8-a76f-893c406f9ec6", "UserId": "victim_2@attack_range.lan", "UserKey": "10033FFF8E162CDB", "UserType": 0, "Version": 1, "Workload": "Exchange"}
{"AppAccessContext": {"APIId": ""}, "ClientIP": "189.135.168.197", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=MSExchangeRPC", "ClientProcessName": "OUTLOOK.EXE", "ClientRequestId": "{7D8D6BCA-8C33-406D-A9D5-C0018133E6A9}", "ClientVersion": "16.0.18129.20030", "CreationTime": "2025-01-10T10:31:08", "ExternalAccess": false, "Id": "6c58d52f-89e3-4d82-7b06-08dd3161e501", "InternalLogonType": 0, "Item": {"Id": "RgAAAAAlR3EsmVRiRLGkHbIwhGSzBwBqN5tcIJVhRoQWdFaIz0mGAAAAXtdnAAD3UwlJ8MYoQJKI7G+PZ8IXAAX3jEMjAAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQD3UwlJ8MYoQJKI7G+PZ8IXAAX3jK9vAAAJ", "InternetMessageId": "<BY5PR08MB62304A5BB7F9EE555B4CEA26DC1C2@BY5PR08MB6230.namprd08.prod.outlook.com>", "ParentFolder": {"Id": "LgAAAAAlR3EsmVRiRLGkHbIwhGSzAQBqN5tcIJVhRoQWdFaIz0mGAAAAXtdnAAAB", "Path": "\\Outbox"}, "SizeInBytes": 5137, "Subject": "Accounts and Passwords"}, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-6228241", "MailboxGuid": "dacf4de7-2578-4c74-bbe2-bcbd2725f819", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-6228241", "MailboxOwnerUPN": "victim_2@attack_range.lan", "Operation": "Send", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "BY5PR08MB6230 (15.20.4200.000)\r\n", "RecordType": 2, "ResultStatus": "Succeeded", "SaveToSentItems": true, "SessionId": "1f5274ec-3665-4dd8-a76f-893c406f9ec6", "UserId": "victim_2@attack_range.lan", "UserKey": "10033FFF8E162CDB", "UserType": 0, "Version": 1, "Workload": "Exchange"}
{"AppAccessContext": {"APIId": "00000003-0000-0000-c000-000000000000", "ClientAppId": "337de3fb-6595-47d4-9b68-c931077f5611", "IssuedAtTime": "2025-01-10T09:55:28", "UniqueTokenId": "d9Q512PhKEeHwp2zhyYgAA"}, "AppId": "00000003-0000-0000-c000-000000000000", "ClientAppId": "337de3fb-6595-47d4-9b68-c931077f5611", "ClientIPAddress": "40.126.24.24", "ClientInfoString": "Client=REST;Client=RESTSystem;;", "CreationTime": "2025-01-10T10:31:08", "ExternalAccess": false, "Folders": [{"FolderItems": [{"ClientRequestId": "953447c2-9a10-449f-a593-f63568773e63", "Id": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQD3UwlJ8MYoQJKI7G+PZ8IXAAX3jK9vAAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQD3UwlJ8MYoQJKI7G+PZ8IXAAX3jK9vAAAJ", "InternetMessageId": "<BY5PR08MB62304A5BB7F9EE555B4CEA26DC1C2@BY5PR08MB6230.namprd08.prod.outlook.com>", "SizeInBytes": 5137}, {"ClientRequestId": "d5e7e626-5b86-4387-9e52-c471a6bd19d6", "Id": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQD3UwlJ8MYoQJKI7G+PZ8IXAAX3jK95AAAJ", "ImmutableId": "LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQD3UwlJ8MYoQJKI7G+PZ8IXAAX3jK95AAAJ", "InternetMessageId": "<BY5PR08MB62302AB1FB3C403D412C5EB8DC1C2@BY5PR08MB6230.namprd08.prod.outlook.com>", "SizeInBytes": 10293}], "Id": "LgAAAAAlR3EsmVRiRLGkHbIwhGSzAQBqN5tcIJVhRoQWdFaIz0mGAAAAXtdnAAAB", "Path": "\\Outbox"}], "Id": "672b438e-b36d-42a4-80ad-1827b674948c", "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-7359471512-368169602-535915189-6228241", "MailboxGuid": "dacf4de7-2578-4c74-bbe2-bcbd2725f819", "MailboxOwnerSid": "S-1-5-21-7359471512-368169602-535915189-6228241", "MailboxOwnerUPN": "victim_2@attack_range.lan", "Operation": "MailItemsAccessed", "OperationCount": 2, "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}, {"Name": "IsThrottled", "Value": "False"}], "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "BY5PR08MB6230 (15.20.4200.000)\r\n", "RecordType": 50, "ResultStatus": "Succeeded", "TokenObjectId": "89cd49b8-4a01-41f6-b541-0159afb1f84b", "TokenTenantId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "UserId": "victim_2@attack_range.lan", "UserKey": "337de3fb-6595-47d4-9b68-c931077f5611", "UserType": 5, "Version": 1, "Workload": "Exchange"}
{"AppAccessContext": {"APIId": ""}, "CreationTime": "2025-01-17T14:21:36", "Id": "c326c224-a8dd-4759-27c0-08dd37024025", "Operation": "HardDelete", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "RecordType": 3, "ResultStatus": "Succeeded", "UserKey": "100300008CCE2A7B", "UserType": 0, "Version": 1, "Workload": "Exchange", "ClientIP": "189.135.168.197", "UserId": "attacker@attack_range.org", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=MSExchangeRPC", "ClientProcessName": "OUTLOOK.EXE", "ClientVersion": "16.0.18129.20030", "ExternalAccess": false, "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-3559471557-378169607-535915189-6443227", "MailboxGuid": "1bc714f7-9bc0-4a0a-a3b7-8e9d4c536b5e", "MailboxOwnerSid": "S-1-5-21-3559471557-378169607-535915189-6443227", "MailboxOwnerUPN": "attacker@attack_range.lan", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "DM6PR08MB5260 (15.20.4200.000)\r\n", "AffectedItems": [{"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07Yr3AAAA", "InternetMessageId": "<1737082859919.205093160.18650366.1731449414@cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Loaded Smashed Taters"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07Yr4AAAA", "InternetMessageId": "<1737086436979.205088140.18650706.1722356604@backend.cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Mexican Chorizo And Corn Soup"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07Yr5AAAA", "InternetMessageId": "<1737093880065.205087185.18651271.1526363704@cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Chicken Chile Lasagna"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07Yr6AAAA", "InternetMessageId": "<1737093694483.205087035.18651268.1449112866@cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Creamy Sun-Dried Tomato Spread"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07Yr7AAAA", "InternetMessageId": "<1737093628611.205093165.18651264.1731449414@cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Creamy Sun-Dried Tomato Spread"}], "CrossMailboxOperation": false, "Folder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}}
{"AppAccessContext": {"APIId": ""}, "CreationTime": "2025-01-17T14:21:36", "Id": "fd426afa-7f0d-4be2-2f22-08dd37024025", "Operation": "HardDelete", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "RecordType": 3, "ResultStatus": "Succeeded", "UserKey": "100300008CCE2A7B", "UserType": 0, "Version": 1, "Workload": "Exchange", "ClientIP": "189.135.168.197", "UserId": "attacker@attack_range.lan", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=MSExchangeRPC", "ClientProcessName": "OUTLOOK.EXE", "ClientVersion": "16.0.18129.20030", "ExternalAccess": false, "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-3559471557-378169607-535915189-6443227", "MailboxGuid": "1bc714f7-9bc0-4a0a-a3b7-8e9d4c536b5e", "MailboxOwnerSid": "S-1-5-21-3559471557-378169607-535915189-6443227", "MailboxOwnerUPN": "attacker@attack_range.lan", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "DM6PR08MB5260 (15.20.4200.000)\r\n", "AffectedItems": [{"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07Yr8AAAA", "InternetMessageId": "<1737097482480.205087695.18651567.1637449122@backend.cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Cream Cheese Chicken Soup"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07Yr9AAAA", "InternetMessageId": "<1737079481351.205086615.18650099.1500219417@backend.cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Herbed Dumplings"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07Yr+AAAA", "InternetMessageId": "<1737101078771.205088470.18651807.1433846730@cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Homemade Nutella"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07Yr/AAAA", "InternetMessageId": "<1737104451321.205093170.18652105.1731449414@cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Rosemary Sweet Potato Fries"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YsAAAAA", "InternetMessageId": "<1737104732129.205087195.18652109.1526363704@cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Nutty Barley Bake"}], "CrossMailboxOperation": false, "Folder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}}
{"AppAccessContext": {"APIId": ""}, "CreationTime": "2025-01-17T14:21:36", "Id": "f7bced5b-2470-4289-35f5-08dd37024025", "Operation": "HardDelete", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "RecordType": 3, "ResultStatus": "Succeeded", "UserKey": "100300008CCE2A7B", "UserType": 0, "Version": 1, "Workload": "Exchange", "ClientIP": "189.135.168.197", "UserId": "attacker@attack_range.lan", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=MSExchangeRPC", "ClientProcessName": "OUTLOOK.EXE", "ClientVersion": "16.0.18129.20030", "ExternalAccess": false, "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-3559471557-378169607-535915189-6443227", "MailboxGuid": "1bc714f7-9bc0-4a0a-a3b7-8e9d4c536b5e", "MailboxOwnerSid": "S-1-5-21-3559471557-378169607-535915189-6443227", "MailboxOwnerUPN": "attacker@attack_range.lan", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "DM6PR08MB5260 (15.20.4200.000)\r\n", "AffectedItems": [{"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YsGAAAA", "InternetMessageId": "<1737115827915.205087200.18653154.1526363704@cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Roast Beef With Chive Roasted Potatoes"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YsHAAAA", "InternetMessageId": "<1737115868342.205093175.18653126.1731449414@cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Cheesy Spaghetti Bake"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YsIAAAA", "InternetMessageId": "<1737116874022.205086460.18653156.1565904085@backend.cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "White Chocolate Holiday Bark"}], "CrossMailboxOperation": false, "Folder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}}
{"AppAccessContext": {"APIId": ""}, "CreationTime": "2025-01-17T14:21:36", "Id": "0fbd5af9-56a8-48c8-32bc-08dd37024025", "Operation": "HardDelete", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "RecordType": 3, "ResultStatus": "Succeeded", "UserKey": "100300008CCE2A7B", "UserType": 0, "Version": 1, "Workload": "Exchange", "ClientIP": "189.135.168.197", "UserId": "attacker@attack_range.lan", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=MSExchangeRPC", "ClientProcessName": "OUTLOOK.EXE", "ClientVersion": "16.0.18129.20030", "ExternalAccess": false, "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-3559471557-378169607-535915189-6443227", "MailboxGuid": "1bc714f7-9bc0-4a0a-a3b7-8e9d4c536b5e", "MailboxOwnerSid": "S-1-5-21-3559471557-378169607-535915189-6443227", "MailboxOwnerUPN": "attacker@attack_range.lan", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "DM6PR08MB5260 (15.20.4200.000)\r\n", "AffectedItems": [{"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YsBAAAA", "InternetMessageId": "<1737104934442.205086245.18652135.1565904085@backend.cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Chicken Paprikash"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YsCAAAA", "InternetMessageId": "<1737110097267.aa4bc516-7c92-4859-830d-9d83afe9b8ea@bf03.hubspotemail.net>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Webinar | 2025 Commodity Outlook - Understanding the Impact of Tariffs and Supply-Demand Dynamics on Commodities"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YsDAAAA", "InternetMessageId": "<1737101209635.205086625.18651808.1500219417@backend.cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Chicken And Dumplings With Vegetables"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YsEAAAA", "InternetMessageId": "<1737115826296.205095015.18653145.1723408398@backend.cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Beef Onion in Gravy"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YsFAAAA", "InternetMessageId": "<1737115723789.205087045.18653155.1449112866@cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Cheesy Spaghetti Bake"}], "CrossMailboxOperation": false, "Folder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}}
{"AppAccessContext": {"APIId": ""}, "CreationTime": "2025-01-17T14:21:35", "Id": "7de4f543-91f9-445e-34ef-08dd37023fa3", "Operation": "HardDelete", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "RecordType": 3, "ResultStatus": "Succeeded", "UserKey": "100300008CCE2A7B", "UserType": 0, "Version": 1, "Workload": "Exchange", "ClientIP": "189.135.168.197", "UserId": "attacker@attack_range.lan", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=MSExchangeRPC", "ClientProcessName": "OUTLOOK.EXE", "ClientVersion": "16.0.18129.20030", "ExternalAccess": false, "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-3559471557-378169607-535915189-6443227", "MailboxGuid": "1bc714f7-9bc0-4a0a-a3b7-8e9d4c536b5e", "MailboxOwnerSid": "S-1-5-21-3559471557-378169607-535915189-6443227", "MailboxOwnerUPN": "attacker@attack_range.lan", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "DM6PR08MB5260 (15.20.4200.000)\r\n", "AffectedItems": [{"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YrZAAAA", "InternetMessageId": "<1737040468867.205087010.18639220.1449112866@cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Chicken Garlic Pizza"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YraAAAA", "InternetMessageId": "<rJdEnWS8QkaNf_-H3CIfuA@geopod-ismtpd-3>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Good news! Your products are back in stock 😃"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YrbAAAA", "InternetMessageId": "<A4.D9.57389.B1B29876@i-04fb414914a849f43.mta1vrest.sd.prd.sparkpost>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Wendy Williams insists she's not cognitively impaired and is trapped in a conservatorship: ‘I feel like I am in prison’"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YrcAAAA", "InternetMessageId": "<325a8b2caafa4e2688b1e0bb80c7fba8@2175572>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Submit your entry: MM+M Agency 100 opens for medical marketing agencies"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YrdAAAA", "InternetMessageId": "<0B.48.64701.F8E29876@i-09ee8bdffc3a869cb.mta1vrest.sd.prd.sparkpost>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "The Best Drink for Weight Loss"}], "CrossMailboxOperation": false, "Folder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}}
{"AppAccessContext": {"APIId": ""}, "CreationTime": "2025-01-17T14:21:35", "Id": "e222f951-cdac-4a6f-4263-08dd37023fa3", "Operation": "HardDelete", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "RecordType": 3, "ResultStatus": "Succeeded", "UserKey": "100300008CCE2A7B", "UserType": 0, "Version": 1, "Workload": "Exchange", "ClientIP": "189.135.168.197", "UserId": "attacker@attack_range.lan", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=MSExchangeRPC", "ClientProcessName": "OUTLOOK.EXE", "ClientVersion": "16.0.18129.20030", "ExternalAccess": false, "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-3559471557-378169607-535915189-6443227", "MailboxGuid": "1bc714f7-9bc0-4a0a-a3b7-8e9d4c536b5e", "MailboxOwnerSid": "S-1-5-21-3559471557-378169607-535915189-6443227", "MailboxOwnerUPN": "attacker@attack_range.lan", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "DM6PR08MB5260 (15.20.4200.000)\r\n", "AffectedItems": [{"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YrtAAAA", "InternetMessageId": "<1737043235612.205088015.18639685.1722356604@backend.cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Lemony Chicken With Broccoli"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YruAAAA", "InternetMessageId": "<1737037305824.205088425.18638622.1433846730@backend.cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Blueberry Kale Smoothie"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YrvAAAA", "InternetMessageId": "<1737029794852.205088500.18637386.1498162330@backend.cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Blackberry Buttermilk Cake"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YrwAAAA", "InternetMessageId": "<1737072366562.205088540.18649143.1498162330@backend.cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Corn Pasta Salad"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YrxAAAA", "InternetMessageId": "<1737073177075.205087025.18649161.1449112866@cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Spinach Quesadillas"}], "CrossMailboxOperation": false, "Folder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}}
{"AppAccessContext": {"APIId": ""}, "CreationTime": "2025-01-17T14:21:35", "Id": "e622d65b-f3d0-493d-30f9-08dd37023fa3", "Operation": "HardDelete", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "RecordType": 3, "ResultStatus": "Succeeded", "UserKey": "100300008CCE2A7B", "UserType": 0, "Version": 1, "Workload": "Exchange", "ClientIP": "189.135.168.197", "UserId": "attacker@attack_range.lan", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=MSExchangeRPC", "ClientProcessName": "OUTLOOK.EXE", "ClientVersion": "16.0.18129.20030", "ExternalAccess": false, "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-3559471557-378169607-535915189-6443227", "MailboxGuid": "1bc714f7-9bc0-4a0a-a3b7-8e9d4c536b5e", "MailboxOwnerSid": "S-1-5-21-3559471557-378169607-535915189-6443227", "MailboxOwnerUPN": "attacker@attack_range.lan", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "DM6PR08MB5260 (15.20.4200.000)\r\n", "AffectedItems": [{"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YrUAAAA", "InternetMessageId": "<cMNavvNjSYOLa8l58FE0ZA@geopod-ismtpd-36>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Live – Medicare Provider Enrollment 101: Complete Enrollment and Credentialing Process for Providers"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YrVAAAA", "InternetMessageId": "<0.0.1A.32.1DB68178FC6E2A6.0@omp.hcpconnects5.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "January Medical Affairs Newsletter"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YrWAAAA", "InternetMessageId": "<1737038264039.171df773-20d6-4ef6-8860-ff94394f138b@bf58x.hubspotemail.net>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Special Savings Ends Soon"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YrXAAAA", "InternetMessageId": "<1737040387171.205093140.18639234.1731449414@cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Chicken Garlic Pizza"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YrYAAAA", "InternetMessageId": "<1737040641218.205087160.18639222.1526363704@cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Beef In Onion Gravy"}], "CrossMailboxOperation": false, "Folder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}}
{"AppAccessContext": {"APIId": ""}, "CreationTime": "2025-01-17T14:21:35", "Id": "e7636618-8571-4f40-3c3d-08dd37023fa3", "Operation": "HardDelete", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "RecordType": 3, "ResultStatus": "Succeeded", "UserKey": "100300008CCE2A7B", "UserType": 0, "Version": 1, "Workload": "Exchange", "ClientIP": "189.135.168.197", "UserId": "attacker@attack_range.lan", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=MSExchangeRPC", "ClientProcessName": "OUTLOOK.EXE", "ClientVersion": "16.0.18129.20030", "ExternalAccess": false, "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-3559471557-378169607-535915189-6443227", "MailboxGuid": "1bc714f7-9bc0-4a0a-a3b7-8e9d4c536b5e", "MailboxOwnerSid": "S-1-5-21-3559471557-378169607-535915189-6443227", "MailboxOwnerUPN": "attacker@attack_range.lan", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "DM6PR08MB5260 (15.20.4200.000)\r\n", "AffectedItems": [{"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YrjAAAA", "InternetMessageId": "<1737051865284.205093145.18640718.1731449414@cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Zucchini Tomato Casserole"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YrkAAAA", "InternetMessageId": "<4B.B5.49468.6C459876@i-0949cefa11d696291.mta1vrest.sd.prd.sparkpost>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "David Lynch, 'Twin Peaks' creator and 'Mulholland Drive' director, dies at 78"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YrlAAAA", "InternetMessageId": "<1737058267590.205088435.18644045.1433846730@uk.cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Mint Chocolate Chip Cookies"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YrmAAAA", "InternetMessageId": "<1737061415658.205093150.18644377.1731449414@cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Turkey Tetrazzini"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YrnAAAA", "InternetMessageId": "<1737061512154.205087020.18644394.1449112866@cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Turkey Tetrazzini"}], "CrossMailboxOperation": false, "Folder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}}
{"AppAccessContext": {"APIId": ""}, "CreationTime": "2025-01-17T14:21:35", "Id": "5ba9ccb8-eb50-4803-3f5b-08dd37023fa3", "Operation": "HardDelete", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "RecordType": 3, "ResultStatus": "Succeeded", "UserKey": "100300008CCE2A7B", "UserType": 0, "Version": 1, "Workload": "Exchange", "ClientIP": "189.135.168.197", "UserId": "attacker@attack_range.lan", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=MSExchangeRPC", "ClientProcessName": "OUTLOOK.EXE", "ClientVersion": "16.0.18129.20030", "ExternalAccess": false, "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-3559471557-378169607-535915189-6443227", "MailboxGuid": "1bc714f7-9bc0-4a0a-a3b7-8e9d4c536b5e", "MailboxOwnerSid": "S-1-5-21-3559471557-378169607-535915189-6443227", "MailboxOwnerUPN": "attacker@attack_range.lan", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "DM6PR08MB5260 (15.20.4200.000)\r\n", "AffectedItems": [{"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YroAAAA", "InternetMessageId": "<1737062198180.205087170.18644395.1526363704@cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Southwestern Pineapple Pork Chops"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YrpAAAA", "InternetMessageId": "<1737061539666.205089350.18644376.1723408398@backend.cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Apple And Onion Beef Pot Roast"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YrqAAAA", "InternetMessageId": "<1737032846851.205087640.18638118.1637449122@backend.cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Pierogi Chicken Supper"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YrrAAAA", "InternetMessageId": "<1737051355914.205089345.18640740.1723408398@backend.cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Skillet-Roasted Lemon Chicken With Potatoes"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YrsAAAA", "InternetMessageId": "<1737055722857.205088125.18643625.1722356604@backend.cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Slow-Roasted Lemon Dill Chicken"}], "CrossMailboxOperation": false, "Folder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}}
{"AppAccessContext": {"APIId": ""}, "CreationTime": "2025-01-17T14:21:35", "Id": "74a440e8-437e-4048-28eb-08dd37023fa3", "Operation": "HardDelete", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "RecordType": 3, "ResultStatus": "Succeeded", "UserKey": "100300008CCE2A7B", "UserType": 0, "Version": 1, "Workload": "Exchange", "ClientIP": "189.135.168.197", "UserId": "attacker@attack_range.lan", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=MSExchangeRPC", "ClientProcessName": "OUTLOOK.EXE", "ClientVersion": "16.0.18129.20030", "ExternalAccess": false, "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-3559471557-378169607-535915189-6443227", "MailboxGuid": "1bc714f7-9bc0-4a0a-a3b7-8e9d4c536b5e", "MailboxOwnerSid": "S-1-5-21-3559471557-378169607-535915189-6443227", "MailboxOwnerUPN": "attacker@attack_range.lan", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "DM6PR08MB5260 (15.20.4200.000)\r\n", "AffectedItems": [{"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YrPAAAA", "InternetMessageId": "<97782fe781774f50b7e2099402e36d3f@slgnt.us>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "[PODCAST] Obesity Forum® FAQs: Beyond Weight – Addressing Patient-Centered Issues"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YrQAAAA", "InternetMessageId": "<1737029743552.205087135.18637387.1526363704@cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Spicy Chicken Breasts"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YrRAAAA", "InternetMessageId": "<1737028930342.205089500.18637384.1731449414@cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Chicken Picante"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YrSAAAA", "InternetMessageId": "<1737029640747.205086970.18637385.1449112866@cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Slow-Cooked Moroccan Chicken"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YrTAAAA", "InternetMessageId": "<kbkjzmkYSLyikT7-QrFpBA@geopod-ismtpd-13>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Let's Find the Parts You Need"}], "CrossMailboxOperation": false, "Folder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}}
{"AppAccessContext": {"APIId": ""}, "CreationTime": "2025-01-17T14:21:35", "Id": "c5038ae6-38e4-4e8a-38e1-08dd37023fa3", "Operation": "HardDelete", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "RecordType": 3, "ResultStatus": "Succeeded", "UserKey": "100300008CCE2A7B", "UserType": 0, "Version": 1, "Workload": "Exchange", "ClientIP": "189.135.168.197", "UserId": "attacker@attack_range.lan", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=MSExchangeRPC", "ClientProcessName": "OUTLOOK.EXE", "ClientVersion": "16.0.18129.20030", "ExternalAccess": false, "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-3559471557-378169607-535915189-6443227", "MailboxGuid": "1bc714f7-9bc0-4a0a-a3b7-8e9d4c536b5e", "MailboxOwnerSid": "S-1-5-21-3559471557-378169607-535915189-6443227", "MailboxOwnerUPN": "attacker@attack_range.lan", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "DM6PR08MB5260 (15.20.4200.000)\r\n", "AffectedItems": [{"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YreAAAA", "InternetMessageId": "<aJ5ppq8dTS-1dOkyOj1A7A@geopod-ismtpd-25>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Ready to EARN your results?"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YrfAAAA", "InternetMessageId": "<bdeabcd24cc94685b942318497c07db8@2175572>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "[Read now] Leveraging AI to enhance omnichannel marketing"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YrgAAAA", "InternetMessageId": "<1737048626089.205093010.18640145.1724968237@backend.cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Meatball Hash Brown Bake"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YrhAAAA", "InternetMessageId": "<f663f5ebdfa9402bab87361802c74634@2175572>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "MM+M's Career and Salary Survey Premium Edition - Available for purchase now"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YriAAAA", "InternetMessageId": "<1737051926704.205087015.18640741.1449112866@cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Zucchini Tomato Casserole"}], "CrossMailboxOperation": false, "Folder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}}
{"AppAccessContext": {"APIId": ""}, "CreationTime": "2025-01-17T14:21:35", "Id": "8afcc162-72ef-429b-4567-08dd37023fa3", "Operation": "HardDelete", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "RecordType": 3, "ResultStatus": "Succeeded", "UserKey": "100300008CCE2A7B", "UserType": 0, "Version": 1, "Workload": "Exchange", "ClientIP": "189.135.168.197", "UserId": "attacker@attack_range.lan", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=MSExchangeRPC", "ClientProcessName": "OUTLOOK.EXE", "ClientVersion": "16.0.18129.20030", "ExternalAccess": false, "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-3559471557-378169607-535915189-6443227", "MailboxGuid": "1bc714f7-9bc0-4a0a-a3b7-8e9d4c536b5e", "MailboxOwnerSid": "S-1-5-21-3559471557-378169607-535915189-6443227", "MailboxOwnerUPN": "attacker@attack_range.lan", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "DM6PR08MB5260 (15.20.4200.000)\r\n", "AffectedItems": [{"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YryAAAA", "InternetMessageId": "<1737073651716.205086240.18649162.1565904085@backend.cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Nutella Stuffed Chocolate Chip Cookies"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YrzAAAA", "InternetMessageId": "<1737052819944.205088510.18640737.1498162330@backend.cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "3-ingredient Pancakes"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07Yr0AAAA", "InternetMessageId": "<1737079763402.205088460.18650102.1433846730@cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Dark Chocolate Truffles"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07Yr1AAAA", "InternetMessageId": "<1737082944732.205088545.18650361.1498162330@backend.cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Eggnog Cheesecake"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07Yr2AAAA", "InternetMessageId": "<1737084037480.205087180.18650362.1526363704@cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Black Bean Tamale Pie"}], "CrossMailboxOperation": false, "Folder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}}
{"AppAccessContext": {"APIId": ""}, "CreationTime": "2025-01-17T14:21:33", "Id": "4f60de5b-235e-4dee-ed6f-08dd37023ebb", "Operation": "HardDelete", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "RecordType": 3, "ResultStatus": "Succeeded", "UserKey": "100300008CCE2A7B", "UserType": 0, "Version": 1, "Workload": "Exchange", "ClientIP": "189.135.168.197", "UserId": "attacker@attack_range.lan", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=MSExchangeRPC", "ClientProcessName": "OUTLOOK.EXE", "ClientVersion": "16.0.18129.20030", "ExternalAccess": false, "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-3559471557-378169607-535915189-6443227", "MailboxGuid": "1bc714f7-9bc0-4a0a-a3b7-8e9d4c536b5e", "MailboxOwnerSid": "S-1-5-21-3559471557-378169607-535915189-6443227", "MailboxOwnerUPN": "attacker@attack_range.lan", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "DM6PR08MB5260 (15.20.4200.000)\r\n", "AffectedItems": [{"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YqsAAAA", "InternetMessageId": "<1736953364988.205089295.18612884.1723408398@backend.cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Hungarian Pork Goulash"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YqtAAAA", "InternetMessageId": "<1736939149051.205081095.18610636.1500219417@backend.cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "BBQ Chicken Baked Potatoes"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YquAAAA", "InternetMessageId": "<1736962793761.205089380.18618070.1724968237@backend.cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Rice-Stuffed Peppers"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YqvAAAA", "InternetMessageId": "<1736975848993.205083175.18625594.1498162330@backend.cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Reese’s Peanut Butter Cookies"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YqwAAAA", "InternetMessageId": "<1736954005514.205083350.18612878.1565904085@backend.cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Vanilla Chia Seed Pudding"}], "CrossMailboxOperation": false, "Folder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}}
{"AppAccessContext": {"APIId": ""}, "CreationTime": "2025-01-17T14:21:33", "Id": "bac65be5-687d-4742-f768-08dd37023ebb", "Operation": "HardDelete", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "RecordType": 3, "ResultStatus": "Succeeded", "UserKey": "100300008CCE2A7B", "UserType": 0, "Version": 1, "Workload": "Exchange", "ClientIP": "189.135.168.197", "UserId": "attacker@attack_range.lan", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=MSExchangeRPC", "ClientProcessName": "OUTLOOK.EXE", "ClientVersion": "16.0.18129.20030", "ExternalAccess": false, "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-3559471557-378169607-535915189-6443227", "MailboxGuid": "1bc714f7-9bc0-4a0a-a3b7-8e9d4c536b5e", "MailboxOwnerSid": "S-1-5-21-3559471557-378169607-535915189-6443227", "MailboxOwnerUPN": "attacker@attack_range.lan", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "DM6PR08MB5260 (15.20.4200.000)\r\n", "AffectedItems": [{"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07Yq7AAAA", "InternetMessageId": "<1736990808106.205089435.18633630.1731653085@backend.cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Pork Chops With Honey-Balsamic Glaze"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07Yq8AAAA", "InternetMessageId": "<1736975603164.205089305.18625407.1723408398@backend.cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Spaghetti Squash With Meat Sauce"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07Yq9AAAA", "InternetMessageId": "<1736989804499.205087985.18633660.1722356604@backend.cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Chicken Fried Bacon"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07Yq+AAAA", "InternetMessageId": "<1736996436453.205089485.18634476.1731449414@cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Bacon-Topped Meat Loaf"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07Yq/AAAA", "InternetMessageId": "<1736996698730.205086955.18634477.1449112866@cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Gnocchi With White Beans"}], "CrossMailboxOperation": false, "Folder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}}
{"AppAccessContext": {"APIId": ""}, "CreationTime": "2025-01-17T14:21:33", "Id": "338d9663-e396-4fc6-f45f-08dd37023ebb", "Operation": "HardDelete", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "RecordType": 3, "ResultStatus": "Succeeded", "UserKey": "100300008CCE2A7B", "UserType": 0, "Version": 1, "Workload": "Exchange", "ClientIP": "189.135.168.197", "UserId": "attacker@attack_range.lan", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=MSExchangeRPC", "ClientProcessName": "OUTLOOK.EXE", "ClientVersion": "16.0.18129.20030", "ExternalAccess": false, "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-3559471557-378169607-535915189-6443227", "MailboxGuid": "1bc714f7-9bc0-4a0a-a3b7-8e9d4c536b5e", "MailboxOwnerSid": "S-1-5-21-3559471557-378169607-535915189-6443227", "MailboxOwnerUPN": "attacker@attack_range.lan", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "DM6PR08MB5260 (15.20.4200.000)\r\n", "AffectedItems": [{"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07Yq2AAAA", "InternetMessageId": "<1736972668020.205086540.18622428.1500219417@backend.cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Bavarian Pot Roast"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07Yq3AAAA", "InternetMessageId": "<1736985630278.205089310.18633267.1723408398@backend.cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Chicken Parmigiana"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07Yq4AAAA", "InternetMessageId": "<1736965786556.205083360.18618413.1565904085@backend.cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Brownie Sundaes"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07Yq5AAAA", "InternetMessageId": "<1736982041275.205086545.18629886.1500219417@backend.cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Stovetop Goulash"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07Yq6AAAA", "InternetMessageId": "<1736989625456.205087620.18633661.1637449122@backend.cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Three-Cheese Spaghetti Bake"}], "CrossMailboxOperation": false, "Folder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}}
{"AppAccessContext": {"APIId": ""}, "CreationTime": "2025-01-17T14:21:33", "Id": "335ddaa9-8965-4d83-fd4f-08dd37023ebb", "Operation": "HardDelete", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "RecordType": 3, "ResultStatus": "Succeeded", "UserKey": "100300008CCE2A7B", "UserType": 0, "Version": 1, "Workload": "Exchange", "ClientIP": "189.135.168.197", "UserId": "attacker@attack_range.lan", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=MSExchangeRPC", "ClientProcessName": "OUTLOOK.EXE", "ClientVersion": "16.0.18129.20030", "ExternalAccess": false, "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-3559471557-378169607-535915189-6443227", "MailboxGuid": "1bc714f7-9bc0-4a0a-a3b7-8e9d4c536b5e", "MailboxOwnerSid": "S-1-5-21-3559471557-378169607-535915189-6443227", "MailboxOwnerUPN": "attacker@attack_range.lan", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "DM6PR08MB5260 (15.20.4200.000)\r\n", "AffectedItems": [{"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YrFAAAA", "InternetMessageId": "<1737007318667.205086960.18635398.1449112866@cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Chicken Florentine Pizza"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YrGAAAA", "InternetMessageId": "<1737007541159.205089490.18635400.1731449414@cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Hasselback Potatoes"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YrHAAAA", "InternetMessageId": "<1737014627620.205086560.18636074.1500219417@backend.cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Cream Cheese Chicken Soup"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YrIAAAA", "InternetMessageId": "<1737018030073.205089495.18636397.1731449414@cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Lemony Chicken With Broccoli"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YrJAAAA", "InternetMessageId": "<1737018072433.205087130.18636398.1526363704@cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Slow Cooker Balsamic Chicken"}], "CrossMailboxOperation": false, "Folder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}}
{"AppAccessContext": {"APIId": ""}, "CreationTime": "2025-01-17T14:21:33", "Id": "8db0ed98-63cd-4a97-e143-08dd37023ebb", "Operation": "HardDelete", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "RecordType": 3, "ResultStatus": "Succeeded", "UserKey": "100300008CCE2A7B", "UserType": 0, "Version": 1, "Workload": "Exchange", "ClientIP": "189.135.168.197", "UserId": "attacker@attack_range.lan", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=MSExchangeRPC", "ClientProcessName": "OUTLOOK.EXE", "ClientVersion": "16.0.18129.20030", "ExternalAccess": false, "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-3559471557-378169607-535915189-6443227", "MailboxGuid": "1bc714f7-9bc0-4a0a-a3b7-8e9d4c536b5e", "MailboxOwnerSid": "S-1-5-21-3559471557-378169607-535915189-6443227", "MailboxOwnerUPN": "attacker@attack_range.lan", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "DM6PR08MB5260 (15.20.4200.000)\r\n", "AffectedItems": [{"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YqnAAAA", "InternetMessageId": "<1736975624022.205087110.18625412.1526363704@cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Kentucky Style Fried Green Tomatoes"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YqoAAAA", "InternetMessageId": "<1736965770270.205083170.18618457.1498162330@backend.cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Lemon Sandwich Cookies"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YqpAAAA", "InternetMessageId": "<1736956833963.205084000.18615125.1722356604@backend.cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Skillet Pork Chops With Potatoes And Onion"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YqqAAAA", "InternetMessageId": "<1736946046770.205084305.18611889.1731653085@backend.cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Smoked Salmon Bites With Shallot Sauce"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YqrAAAA", "InternetMessageId": "<1736946192397.205083995.18611896.1722356604@backend.cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Pork Chops With Apple Cider Glaze"}], "CrossMailboxOperation": false, "Folder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}}
{"AppAccessContext": {"APIId": ""}, "CreationTime": "2025-01-17T14:21:33", "Id": "5d5e9a4b-3e78-4762-f13a-08dd37023ebb", "Operation": "HardDelete", "OrganizationId": "6915b1e0-b081-4829-8866-f1a3e883a9ae", "RecordType": 3, "ResultStatus": "Succeeded", "UserKey": "100300008CCE2A7B", "UserType": 0, "Version": 1, "Workload": "Exchange", "ClientIP": "189.135.168.197", "UserId": "attacker@attack_range.lan", "ClientIPAddress": "189.135.168.197", "ClientInfoString": "Client=MSExchangeRPC", "ClientProcessName": "OUTLOOK.EXE", "ClientVersion": "16.0.18129.20030", "ExternalAccess": false, "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-3559471557-378169607-535915189-6443227", "MailboxGuid": "1bc714f7-9bc0-4a0a-a3b7-8e9d4c536b5e", "MailboxOwnerSid": "S-1-5-21-3559471557-378169607-535915189-6443227", "MailboxOwnerUPN": "attacker@attack_range.lan", "OrganizationName": "attack_range.onmicrosoft.com", "OriginatingServer": "DM6PR08MB5260 (15.20.4200.000)\r\n", "AffectedItems": [{"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YqxAAAA", "InternetMessageId": "<1736982326781.205089390.18629888.1724968237@backend.cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Cantonese Beef"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YqyAAAA", "InternetMessageId": "<1736986012390.205086950.18633266.1449112866@cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Apple And Onion Beef Pot Roast"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07YqzAAAA", "InternetMessageId": "<1736986296261.205089480.18633264.1731449414@cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Sauteed Pork Chops With Garlic Spinach"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07Yq0AAAA", "InternetMessageId": "<1736986505718.205087115.18633263.1526363704@cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Ultimate Gulf Coast Gumbo"}, {"Id": "RgAAAADcAfEW9CNoTIZvuoFIil0/BwDGw0AwdTkHTpTEabe6U2AvAAAAAItxAADeKTR13rcDQp4nrjqo0nWuAAX07Yq1AAAA", "InternetMessageId": "<1736975999520.205083365.18625490.1565904085@backend.cp20.com>", "ParentFolder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}, "Subject": "Red Velvet Cheesecake Swirl Brownies"}], "CrossMailboxOperation": false, "Folder": {"Id": "LgAAAADcAfEW9CNoTIZvuoFIil0/AQDGw0AwdTkHTpTEabe6U2AvAAAAAItxAAAB", "Path": "\\Recoverable Items\\Deletions"}}