{"id":28717,"date":"2026-01-07T10:47:27","date_gmt":"2026-01-07T09:47:27","guid":{"rendered":"https:\/\/www.riskinsight-wavestone.com\/?p=28717"},"modified":"2026-01-07T10:47:31","modified_gmt":"2026-01-07T09:47:31","slug":"zimbra-mailbox-compromise-from-analysis-to-remediation-part-2","status":"publish","type":"post","link":"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/01\/zimbra-mailbox-compromise-from-analysis-to-remediation-part-2\/","title":{"rendered":"Zimbra Mailbox Compromise: From Analysis to Remediation (Part 2)"},"content":{"rendered":"\n<p style=\"text-align: justify;\">It&#8217;s time to begin the second part of our Zimbra investigation. If you haven&#8217;t read the first part yet, we strongly recommend starting <a href=\"https:\/\/www.riskinsight-wavestone.com\/en\/2025\/12\/zimbra-mailbox-compromise-from-analysis-to-remediation\/\"><span style=\"color: #000080;\">HERE<\/span> <\/a>before continuing.<br \/>In this second part, we&#8217;ll assume that an attacker has managed to compromise a Zimbra account and that we&#8217;ve already identified their entry point (initial access). We&#8217;ll now analyze how to leverage Zimbra logs to identify the malicious actions the attacker could have carried out from their access. 
We&#8217;ll then see what remediation measures to implement to prevent this type of incident and respond to it effectively.<br \/>Get comfortable (and make sure your coffee is still hot): let&#8217;s dive right into the heart of the matter!<\/p>\n<p>\u00a0<\/p>\n<h2>Investigating in a Zimbra Environment<\/h2>\n<p style=\"text-align: justify;\">Now that Zimbra\u2019s infrastructure and logs <strong>hold no secrets for you<\/strong>, it\u2019s time to get <strong>practical<\/strong>.<\/p>\n<p style=\"text-align: justify;\">Imagine you\u2019re a forensic analyst, arriving early one morning, when suddenly: <strong>the phone rings.<\/strong> You\u2019re being called because several users are reporting that emails <strong>they didn\u2019t send<\/strong> are appearing in their \u201cSent\u201d folder.<\/p>\n<p style=\"text-align: justify;\"><strong>Panic ensues<\/strong>! Users are afraid to log into their mailboxes, and some administrators start wondering whether the <strong>Zimbra infrastructure itself<\/strong> might be <strong>compromised<\/strong>.<\/p>\n<p style=\"text-align: justify;\">Since you know Zimbra inside out, the team naturally turns to you to <strong>investigate this incident<\/strong>!<\/p>\n<p style=\"text-align: justify;\">As a forensic analyst, many questions come to mind:<\/p>\n<ul style=\"text-align: justify;\">\n<li><em>Have the accounts really been compromised? 
If so, how and since when?<\/em><\/li>\n<li><em>How many users are affected?<\/em><\/li>\n<li><em>What is the attacker\u2019s objective, and what malicious actions have been carried out from these accounts?<\/em><\/li>\n<li><em>Have the mail server or other Zimbra components been compromised?<\/em><\/li>\n<li><em>And, most importantly: do I have time for a coffee <\/em>&#x2615;&#xfe0f;<em> before the information hunt begins?<\/em><\/li>\n<\/ul>\n<p style=\"text-align: justify;\">To help you in your investigation, we\u2019ll look at how to answer these questions through Zimbra log analysis. But first, here are some tips to guide your investigation.<\/p>\n<p style=\"text-align: justify;\">During incident response, it\u2019s easy to feel <strong>overwhelmed<\/strong> by the <strong>amount of logs<\/strong> <strong>and<\/strong> <strong>events<\/strong> <strong>to analyze<\/strong>. Keeping a clear line of reasoning is essential. A few simple practices can help maintain focus:<\/p>\n<ul style=\"text-align: justify;\">\n<li><strong>Confirm:<\/strong> Verify the information that triggered the incident. Before diving deeper, ensure the initial alert is accurate. This undeniable baseline will serve as the foundation for the entire investigation.<\/li>\n<li><strong>Correlate:<\/strong> Cross-check suspicious IP addresses and domains with other sources (proxy, VPN, EDR, online antivirus databases). This provides additional context related to the identified indicator.<\/li>\n<li><strong>Pivot:<\/strong> Use the collected information to expand your analysis. An attacker might reuse the same IP address or user-agent across multiple accounts. Conversely, a compromised account might be accessed from different IP addresses or user-agents. 
Pivoting can reveal other indicators that help identify the attacker.<\/li>\n<li><strong>Compare patterns:<\/strong> Even without direct access to email content or attachments, certain elements can reveal similarities (file size, identical filenames, repeated sequences of actions after account compromise). This behavioral analysis approach can help identify multiple users compromised by the same attacker. Such hypotheses should be formulated and handled cautiously, but they can be valuable for confirming intuition.<\/li>\n<li><strong>Ensure log preservation:<\/strong> This may seem obvious, but as soon as an incident is detected, securing the logs is critical. Collect logs immediately from the entire Zimbra infrastructure and extend their retention period to prevent automatic deletion. Because let\u2019s be honest: logs disappearing just as the forensic team arrives is an all too common scenario\u2026 one you definitely want to avoid.<\/li>\n<\/ul>\n<p style=\"text-align: justify;\">While these tips <strong>aren\u2019t exhaustive<\/strong>, they provide a solid foundation for conducting an analysis that is both <strong>fast<\/strong> and <strong>efficient<\/strong>.<\/p>\n<p>\u00a0<\/p>\n<h2>Post-compromise activity<\/h2>\n<h3>Analysis of user activity<\/h3>\n<p style=\"text-align: justify;\"><strong>What mastery<\/strong>! You have successfully traced back to the initial entry point used by the attacker to compromise user accounts. You have identified the malicious IP addresses, spotted the User-Agent used, and even uncovered other compromised accounts thanks to this information. In short, clean and efficient work. 
Impressive!<\/p>\n<p style=\"text-align: justify;\">But\u2026 we still haven\u2019t answered a crucial question: &#8220;<em>What was the attacker\u2019s objective, and what actions did they take from the compromised accounts?<\/em>&#8221;<\/p>\n<p style=\"text-align: justify;\">To find out, you now need to analyze the <strong>attacker\u2019s activity within the Zimbra infrastructure<\/strong>. Once authenticated, an attacker can indeed:<\/p>\n<ul style=\"text-align: justify;\">\n<li>Launch an <strong>internal<\/strong> or <strong>external<\/strong> <strong>phishing<\/strong> <strong>campaign<\/strong><\/li>\n<li>Send messages aimed at tricking a colleague, partner, or client into taking action (CEO fraud, fictitious urgent requests, etc.)<\/li>\n<li><strong>Exfiltrate sensitive data<\/strong> from mailboxes<\/li>\n<\/ul>\n<p style=\"text-align: justify;\">In this section, we will examine <strong>some examples of suspicious activities<\/strong> that can be identified from Zimbra logs.<\/p>\n<p>\u00a0<\/p>\n<h4>Sending a large number of emails in a short amount of time<\/h4>\n<p style=\"text-align: justify;\">You want to determine whether compromised accounts were used to <strong>conduct additional phishing attempts<\/strong> by sending <strong>mass emails<\/strong> to <strong>internal<\/strong> or <strong>external<\/strong> <strong>recipients<\/strong>. Unfortunately, Zimbra does not provide a native event that allows you to retrieve this information directly. 
However, a simple <strong>grep<\/strong> command will get the job done.<\/p>\n<p style=\"text-align: justify;\">The command below extracts the <strong>number of messages sent by each user<\/strong> over a specific period (here, from <strong>November<\/strong> <strong>21 to November 27, 2025<\/strong>):<\/p>\n<figure id=\"attachment_28721\" aria-describedby=\"caption-attachment-28721\" style=\"width: 1377px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-28721\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/1-Retrieving-the-number-of-emails-sent-per-user-mailbox.log_.png\" alt=\"Retrieving the number of emails sent per user (mailbox.log)\" width=\"1377\" height=\"444\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/1-Retrieving-the-number-of-emails-sent-per-user-mailbox.log_.png 1377w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/1-Retrieving-the-number-of-emails-sent-per-user-mailbox.log_-437x141.png 437w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/1-Retrieving-the-number-of-emails-sent-per-user-mailbox.log_-71x23.png 71w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/1-Retrieving-the-number-of-emails-sent-per-user-mailbox.log_-768x248.png 768w\" sizes=\"auto, (max-width: 1377px) 100vw, 1377px\" \/><figcaption id=\"caption-attachment-28721\" class=\"wp-caption-text\"><em>Retrieving the number of emails sent per user (mailbox.log)<\/em><\/figcaption><\/figure>\n<p>\u00a0<\/p>\n<p style=\"text-align: justify;\">In this example, <strong>user25@wavestone.corp<\/strong> clearly <strong>stands out<\/strong> with a <strong>sending volume far above normal<\/strong>. 
An <strong>unusually high volume<\/strong> of emails sent from a mailbox <strong>over a short period<\/strong> constitutes <strong>suspicious activity<\/strong>.<\/p>\n<p style=\"text-align: justify;\">In legitimate use, mass email sending is relatively rare and is generally associated with <strong>generic addresses<\/strong> or <strong>internal communication systems<\/strong> (e.g., newsletters, HR announcements). When a standard user account exhibits this type of behavior, it is important to:<\/p>\n<ul style=\"text-align: justify;\">\n<li>Determine whether this is normal, recurring activity for the user<\/li>\n<li>Check the sending time frame, IP address, and User-Agent<\/li>\n<li>Verify whether any suspicious attachments were associated with the emails<\/li>\n<\/ul>\n<p style=\"text-align: justify;\">Mass email sending can <strong>trigger built-in protection mechanisms<\/strong> in Zimbra, including <strong>quota rules<\/strong>. These thresholds are designed to limit the volume of messages sent by an account over a given period to prevent abuse, spam, or phishing campaigns.<\/p>\n<p style=\"text-align: justify;\">The two commands below allow you to retrieve events related to quota exceedances:<\/p>\n<figure id=\"attachment_28723\" aria-describedby=\"caption-attachment-28723\" style=\"width: 1378px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-28723\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/2-Retrieval-of-quota-overruns-mailbox.log_.png\" alt=\"Retrieval of quota overruns (mailbox.log)\" width=\"1378\" height=\"146\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/2-Retrieval-of-quota-overruns-mailbox.log_.png 1378w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/2-Retrieval-of-quota-overruns-mailbox.log_-437x46.png 437w, 
https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/2-Retrieval-of-quota-overruns-mailbox.log_-71x8.png 71w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/2-Retrieval-of-quota-overruns-mailbox.log_-768x81.png 768w\" sizes=\"auto, (max-width: 1378px) 100vw, 1378px\" \/><figcaption id=\"caption-attachment-28723\" class=\"wp-caption-text\"><em>Retrieval of quota overruns (mailbox.log)<\/em><\/figcaption><\/figure>\n<figure id=\"attachment_28727\" aria-describedby=\"caption-attachment-28727\" style=\"width: 1375px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-28727\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/3-Retrieval-of-quota-overruns-mail.log_.png\" alt=\"Retrieval of quota overruns (mail.log)\" width=\"1375\" height=\"187\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/3-Retrieval-of-quota-overruns-mail.log_.png 1375w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/3-Retrieval-of-quota-overruns-mail.log_-437x59.png 437w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/3-Retrieval-of-quota-overruns-mail.log_-71x10.png 71w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/3-Retrieval-of-quota-overruns-mail.log_-768x104.png 768w\" sizes=\"auto, (max-width: 1375px) 100vw, 1375px\" \/><figcaption id=\"caption-attachment-28727\" class=\"wp-caption-text\"><em>Retrieval of quota overruns (mail.log)<\/em><\/figcaption><\/figure>\n<p>\u00a0<\/p>\n<p style=\"text-align: justify;\">The appearance of error messages related to quota exceedances is a signal <strong>not to be ignored<\/strong>, because:<\/p>\n<ul style=\"text-align: justify;\">\n<li>Either the legitimate user accidentally exceeded a quota<\/li>\n<li>Or the account is being used fraudulently to send mass emails<\/li>\n<\/ul>\n<p style=\"text-align: justify;\">Since this 
indicator can generate a <strong>large number of false positives<\/strong>, it is recommended to <strong>correlate it with other information<\/strong> in order to draw meaningful conclusions.<\/p>\n<p>\u00a0<\/p>\n<h4>Sending an email to a large number of recipients<\/h4>\n<p style=\"text-align: justify;\">To avoid triggering a quota\u2011exceedance alert, a more seasoned attacker may adopt a more &#8220;<em>subtle<\/em>&#8221; strategy. Instead of sending <strong>dozens of individual<\/strong> emails (a noisy method), they may choose to send a <strong>single message<\/strong> addressed to a <strong>long list of recipients<\/strong>: an efficient way to optimize their phishing campaign.<\/p>\n<p style=\"text-align: justify;\">Fortunately for you, Zimbra logs make it possible to identify the <strong>number of recipients associated with each sent email<\/strong>, which makes this type of maneuver detectable without too much effort.<\/p>\n<p style=\"text-align: justify;\">The commands below allow you to identify emails sent to an unusually <strong>high number of recipients<\/strong>:<\/p>\n<figure id=\"attachment_28729\" aria-describedby=\"caption-attachment-28729\" style=\"width: 1377px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-28729\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/4-Retrieval-of-emails-sent-to-more-than-100-recipients-mail.log_.png\" alt=\"Retrieval of emails sent to more than 100 recipients (mail.log)\" width=\"1377\" height=\"144\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/4-Retrieval-of-emails-sent-to-more-than-100-recipients-mail.log_.png 1377w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/4-Retrieval-of-emails-sent-to-more-than-100-recipients-mail.log_-437x46.png 437w, 
https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/4-Retrieval-of-emails-sent-to-more-than-100-recipients-mail.log_-71x7.png 71w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/4-Retrieval-of-emails-sent-to-more-than-100-recipients-mail.log_-768x80.png 768w\" sizes=\"auto, (max-width: 1377px) 100vw, 1377px\" \/><figcaption id=\"caption-attachment-28729\" class=\"wp-caption-text\"><em>Retrieval of emails sent to more than 100 recipients (mail.log)<\/em><\/figcaption><\/figure>\n<figure id=\"attachment_28731\" aria-describedby=\"caption-attachment-28731\" style=\"width: 1371px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-28731\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/5-Retrieval-of-emails-sent-to-more-than-100-recipients-mailbox.log_.png\" alt=\"Retrieval of emails sent to more than 100 recipients (mailbox.log)\" width=\"1371\" height=\"185\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/5-Retrieval-of-emails-sent-to-more-than-100-recipients-mailbox.log_.png 1371w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/5-Retrieval-of-emails-sent-to-more-than-100-recipients-mailbox.log_-437x59.png 437w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/5-Retrieval-of-emails-sent-to-more-than-100-recipients-mailbox.log_-71x10.png 71w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/5-Retrieval-of-emails-sent-to-more-than-100-recipients-mailbox.log_-768x104.png 768w\" sizes=\"auto, (max-width: 1371px) 100vw, 1371px\" \/><figcaption id=\"caption-attachment-28731\" class=\"wp-caption-text\"><em>Retrieval of emails sent to more than 100 recipients (mailbox.log)<\/em><\/figcaption><\/figure>\n<p>\u00a0<\/p>\n<p style=\"text-align: justify;\">Here, you can observe that the user <strong>user25@wavestone.corp<\/strong> sent an email to 
<strong>211 recipients<\/strong>. Such behavior is clearly <strong>suspicious<\/strong>.<\/p>\n<p style=\"text-align: justify;\">In practice, it is <strong>rare<\/strong> for a <strong>personal email address<\/strong> to send a message to <strong>several dozen recipients simultaneously<\/strong>. This type of volume is usually associated with <strong>shared mailboxes<\/strong> or <strong>generic addresses<\/strong> (e.g., internal communications, HR services, institutional announcements).<\/p>\n<p style=\"text-align: justify;\">When a standard user account exhibits this kind of activity, it is essential to:<\/p>\n<ul style=\"text-align: justify;\">\n<li>identify the usual communication practices within the organization<\/li>\n<li>determine whether this sending volume is normal or recurrent for the user in question<\/li>\n<li>examine the time window, IP address, and user agent used during the sending<\/li>\n<li>check if any potentially malicious attachments were associated with the messages<\/li>\n<\/ul>\n<p style=\"text-align: justify;\">To save time, it is often worthwhile to <strong>confirm directly with the user<\/strong> whether the sending was legitimate.<\/p>\n<p style=\"text-align: justify;\">The example presented here isolates sends containing <strong>more than 100 recipients<\/strong>. However, this <strong>threshold should be adjusted<\/strong> depending on:<\/p>\n<ul>\n<li style=\"text-align: justify;\">the usual volume within the organization<\/li>\n<li style=\"text-align: justify;\">the type of accounts involved<\/li>\n<li style=\"text-align: justify;\">and the period covered by the logs analyzed<\/li>\n<\/ul>\n<p>\u00a0<\/p>\n<h4>Uploading suspicious attachments<\/h4>\n<p style=\"text-align: justify;\">Unlike email reception, the <strong>upload of suspicious attachments<\/strong> is better logged by Zimbra. 
Each time a user attaches a file to a new email, Zimbra carefully records the operation in its logs.<\/p>\n<p style=\"text-align: justify;\">Using the commands below, you can <strong>retrieve the attachments added to emails<\/strong> by a potentially compromised user:<\/p>\n<figure id=\"attachment_28737\" aria-describedby=\"caption-attachment-28737\" style=\"width: 1374px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-28737\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/6-Retrieval-of-attachment-upload-events-mailbox.log-1-2.png\" alt=\"Retrieval of attachment upload events (mailbox.log) (1\/2)\" width=\"1374\" height=\"184\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/6-Retrieval-of-attachment-upload-events-mailbox.log-1-2.png 1374w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/6-Retrieval-of-attachment-upload-events-mailbox.log-1-2-437x59.png 437w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/6-Retrieval-of-attachment-upload-events-mailbox.log-1-2-71x10.png 71w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/6-Retrieval-of-attachment-upload-events-mailbox.log-1-2-768x103.png 768w\" sizes=\"auto, (max-width: 1374px) 100vw, 1374px\" \/><figcaption id=\"caption-attachment-28737\" class=\"wp-caption-text\"><em>Retrieval of attachment upload events (mailbox.log) (1\/2)<\/em><\/figcaption><\/figure>\n<figure id=\"attachment_28739\" aria-describedby=\"caption-attachment-28739\" style=\"width: 1377px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-28739\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/7-Retrieval-of-attachment-upload-events-mailbox.log-2-2.png\" alt=\"Retrieval of attachment upload events (mailbox.log) (2\/2)\" width=\"1377\" height=\"147\" 
srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/7-Retrieval-of-attachment-upload-events-mailbox.log-2-2.png 1377w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/7-Retrieval-of-attachment-upload-events-mailbox.log-2-2-437x47.png 437w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/7-Retrieval-of-attachment-upload-events-mailbox.log-2-2-71x8.png 71w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/7-Retrieval-of-attachment-upload-events-mailbox.log-2-2-768x82.png 768w\" sizes=\"auto, (max-width: 1377px) 100vw, 1377px\" \/><figcaption id=\"caption-attachment-28739\" class=\"wp-caption-text\"><em>Retrieval of attachment upload events (mailbox.log) (2\/2)<\/em><\/figcaption><\/figure>\n<p>\u00a0<\/p>\n<p style=\"text-align: justify;\">As with the reception of malicious attachments, you can search the logs for:<\/p>\n<ul style=\"text-align: justify;\">\n<li>the <strong>upload of attachments with suspicious extensions<\/strong> (e.g., .htm, .html, .exe, .js, .arj, .iso, .bat, .ps1, or Office\/PDF documents containing macros);<\/li>\n<li><strong>files already observed earlier<\/strong> during the initial phases of the incident (for example, a document downloaded by patient zero);<\/li>\n<li><strong>upload activity that correlates<\/strong> with malicious source IP addresses or accounts identified as compromised.<\/li>\n<\/ul>\n<p style=\"text-align: justify;\">This list is <strong>not exhaustive<\/strong>; it may be relevant to search for <strong>any type of file<\/strong> that seems <strong>pertinent<\/strong> <strong>to the context of your investigation<\/strong>.<\/p>\n<p>\u00a0<\/p>\n<h4>Removal of traces<\/h4>\n<p style=\"text-align: justify;\">Now that you have a clear picture of what the attacker did with the compromised accounts, you are disappointed because you <strong>cannot locate the emails in question<\/strong>. 
You suspect that the attacker <strong>erased their traces<\/strong>. But how can you verify this?<\/p>\n<p style=\"text-align: justify;\">Indeed, after sending malicious emails, an experienced attacker may try to <strong>hide their tracks<\/strong> from the legitimate mailbox owner by <strong>deleting sent emails<\/strong> or returned messages.<\/p>\n<p style=\"text-align: justify;\">Fortunately, the following commands will allow you to <strong>identify email deletions<\/strong> performed in Zimbra:<\/p>\n<figure id=\"attachment_28743\" aria-describedby=\"caption-attachment-28743\" style=\"width: 1373px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-28743\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/8-Retrieval-of-deleted-items-from-the-trash-mailbox.log_.png\" alt=\"Retrieval of deleted items from the trash (mailbox.log)\" width=\"1373\" height=\"361\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/8-Retrieval-of-deleted-items-from-the-trash-mailbox.log_.png 1373w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/8-Retrieval-of-deleted-items-from-the-trash-mailbox.log_-437x115.png 437w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/8-Retrieval-of-deleted-items-from-the-trash-mailbox.log_-71x19.png 71w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/8-Retrieval-of-deleted-items-from-the-trash-mailbox.log_-768x202.png 768w\" sizes=\"auto, (max-width: 1373px) 100vw, 1373px\" \/><figcaption id=\"caption-attachment-28743\" class=\"wp-caption-text\"><em>Retrieval of deleted items from the trash (mailbox.log)<\/em><\/figcaption><\/figure>\n<figure id=\"attachment_28746\" aria-describedby=\"caption-attachment-28746\" style=\"width: 1375px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-28746\" 
src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/9-Retrieval-of-permanently-deleted-files-mail.log_.png\" alt=\"Retrieval of permanently deleted files (mail.log)\" width=\"1375\" height=\"364\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/9-Retrieval-of-permanently-deleted-files-mail.log_.png 1375w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/9-Retrieval-of-permanently-deleted-files-mail.log_-437x116.png 437w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/9-Retrieval-of-permanently-deleted-files-mail.log_-71x19.png 71w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/9-Retrieval-of-permanently-deleted-files-mail.log_-768x203.png 768w\" sizes=\"auto, (max-width: 1375px) 100vw, 1375px\" \/><figcaption id=\"caption-attachment-28746\" class=\"wp-caption-text\"><em>Retrieval of permanently deleted files (mail.log)<\/em><\/figcaption><\/figure>\n<p>\u00a0<\/p>\n<p style=\"text-align: justify;\">In legitimate use, it is not uncommon for a user to <strong>delete multiple emails<\/strong> (e.g., inbox cleanup, managing newsletters). 
However, the situation becomes <strong>suspicious<\/strong> when deletions occur:<\/p>\n<ul style=\"text-align: justify;\">\n<li><strong>Immediately<\/strong> after <strong>mass email sending<\/strong><\/li>\n<li>Specifically targeting the <strong>most recently sent messages<\/strong><\/li>\n<\/ul>\n<p style=\"text-align: justify;\">During your investigation, keep in mind that an attacker may also attempt to delete:<\/p>\n<ul style=\"text-align: justify;\">\n<li><strong>Read receipts generated by their emails<\/strong><\/li>\n<li><strong>Automatic replies<\/strong> (out-of-office messages, NDRs) that could alert the victim<\/li>\n<\/ul>\n<p style=\"text-align: justify;\">It is therefore important <strong>not to overlook deletions<\/strong> and to <strong>correlate them with other indicators<\/strong> (suspicious authentications, mass email sending, quota exceedances, connections from malicious IPs) to assess the <strong>legitimacy<\/strong> <strong>of these actions<\/strong>.<\/p>\n<p>\u00a0<\/p>\n<h4>Data exfiltration<\/h4>\n<p style=\"text-align: justify;\"><strong>One question still troubles you<\/strong>\u2026 Among the compromised accounts, some belonged to users who handled sensitive data for the company. You therefore want to determine whether the attacker attempted to <strong>exfiltrate any email<\/strong> they had access to.<\/p>\n<p style=\"text-align: justify;\">Unfortunately for you, <strong>Zimbra does not log the direct download of emails<\/strong>. After all, retrieving messages via IMAP or SMTP is essentially a &#8220;<em>download<\/em>&#8221; from the server to the mail client. It is therefore difficult to distinguish a <strong>normal transfer<\/strong> from a <strong>malicious download<\/strong>. 
And in the Nginx logs (which front the webmail), the same issue arises: it is impossible to precisely identify whether an email was downloaded.<\/p>\n<p style=\"text-align: justify;\">As a small consolation, Zimbra does log certain internal operations, particularly <strong>copy actions<\/strong> performed within the mailbox. An attacker could, for example, create a folder to store sensitive emails before extraction.<\/p>\n<p style=\"text-align: justify;\">The following command allows you to identify a <strong>mass copy of emails<\/strong> <strong>into a folder<\/strong> (here named &#8220;<em>Exfiltration<\/em>&#8221;) from the web client:<\/p>\n<figure id=\"attachment_28748\" aria-describedby=\"caption-attachment-28748\" style=\"width: 1254px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-28748\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/10-Retrieval-of-mass-email-copy-events-mailbox.log-1-2.png\" alt=\"Retrieval of mass email copy events (mailbox.log) (1\/2)\" width=\"1254\" height=\"785\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/10-Retrieval-of-mass-email-copy-events-mailbox.log-1-2.png 1254w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/10-Retrieval-of-mass-email-copy-events-mailbox.log-1-2-305x191.png 305w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/10-Retrieval-of-mass-email-copy-events-mailbox.log-1-2-62x39.png 62w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/10-Retrieval-of-mass-email-copy-events-mailbox.log-1-2-768x481.png 768w\" sizes=\"auto, (max-width: 1254px) 100vw, 1254px\" \/><figcaption id=\"caption-attachment-28748\" class=\"wp-caption-text\"><em>Retrieval of mass email copy events (mailbox.log) (1\/2)<\/em><\/figcaption><\/figure>\n<p>\u00a0<\/p>\n<p style=\"text-align: justify;\">The following command allows you to identify a copy 
of a large number of emails into a folder from an IMAP thick client:<\/p>\n<figure id=\"attachment_28750\" aria-describedby=\"caption-attachment-28750\" style=\"width: 1129px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-28750\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/11-Retrieval-of-mass-email-copy-events-mailbox.log-2-2.png\" alt=\"Retrieval of mass email copy events (mailbox.log) (2\/2)\" width=\"1129\" height=\"708\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/11-Retrieval-of-mass-email-copy-events-mailbox.log-2-2.png 1129w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/11-Retrieval-of-mass-email-copy-events-mailbox.log-2-2-305x191.png 305w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/11-Retrieval-of-mass-email-copy-events-mailbox.log-2-2-62x39.png 62w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/11-Retrieval-of-mass-email-copy-events-mailbox.log-2-2-768x482.png 768w\" sizes=\"auto, (max-width: 1129px) 100vw, 1129px\" \/><figcaption id=\"caption-attachment-28750\" class=\"wp-caption-text\"><em>Retrieval of mass email copy events (mailbox.log) (2\/2)<\/em><\/figcaption><\/figure>\n<p>\u00a0<\/p>\n<p style=\"text-align: justify;\">Although there are legitimate cases (e.g., manual backup by the user), this type of activity should <strong>draw attention<\/strong>, especially when correlated with:<\/p>\n<ul style=\"text-align: justify;\">\n<li>Logins from unusual IP addresses<\/li>\n<li>Suspicious authentications<\/li>\n<li>Mass email sending<\/li>\n<\/ul>\n<p style=\"text-align: justify;\">However, as you can see, it is very difficult to <strong>confirm a data exfiltration<\/strong>. 
Therefore, it should be assumed that if a <strong>mailbox is compromised<\/strong>, the attacker potentially had the ability to <strong>download all emails<\/strong> <strong>of the affected user<\/strong>.<\/p>\n<p>\u00a0<\/p>\n<h3>Detections by antivirus and antispam solutions<\/h3>\n<p style=\"text-align: justify;\">We haven\u2019t really covered this until now, but it\u2019s important to know that Zimbra natively integrates <strong>Amavis<\/strong>, a &#8220;<em>central<\/em>&#8221; component that <strong>orchestrates various security engines<\/strong>. These engines help identify suspicious files, phishing campaigns, and mass spam sending. It is therefore valuable to leverage these detection mechanisms when analyzing an attacker\u2019s activities.<\/p>\n<p style=\"text-align: justify;\">During your investigations, examining the messages generated by Amavis can help highlight:<\/p>\n<ul>\n<li style=\"text-align: justify;\"><strong>Messages blocked<\/strong> before reaching the user\u2019s mailbox (e.g., spoofing attempts)<\/li>\n<li style=\"text-align: justify;\"><strong>Malicious attachments<\/strong> detected and placed in quarantine<\/li>\n<li style=\"text-align: justify;\"><strong>Violations of certain security policies<\/strong> defined on the platform<\/li>\n<\/ul>\n<p>\u00a0<\/p>\n<h4>Amavis<\/h4>\n<p style=\"text-align: justify;\">It is possible to retrieve certain events generated by <strong>Amavis<\/strong> with the following commands:<\/p>\n<figure id=\"attachment_28754\" aria-describedby=\"caption-attachment-28754\" style=\"width: 1124px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-28754\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/12-Retrieval-of-amavis-events-mail.log_.png\" alt=\"Retrieval of amavis events (mail.log)\" width=\"1124\" height=\"185\" 
srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/12-Retrieval-of-amavis-events-mail.log_.png 1124w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/12-Retrieval-of-amavis-events-mail.log_-437x72.png 437w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/12-Retrieval-of-amavis-events-mail.log_-71x12.png 71w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/12-Retrieval-of-amavis-events-mail.log_-768x126.png 768w\" sizes=\"auto, (max-width: 1124px) 100vw, 1124px\" \/><figcaption id=\"caption-attachment-28754\" class=\"wp-caption-text\"><em>Retrieval of amavis events (mail.log)<\/em><\/figcaption><\/figure>\n<figure id=\"attachment_28757\" aria-describedby=\"caption-attachment-28757\" style=\"width: 1127px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-28757\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/13-Retrieval-of-amavis-events-mailbox.log_.png\" alt=\"Retrieval of amavis events (mailbox.log)\" width=\"1127\" height=\"272\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/13-Retrieval-of-amavis-events-mailbox.log_.png 1127w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/13-Retrieval-of-amavis-events-mailbox.log_-437x105.png 437w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/13-Retrieval-of-amavis-events-mailbox.log_-71x17.png 71w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/13-Retrieval-of-amavis-events-mailbox.log_-768x185.png 768w\" sizes=\"auto, (max-width: 1127px) 100vw, 1127px\" \/><figcaption id=\"caption-attachment-28757\" class=\"wp-caption-text\"><em>Retrieval of amavis events (mailbox.log)<\/em><\/figcaption><\/figure>\n<p>\u00a0<\/p>\n<p style=\"text-align: justify;\">Since Amavis generates a <strong>large number of events<\/strong>, it may be wise to 
focus your investigation on detections related to <strong>spam<\/strong> and <strong>phishing<\/strong>. Note that the identification of phishing messages has already been discussed in a previous section of this article (&#8220;<em>Account Compromise via Phishing Attack<\/em>&#8221;).<\/p>\n<p>\u00a0<\/p>\n<h4>Incoming spam<\/h4>\n<p style=\"text-align: justify;\">It may be useful to identify messages that have triggered incoming <strong>spam detections<\/strong>. When a message is classified as spam, Zimbra generates logs indicating the <strong>verdict and the reason for this categorization<\/strong> (for Amavis, the spam score reported in the \u201cHits\u201d field).<\/p>\n<p style=\"text-align: justify;\">These events can contain <strong>several useful pieces of information<\/strong>:<\/p>\n<ul style=\"text-align: justify;\">\n<li>The affected account<\/li>\n<li>The unique identifier of the message in the mailbox<\/li>\n<li>The originating IP address of the email<\/li>\n<li>Additionally, in the case of a SpamReport:\n<ul>\n<li>The result of the analysis (isSpam field)<\/li>\n<li>The action taken (e.g., moving the message from the Inbox to Junk)<\/li>\n<li>Sometimes the recipient of the report used for training or reporting purposes (e.g., a dedicated address such as spam@wavestone.corp)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p style=\"text-align: justify;\">The following command can help you <strong>identify events related to the processing of incoming spam:<\/strong><\/p>\n<figure id=\"attachment_28759\" aria-describedby=\"caption-attachment-28759\" style=\"width: 1124px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-28759\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/14-Retrieval-of-events-related-to-incoming-spam-zimbra.log_.png\" alt=\"Retrieval of events related to incoming spam (zimbra.log)\" width=\"1124\" height=\"456\" 
srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/14-Retrieval-of-events-related-to-incoming-spam-zimbra.log_.png 1124w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/14-Retrieval-of-events-related-to-incoming-spam-zimbra.log_-437x177.png 437w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/14-Retrieval-of-events-related-to-incoming-spam-zimbra.log_-71x29.png 71w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/14-Retrieval-of-events-related-to-incoming-spam-zimbra.log_-768x312.png 768w\" sizes=\"auto, (max-width: 1124px) 100vw, 1124px\" \/><figcaption id=\"caption-attachment-28759\" class=\"wp-caption-text\"><em>Retrieval of events related to incoming spam (zimbra.log)<\/em><\/figcaption><\/figure>\n<figure id=\"attachment_28761\" aria-describedby=\"caption-attachment-28761\" style=\"width: 1127px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-28761\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/15-Retrieval-of-events-related-to-incoming-spam-mailbox.log_.png\" alt=\"Retrieval of events related to incoming spam (mailbox.log)\" width=\"1127\" height=\"154\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/15-Retrieval-of-events-related-to-incoming-spam-mailbox.log_.png 1127w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/15-Retrieval-of-events-related-to-incoming-spam-mailbox.log_-437x60.png 437w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/15-Retrieval-of-events-related-to-incoming-spam-mailbox.log_-71x10.png 71w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/15-Retrieval-of-events-related-to-incoming-spam-mailbox.log_-768x105.png 768w\" sizes=\"auto, (max-width: 1127px) 100vw, 1127px\" \/><figcaption id=\"caption-attachment-28761\" 
class=\"wp-caption-text\"><em>Retrieval of events related to incoming spam (mailbox.log)<\/em><\/figcaption><\/figure>\n<p>\u00a0<\/p>\n<p style=\"text-align: justify;\">Since spam detections generate a <strong>large number of false positives<\/strong>, it may be useful to <strong>narrow the scope of your investigation<\/strong> as much as possible (for example, by focusing on a specific time period or a specific set of users).<\/p>\n<p>\u00a0<\/p>\n<h4>Outgoing spam<\/h4>\n<p style=\"text-align: justify;\">The threat does not always come from outside. Malicious emails <strong>sent from compromised internal accounts<\/strong> to external recipients can leave very interesting traces in Zimbra\u2019s logs. If the <strong>recipient mail server\u2019s antispam solution rejects the message<\/strong>, the rejection (typically a 5xx SMTP reply such as 550 5.7.1) is recorded by Zimbra\u2019s Postfix MTA, which then generates a non-delivery report for the local sender; if the remote server accepted the message and bounced it afterwards, the report arrives as an inbound message instead.<\/p>\n<p style=\"text-align: justify;\">Analyzing these <strong>non-delivery reports (NDRs)<\/strong> can therefore raise a red flag:<br \/>a burst of rejections for a single internal sender suggests that the account has been used in an <strong>attempt to send malicious emails<\/strong>, and therefore that it may be compromised.<\/p>\n<p style=\"text-align: justify;\">It is possible to extract these rejected messages using the following command:<\/p>\n<figure id=\"attachment_28763\" aria-describedby=\"caption-attachment-28763\" style=\"width: 1130px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-28763\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/16-Retrieval-of-events-related-to-outgoing-spam.png\" alt=\"Retrieval of events related to outgoing spam\" width=\"1130\" height=\"188\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/16-Retrieval-of-events-related-to-outgoing-spam.png 1130w, 
https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/16-Retrieval-of-events-related-to-outgoing-spam-437x73.png 437w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/16-Retrieval-of-events-related-to-outgoing-spam-71x12.png 71w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/01\/16-Retrieval-of-events-related-to-outgoing-spam-768x128.png 768w\" sizes=\"auto, (max-width: 1130px) 100vw, 1130px\" \/><figcaption id=\"caption-attachment-28763\" class=\"wp-caption-text\"><em>Retrieval of events related to outgoing spam<\/em><\/figcaption><\/figure>\n<p>\u00a0<\/p>\n<p style=\"text-align: justify;\">Outgoing spam is generally rare. Analyzing it becomes truly useful when the attacker uses the compromised mailbox to <strong>pivot<\/strong> to <strong>external email accounts<\/strong>, for example by phishing the victim\u2019s contacts.<\/p>\n<p>\u00a0<\/p>\n<h2>Remediation measures<\/h2>\n<p style=\"text-align: justify;\"><strong>You have conducted your investigation at full speed<\/strong>: compromised users identified, malicious IP addresses cataloged, suspicious activities analyzed\u2026 in short, you have traced the attack with surgical precision. 
It is now time to move to the next step: <strong>remediation<\/strong>.<\/p>\n<p style=\"text-align: justify;\">The primary goal of remediation is to <strong>remove the attacker\u2019s access<\/strong> to the infrastructure, <strong>implement detection mechanisms<\/strong> capable of catching further compromise attempts early, and <strong>strengthen user awareness<\/strong> to limit the impact of <strong>ongoing and future phishing campaigns<\/strong>.<\/p>\n<p style=\"text-align: justify;\">Using the <strong>indicators collected<\/strong> during the investigation (compromised or suspected accounts, email addresses, malicious IPs and domains, etc.), it is recommended to implement a series of <strong>corrective<\/strong> and <strong>preventive actions<\/strong> (non-exhaustive):<\/p>\n<ul style=\"text-align: justify;\">\n<li><strong>Reset passwords and revoke sessions for suspected accounts<\/strong>: For any user who has been compromised or is suspected of being compromised, a password reset is required. A new password does not by itself terminate sessions the attacker already holds, so also revoke the account\u2019s outstanding auth tokens (in Zimbra, by changing the account\u2019s <em>zimbraAuthTokenValidityValue<\/em> attribute) and check the mailbox for persistence left behind by the attacker, such as a forwarding address (<em>zimbraPrefMailForwardingAddress<\/em>) or filter rules that copy or redirect mail externally.<\/li>\n<li><strong>Block malicious domains, IP addresses, and email addresses<\/strong>: Infrastructure elements used by the attacker (domains, IPs, senders) should be blocked using the available network and mail controls (proxy, firewall, mail filters) as soon as they are detected, to limit the risk of further propagation.<\/li>\n<li><strong>Perform antivirus\/EDR scans on compromised user workstations<\/strong>: Workstations of compromised users should undergo antivirus or EDR analysis to:\n<ul>\n<li>Detect and remove any malicious files<\/li>\n<li>Ensure that phishing-related files are no longer present on the workstation<\/li>\n<\/ul>\n<\/li>\n<li><strong>Strengthen user awareness<\/strong>: Communication about ongoing phishing campaigns should be sent to users to prevent further compromise. Regular phishing awareness campaigns are strongly recommended, particularly for users who have already been compromised.<\/li>\n<li><strong>Implement multi-factor authentication (MFA) for Zimbra mail access<\/strong>: Deploying a second authentication factor is highly recommended to secure mailbox access, so that a stolen password alone no longer grants access to the mailbox; make sure legacy protocols (IMAP, POP, SMTP AUTH) cannot be used to bypass it with the password alone. While MFA can be perceived as inconvenient, Single Sign-On (SSO) with unified MFA can reduce friction while strengthening overall authentication security.<\/li>\n<li><strong>Deploy a specialized phishing detection and filtering solution<\/strong>: It is recommended to deploy a solution specialized in detecting malicious activity in email environments. The solution should be able to identify:\n<ul>\n<li>Logins from unusual IP addresses<\/li>\n<li>Brute-force attempts on user accounts<\/li>\n<li>Mass email sending to numerous recipients<\/li>\n<li>Use of suspicious attachments or links to untrusted domains<\/li>\n<li>Active phishing campaigns (e.g., identified by a CTI service)<\/li>\n<\/ul>\n<\/li>\n<li><strong>Ensure Zimbra log retention<\/strong>: It is important to secure the collection and retention of logs. Centralize the logs of the entire Zimbra infrastructure (mailbox.log, zimbra.log, audit.log) on a server external to that infrastructure, with a retention period longer than the default log rotation on the Zimbra hosts. This ensures that even in the event of compromise, modification, or encryption of the Zimbra servers, the logs remain intact and accessible, allowing reliable forensic investigations.<\/li>\n<\/ul>\n<p style=\"text-align: justify;\">Although non-exhaustive, these remediation measures will help <strong>restore confidence<\/strong> in your Zimbra infrastructure and user accounts. 
<strong>Continuous monitoring<\/strong> and <strong>improvement of the security posture<\/strong> will, however, be necessary to adapt to <strong>future threats<\/strong>.<\/p>\n<p>\u00a0<\/p>\n<p style=\"text-align: justify;\">At the end of this little investigation, one thing is certain: while the attacker can choose the easiest path, the forensic analyst doesn\u2019t have that luxury. Between <strong>scattered<\/strong> (or sometimes <strong>missing<\/strong>) <strong>logs<\/strong>, <strong>conflicting user statements<\/strong>, and <strong>limited visibility<\/strong> into certain Zimbra events, conducting an investigation can sometimes feel <strong>like solving a Rubik\u2019s Cube<\/strong>\u2026 <strong>in the dark<\/strong>\u2026 <strong>with mittens on<\/strong>.<\/p>\n<p style=\"text-align: justify;\">But with a <strong>solid methodology<\/strong> and a <strong>few good habits<\/strong>, Zimbra can reveal far more information than it might seem at first glance. Its logs are a <strong>real goldmine<\/strong>, provided you <strong>don\u2019t get lost in them<\/strong>.<\/p>\n<p style=\"text-align: justify;\">Ultimately, this article does not aim to turn every reader into a <strong>Jedi master of Zimbra forensics<\/strong>\u2026 but if it can save you two days of trying to <strong>decode Zimbra logs<\/strong> or <strong>hunt down the useful information<\/strong>, then the goal has been achieved!<\/p>\n<p style=\"text-align: justify;\">And as is often said, in cybersecurity as elsewhere, <strong>prevention is better than cure<\/strong>. 
So harden your Zimbra infrastructure, back up your logs, raise user awareness\u2026 and above all, don&#8217;t be short on coffee supplies!<\/p>\n<p>\u00a0<\/p>\n<h1>Sources<\/h1>\n<ul>\n<li><span style=\"color: #000080;\"><a style=\"color: #000080;\" href=\"https:\/\/wiki.zimbra.com\/wiki\/Log_Files\">https:\/\/wiki.zimbra.com\/wiki\/Log_Files<\/a><\/span><\/li>\n<li><span style=\"color: #000080;\"><a style=\"color: #000080;\" href=\"https:\/\/wiki.zimbra.com\/wiki\/Troubleshooting_Course_Content_Rough_Drafts-Zimbra_Architecture_Component_Overview\">https:\/\/wiki.zimbra.com\/wiki\/Troubleshooting_Course_Content_Rough_Drafts-Zimbra_Architecture_Component_Overview<\/a><\/span><\/li>\n<li><span style=\"color: #000080;\"><a style=\"color: #000080;\" href=\"https:\/\/wiki.zimbra.com\/wiki\/Trouble_Shooting_Spam_Score_Changes\">https:\/\/wiki.zimbra.com\/wiki\/Trouble_Shooting_Spam_Score_Changes<\/a><\/span><\/li>\n<\/ul>\n<p>\u00a0<\/p>\n\n\n","protected":false},"excerpt":{"rendered":"<p>It&#8217;s time to begin the second part of our Zimbra investigation. 
If you haven&#8217;t read the first part yet, we strongly recommend starting HERE before continuing.In this second part, we&#8217;ll assume that an attacker has managed to compromise a Zimbra&#8230;<\/p>\n","protected":false},"author":1573,"featured_media":28453,"comment_status":"open","ping_status":"closed","sticky":false,"template":"page-templates\/tmpl-one.php","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[3922,3273],"tags":[4892,3480,3487,4883,4012,3405,4884,4893,2979,4886],"coauthors":[4876,4877],"class_list":["post-28717","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-deep-dive-en","category-ethical-hacking-indicent-response-en","tag-amavis","tag-cert-en","tag-cert-w-en","tag-forensic","tag-incident-response","tag-incident-response-cert-w-en","tag-investigation","tag-spam","tag-spoofing","tag-zimbra"],"acf":[],"yoast_head_json":{"title":"Zimbra Mailbox Compromise: From Analysis to Remediation (Part 2) - RiskInsight","description":"How to perform a forensic analysis following a Zimbra compromission ? 
This article shows steps and tips to perform an investigation on Zimbra","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/01\/zimbra-mailbox-compromise-from-analysis-to-remediation-part-2\/","og_locale":"en_US","og_type":"article","og_title":"Zimbra Mailbox Compromise: From Analysis to Remediation (Part 2) - RiskInsight","og_description":"How to perform a forensic analysis following a Zimbra compromission ? This article shows steps and tips to perform an investigation on Zimbra","og_url":"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/01\/zimbra-mailbox-compromise-from-analysis-to-remediation-part-2\/","og_site_name":"RiskInsight","article_published_time":"2026-01-07T09:47:27+00:00","article_modified_time":"2026-01-07T09:47:31+00:00","og_image":[{"width":1352,"height":896,"url":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2025\/12\/COVER-1.png","type":"image\/png"}],"author":"Evenson Jeunesse, Cl\u00e9ment Gonnaud","twitter_misc":{"Written by":"Evenson Jeunesse, Cl\u00e9ment Gonnaud","Est. 
reading time":"20 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/01\/zimbra-mailbox-compromise-from-analysis-to-remediation-part-2\/#article","isPartOf":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/01\/zimbra-mailbox-compromise-from-analysis-to-remediation-part-2\/"},"author":{"name":"Evenson Jeunesse","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/a5b119ee593e1ff5413508d6fa66648b"},"headline":"Zimbra Mailbox Compromise: From Analysis to Remediation (Part 2)","datePublished":"2026-01-07T09:47:27+00:00","dateModified":"2026-01-07T09:47:31+00:00","mainEntityOfPage":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/01\/zimbra-mailbox-compromise-from-analysis-to-remediation-part-2\/"},"wordCount":3259,"commentCount":0,"publisher":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#organization"},"image":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/01\/zimbra-mailbox-compromise-from-analysis-to-remediation-part-2\/#primaryimage"},"thumbnailUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2025\/12\/COVER-1.png","keywords":["Amavis","CERT","CERT-W","forensic","Incident response","incident response CERT-W","investigation","Spam","spoofing","Zimbra"],"articleSection":["Deep-dive","Ethical Hacking &amp; Incident Response"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.riskinsight-wavestone.com\/en\/2026\/01\/zimbra-mailbox-compromise-from-analysis-to-remediation-part-2\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/01\/zimbra-mailbox-compromise-from-analysis-to-remediation-part-2\/","url":"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/01\/zimbra-mailbox-compromise-from-analysis-to-remediation-part-2\/","name":"Zimbra Mailbox Compromise: From Analysis to Remediation (Part 2) - 
RiskInsight","isPartOf":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/01\/zimbra-mailbox-compromise-from-analysis-to-remediation-part-2\/#primaryimage"},"image":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/01\/zimbra-mailbox-compromise-from-analysis-to-remediation-part-2\/#primaryimage"},"thumbnailUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2025\/12\/COVER-1.png","datePublished":"2026-01-07T09:47:27+00:00","dateModified":"2026-01-07T09:47:31+00:00","description":"How to perform a forensic analysis following a Zimbra compromission ? This article shows steps and tips to perform an investigation on Zimbra","breadcrumb":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/01\/zimbra-mailbox-compromise-from-analysis-to-remediation-part-2\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.riskinsight-wavestone.com\/en\/2026\/01\/zimbra-mailbox-compromise-from-analysis-to-remediation-part-2\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/01\/zimbra-mailbox-compromise-from-analysis-to-remediation-part-2\/#primaryimage","url":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2025\/12\/COVER-1.png","contentUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2025\/12\/COVER-1.png","width":1352,"height":896},{"@type":"BreadcrumbList","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/01\/zimbra-mailbox-compromise-from-analysis-to-remediation-part-2\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.riskinsight-wavestone.com\/en\/"},{"@type":"ListItem","position":2,"name":"Zimbra Mailbox Compromise: From Analysis to Remediation (Part 
2)"}]},{"@type":"WebSite","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#website","url":"https:\/\/www.riskinsight-wavestone.com\/en\/","name":"RiskInsight","description":"The cybersecurity &amp; digital trust blog by Wavestone&#039;s consultants","publisher":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.riskinsight-wavestone.com\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#organization","name":"Wavestone","url":"https:\/\/www.riskinsight-wavestone.com\/en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/","url":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png","contentUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png","width":50,"height":50,"caption":"Wavestone"},"image":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/a5b119ee593e1ff5413508d6fa66648b","name":"Evenson 
Jeunesse","url":"https:\/\/www.riskinsight-wavestone.com\/en\/author\/evenson-jeunesse\/"}]}},"_links":{"self":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/28717","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/users\/1573"}],"replies":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/comments?post=28717"}],"version-history":[{"count":28,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/28717\/revisions"}],"predecessor-version":[{"id":28788,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/28717\/revisions\/28788"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/media\/28453"}],"wp:attachment":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/media?parent=28717"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/categories?post=28717"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/tags?post=28717"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/coauthors?post=28717"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
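The Amavis and outgoing-spam sections of the article above describe two log sources worth triaging together: the Amavis verdict lines (Passed/Blocked, verdict, spam score) and the Postfix delivery-status lines that record an outbound message rejected by a remote mail server. The following Python script is an added example, not code from the article or from Zimbra. It works on a constructed sample written in the standard amavisd-new and Postfix syslog formats (on a default Zimbra install both land in /var/log/zimbra.log; path and sample contents are assumptions), summarises the Amavis verdicts, joins Postfix queue IDs to their senders so that each rejection can be attributed to an internal account, and flags senders whose mail was repeatedly rejected as spam.

```python
"""Triage Amavis verdicts and outbound spam rejections in Zimbra's MTA log.
Added example, not from the original article; the sample lines are constructed."""
import re
from collections import Counter

# Constructed sample in standard amavisd-new / Postfix syslog format (NOT real
# traffic): three inbound Amavis verdicts, then three outbound deliveries from
# alice@, two of which the remote MX rejected as spam.
SAMPLE_LOG = """\
Jan  6 08:12:01 mail amavis[4123]: (04123-01) Passed CLEAN {RelayedInbound}, [198.51.100.20]:51234 [198.51.100.20] <partner@example.net> -> <alice@example.com>, Message-ID: <a1@example.net>, mail_id: x9Q1, Hits: -2.1, size: 4821, queued_as: 7F1A2, 210 ms
Jan  6 08:14:33 mail amavis[4123]: (04123-02) Blocked SPAM {DiscardedInbound}, [203.0.113.9]:40211 [203.0.113.9] <promo@example.org> -> <bob@example.com>, Message-ID: <b2@example.org>, mail_id: k2Lm, Hits: 12.4, size: 9110, queued_as: -, 180 ms
Jan  6 08:20:45 mail amavis[4124]: (04124-01) Blocked INFECTED (Eicar-Test-Signature) {DiscardedInbound}, [203.0.113.9]:40300 [203.0.113.9] <promo@example.org> -> <alice@example.com>, Message-ID: <c3@example.org>, mail_id: p0Zz, Hits: -, size: 2048, queued_as: -, 95 ms
Jan  6 09:01:59 mail postfix/qmgr[3001]: 9C2D4: from=<alice@example.com>, size=1201, nrcpt=1 (queue active)
Jan  6 09:02:10 mail postfix/smtp[5311]: 9C2D4: to=<ceo@example.net>, relay=mx.example.net[198.51.100.30]:25, delay=1.4, delays=0.1/0/0.8/0.5, dsn=5.7.1, status=bounced (host mx.example.net[198.51.100.30] said: 550 5.7.1 Message rejected as spam (in reply to end of DATA command))
Jan  6 09:02:00 mail postfix/qmgr[3001]: 9C2D5: from=<alice@example.com>, size=1201, nrcpt=1 (queue active)
Jan  6 09:02:11 mail postfix/smtp[5311]: 9C2D5: to=<hr@example.org>, relay=mx.example.org[198.51.100.40]:25, delay=1.2, delays=0.1/0/0.6/0.5, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jan  6 09:03:30 mail postfix/qmgr[3001]: 9C2D9: from=<alice@example.com>, size=1188, nrcpt=1 (queue active)
Jan  6 09:03:40 mail postfix/smtp[5312]: 9C2D9: to=<cfo@example.net>, relay=mx.example.net[198.51.100.30]:25, delay=1.1, delays=0.1/0/0.5/0.5, dsn=5.7.1, status=bounced (host mx.example.net[198.51.100.30] said: 554 5.7.1 Spam detected by content scanner (in reply to end of DATA command))
"""

# amavisd-new verdict line: "(id) Passed|Blocked VERDICT [(detail)] {Flow}, [ip]:port [ip] <from> -> <to>, ... Hits: n"
AMAVIS_RE = re.compile(
    r"amavis\[\d+\]: \(\S+\) (?P<action>Passed|Blocked) (?P<verdict>[A-Z-]+)"
    r"(?: \((?P<detail>[^)]*)\))? \{(?P<flow>\w+)\}, \[(?P<ip>[^\]]+)\]:\d+ "
    r"\[[^\]]+\] <(?P<from>[^>]*)> -> <(?P<to>[^>]*)>.*?Hits: (?P<hits>[-\d.]+)"
)
# Postfix: qmgr tells us who sent queue id X, smtp tells us what happened to it.
QMGR_FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<from>[^>]*)>")
SMTP_STATUS_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<to>[^>]*)>, relay=(?P<relay>\S+), "
    r".*?dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+) \((?P<reason>.*)\)$"
)
# DSN class 5.7.x is "security or policy", which covers most antispam rejections;
# the keyword list catches servers that use a different DSN but say why.
POLICY_REJECT_RE = re.compile(r"spam|reject|block|policy|blacklist|listed", re.I)


def parse_amavis(lines):
    """Return one dict per Amavis verdict line (inbound and outbound alike)."""
    events = []
    for line in lines:
        m = AMAVIS_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        # Amavis logs "Hits: -" when no spam scan ran (e.g. a virus hit first).
        ev["hits"] = float(ev["hits"]) if ev["hits"] not in ("-", "") else None
        events.append(ev)
    return events


def amavis_summary(lines):
    """Count verdicts by (action, verdict), e.g. ('Blocked', 'SPAM')."""
    return Counter((ev["action"], ev["verdict"]) for ev in parse_amavis(lines))


def outbound_rejections(lines):
    """Join qmgr (queue id -> sender) with smtp delivery status and keep the
    deliveries a remote server bounced for a policy/antispam reason."""
    sender_by_qid = {}
    for line in lines:
        m = QMGR_FROM_RE.search(line)
        if m:
            sender_by_qid[m["qid"]] = m["from"]
    rejections = []
    for line in lines:
        m = SMTP_STATUS_RE.search(line)
        if not m or m["status"] != "bounced":
            continue
        if not (m["dsn"].startswith("5.7") or POLICY_REJECT_RE.search(m["reason"])):
            continue
        rejections.append({
            "qid": m["qid"],
            "sender": sender_by_qid.get(m["qid"], "<unknown>"),
            "recipient": m["to"],
            "relay": m["relay"],
            "dsn": m["dsn"],
            "reason": m["reason"],
        })
    return rejections


def suspect_senders(lines, threshold=2):
    """Internal senders with at least `threshold` antispam rejections: candidates
    for a compromised mailbox being used to send phishing outward."""
    counts = Counter(r["sender"] for r in outbound_rejections(lines))
    return {sender: n for sender, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    log_lines = SAMPLE_LOG.splitlines()
    for (action, verdict), n in sorted(amavis_summary(log_lines).items()):
        print(f"amavis {action:7} {verdict:9} {n}")
    for r in outbound_rejections(log_lines):
        print(f"rejected {r['qid']} {r['sender']} -> {r['recipient']} dsn={r['dsn']}")
    print("suspect senders:", suspect_senders(log_lines))
```

On a real system, feed it `open("/var/log/zimbra.log")` (and the rotated copies) instead of the sample, and lower or raise the threshold depending on how much legitimate mail your users send to strict recipients: a single rejection is a false-positive magnet, while several 5.7.x rejections from one account within minutes is exactly the outgoing-spam pattern described above.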