Skip to main content

Posts

Featured Post

Using the Tag for external email messages received feature in the Microsoft Graph and Exchange Web Services

The "Tag for external email messages received" feature was introduced into Office365 recently to help people better to identify mail that comes from external sender vs internal sender see this for more info on this feature . What happens when you enable this feature is that for messages with External sender a new Mapi property is set on those messages eg For messages from internal senders the property doesn't appear to get set and if the feature isn't enabled in your tenant then you won't see this property either. You can negate the boolean value of the property which will turn off the external tag. Using it in the Microsoft Graph API If you want to use it in the Microsoft Graph API when you retrieve messages you can include this as a SingleValueExtendedProperties eg for Retrieving and filtering message you can use I've included this in my Get LastEmail 101 graph sample  if you want to try this in a real mailbox eg you can do  Get-LastEmail -InternalSender -M
Recent posts

Auditing Inbox rules (and looking for hidden rules) with EWS in OnPrem Exchange

 After the events of the last weeks around the latest zero day vulnerabilities in Exchange   and once you've finished cleaning up any back doors that may have been left on servers its a good idea to review some other less known but established ways bad actors may hide persistent access within Mailboxes. One of these are Inbox Rules (but Mail Flow rules could also be used) and a more advanced method is the hidden Inbox rule exploit that was first talked about  https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/  and I covered it in  https://gsexdev.blogspot.com/2019/05/audting-inbox-rules-with-ews-and-graph.html  and somebody else  https://mgreen27.github.io/posts/2019/06/09/O365HiddenRules.html  there are a number of tools and techniques around detecting these types of rule but are all focused more toward Office365 as that was where at the time this exploit was being mostly employed. In my post at the time I modified the Microsoft script https://gith

Using Shared Mailboxes in the Microsoft Graph API from PowerShell

I've created a few new Binder entries in GitHub for using Shared Mailboxes in the Graph API using PowerShell The Binder index is  https://gscales.github.io/Graph-Powershell-101-Binder/   The topics covered are Accessing a Shared Mailbox folder and its Items Sending an Email from a Shared Mailbox The script for these entries can be found  https://github.com/gscales/Powershell-Scripts/blob/master/Graph101/SharedMailboxOps.ps1

Getting Teams Chat History Messages (Compliance Records) From a Mailbox using EWS and/or in Outlook Add-in

 Microsoft made a recent change to where the compliance messages get stored in a Mailbox for private Teams Chats from the \Conversation History\Teams Chat Folder to a non_ipm_subtree folder called TeamsMessagesData (see  https://office365itpros.com/2020/10/14/microsoft-changes-location-teams-compliance-records/ for some good commentary on this change). In terms of programmatic access to these messages this change affects the ability of the Graph (and Outlook REST) Endpoints to access them. While you could never access the Folder directly with the Graph API (because of the FolderClass) the messages themselves would appear in the \Messages endpoint (this is because they where captured by the underlying AllItems Search folder that backs this endpoint). Now the messages are in the Non_IPM_Subtree you loose the ability of that Search Folder to access those messages. This first up broke my OWA add-in from  https://gsexdev.blogspot.com/2019/03/microsoft-teams-private-chat-history.html that

Finding Emails in a Mail Folder older then a specific date using the Microsoft Graph and Powershell

  If you are doing any archiving, clean-up or just searching for Messages that are older then a specific date you will need to make use of a filter on the receivedDateTime. The receivedDateTime property This property represents when the Message was received expressed and stored in UTC time, this means when you query it you should also make sure your query value is in UTC. So for instance if I where looking for all the Email in the JunkEmail folder older then 30 days I could use /v1.0/users('gscales@datarumble.com')/MailFolders('JunkEmail')/messages?$Top=10&$filter=receivedDateTime lt 2020-10-21T00:00:00Z If the mailboxes are in a TimeZone other then UTC then first convert the actual date to the local date you want to include to UTC eg in Powershell something like (Get-Date).adddays(-30).Date.ToUniversalTime().ToString("o") This means if my timezone is +11 UTC my actual query time would look like 2020-10-20T13:00:00.0000000Z based on an Actual day value of

Looking at raw Mailbox analytics data using EWS and a ChangeDiscovery script

Mailbox analytics is something Microsoft have been working on for a number of years and its seems to be something that has received a little more effort in these pandemic times. If you have ever looked at the Non_IPM_Subtree of your mailbox you will see a lot of data being stored in their from various apps and substrate processes. A while back i wrote a ChangeDiscovery script to allow me to dump out quick what changes where happening in a Mailbox in a short time frame (eg i wanted to see what happened to all the items in a Mailbox when i performed a specific task). If you run this script with a slightly longer time-frame (eg looking over a day) it picks up all the Items that are being written and created for the Mailbox insights processes and other substrate processes. Most of these emails get written under the  Usually if I then wanted to look at these type of items I would use OutlookSpy or MFCMapi to browse the raw MAPI properties on items to see if they where of interest. Given the

Reporting on the Favorites Shortcut items in Outlook, OWA and Outlook Mobile using PowerShell and EWS

One of the email UI features that I find the most useful in Outlook on the Web and Outlook mobile is the People favorites feature which saves having to do a search for historical email from particular high use contacts. Favorites is a feature that has evolved especially in Outlook on the web and Outlook mobile eg People/Persona favorites and category favorites. The way this is implemented in the Mailbox is interesting eg   People/Persona favorites get their own search folder under the favoritePersonas Folder in the Non_IPM_Subtree in a Mailbox eg As well as a configuration object under the  \ApplicationDataRoot\32d4b5e5-7d33-4e7f-b073-f8cffbbb47a1\outlookfavorites eg The configuration object is of interest as this tells as a lot about what type of favorites are being created and used in a Mailbox. It also can serve in a custom app if you want to reproduce the same type of favorites folder tree (you will need to use EWS for this as the Graph API is unfortunately hamstrung for this type
All sample scripts and source code is provided by for illustrative purposes only. All examples are untested in different environments and therefore, I cannot guarantee or imply reliability, serviceability, or function of these programs.

All code contained herein is provided to you "AS IS" without any warranties of any kind. The implied warranties of non-infringement, merchantability and fitness for a particular purpose are expressly disclaimed.