We run Exchange 2010. An email was auto-sent from one of our user's accounts a couple of hours ago. It was one of those Google Docs phishing scams. I know it came from his account, but I can't find the source, and it was only the one message.
Exchange message tracking shows the message originating internally (not SMTP), and the message ID is not constistent with his iphone. That leaves Outlook and OWA as the possible culprits. He was at lunch at the time and his Outlook was closed, so my best guess at the moment is that he got hit with an OWA account hijack.
Does anyone else have suggestions on where to look or how to track this further?
TY!