Note The current design does not provide a more refined functionality through the EAC.
Method 1: Use EWSEditorA free-ware EWSEditor application is available to work around this issue. There is an eDiscovery window which can be used to search for items.
Note You have to set up the account being used to have the Audit RBAC role to do these searches.
Method 2: Use a different APIUse a different API that does not rely on KQL. You have to build a custom solution by using other programs, such as Exchange Web Services (EWS). The solution can retrieve some parts of the data (a bigger dataset). The solution can further process the received result by using external logic to arrive at the desired set of messages that match the NOT recipients:"internalDomain" criteria as you would interpret it.
Also, for identification of such messages going forward, a better solution would be to use a transport rule that could send copies of such items (internal and external recipients) to an auditing mailbox.
The following is a sample code to work around this issue by using EWS Managed API.
Note In this code sample, replace InternalDomain1.com, InternalDomain2.com, InternalDomain3.com with your internal domain name. This placeholder appears in three locations in the code.
Method 3: Preventive monitoringFor identification of items that have internal and external recipients, create a transport rule that can send copies of such items to an auditing mailbox.
Article ID: 2977178 - Last Review: Mar 5, 2016 - Revision: 1