How can I use Search-Mailbox to find messages sent from user's primarysmtpaddress?

Question
-
Over the weekend one of our executives received a scary phishing email with his own email address as the sender. Since it landed in the junk email folder, presumably the phisher just used direct send to deliver it. He asked me to "check everyone's junk email folders to see if they are also receiving phishing emails sent from their own email addresses".
This seems like it should be a pretty straightforward process to feed the PrimarySmtpAddress into -searchquery as 'from: $_.primarysmtpaddress' but I'm not good enough at PowerShell to make this work. Can anyone provide some guidance?
Monday, October 8, 2018 6:41 PM
All replies
-
Please carefully review the following links to set your expectation for posting in technical forums.
This Forum is for Scripting Questions Rather than script requests
- Script Gallery.
- Script Center
- Script requests
- Posting guidelines
- Handy tips for posting to this forum
- How to ask questions in a technical forum
- Rubber duck problem solving
- How to write a bad forum post
- Help Vampires: A Spotter's Guide
- This forum is for scripting questions rather than script requests
\_(ツ)_/
Monday, October 8, 2018 7:07 PM -
Hi.
1. The sender smtpaddress is (99%) not the same as the smtpaddress of your executive.. only the displayname, which can be anything, like Donald_Trump@yoourdomain.com for example (message header would be nice to see). If it is, you will have to fix your smtp server security settings.
2. These phishing emails should be caught by your antispam filter.. Antispams aren't 100%, they will never be. Some will break through, before the antispam database is updated.
3. Search-mailbox cmdlet (I think) cannot be targeted to a certain folder. You will need to use the EWS API.
Tuesday, October 9, 2018 6:16 AM -
Thanks, Makec.
These messages are being sent with the actual smtp address, not just as "Rich Ladderclimb" <aserasrewwr@dsdf.tp> as we also see plenty of. They are going into the Junk Email folder which for whatever reason some nontechnical people seem not to recognize as a repository for spam, phishing, and other suspicious messages as clearly as they should.
I saw someone using -folderscope junkemail for a different search but can't say whether or not it is valid as they weren't able to get their script to work either.
Wednesday, October 10, 2018 5:37 PM -
No native cmdlet enables you to browse another user's mailbox (obvious reason).
You could see folderscope junk with usage of get-mailboxfolderstatistics, for example.
You can either give yourself full access to mailboxes and browse them one by one (fastest with OWA), or write a script using Exchange Web Services API.
Google for EWSMail (Mike Pfeiffer)
- Proposed as answer by LeeSeenLi (Microsoft contingent staff) Friday, October 26, 2018 8:59 AM
Wednesday, October 10, 2018 6:25 PM -
Hi,
Was your issue resolved?
If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.
Best Regards,
Lee
Just do it.
Friday, October 26, 2018 9:00 AM -
Hi,
As this thread has been quiet for a while, we will mark it as ‘Answered’ as the information provided should be helpful. If you need further help, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.
Best Regards,
Lee
Just do it.
Monday, November 5, 2018 9:36 AM
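
An added example, not part of the original thread: one way to feed each mailbox's PrimarySmtpAddress into -SearchQuery, as the question asks, using -EstimateResultOnly so that nothing is copied or deleted. It assumes an on-premises Exchange Management Shell session and an account holding the Mailbox Search role; the variable names and the CSV file name are illustrative.

```powershell
# Added example. Assumes an Exchange Management Shell session and the
# Mailbox Search role. -EstimateResultOnly returns counts only.

$results = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    ForEach-Object {
        $mbx     = $_    # keep a reference; inside catch, $_ is the error record
        $address = $mbx.PrimarySmtpAddress.ToString()

        # 'from: $_.primarysmtpaddress' in single quotes is passed to the search
        # as literal text. Build the query in double quotes so the address
        # expands, and wrap it in escaped quotes so it is matched as one phrase.
        $query = "from:`"$address`""

        try {
            $r = Search-Mailbox -Identity $mbx.Identity -SearchQuery $query `
                     -EstimateResultOnly -ErrorAction Stop
            [pscustomobject]@{
                Mailbox   = $address
                Query     = $query
                ItemCount = $r.ResultItemsCount
                Size      = $r.ResultItemsSize
                Error     = $null
            }
        }
        catch {
            # Record the failure and continue with the next mailbox.
            [pscustomobject]@{
                Mailbox   = $address
                Query     = $query
                ItemCount = $null
                Size      = $null
                Error     = $_.Exception.Message
            }
        }
    }

# Mailboxes holding at least one message whose From is the owner's own address.
$results |
    Where-Object { $_.ItemCount -gt 0 } |
    Sort-Object ItemCount -Descending |
    Format-Table Mailbox, ItemCount, Size -AutoSize

# Keep the full result set, errors included, for follow-up.
$results | Export-Csv -Path .\self-sender-estimate.csv -NoTypeInformation
```

The estimate covers the whole mailbox, so it also counts messages users legitimately sent to themselves; a non-zero count is a lead for reviewing that mailbox's Junk Email folder, not a confirmed phish.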