Search all mailboxes for phishing email and count.

Scenario 1: You are asked to search mailboxes and estimate the number of mailboxes that got a phishing email with subject SERVICE DESK, sent on July 3 through July 4, 2014, where sender is test@test.com. Use the following one liner:

$Recipients = (Get-TransportService | Get-MessageTrackingLog -MessageSubject "SERVICE DESK" -Start "07/03/2014 09:00:00" -End "07/04/2014 23:00:00" -Sender "test@test.com").Recipients

When the cmdlet completes, you can perform the following:

1. Select unique Recipients by running:
$Recipients = $Recipients | Select -unique

2. Display unique Recipients by running:
$Recipients

3. Count the unique Recipients (this will include internal and external email addresses) by running:
$Recipients.Count

4. Get a better count for the internal recipients. Two methods are provided; either one will get you the count:

a. Output $Recipients to a file and filter it in Excel to see what you want:
$Recipients | Out-File C:\recipients.txt

b. Use PowerShell to count the recipients in each internal domain by running the one-liner below. Replace domain.com with an internal email domain, repeat for each of the other internal domains, and add the counts. The pattern includes the @ so that each address is counted under one domain only.

$count = 0; $Recipients | ForEach {If($_ -like "*@domain.com"){$count = $count + 1}};$count

Example:

$count = 0; $Recipients | ForEach {If($_ -like "*@domain.com"){$count = $count + 1}};$count
$count = 0; $Recipients | ForEach {If($_ -like "*@domain2.com"){$count = $count + 1}};$count
$count = 0; $Recipients | ForEach {If($_ -like "*@exchange.domain.com"){$count = $count + 1}};$count
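
The per-domain count from step 4b done in one pass, as an added example that is not part of the original post. It matches the domain after the @ exactly, so a look-alike such as notdomain.com is not counted and subdomain addresses are not counted twice, as a loose wildcard such as `*domain.com` would; it also removes duplicates that differ only in letter case. The sample addresses, the domain list and the function name Get-InternalRecipientCount are constructed for illustration.

```powershell
# Constructed sample data. In practice $Recipients is the list returned by
# the Get-MessageTrackingLog one-liner in Scenario 1.
$Recipients = @(
    'alice@domain.com', 'Alice@domain.com', 'bob@exchange.domain.com',
    'carol@domain2.com', 'dave@notdomain.com', 'erin@example.org'
)

# Assumption: replace with the email domains your organization owns.
$InternalDomains = 'domain.com', 'domain2.com', 'exchange.domain.com'

function Get-InternalRecipientCount {
    param(
        [string[]]$Recipients,
        [string[]]$InternalDomains
    )
    $Recipients |
        # Normalize case and whitespace so duplicates collapse reliably
        ForEach-Object { $_.Trim().ToLowerInvariant() } |
        Sort-Object -Unique |
        # Skip anything that is not an SMTP-style address
        Where-Object { $_ -match '@' } |
        # Keep only the domain part (text after the last @)
        ForEach-Object { ($_ -split '@')[-1] } |
        # Exact match against the internal list, no wildcards
        Where-Object { $InternalDomains -contains $_ } |
        Group-Object -NoElement |
        Select-Object @{n='Domain';e={$_.Name}}, Count
}

$perDomain = Get-InternalRecipientCount -Recipients $Recipients -InternalDomains $InternalDomains
$perDomain | Format-Table -AutoSize
"Total internal recipients: " + ($perDomain | Measure-Object -Property Count -Sum).Sum
```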



Scenario 2: You need to search and destroy phishing email from the mailboxes that received the email. Note that the Search-Mailbox cmdlet has a limit of removing 10,000 items per mailbox. If you are removing more items than that limit, a loop will be required. See sample script below:

# The single quotes keep the inner double quotes, so the subject is searched as one phrase
$Recipients | ForEach {Write-Host $_; Search-Mailbox $_ -SearchQuery 'Subject:"SERVICE DESK"' -DeleteContent -Force}