Checking to see who all received a phishing email via Powershell

  • Question

  • We received a phishing email and I am trying to find out who all it was sent to within the O365 tenant.

    I have checked Quarantine and found where 3 were caught but apparently some slipped through and were delivered to the user mailboxes.

    If I use "Get-MessageTrace -MessageId '<202007100643.0000000000@phishdomain.com>'" I can find the one user it was delivered to, who reported it to Security, who then sent it to me.

    Message ID        : <202007100643.0000000000@phishdomain.com>
    Received          : 7/10/2020 6:43:59 AM
    Sender Address    : User@contoso.com
    Recipient Address : User@contoso.com
    From IP           : 198.x.x.x
    Subject           : New voicemail received
    Status            : FilteredAsSpam
    Size              : 35643

    Checking the Email Headers it shows the data that I would normally search against with the exception of Return-Path.
    From: "voicemail@contoso.com" <User@contoso.com>
    To: User@contoso.com
    Return-Path: root@phishdomain.com

    If I try "Get-MessageTrace | where {$_.MessageID -like "*@phishdomain*"}" nothing is returned.

    I have tried using -Page and -PageSize and still nothing.

    What am I doing wrong?

    Thanks in advance!

    Sunday, July 12, 2020 3:56 AM

Answers

  • I was finally able to figure it out. Used Get-MessageTrace -StartDate "07/10/2020 6:01 AM" -EndDate "07/10/2020 7:00 AM" | ?{$_.messageid -like "*@phishdomain*"} | Select MessageID,Received,*Address,*IP,Subject,Status,Size | Out-GridView

    I had to keep playing around with the date range to narrow it down.

    • Marked as answer by Andy David (MVP) Sunday, July 12, 2020 8:15 PM
    Sunday, July 12, 2020 6:22 PM
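The accepted answer works, but it depends on guessing the right date window and only looks at the first page of trace results. The script below is an added example, not the poster's command: it walks every page of Get-MessageTrace for a window, filters on the Message-ID domain (the Sender Address in the trace is the spoofed internal user, so it is no use as a filter), and lists each recipient with the delivery outcome. It assumes an Exchange Online PowerShell session is already open (Connect-ExchangeOnline); the function name Find-PhishRecipients and the pattern parameter are my own, and the dates and domain are the ones from the thread.

```powershell
# Added example, not the poster's script. Assumes Connect-ExchangeOnline has
# already been run. Function name and parameter names are my own choices.
function Find-PhishRecipients {
    param(
        [Parameter(Mandatory)][datetime]$StartDate,
        [Parameter(Mandatory)][datetime]$EndDate,
        # Wildcard matched against the Message-ID header, e.g. '*@phishdomain.com>'
        [Parameter(Mandatory)][string]$MessageIdPattern
    )

    # Get-MessageTrace pages its output (at most 5000 rows per page). A call
    # without -Page returns only the first page, which is one reason a bare
    # "Get-MessageTrace | where ..." can come back empty for a busy tenant.
    $page = 1
    $all  = @()
    do {
        $batch = Get-MessageTrace -StartDate $StartDate -EndDate $EndDate -PageSize 5000 -Page $page
        if ($batch) { $all += $batch }
        $page++
    } while ($batch.Count -eq 5000)

    # Filter on the Message-ID rather than the sender: the trace shows the
    # spoofed internal address as Sender Address, so that field is useless here.
    $hits = $all | Where-Object { $_.MessageId -like $MessageIdPattern }

    # One row per recipient with the delivery outcome, so delivered copies
    # (the ones still sitting in mailboxes) stand out from FilteredAsSpam
    # and Quarantined.
    $hits | Select-Object RecipientAddress, Status, Received, Subject, MessageId |
        Sort-Object Status, RecipientAddress
}

# Usage: window and Message-ID domain from the thread. Widen the window if the
# campaign ran longer; message trace only covers the last 10 days.
$results = Find-PhishRecipients -StartDate '07/10/2020 6:01 AM' `
                                -EndDate   '07/10/2020 7:00 AM' `
                                -MessageIdPattern '*@phishdomain.com>'
$results | Format-Table -AutoSize

# Recipients whose copy was actually delivered and needs follow-up.
$results | Where-Object Status -eq 'Delivered' |
    Select-Object -ExpandProperty RecipientAddress -Unique
```

Get-MessageTrace only returns the last 10 days of data; for anything older, Start-HistoricalSearch is the cmdlet to use. The Status column is the useful output for incident response: Delivered rows are the mailboxes that still hold the lure, while FilteredAsSpam and Quarantined rows were already stopped.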

All replies

  • Do you see it in Threat Explorer?

    https://protection.office.com/threatexplorer

    Be sure to change the view to the correct filter and search based on that.


    Sunday, July 12, 2020 12:10 PM
  • Yeah, I tried that, but I only see 2 results in Threat Explorer for 1 user.

    I should have clarified that User@contoso.com is our internal user, but they are not the actual sender, so I cannot search against that. The few emails that were quarantined show the recipient as the sender. We also have an internal system that sends emails as voicemail@contoso.com, so that can't be used to search on either; otherwise we get legit results returned.

    If I search on root@phishdomain.com nothing is returned.

    Sunday, July 12, 2020 4:02 PM
  • The content search tool in Office 365 Security & Compliance also could help you to search email from all mailboxes.


    Regards,

    Kyle Xu

    Thursday, July 30, 2020 8:46 AM
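The content search Kyle Xu mentions can also be driven from PowerShell, which is handy once the lure subject and delivery window are known from the message trace. The script below is an added example, not the thread's own code: it creates a compliance search across all mailboxes for the subject reported in the question, waits for it to finish, and lists the mailboxes that hold a copy. It assumes a Security & Compliance PowerShell session (Connect-IPPSSession); the search name and the KQL query are my own, built from the subject and date in the thread, and the way SuccessResults is split is an assumption about its text layout.

```powershell
# Added example, not from the thread. Assumes Connect-IPPSSession has already
# been run. Search name and query are constructed from the thread's details.
$searchName = 'Phish-voicemail-2020-07-10'   # constructed name

# KQL: the lure subject from the question, restricted to the delivery day.
$query = 'subject:"New voicemail received" AND received>=2020-07-10 AND received<=2020-07-11'

New-ComplianceSearch -Name $searchName -ExchangeLocation All -ContentMatchQuery $query | Out-Null
Start-ComplianceSearch -Identity $searchName

# Poll until the search completes; large tenants can take several minutes.
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -ne 'Completed')

"$($search.Items) matching item(s) across $($search.ExchangeLocation) mailboxes"

# SuccessResults is a text summary with one entry per location, e.g.
# "Location: user@contoso.com, Item count: 2, Total size: 71286".
# Splitting on newline/semicolon is an assumption about that layout;
# keep only the mailboxes with a non-zero count.
$search.SuccessResults -split '[\r\n;]+' | Where-Object { $_ -match 'Item count: [1-9]' }
```

The query should be as specific as the evidence allows; a subject alone will also match the legitimate voicemail notifications the poster mentions, so adding the Message-ID domain or sender to the KQL, once confirmed from headers, cuts false positives. The same search object can later be handed to New-ComplianceSearchAction with -Purge to remove the delivered copies, which is the usual next step after the recipient list is confirmed.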