Search all mailboxes for phishing email and count.
Scenario 1: You are asked to search mailboxes and
estimate the number of mailboxes that got a phishing email with subject SERVICE
DESK, sent on July 3 through July 4, 2014, where sender is test@test.com.
Use the following one liner:
# -ResultSize Unlimited lifts the default cap of 1000 tracking entries
$Recipients = (Get-TransportService |
    Get-MessageTrackingLog -MessageSubject "SERVICE DESK" -Start "07/03/2014 09:00:00" -End "07/04/2014 23:00:00" -Sender "test@test.com" -ResultSize Unlimited).Recipients
When the cmdlet completes, you can perform the following:
1. Select unique Recipients by running:
$Recipients = $Recipients | Select -unique
2. Display unique Recipients by running:
$Recipients
3. Count the unique Recipients by running: (this will include
internal and external email addresses)
$Recipients.Count
4. Get a better count for the internal recipients. Two methods
are provided; either one will get you the count:
a. Output the $Recipients to a file and
massage it in Excel to filter what you want to see:
$Recipients | Out-file C:\recipients.txt
b. Use PowerShell to get a count for each
internal domain you are looking for by running the one-liner below. Make sure
you replace domain.com with an internal email domain. Repeat for each of the other
internal domains. Add the counts. The pattern starts with *@ so that an address
matches only its exact domain and is not counted twice when the counts are added.
$count = 0; $Recipients | ForEach {If($_ -like "*@domain.com"){$count = $count + 1}}; $count
Example:
$count = 0; $Recipients | ForEach {If($_ -like "*@domain.com"){$count = $count + 1}}; $count
$count = 0; $Recipients | ForEach {If($_ -like "*@domain2.com"){$count = $count + 1}}; $count
$count = 0; $Recipients | ForEach {If($_ -like "*@exchange.domain.com"){$count = $count + 1}}; $count
Scenario 2: You need to search and destroy phishing
email from the mailboxes that received the email. Please note that the Search-Mailbox
cmdlet has a limit of removing 10,000 items per mailbox. If you are
removing more items than that limit from a mailbox, a loop will be required. See sample
script below:
# The query is wrapped in single quotes so the inner double quotes reach Search-Mailbox and "SERVICE DESK" is matched as a phrase
$Recipients | ForEach { Write-Host $_; Search-Mailbox $_ -SearchQuery 'Subject:"SERVICE DESK"' -DeleteContent -Force }
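The sample above makes one delete pass per recipient. As an added example (not part of the original post), the script below keeps only internal recipients, estimates the matches first, and repeats the delete until nothing is left, which is the loop the 10,000-item limit calls for. The domain list, the pass limit and the sample recipients are assumptions to edit for your environment.

```powershell
# Added example. Run in the Exchange Management Shell; -DeleteContent needs the
# Mailbox Search and Mailbox Import Export roles.
$InternalDomains = 'domain.com', 'domain2.com', 'exchange.domain.com'  # assumption: your internal domains
$Query     = 'Subject:"SERVICE DESK"'   # single quotes preserve the inner quotes (exact phrase)
$MaxPasses = 20                         # assumption: safety stop so a stale index cannot loop forever

# Constructed sample, used only when $Recipients from Scenario 1 is not in the session.
if (-not $Recipients) { $Recipients = 'user1@domain.com', 'someone@external.example' }

# Keep unique addresses whose domain part is exactly one of the internal domains.
$Internal = $Recipients | Select-Object -Unique |
    Where-Object { $InternalDomains -contains ($_ -split '@')[-1] }

$Report = foreach ($Mailbox in $Internal) {
    # Dry run: count matching items without touching the mailbox.
    $before = (Search-Mailbox -Identity $Mailbox -SearchQuery $Query -EstimateResultOnly).ResultItemsCount
    $remaining = $before
    $pass = 0

    # Each pass removes at most 10,000 items, so repeat until the estimate reaches zero.
    while ($remaining -gt 0 -and $pass -lt $MaxPasses) {
        $pass++
        Search-Mailbox -Identity $Mailbox -SearchQuery $Query -DeleteContent -Force | Out-Null
        $remaining = (Search-Mailbox -Identity $Mailbox -SearchQuery $Query -EstimateResultOnly).ResultItemsCount
    }

    # One row per mailbox for the incident record.
    [pscustomobject]@{
        Mailbox    = $Mailbox
        ItemsFound = $before
        Passes     = $pass
        Remaining  = $remaining
    }
}

$Report | Format-Table -AutoSize
```

A non-zero Remaining value after the last pass means the mailbox needs a manual follow-up.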