Office 365 hosted email. Searching for message in logs

    Question

  • They want me to find out who sent a message outside of the organization they believe was BCC'd but the only information I have is the subject. Can we find out who sent it to an outside address?

    Jason

    Thursday, November 09, 2017 8:53 PM

All replies

  • Hi,

    Try search-mailbox -messagesubject "subject title" | select recipients, sender

    Thursday, November 09, 2017 9:58 PM
  • Hi,

    We can also run the command below for message trace:

    Get-MessageTrace -Startdate "11/05/2017 2:30PM" -Enddate "11/09/2017 5:30PM" -MessageSubject "test" | select timestamp, messageid, messagesubject, sender, {$_.recipients}, recipientcount | export-csv c:\messagetrace.csv

    Refer to: https://technet.microsoft.com/en-us/library/jj200704(v=exchg.160).aspx

    Hope it helps.


    Regards,

    Jason Chao


    Please remember to mark the replies as answers if they helped.
    If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Friday, November 10, 2017 3:18 AM
    Moderator
  • I get 

    A parameter cannot be found that matches parameter name 'MessageSubject'.
        + CategoryInfo          : InvalidArgument: (:) [Get-MessageTrace], ParameterBindingException
        + FullyQualifiedErrorId : NamedParameterNotFound,Get-MessageTrace
        + PSComputerName        : outlook.office365.com


    Jason

    Friday, November 10, 2017 1:34 PM
  • I got this to run but it gives me a blank file

    Get-MessageTrace -StartDate "11/05/2017" -EndDate "11/09/2017" | Where {$_.Subject -like "*Sub position*"} | select timestamp, messageid, subject, sender, {$_.recipients}, recipientcount | export-csv c:\temp2\messagetrace.csv

     I'm no PS expert by the way


    Jason

    Friday, November 10, 2017 1:41 PM
  • Don't export it on the first run. Try a few variations and see if you get the output on the shell. Then export the results.

    If you have the time period, you can do the get-messagetrace for all emails and export the result to csv. Then in the csv search for subject or similarity of subject. Sometimes the subject may not be exactly conveyed to you.


    Thanks & Regards Ramandeep Singh

    Saturday, November 11, 2017 8:02 AM
  • But it displays nothing. It doesn't error out; it just goes to the next line. So display or export gives me nothing.

    Jason

    Tuesday, November 14, 2017 2:18 PM
  • Thanks for your response. The following command gets the last 96 hours for all users; please change the time accordingly and search the result for the subject.

    $dateEnd = get-date
    
    $dateStart = $dateEnd.AddHours(-96)
    
    Get-MessageTrace -StartDate $dateStart -EndDate $dateEnd | Select-Object Received, SenderAddress, RecipientAddress, Subject, Status, ToIP, FromIP, Size, MessageID, MessageTraceID | Out-GridView

    Hope it helps.


    Regards,

    Jason Chao



    Friday, November 17, 2017 9:43 AM
    Moderator
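
An added example, not from any poster in this thread: Get-MessageTrace returns one row per recipient, so an outside address appears in RecipientAddress beside the SenderAddress of that message. The sketch below pages through the trace, matches the subject client-side as suggested above, and drops internal recipients. The domain contoso.example, both function names and the sample rows are constructed assumptions.

```powershell
# Added example. Function names, domain and sample rows are constructed.
function Get-AllMessageTrace {
    # Pages through Get-MessageTrace (needs an Exchange Online session).
    # A single call returns at most one page, so loop until a short page.
    param([datetime]$Start, [datetime]$End)
    $page = 1
    do {
        $rows = @(Get-MessageTrace -StartDate $Start -EndDate $End -PageSize 5000 -Page $page)
        $rows
        $page++
    } while ($rows.Count -eq 5000)
}

function Select-ExternalBySubject {
    # Keeps rows whose Subject matches and whose recipient domain is not internal.
    param(
        [Parameter(ValueFromPipeline)] $Row,
        [string]$SubjectLike,
        [string[]]$InternalDomains
    )
    process {
        if ($Row.Subject -notlike $SubjectLike) { return }
        $domain = ($Row.RecipientAddress -split '@')[-1]
        if ($InternalDomains -contains $domain) { return }  # case-insensitive match
        $Row
    }
}

# Constructed rows shaped like Get-MessageTrace output (one row per recipient).
$sample = @(
    [pscustomobject]@{ Received = [datetime]'2017-11-08 14:02'; SenderAddress = 'alice@contoso.example'
        RecipientAddress = 'bob@contoso.example'; Subject = 'Sub position update'
        Status = 'Delivered'; MessageId = '<m1@contoso.example>' }
    [pscustomobject]@{ Received = [datetime]'2017-11-08 14:02'; SenderAddress = 'alice@contoso.example'
        RecipientAddress = 'someone@outside.example'; Subject = 'Sub position update'
        Status = 'Delivered'; MessageId = '<m1@contoso.example>' }
    [pscustomobject]@{ Received = [datetime]'2017-11-08 15:30'; SenderAddress = 'carol@contoso.example'
        RecipientAddress = 'dave@contoso.example'; Subject = 'Lunch'
        Status = 'Delivered'; MessageId = '<m2@contoso.example>' }
)

# Only the second row survives: matching subject, recipient outside the organization.
$sample |
    Select-ExternalBySubject -SubjectLike '*Sub position*' -InternalDomains 'contoso.example' |
    Sort-Object Received |
    Format-Table Received, SenderAddress, RecipientAddress, Subject, Status, MessageId -AutoSize

# Against the tenant instead of the sample rows:
# Get-AllMessageTrace -Start (Get-Date).AddHours(-96) -End (Get-Date) |
#     Select-ExternalBySubject -SubjectLike '*Sub position*' -InternalDomains 'contoso.example'
```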