o365info-blog - Tumblr blog

o365info-blog · 7 years ago

Text

New Post has been published on o365info.com

New Post has been published on https://o365info.com/restore-deleted-mail-items-to-their-original-folder-using-powershell-introduction-1-3/

Restore deleted mail items to their original folder using PowerShell - introduction | 1#3

The current article series is dedicated to the subject of – Viewing + Restoring deleted mail items from an Exchange Online mailbox, to their original folder, using two new PowerShell cmdlets – Get-RecoverableItems and Restore-RecoverableItems.

Restore deleted mail items to their original folder using PowerShell| The article series

The article series includes the following articles:

Restore deleted mail items to their original folder using PowerShell – introduction | 1#3

Display information about Deleted mail items using the PowerShell cmdlet Get-RecoverableItems |2#3

Restoring Deleted mail items using the PowerShell cmdlet Restore-RecoverableItems |3#3

The magic of using Get-RecoverableItems and Restore-RecoverableItems cmdlets

Exchange mail clients such as Outlook and OWA, include a built-in option that enables the user (mailbox owner) to recover by himself “standard deleted mail items” (mail items stored in the “Deleted mail” folder), and Soft Deleted mail items” (mail items stored in the “Deletion” folder).

So, the obvious question could be – what is the advantage of using the set of the PowerShell cmdlets – Get-RecoverableItems and Restore-RecoverableItems?

The answer is using this set of PowerShell cmdlets, have three major advantages:

1. Manage the event of – viewing and restore deleted mail items | Server side.

The interesting thing is, that up until now, Exchange didn’t provide a dedicated method for the Exchange Administrator to view and restore deleted mail items. I use the term “dedicated” because Exchange online includes an option to search and export the content of a mailbox to a PST file, but this “ability” is not dedicated to deleted mail items.

You can read more information about the procedure in the article – Using Office 365 content search for exporting deleted mail items to a PST file – prefix | 1#3

2. Manage the event of – viewing and restore deleted mail items | Remotely.

The set of the PowerShell cmdlets – Get-RecoverableItems and Restore-RecoverableItems, enable Exchange Administrator to manage the task of restoring deleted mail items remotely without user intervention.

In the past, the available methods of Exchange Administrator to manage an event of restore deleted mail items was to physically reach the user’s desktop or assign to himself the Full Access permissions on the user mailbox.

Using the PowerShell cmdlet – Get-RecoverableItems, provide us the ability to remotely view and display a detailed information about the deleted mail items of a specific Exchange mailbox, and based upon this information, decide how and what mail items to recover.

3. Restore deleted mail items to their original folder

Regarding the PowerShell cmdlet – Restore-RecoverableItems, the outstanding and interesting advantage of this cmdlet is, the ability to restore the deleted mail items to their original mail folder.

Until the present time, before the PowerShell cmdlet – Restore-RecoverableItems “appear,” we didn’t have the option to restore deleted mail items to their original mail folder.

In many scenarios, although we and the user are happy that we were able to restore deleted mail items, what saddened the happiness was the fact that the user needs to implement a tedious and arduous process of locating the “original mail folder” that hosts the deleted mail items, and manually “scatter” the mail items that were recovered between this mail folder.

Exchange environment and the subject of “Deleted mail items”

If we ask to be honest, for most of us, the subject of “restoring deleted mail items” in the Exchange-based environment, could be considered as a complicated and confusing subject.

For example, to be able to manage well the process of – restoring deleted mail items in an Exchange environment, we need to be familiar with the architecture of Exchange mailbox (Single item recovery, Recovery mail items system folders and the Dumpster), the “life cycle” of deleted mail items, the various types of mail deletion classification such as – standard deletion, Soft deleted mail item and Hard deleted mail item. In the current article, we provide a brief review of the basic terms and concepts that relate to the subject of – deleted mail item in Exchange environment.

In case that you want to read more detailed information about Exchange Online recovery mail items folder structure and concepts, you can read the articles – Recover deleted mail items – Office 365 | 4#7 and Recover deleted mail items in the Exchange Online environment | Deleted mail flow | 3#7

Although we cannot get into a detailed description of how Exchange infrastructure handles an event of deletion of mail items, it is necessary to mention some basic terms and concept that relate to “deleted mail items.

When a user deletes a mail item, the mail items are “sent” to the “deleted items” mailbox folder. It is important to emphasize that although the mail items are stored in the “deleted items” folder. It is important to empathize that technically; the mail items are not deleted. For example, the apparently deleted mail items can stay forever in the “deleted items” folder (number 1).

Soft Deleted mail items

In case that the user decides to empty the “deleted items” folder or to delete a specific mail item stored in the “deleted items” folder, the operation described as “Soft Deleted.”

When the user deletes a mail item that is stored in the “deleted items” folder, the mail items are sent to a specially hidden mailbox store, that described as – “Recoverable item folder” (a parallel term is the “Dumpster” folder). An important thing that I would like to mention is that even though we use the term “Recoverable item folder”, which allegedly refers to a singular folder, in reality, the “Recoverable item folder” is implemented as “array of system folders” that each of them has a unique function. When the mail item is Soft deleted, the mail item is sent to the “Recoverable item folder space” to a folder named “Deletions” (number 2).

Deleted mail items policy

The important thing that we need to know is, that Exchange applies a special policy named – “Deleted mail items policy” on the “Recoverable item folder space.”

By default, the “Deleted mail items policy” define a time window of 14 days for the mail item that is stored in the “Recoverable item folder space.” After this period has elapsed, the mail item will permanently be deleted without being able to recover.

Note – in Exchange Online based environment the default “14 days” policy can be extended to a maximum of 30 days. In case that you need a longer time period of defining a policy that will keep forever deleted mail items that are stored in the “Recoverable item folder space,” you can use the option of Litigation Hold or In-Place Hold that required an E3 or Exchange plan 2 licenses.

The “Deletions” folder doesn’t appear as a standard mailbox folder which the user can access, but, the user has the ability to view the content of the “Deletions” folder + delete or restore mail items from the “Deletions” folder by using the option of – “Recover Deleted items.”

Hard Deleted mail items

In case that for some reason the user decides to access the “Deletions” folder, and delete the mail items that stored in the “Deletions” folder the action defined as – Hard Delete.

In this case, the mail item\s will be moved from the “Deletions” folder to an additional special system folder named – “Purges” (number 3). The user (mailbox owner) is not able to view the content of the “Purges” folder! Only Exchange administrator has the ability to view or restore mail items that stored in the “Purges” folder. In other words, only the Exchange Administrator can recover Hard deleted mail items.

Note – we cannot use the set of the PowerShell cmdlets – Get-RecoverableItems and Restore-RecoverableItems for recovering Hard Deleted mail items.

Restoring deleted mail items | The user himself versus Restore implemented via PowerShell

The current article series is dedicated to the new PowerShell cmdlets – Get-RecoverableItems and Restore-RecoverableItems, that we can use for restoring deleted mail items from Exchange mailbox.

But before we continue to the “technical part” in which we review the syntax of this PowerShell cmdlets, it is important that we answer a couple of questions. Q1: Can a user (mailbox owner) has the ability to restore Deleted mail items? A1: The answer is “Yes.” Deleted mail items, sent to the mailbox Recycle bin (Deleted items folder). The user can easily view the content of the mailbox recycle bin (Deleted items folder) and “move” the mail items to any folder he chooses (notice that there is no option to recover the mail items to their original folder). Regarding deleted mail items that considered as – Soft Deleted mail items, Outlook mail client, and OWA mail client includes a built-in interface that enables a user to perform a restore process of Soft Deleted mail items. Q2: Is there a scenario where a user cannot perform a restoration of deleted mail by himself? A2: The answer is “Yes.” In case that the Deleted mail items considered as – Hard Deleted mail items, the user (mailbox owner) cannot recover these mail items by himself. Only Exchange administrator with will be able to perform the procedure of restoring – Hard Deleted mail items meaning, mail items that are stored in the “Recoverable item folder space” in the “Purges” folder.

You can read more detailed information about how to perform Hard Deleted mail items recovery in the following articles:

Using Office 365 content search for exporting deleted mail items to a PST file – prefix | 1#3

Recover mail items from Recovery mail folder (the Dumpster) using PowerShell | Part 3#5

Q3: Given that a user can restore deleted mail items by himself, what are the advantage of using the PowerShell cmdlets – Get-RecoverableItems and Restore-RecoverableItems?

A3:

Case 1 – Restoring Hard Deleted mail items

Using the set of the PowerShell cmdlets – Get-RecoverableItems and Restore-RecoverableItems don’t include the option of performing the procedure of restoring – Hard Deleted mail items. Referring to the above point the PowerShell cmdlets – Get-RecoverableItems and Restore-RecoverableItems don’t have any advantage versus the ability of the user (mailbox owner) to recover deleted mail items.

Case 2 – Restoring Deleted mail items + Soft Deleted mail items The main advantage of using the PowerShell cmdlets – Get-RecoverableItems and Restore-RecoverableItems is that these cmdlets know how to use a special property of a mail item, that includes information about the mail folder that stores the mail item before the mail items were deleted. Using the information stored in this property (named – LastParentFolderID), we have the ability to help users not only to recover Deleted mail items but, also restore the deleted mail items to the original location.

Recap and takeaways

The type of deleting mail items scenario

Regarding the term “deletion of mail items”, in the Exchange-based environment, there are 3 types of mail deletion scenarios:

Standard mail item deletion

Soft deleted mail item

Hard deleted mail item

The procedure of restoring deleted mail items by the user himself or by using the PowerShell cmdlets (Get-RecoverableItems and Restore-RecoverableItems), is relevant only to the following types of mail depletion scenarios:

Standard mail deletion – a scenario in which user delete a mail item, and the mail item is sent to the mailbox recycle bin meaning – the deleted items folder.

Soft deleted mail – a scenario in which the user deletes mail items that stored in the deleted items folder (and the mail items sent to the “Deletions” folder).

Hard deleted mail item

The set of PowerShell cmdlets (Get-RecoverableItems cmdlet and the Restore-RecoverableItems cmdlet) cannot be used in a scenario of Hard Deleted mail items and cannot be used to view and recover mail items that are stored in the “Purges” folder.

Restore deleted mail items and Soft Deleted mail to their original mail folder

To be able to understand better what is the big advantage of using the Restore-RecoverableItems cmdlet that “know” how to restore deleted mail items to their original folder,” let’s briefly review the process of restoring a mail item by the user himself using the Outlook or OWA graphic interface.

Scenario 1 – Restore “standard” deleted mail

In the following diagram, we can see an example of such as scenario. When the user accesses his mailbox recycle bin (deleted mail folder), he can see all the mail items that stored in the recycle bin but notice an important fact – the user doesn’t have any “recover” menu option.

The meaning is that the “recovery process” is implemented by dragging the mail items from the recycle bin store the “destination mail folder.” The basic assumption is that the user knows what the “original mail folder” that stores the mail items before they were deleted, but the reality is a little more complicated. In many scenarios, the user doesn’t remember the what was the original folder, and he will need to guess what was the original folder or just drop the mail items in any folder that he randomly chooses.

Another version of the “deleted mail item” scenario, is a scenario in which the deleted mail items consider as Soft Deleted mail items (mail items stored in the “Deletions” folder in the “Recoverable item folder space”).

In this case, when the user views the content to the “recovery mail items” folder, he has a menu option that enables him to restore the mail items. But the important thing that we should Know is that the “restore procedure” is not implemented by restoring the Soft Deleted a mail item to his original mail folder but instead, to the “last folder” that host the mail item before he was deleted. In this scenario, the “last folder” is the – deleted items folder (mailbox recycle bin). All tough the user has the ability to restore the Soft Deleted mail item, the user is facing the same problem of – how to locate to restore the mail item to the “real folder” that host the mail item. In the following diagram, we can see an example of such as scenario. Mail item that was stored in a folder named – “Customers 2018” was deleted and moved to the mailbox recycle bin (the deleted items folder). If the user decides to empty the recycle bin, the mail items considered as – Soft Deleted mail items (moved to the Deletions folder in the “Recoverable item folder space”). When the user decides to recover the Soft Deleted a mail item, the restore process “move” the mail item back to the last folder which hosts the file, the deleted items folder (mailbox recycle bin).

How does the Restore-RecoverableItems cmdlet know “how to restore deleted mail items to their original folder”?

The “magic” of restoring the Soft Deleted mail items to their original folder is implemented by using two properties of the Soft Deleted a mail item:

LastParentFolderID – this property includes the GUID value of the “original folder” that hosts the mail items before they were deleted.

OriginalFolderExists – this property uses the values of “True” or “False” for defining the status of the original folder. For example, if the original folder that hosts the mail items before they were deleted still exists, the value is “True.”

When we perform deleted mail restore procedure using the Restore-RecoverableItems cmdlet, the Restore-RecoverableItems cmdlet knows how to read the information stored in the LastParentFolderID mail item property, and based upon this information, how to restore the deleted mail items to the folder that hosts the mail items before he was deleted.

It is important to mention that these special properties exist only in Exchange mailboxes that hosted by Exchange 2016 server and above. In Office 365 based environment, the basic assumption is that the Exchange Online infrastructure is implemented by using Exchange 2016 server infrastructure.

The Get-RecoverableItems and Restore-RecoverableItems couple

Restoring deleted mail items via PowerShell is implemented by using a set of two PowerShell cmdlets:

Get-RecoverableItems cmdlet

This is the PowerShell cmdlet that we use for viewing (displaying) information about the deleted mail items of a specific user (specific Exchange Online mailbox). It is important to mention that the Get-RecoverableItems cmdlet will be able to display deleted mail items that store in the mailbox recycle bin (Deleted items folder) and in the “Purges” folder that store Soft Deleted mail items.

For example-

View the content of the user mailbox recycle bin (Deleted items folder)

Get-RecoverableItems <Mailbox Name> -SourceFolder DeletedItems

View the content of a user mailbox – Purges folder (Soft Deleted mail items)

Get-RecoverableItems <Mailbox Name> -SourceFolder Recoverableitems

Restore-RecoverableItems cmdlet

This is the “other half” of the two-cmdlets set that is used to recover (restore) the deleted mail items.

The most basic use of the Restore-RecoverableItems can be implemented by using the following syntax:

Restore-RecoverableItems <Mailbox Name>

In this scenario, the Restore-RecoverableItemscmdlet will access the user mailbox and start an automatic recovery process of the following type of deleted mail items:

All the mail items stored in the mailbox recycle bin meaning, the deleted items folder.

All the mail items that defined as – Soft deleted mail item meaning, the mail items that are stored in the “Deletions” folder in the “Recoverable item folder space”).

Permissions to use the Get-RecoverableItems and Restore-RecoverableItems cmdlets

To be able to use the Get-RecoverableItems and Restore-RecoverableItems cmdlets, the user needs to have the rule – “Mailbox Import Export role.”

What are the non-supported scenarios (what recovery scenario cannot be implemented)?

Up until now, what review the deleted mail recovery scenarios that can be implemented by using the PowerShell cmdlets – Get-RecoverableItems and Restore-RecoverableItems.

At the same time, it is important that we know about the limitation of this PowerShell cmdlets or in other words, what are the recovery mail scenarios, which are not supported when using the above PowerShell cmdlets.

At the current time, the Get-RecoverableItems and Restore-RecoverableItemscmdlets are only supported in the Office 365 cloud environment (Exchange Online).

We cannot use the Get-RecoverableItems and Restore-RecoverableItemscmdlets for – view the content of the Purges folder or restore mail items stored in the Purges In other words, at the current time, this set of PowerShell cmdlet cannot be used for recovering Hard deleted mail items.

We cannot use the Restore-RecoverableItemscmdlet for restoring deleted mail items based on Retention tags.

We cannot use the Restore-RecoverableItemscmdlet for restoring deleted mail items to a “destination folder” which we choose. The Restore-RecoverableItemscmdlet will automatically restore the deleted mail items to their original folder (the mailbox folder that hosts the deleted mail items before they were deleted). In case that the original folder doesn’t exist, the mail items will be restored to the “Root mailbox folder.”

We cannot use Restore-RecoverableItemscmdlet for – restoring a deleted “mail folder” (this command can restore “mail items” but not a “Mail Folder” object).

We cannot use the Get-RecoverableItems and Restore-RecoverableItemscmdlets for – restoring deleted mail items stored in an Archive mailbox.

In case that the original folder that host the deleted mail was deleted, we cannot solve this issue by creating a new folder with identical name because the information about the “original folder” is saved using the original folder GUID identity

The next article in the current article series

Display information about Deleted mail items using the PowerShell cmdlet Get-RecoverableItems |2#3

Now it’s Your Turn! It is important for us to know your opinion on this article

#Recover mail items #restore mail items

0 notes

o365info-blog · 8 years ago

Text

New Post has been published on o365info.com

New Post has been published on http://o365info.com/how-to-use-the-spam-mail-report-powershell-script-part-3-3/

How to use the spam mail report PowerShell script | Part 3#3

In the current article, we review the PowerShell menu script that I created for exporting and viewing information stored in Exchange Online spam mail log file.

Article series | Using Get-MailDetailSpamReport | View and export spam mail report

Office 365 spam mail report using PowerShell | Introduction | 1#3

Using Get-MailDetailSpamReport PowerShell cmdlet | View and export spam mail report | Part 2#3

How to use the spam mail report PowerShell script | Part 3#3

The purpose of the PowerShell script

The current PowerShell script is based on the PowerShell cmdlet – Get-MailDetailSpamReport

The PowerShell cmdlet – Get-MailDetailSpamReport, (available only in an Exchange Online environment), enables us to view (display on the PowerShell console), and export to file information about “spam mail events.”

The main purpose of the current PowerShell script is, to simplify and optimize the use of this useful PowerShell cmdlet. The PowerShell script menu options, enable you to export various types of “spam mail reports” using various file type formats (TXT, CSV, and HTML), that will help you to get a deeper understanding of spam mail events in your Office 365 (Exchange Online) environment.

For example:

Internal spam – identify and deal with, events in which the spam mail is “generated” by a legitimate organization user\s.

Spoof events – identify and deal with, events in which hostile element tries to spoof the identity of a legitimate organization user (send spam mail using his identity).

Spam mail attacks – identify and deal with, events in which hostile element targets a specific recipient or recipients by flooding them with spam mail.

The logic and the concepts of the Office 365 spam mail reports PowerShell script

The following PowerShell script is configured to automatically export many different spam mail reports, based on a predefined “search queries” and filters (that will be explained later on).

The purpose of the different type of spam mail reports is, to provide the ability to get insight and draw conclusions, about “spam mail events” that occur in our organization environment.

The concept of “E-mail addresses entities”

The spam mail report relates to the identity of the “entity” that sends spam mail or receives the spam mail, by specifying the E-mail address of this entity.

The “E-mail address” can be classified as the E-mail address of organization recipient, meaning E-mail address that includes our organization domain name suffix or E-mail address of non-organization recipients, meaning any E-mail address that includes a domain name suffix that doesn’t include our organization domain name.

When we use the term “organization E-mail address,” the meaning can be translated into many types of Exchange Online recipients such as – Distribution Group, contact, Public Folder, Shared mailbox, Room mailbox, User mailbox and so on.

Most of the times, our main concern is to analyze information that relates to our organization recipients (E-mail addresses that their suffix includes our organization domain name).

Although that we want to get information about each spam mail event that involved E-mail address of our organization recipients, in many cases, we want to use additional “classification,” in which our main target is to review and investigate spam mail events, that are related to specific types of Exchange Online recipient – Exchange user (the technical term is User Mailbox).

To enable you to get more “closer views” about spam mail events that relate to – Exchange Online users, each type of the spam mail report (summary spam mail report and spam mail events reports), include a dedicated section that “reveal” spam mail events that relate only to E-mail address that “belong” to Exchange Online users.

The PowerShell script will “fetch” from Exchange Online a list of Exchange Online Users and their E-mail addresses, and in the next step, “scan” the Exchange Online spam mail log file, looking for any type of spam mail events that include the “E-mail address” that appears on this list.

Organization E-mail address of non-existing recipients

Many times, when we look at the results of the spam mail reports, we will find information about E-mail address that includes “our domain name suffix” which allegedly “look like” organization E-mail address but in reality, there are no such E-mail addresses!

Most of the times, this phenomenon is realized when hostile elements try to “guess” E-mail addresses of our organization recipients, and try to send mail to “non-existing” recipients (non- existing E-mail addresses).

Summary spam mail report Versus spam mail events reports

The current PowerShell script will generate two types of spam mail reports:

“Summary spam mail report,” and “spam mail events reports.”

These terms are not formal terms, but instead, terms that I use for describing the different type of spam mail reports that are automatically generated by the PowerShell script.

Summary spam mail report

Summary spam mail reports are created by using a manipulation of the data that appears in the “original” Exchange Online spam mail log file. The Summary spam mail report is created by using a formula that counts the spam mail events, that relate to a specific E-mail address in a specific time period (30 days is the default time period used in the current PowerShell script).

The purpose of the “Summary spam mail report” is, to provide a quick insight about the “volume” of spam mail events that are related to a specific E-mail address.

For example, in case that we find in the report that there are many spam mail events that relate to emails that were sent from E-mail address of one of our organization users, this could be a sign to a scenario, in which the user account was comprised, and it used by hostile elements for distributing spam mail using the legitimate identity of the organization recipient.

Spam mail events reports

The report which I described as – “spam mail events reports,” are reports that include a detailed description of each specific “spam mail event.”

For example, a “spam mail event” will include information such as – the E-mail address of the sender, the E-mail address of the recipient, the specific date, the E-mail message subject, the direction (inbound or outbound) and so on.

Generate spam mail report automatically using menu 2

The current PowerShell script includes two types of menus:

Fully automated menu (menu 2).

Generate spam mail report by using as a specific search query

Menu number 2 was created for implementing automation of the following tasks:

Fetch the content of the Exchange Online spam mail log

Automatically generate various types of spam mail reports. Each of these reports will help you to get a different “angle” of the information in the spam mail log.

When you “hit” the menu option number “2,” the PowerShell script will start an automatic process that includes the following sequence of steps:

1. Create folder hierarchy

The PowerShell script starts by creating a custom folder hierarchy, that will be used to store the various spam mail reports.

For example, the folder that stores the primary spam mail report will be created in C: drive, using the following folder path: C:\INFO\Spam mail Reports – <Date>

2. Fetch information from Exchange Online spam mail log file

Next, the PowerShell script connects Exchange Online and fetches all the information that is stored in Exchange Online spam mail log file for a period of 30 days.

The information that was fetched, will be saved in the “Primary spam mail report.”

We can define this spam mail report as- a “row” data because, the information appears as it is, without any customization or search query that “filter” specific type of data.

3. Create the various types of spam mail reports.

The “foundation stone” for the various spam mail reports is – the “main spam mail report.” This primary spam mail report, include all the available information about – every spam event that appears in the Exchange Online spam mail Log file, for the last 30 days period.

The PowerShell script uses the information that is stored in the “Primary spam mail report file” for – creating additional custom spam mail reports. We can relate to the additional spam mail reports, as a derivative of the primary spam mail report.

Spam mail reports structure and folder hierarchy.

The Spam mail reports folder hierarchy is built using a structure that is similar to the concept of Matryoshka doll.

First-level folder hierarchy

In the following diagram, we can see the “first level” of the folder hierarchy that will be automatically created by the spam mail PowerShell script:

A. ALL Spam mail events – Last 30 days

This folder will store the “Primary spam mail report file.”

B. Summary Spam Report – Count (Sum) RECEIVED & SENT spam emails

This folder will store the spam mail reports, which I describe as “Summary Spam Report.” This term is not a formal technical term, but instead, a term that is used for describing a custom type of spam mail reports that count (sum) the spam events that related to a specific E-mail address.

C. Dedicated Spam Mail Report For Each e-mailed address.

This folder will store the spam mail reports, which I describe as “Dedicated Spam Report.” The PowerShell script will automatically create a dedicated folder, for each E-mail address that appears in the spam mail report.

Second level folder hierarchy

Each of the “first-level level folders,” include an additional subfolder (Second level folder) that used for storing the spam mail reports, that are based on a specific classification (filtered view) of the “row” spam mail data.

To demonstrate the Second-level folder hierarchy, let’s review the hierarchy of “first level” folder named – “B. Summary Spam Report – Count RECEIVED & SENT spam emails”

Inside this folder, we will find the “Second level folder hierarchy” that includes the following two folders:

1. Exchange Online users

This folder includes a spam mail report that relates only to specific types of E-mail addresses: The E-mail addresses of Exchange Online recipients who describe as “Mailbox user.” The purpose of this classification is, to enable us to focus on “spam mail events” that relate to our organization users (technically speaking, Exchange Online includes many types of recipients besides the “user recipient”).

2. All E-mail Addresses

This folder includes a spam mail report, that relates to – ALL the E-mail addresses that appear in the spam mail report. In this case, the report will not relate to a specific type of E-mail addresses, but instead, relate to each of the E-mail addresses that appear in the spam log (organization recipients E-mail addresses and non-organization E-mail addresses).

Third-level folder hierarchy

This is the “last folder hierarchy.” For example, the “1. Exchange Online users” folder, will include additional two folders:

1.1 Count RECEIVED spam mail

This folder includes a spam mail report that filters the information from the primary spam mail report, by using the following two criteria:

Spam mail events that related to the E-mail address of Exchange Online users.

Spam mail events which described as – RECEIVED spam mail. The meaning is – spam mail that was sent to (received by) Exchange Online user.

1.2 Count SENT spam mail

This folder includes a spam mail report that filters the information from the primary spam mail report, by using the following two criteria:

Spam mail events that related to the E-mail address of Exchange Online users.

Spam mail events which described as – SENT spam mail. The meaning is – spam mail that was sent from (sent by) E-mail address of the Exchange Online user.

Spam mail reports type.

The current PowerShell script is configured to export the various spam mail reports to three different file formats: text file, SCV (Comma Separated Values) file, and HTML file.

Each file format has his strengths and weaknesses. For example, the HTML spam mail report is very “friendlily” and easy to read. The “weakness” of the HTML file format is that there is no option for “manipulating” or editing the data.

Regarding the CSV file format, most of the times we use an application such as Microsoft Excel to view and edit the content of the CSV file.

This is an example of the CSV spam mail summary report that was created.

Quick tip – to optimize the way we view the “data,” we can use the option of – Table view.

Select one of the cells that include data (number 1)

Select the menu Insert and the submenu – Table (number 2)

In the following screenshot, we can see that Excel format that data in a “Table style.”

In addition, Excel adds to each column header, a “small arrow,” that enables us to manipulate the data. For example, filter specific values, sort the information and so on.

The Excel “issue” with long path and file names

In some scenario, when you try to open a CSV file, the following error appears:

“Sorry we couldn’t find XYZ file. It is possible it was moved, renamed or deleted? “. This error is related to Excel “issue” that relates to file that stored in a deep folder hierarchy or have a very long file name.

The solution, in this case, will be to shorten the CSV file name or move the file to “top folder”

Brief review – the two types of spam mail reports

As mentioned, the spam mail reports PowerShell script, will generate two types of reports:

The summary spam mail reports

In the following screenshot, we can see an example of summary spam mail reports. The information table includes only two columns:

The E-mail address that appears in the spam mail log file + sum of the spam events that are “related” to the specific E-mail address.

In the current example, the report includes information only about the Exchange Online user recipient who received spam mail.

Using this “received spam mail summary report”, could help us to identify a scenario in which hostile element try to “flood” specific Exchange Online user\user, identify who are the organization user who suffers most from spam mail attack and so on.

The “Dedicated Spam Mail Report”

I use the term “Dedicated Spam Mail Report” to highlight the special way that the current PowerShell script use for generating spam mail reports.

The spam mail reports PowerShell script, is configured to create a list of Exchange Online User E-mail address. in the next step, the PowerShell script will scan the “primary spam mail report,” looking for information about each of the E-mail addresses in the list (spam events that are related to each of these E-mail addresses).

Given that there were spam mail events that relate to the specific E-mail address, the PowerShell script will automatically create a dedicated folder for each Exchange Online user, that will be named by using the Exchange Online user display name.

In the following screenshot, we can see an example of the results from the “Dedicated Spam Mail Report.” A Dedicated folder will be created for each Exchange Online user who (in this scenario) received spam emails.

The “Dedicated user folder,” will contain the three-spam mail reports using the following file formats – Text, CSV, and HTML.

In the following screenshot, we can see an example of a “Dedicated spam mail report” that includes all the spam mail events that are related to Exchange user named – Angelina.

2.2 – PowerShell script menus | Description

PowerShell script includes the following sections:

Connect to Exchange Online using Remote PowerShell

General information – to be able to manage Exchange Online infrastructure, you must first create a Remote PowerShell session.

Menu 1 – Login to Exchange Online using Remote PowerShell

To create the required Remote PowerShell session, select the menu “1”. A user credential’s window will appear. You will need to provide your Office 365 Global Administrator credentials.

SECTION A: Export Various type of spam mail reports

Menu 2 – Export Spam Mail Reports | Last 30 days

This is the main menu option. To be able to generate all the various spam mail reports that were described in the former sections, all you need to do is just hit the number “2”, and the PowerShell script will do all to work for you.

The spam mail reports will be stored by using the following folder hierarchy:

ALL Spam mail events – Last 30 days

Summary Spam Report – Count RECEIVED & SENT spam emails

Exchange Online users

1.1 Count RECEIVED spam mail

1.2 Count SENT spam mail

All E-mail Addresses

2.1 Count RECEIVED spam mail – ALL E-mail Address

2.2 Count SENT spam mail – ALL E-mail Address

Dedicated Spam Mail Report For Each E-mail Address

Exchange Online users

1.1 – RECEIVED Spam mail report

1.2 – SENT Spam mail report

All E-mail Addresses

2.1 – RECEIVED Spam mail report

2.2 – SENT Spam mail report

SECTION B: Display + Export about spam mail senders or receivers that passes a certain threshold

Menu 3 – Display + Export Spam Mail Reports | E-mail addresses that pass a certain spam mail threshold

The purpose of the following menu is, enable you to locate “E-mail addresses” that involved in spam mail activity that passes a certain threshold. Based on the specified threshold that you provide, the PowerShell script will scan all the events that appear in the Exchange Online spam mail (using date range of a 30-day period) looking for the following E-mail addresses:

E-mail address that RECEIVED number of spam emails, that are equal or higher from the specified threshold value.

E-mail address that SENT number of spam emails, that are equal or higher from the specified threshold value.

SECTION C: Spam mail report | Top 10 spam mail Receiver and Senders

Menu 4 – Export Spam Mail Reports | Dedicated spam events report for Top 10 spam mail Receiver and Senders

The purpose of the following menu is, to automatically create a dedicated spam mail events report, for each E-mail address in the spam mail log file, that answers the following criteria:

The Top 10 spam mail SENDERS.

The Top 10 spam mail RECEIVER.

Export SPAM mail reports – Office 365

PowerShell menu based script, that will help you to display and export information (to various file formats -TXT, CSV, and HTML) about – spam mail events in an Office 365 based environment. The spam mail report includes – summary spam mail report, which counts the sent and received spam mails for specific recipients or detailed spam mail report, that includes a description of each spam mail event.

Download5 Downloads

The former article in the current article series

Using Get-MailDetailSpamReport PowerShell cmdlet | View and export spam mail report | Part 2#3

Now it’s Your Turn! It is important for us to know your opinion on this article

Client protocol connectivity flow in Exchange 2013...

The Exchange 2013 coexistence article series index...

Restore Exchange Online Room mailbox | Cloud only ...

How to use the PowerShell script – manage Em...

What is the hostname of my Office 365 MX records?

.yuzo_related_post imgwidth:120px !important; height:110px !important; .yuzo_related_post .relatedthumbline-height:15px;background: !important;color:!important; .yuzo_related_post .relatedthumb:hoverbackground:#fcfcf4 !important; -webkit-transition: background 0.2s linear; -moz-transition: background 0.2s linear; -o-transition: background 0.2s linear; transition: background 0.2s linear;;color:!important; .yuzo_related_post .relatedthumb acolor:!important; .yuzo_related_post .relatedthumb a:hover color:!important;} .yuzo_related_post .relatedthumb:hover a color:!important; .yuzo_related_post .yuzo_text color:!important; .yuzo_related_post .relatedthumb:hover .yuzo_text color:!important; .yuzo_related_post .relatedthumb margin: 0px 0px 0px 0px; padding: 5px 5px 5px 5px; jQuery(document).ready(function( $ ) //jQuery('.yuzo_related_post').equalizer( overflow : 'relatedthumb' ); jQuery('.yuzo_related_post .yuzo_wraps').equalizer( columns : '> div' ); )

#Spam mail report

0 notes

o365info-blog · 8 years ago

Text

New Post has been published on o365info.com

New Post has been published on http://o365info.com/using-get-maildetailspamreport-powershell-cmdlet-view-and-export-spam-mail-report-part-2-3/

Using Get-MailDetailSpamReport PowerShell cmdlet | View and export spam mail report | Part 2#3

he PowerShell Get-MailDetailSpamReport cmdlet was created as a tool that simplifies the process of viewing and “dumping” information stored in Exchange Online spam log file.The Exchange Online spam log file, serve as a store that holds the documentation for each of the “spam mail events” that relates to incoming and outgoing mail flow.

In the current article, we review how we can expand and enhance the capabilities of the Exchange Online PowerShell cmdlet – Get-MailDetailSpamReport.

Article series | Using Get-MailDetailSpamReport | View and export spam mail report

Office 365 spam mail report using PowerShell | Introduction | 1#3

Using Get-MailDetailSpamReport PowerShell cmdlet | View and export spam mail report | Part 2#3

How to use the spam mail report PowerShell script | Part 3#3

In the first part, we review the basic PowerShell syntax examples that can be used with the Get-MailDetailSpamReport cmdlet.

In the second part, we will review the more advanced use of the Get-MailDetailSpamReport cmdlet, by using a PowerShell script that will help us perform a sequence of tasks and to generate various types of spam mail reports (by using search queries).

Part 1#2 – basic use of the Get-MailDetailSpamReport cmdlet

Display – spam mail report information

To be able to get the spam mail report, all we need to do is just type the name of the Get-MailDetailSpamReport cmdlet without any other mandatory parameters.

For example:

Get-MailDetailSpamReport | FT Date,Subject,Direction,SenderAddress,RecipientAddress

Get-MailDetailSpamReport output

PS C:\Users\Eyal\> Get-MailDetailSpamReport | FT Date,Domain,Subject,Direction,SenderAddress,RecipientAddress,EventType,MessageSize,MessageId,MessageTraceId Date Domain Subject Direction SenderAddress RecipientAddress ---- ------ ------- --------- ------------- ---------------- 2017-09-28 1:42:16 PM o365info.com INBOX SMTP,RDP,UNLIMITED WEBMAIL,FRESH LEADS,FUND TRANSFER TO ALL BANKS IN USA..all available now. Inbound [email protected] [email protected] 2017-09-28 1:42:25 PM o365info.com Undeliverable: INBOX SMTP,RDP,UNLIMITED WEBMAIL,FRESH LEADS,FUND TRANSFER TO ALL BANKS IN USA..all available now. Outbound [email protected] [email protected] 2017-09-28 1:42:25 PM o365info.com Undeliverable: INBOX SMTP,RDP,UNLIMITED WEBMAIL,FRESH LEADS,FUND TRANSFER TO ALL BANKS IN USA..all available now. Outbound [email protected] [email protected] 2017-09-28 7:50:37 PM o365info.com Scan Data Outbound [email protected] [email protected] 2017-09-28 8:24:52 PM o365info2.onmicrosoft.com Cloud App Security: suspicious administrative activity detected Inbound [email protected] [email protected] 2017-09-28 11:35:40 PM o365info.com 近期计划安排！0433 Inbound [email protected] [email protected] 2017-09-29 12:41:46 AM o365info.com RE: ANITA ROBERTS ( DEVCOIN CRYPTOCURRENCY ) Inbound [email protected] [email protected] 2017-09-29 2:39:59 AM o365info.com Scan Data Outbound [email protected] [email protected] 2017-09-29 7:02:53 PM o365info.com Become a Target Content Curator Today! Inbound [email protected] [email protected] 2017-09-29 11:31:00 PM mottie.com Invoice Outbound [email protected] [email protected] 2017-09-29 11:56:57 PM o365info.com 业务没激情没业绩怎么办？ Inbound [email protected] [email protected] 2017-09-30 5:16:18 AM alwasmiwater.com BENEFICIARY PAYMENT ADVICE Outbound [email protected] [email protected] 2017-09-30 6:38:37 AM o365info.com Top On Web Inbound [email protected] [email protected] 2017-09-30 7:07:23 AM eenvoudigonline.be Invoice Outbound [email protected] [email protected] 2017-09-30 8:04:06 AM timberlineroof.net Invoice Outbound [email protected] [email protected] 2017-09-30 9:24:07 AM o365info.com Invitation: UNITED BANK OF AFRICA @ Friday, 29 September 2017 Inbound [email protected] [email protected] 2017-10-01 7:43:34 PM interia.com QUOTATION doc20171002 Outbound [email protected] [email protected] 2017-10-02 4:09:56 AM o365info.com Hi Inbound [email protected] [email protected] 2017-10-02 8:24:58 AM o365info.com What's up Inbound [email protected] [email protected] 2017-10-02 7:54:21 PM o365info.com 胡良平主讲-SAS统计分析全方位应用课程学习班 [email protected] Inbound [email protected] [email protected] 2017-10-02 10:36:54 PM o365info.com Hey, Sweety Inbound [email protected] [email protected] 2017-10-03 1:15:58 AM o365info.com Emailed Invoice - 822287 Outbound [email protected] [email protected] 2017-10-03 2:19:17 AM o365info.com Hey, Sweety Inbound [email protected] [email protected] 2017-10-03 3:24:55 AM o365info.com Hey, Sweety

Export spam mail report information to CSV file.

To be able to export the result from the spam mail report to a CSV file, we can use the following syntax:

PowerShell command syntax

Get-MailDetailSpamReport | Export-CSV <Path> –NoTypeInformation -Encoding utf8

PowerShell command example

Get-MailDetailSpamReport | Export-CSV c:\temp\"spam mail report.CSV" –NoTypeInformation -Encoding utf8

Export spam mail report information to CSV file | Specific Date range

In this scenario, we want to export the result from the spam mail report to a CSV file, but this time. We want to define a specific date range for the spam mail report.

To define the required date range, we use the parameters StartDate and EndDate.

PowerShell command syntax

Get-MailDetailSpamReport -StartDate <Date> -EndDate <Date>

PowerShell command example

Get-MailDetailSpamReport -StartDate 09/01/2017 -EndDate 10/01/2017

Note – Later , we review more sophisticated methods that we can use for defining that required date range.

Brief prefix – spam mail sender versus spam mail receiver

The spam log file includes many “properties” of each spam mail events.

One of the most important distinctions that we need to be familiar with is – the event in which some entity (represented as E-mail address) sends spam mail. The meaning is – the side that holds the rule of the “attacker,” versus the entity of the user or the recipient who receives the spam emails meaning, the victim of the spam mail attack.

The implementation of this distinction is implemented by using the following PowerShell parameters:

The PowerShell parameter – SenderAddress, define the entity that sends the spam mail

The PowerShell parameter – RecipientAddress, define the entity that receives the spam mail.

Get spam mail report | Filter results – specific spam mail receiver

In this scenario, we want to get information about all the spam mail events, in which the spam mail was sent to (received by) a specific “destination E-mail address”.

To define the identity of the “receiver”, we use the PowerShell parameter RecipientAddress, and provide the E-mail address of the destination recipient.

PowerShell command syntax

Get-MailDetailSpamReport -RecipientAddress <Sender E-mail address>

PowerShell command example

Get-MailDetailSpamReport -RecipientAddress [email protected]

Get spam mail report | Filter results | Specific spam mail Sender

In this scenario, we want to get information about all the spam mail events, in which the spam mail was sent from (sent by) a specific E-mail address.

To define the identity of the “sender,” we use the PowerShell parameter SenderAddress, and provide the E-mail address of the sender.

PowerShell command syntax

Get-MailDetailSpamReport -SenderAddress <Sender E-mail address>

PowerShell command example

Get-MailDetailSpamReport -SenderAddress [email protected]

Get spam mail report | Filter results | Spam mail RECEIVER that their E-mail address includes specific domain name suffix

In this scenario, we want to get information about spam emails that were sent to specific recipients (destination E-mail addresses). Notice that this time we are interested in “multiple recipients” versus the default PowerShell parameter “RecipientAddress” that relate to a single entity of the recipient.

Our wish is to get information about all the spam emails, that was sent to recipients, which their E-mail address includes a specific domain name suffix. For example, get information about all the spam emails that were sent to our organization recipients, meaning, recipients whom their E-mail address includes our organization domain name suffix.

In this scenario, we use the PowerShell parameter “Where-Object” which filter the information based on the search query that we define. In our scenario, the search query syntax is:

$_.RecipientAddress -like "*@<Domain name suffix>*"

PowerShell command syntax

Get-MailDetailSpamReport -StartDate <Date> -EndDate <Date> | Where-Object $_.RecipientAddress -like "*@<Domain name suffix>*" | Select SenderAddress,RecipientAddress ,Date

PowerShell command example

Get-MailDetailSpamReport -StartDate $StartDate -EndDate $EndDate | Where-Object $_.RecipientAddress -like "*@o365info.com*" | Select SenderAddress,RecipientAddress ,Date

Get spam mail report | Filter results | Spam mail SENDERS that their E-mail address includes specific domain name suffix

This scenario is similar to the former scenario, but this time; we want to get information about all spam emails events, which relate to the “spam mail senders” (the entity that sends the spam mail) which use E-mail with a specific domain name suffix.

PowerShell command syntax

Get-MailDetailSpamReport -StartDate <Date> -EndDate <Date> | Where-Object $_.SenderAddress -like "*@<Domain name suffix>*" | Select SenderAddress,RecipientAddress ,Date

PowerShell command example

Get-MailDetailSpamReport -StartDate $StartDate -EndDate $EndDate | Where-Object $_.SenderAddress -like "*@o365info.com*" | Select SenderAddress,RecipientAddress ,Date

Part 2#2 – More advanced use of the Get-MailDetailSpamReport cmdlet

General concepts of Get-MailDetailSpamReport cmdlet use

The term “spam mail event”

Along the current article, we will mention the term “spam mail event” a couple of times. This term is not a formal term, but instead, my term that I use.

The term “spam mail event,” define a recorded in the Exchange Online spam mail log file, that includes a documentation of one of the two options:

Spam mail that was Sent From (Sent by) a specific entity (E-mail address).

Spam mail that was Received by (Sent to) specific entity (E-mail address).

The term “spam mail event record” includes the properties of the events such as date, message ID, message subject and so on.

Optimize the way we use Date ranges

As far as I know, at the current time, there is no formal information about the default time range that is used by the Get-MailDetailSpamReport PowerShell cmdlet.

Note – I don’t know what is the maximum date range of spam mail events that saved in the Exchange Online spam mail log file. From my experience, we can “fetch” information about spam mail events within 30 days ranges or more.

To be able to define that exact date range, we can add to the basic Get-MailDetailSpamReport PowerShell cmdlet the parameters – StartDate and EndDate, which enable us to set the exact date range.

For example

Get-MailDetailSpamReport -StartDate 09/01/2017 -EndDate 10/01/2017

In the current article, I will use a customization of “Date range parameters.” We will use a simple PowerShell formula, which defines Date range that will be measured in “day’s units.”

In our examples, we define Date range of 30 days. Note – using this simple PowerShell formula, you can very easily create the required date rage customization for your specific needs.

The End Date value

Instead of manually providing the value for the “End Date”, we use a variable, that stores the results that we get from the PowerShell cmdlet Get-Date.

The PowerShell cmdlet Get-Date is configured to “fetch” the current date.

The Start Date value

Instead of manually providing the value for the “Start Date,” we use a variable that stores the results of a simple formula. The formula that we use, take the current date and subtract from this date the number of days that we specify.

The result of this formula will be – the “Start Date.”

An example of the two variables that we will use along this current article is:

$EndDate = Get-Date $StartDate = $EndDate.Adddays(-30)

In this example, we define a date range of “30 days”.

In the following diagram, we can see an example of the “date range” concept.

Dump the content of the Exchange Online spam mail Log file

In this section, we review the how to “dump” the content of the Exchange Online spam mail Log file, but the point is a trick that we use that will help us to bypass the default limitation of the Get-MailDetailSpamReport PowerShell cmdlet, so we will be able to export (dump) the whole content of the Exchange Online spam mail Log file, for the date ranges that we define.

Export Spam Mail Reports | ALL Spam mail events | Last 30 days

Our mission: export all existing spam mail events from last 30 days.

Notice that in this scenario, we don’t want to use any type of filter or define a specific search query. Instead, we just want to “dump” all the information from the Exchange Online spam mail Log file to – a local file.

Exchange Online and secret data limitation default settings

When we ask for Exchange Online to “fetch” information that is stored in the data center Log file, the little secret that is not known to most of us is, that by default, Exchange Online will not “volunteer” to provide us 100% of the information.

Even when we provide a defined “date range,” Exchange Online is configured to provide a “restricted amount of data.”

The reason for this built-in limitation is probably some kind of “server protection mechanism” that was created for preventing excess loads from Exchange Online server or prevent excess loads of communication lines by limiting the amount of data that flows from the “cloud.”

The data measurement unit – the page

The way that we use to measure the “amount of data” that Exchange Online server provides, defined using a measurement unit named “page.”

Each “page” can contain the maximum number of “rows.” In case that we need to get more information than the information that can be stored in a single “page,” we need to “instruct” Exchange Online to provide us additional “pages.”

Page content default and maximum limit

The default number of “events” (Log rows) that appear on a single page is – 1,000.

The maximum number of “events” (Log rows) that can appear on a single page is – 5,000.

Pages default and maximum limit

The default number of pages is – 1.

The maximum number pages that can be provided by Exchange Online is – 1,000.

If you like to do the match, the maximum results that Exchange Online can provide us are – 5 million events (5,000,00000).

Exchange Online and the Get-MailDetailSpamReport cmdlet default settings

Regarding the output that we get from the Get-MailDetailSpamReport PowerShell cmdlet, the default setting is configured to produce “1 page” that contains a maximum of one thousand lines (1 X 1,000). In other words, by default, the Get-MailDetailSpamReport PowerShell cmdlet, is configured to provide us only the “first page” from existing information that is stored in the Exchange Online spam mail Log file.

To demonstrate this concept, let’s use the following scenario: Exchange Online spam mail log, including a documentation of 15,000 spam mail events. (The Exchange Online spam mail log file includes – 15,000 rows).

In case that we use the Get-MailDetailSpamReport PowerShell cmdlet without any filters or parameters, Exchange Online will “send” us information about 1,000 events.

A quick reminder – Exchange Online is configured to provide by default only one “page” and each page is configured by default to a maximum of 1,000 “rows.”

This “default configuration,” could lead to problems with “data integrity” because, we cannot see the full picture and instead, we see only part of the whole information.

The good news is the Get-MailDetailSpamReport PowerShell cmdlet, allow us to define two important parameters:

Page size – the maximum number of “events” (rows) that each page contains. The maximum rows that a page can contain is – 5,000.

The number of pages – the number of pages that we “ask to get”.

Additional reading

Get-MailDetailSpamReport

In our scenario, in case that we want to get “Full spam mail report” that will include 100% of the available information, we will need to “expend” the default Get-MailDetailSpamReport PowerShell command syntax in the following way:

Get-MailDetailSpamReport -PageSize 5000 -Page 3

Using a PowerShell script that will dump all the information from the spam log file

Although this “solution” look like a satisfactory answer to our problem, we have additional issues that we need to solve!

In the current scenario, I mentioned that we “know” that the Exchange Online spam mail log file includes 15,000 rows but, in reality, how can we really know what is the number of events that are stored in the log file, so we can make the required adjustment to the PowerShell command syntax?

And the answer is, that most of the times, we don’t know what is the exact “number” of rows (events) that appeared in the Exchange Online Server Log file.

To be able to deal with this challenge, we can use a little PowerShell “tweak” that will provide the required solution.

The solution is implemented by using a “loop” procedure, that will instruct Exchange Online to provide us the required results, using a page size of 5,000 rows.

In case that there is additional information in the Exchange Online spam mail log file, the PowerShell “loop command” asks for Exchange Online to create a “NEW page,” that will contain the next 5,000 results and so on and so forth.

This loop process will run until we get all the available information that is stored in the Exchange Online spam mail log file.

In the following section, we can see an example of such a solution. The PowerShell script will perform the following sequence of actions:

Define the date range as a date range of 30 days (30 days going backward from the current date).

Automatically create in drive C: NEW folder structure, that will serve as a container for the information that will be exported.

The “data” that is collected from the PowerShell “loop process” that fetches all the available information from Exchange Online spam log file, will be saved in a variable named – $SpamMailLogFileContent.

The content of the variable named – $SpamMailLogFileContent will be exported to a CSV file.

Export all information from Exchange Online spam log file | Last 30 days

$EndDate = Get-Date $StartDate = $EndDate.Adddays(-30) # Define the Date format variable $Datef = Get-Date -Format "\Da\te dd-MM-yyyy \Ti\me H-mm" # Define variables that contain the folder names $A20 = "C:\INFO\Spam mail Reports" $A21 = "$A20\ALL Spam mail events - Last 30 days - $Datef" # C:\INFO\Spam mail Reports IF (!(Test-Path -path $A20)) New-Item $A20 -type directory # ALL Spam mail events - Last 30 days - <Date> IF (!(Test-Path -path $A21)) Out-Null # Define the variable for the exported Filename $File1 = "Full spam mail report – All information – last 30 Days" # Using PowerShell command that will verify that ALL the available information will be exported. # Get the complete content of the Exchange Online spam mail Log file (all existing spam mail events in the last 30 days) $SpamMailLogFileContent = for($c=1;$c -lt 1001; $c++) if((Get-MailDetailSpamReport -StartDate $StartDate -EndDate $EndDate -PageSize 5000 -Page $c).count -gt 0) Get-MailDetailSpamReport -StartDate $StartDate -EndDate $EndDate -PageSize 5000 -Page $c else break; # Define a variable that store the content of the Exchange Online spam log file $ExportSpamLog = $SpamMailLogFileContent | Sort-Object -Property Date -descending # Export information to the CSV file $ExportSpamLog | Export-CSV $A21\"$File1.CSV" –NoTypeInformation -Encoding utf8

Count Sent and Received Spam emails | Spam mail report.

In this section, I would like to demonstrate how to use the Get-MailDetailSpamReport PowerShell cmdlet, for generating a specific type of spam mail report, which will count the number of specific spam mail events versus the standard output of the Get-MailDetailSpamReport PowerShell cmdlet that display information about a specific spam mail event (the details about the specific spam mail event).

By default, the Get-MailDetailSpamReport PowerShell cmdlet doesn’t “know” how to count spam mail events. In the current section, we will demonstrate how to use PowerShell script that will “add” this required capacity.

The goal we seek to achieve is, to count the following types of spam mail events:

Sum (count) the amount of spam mail that was Received (sent to) specific entity.

Sum (count) the amount of spam mail that was sent from (Sent by) a specific entity.

In our scenario, the term “entity” is translated to – “E-mail address.” The “E-mail address identity,” could be the E-mail address of the external recipient (non-organization recipient) or the E-mail address of recipient organization.

Export Spam Mail Summary | Count (sum) all received Spam emails | All E-mail Addresses

In this section, we review how to use PowerShell script, which will generate a spam mail “summary report”, that count all the spam emails that were Sent to (Received by) each E-mail address that appears in the Exchange Online spam log file.

The goal we seek to achieve is, to count the following type of spam mail events:

Sum (count) the amount of spam mail that was Received by (sent to) specific entity.

Before we begin with the description of the PowerShell script that includes many different parts, I would like to present the basic PowerShell command structure that we use for counting the number of spam mail event that received (sent to) a specific E-mail address.

The basic PowerShell command syntax

Before we provide the “complex” PowerShell syntax, let’s view the basic PowerShell syntax structure that we need to use in this scenario:

$ReceiveEvents = Get-MailDetailSpamReport -RecipientAddress <E-mail address> -StartDate <StartDate> -EndDate <EndDate> $ReceiveEventsCount = @($ReceiveEvents).count write-host "The Number of Received spam emails is: $ReceiveEventsCount"

In this scenario, the PowerShell script that will implement the following sequence of tasks:

Task 1 – Get information from Exchange Online spam mail log file about all the spam mail events, which occurred in the last 30 days.

The content of the spam log file is fetched by the PowerShell command that we revive in the section XXX.

We use the variable – $SpamMailLogFileContent as a logical container, that will store the content of the spam log file.

Task 2 – Create a list of all E-mail addresses that appear in the Exchange Online spam mail log file.

The list of all E-mail addresses from the Exchange Online spam log file that appears “under” the column – “spam mail Receiver,” is created by using the following PowerShell command:

$ALLSpamMailRecipients = $SpamMailLogFileContent | Group-Object -Property RecipientAddress | Sort-Object name -descending | Select-Object name,count

We use the variable – $ALLSpamMailRecipients as a logical container, that will store the list of the E-mail addresses.

Task 3 – Create a folder hierarchy which will store the exported spam mail summary report.

Task 4 – Run a loop process, which will take the “first E-mail address” on the list, and count all the spam mail events that relate to this E-mail address. Then the loop process will “move on” to the next E-mail address in the list until he reaches the last E-mail address in the list.

The information about each E-mail address and the “sum” of receiving spam events will be written to the PowerShell console and in parallel exported to a report file.

The output from the loop process takes place in a dedicated space which describes as – a hash array.

In our scenario the hash array named – $Results = @()

The loop process in which we query the spam log file for each E-mail address, is implemented by the following PowerShell command:

$ReceiveEvents = Get-MailDetailSpamReport -RecipientAddress $ID1 -StartDate $StartDate -EndDate $EndDate

We use the variable – $ReceiveEvents as a logical container, that will store the information about all spam mail events that are related to the specified E-mail address (represented as $ID1)

Counting the spam mail events

Given that we have the list of spam mail events that are related to the specific E-mail address (specific receiver), we can use PowerShell formal, that we count the number of the existing spam mail events.

The counting process, is implemented by the following PowerShell command:

$ReceiveEventsCount = @($ReceiveEvents).count

We use the variable – $ReceiveEventsCount as a logical container, that will store the “counting results” for the specific E-mail address.

Task 5 – Write the information that was saved in the hash array to – CSV file. The PowerShell command that we use for exporting spam mail report to CSV file is:

$ResultsExport | Export-CSV $A22\"$File1.CSV" –NoTypeInformation -Encoding utf8

We use the variable – $ResultsExport as a logical container, that store all the result from that was gathered during the loop process. The meaning is – each E-mail address of “spam mail receiver” and the sum of the spam emails (spam events) that was sent to the specific E-mail address.

The PowerShell script Count (sum) all received Spam emails

Export Spam Mail Summary | Count (sum) all Sent Spam emails | All E-mail Addresses

The current scenario is similar to the former scenario which we review in the former section.

The main variance from the former scenario is that now, our main focus is about the entities that send spam mail.

The goal we seek to achieve is, to count the following type of spam mail events:

Sum (count) the number of spam mail that was sent from (Sent by) a specific entity.

The basic PowerShell command syntax

The basic PowerShell syntax structure that we need to use in this scenario is:

$ReceiveEvents = Get-MailDetailSpamReport -SenderAddress <E-mail address> - $SENTEventsCount = @($SENTEvents).count write-host "The Number of Sent spam emails is: $SENTEventsCount"

The PowerShell script – Count (sum) all Sent Spam emails

# Define variables for a start date, and End date $EndDate = Get-Date $StartDate = $EndDate.Adddays(-30) # Define variables that contain the folder names $A20 = "C:\INFO\Spam mail Reports" $A21 = "$A20\Summary Spam Report" $A22 = "$A21\2. Count SENT spam mail report – Each Unique E-mail Address" # Create folders Structure that contains the exported information # C:\INFO\Spam mail Reports IF (!(Test-Path -path $A20)) New-Item $A20 -type directory # Summary Spam Report IF (!(Test-Path -path $A21)) Out-Null # 2. Count SENT + RECEIVED spam mail report – each Unique E-mail Address - <Date> IF (!(Test-Path -path $A22)) Out-Null # Get the complete content of the Exchange Online spam mail Log file (all existing spam mail events in the last 30 days) $SpamMailLogFileContent = for($c=1;$c -lt 1001; $c++) if((Get-MailDetailSpamReport -StartDate $StartDate -EndDate $EndDate -PageSize 5000 -Page $c).count -gt 0) Get-MailDetailSpamReport -StartDate $StartDate -EndDate $EndDate -PageSize 5000 -Page $c else break; # Create a list of unique E-mail addresses that appear in the spam mail report | Spam Mail Sender (E-mail address that sent spam mail) $ALLSpamMailSenders = $SpamMailLogFileContent | Group-Object -Property SenderAddress | Sort-Object name -descending | Select-Object name,count # Define an array (hash) that will store information about spam mail events that fetched from the mail spam mail report $Results = @() ForEach ($SpamEvent in $ALLSpamMailSenders) # Specific Unique identity (E-mail address) $ID1 = $SpamEvent.name # Display progress bar information on the PowerShell console Write-Progress -Activity "Export to Log Files – SPAM mail Report for $ID1 E-mail address - last 30 days" # Define a variable that store ALL spam mail events of emails that where SENT by specified recipient $SENTEvents = Get-MailDetailSpamReport -SenderAddress $ID1 -StartDate $StartDate -EndDate $EndDate # Count the number of - Spam emails that was sent by (Sent from) a specific E-mail Address $SENTEventsCount = @($SENTEvents).count write-host -ForegroundColor white ---------------------------------------------------------------------------- write-host -ForegroundColor white "Spam mail information about - Exchange Online User " -NoNewline;Write-Host $ID1 -ForegroundColor white -BackgroundColor DarkGreen write-host -ForegroundColor white "(The last 30 days)" write-host write-host -ForegroundColor white "* Number of SENT spam emails is: " -NoNewline;Write-Host $SENTEventsCount -ForegroundColor white -BackgroundColor Darkred write-host -ForegroundColor white ---------------------------------------------------------------------------- # Define that array of -properties, that appears in the spam mail report $Properties = @ "E-mail address" = $ID1 "Spam mail SENT" = $SENTEventsCount # Define a variable that store the information about each identity $Results += New-Object psobject -Property $properties $ResultsExport = $Results # Define the variable for the exported Filename $File1 = "SENT Spam emails per unique E-mail Address" # Export information about - Sent SPAM mail Report $ResultsExport | Export-CSV $A22\"$File1.CSV" –NoTypeInformation -Encoding utf8

Generate Dedicated Spam Mail Reports For Each Exchange mailbox user (Bulk mode)

In this section, we use a method that will generate a “dedicated spam mail report” for each Exchange Online User E-mail address, that appears in the Exchange Online spam mail log file.

I use the term “dedicated,” for describing the process in which the PowerShell will automatically create a dedicated folder for each Exchange Online User E-mail address. This folder will serve as a container that stores the “dedicated spam mail report” that includes information about – all the spam mail events that are related to the specified E-mail address.

We will review two variations of this scenario.

Scenario 1 – in this scenario, we create a dedicated spam mail report for each Exchange Online User E-mail address, which appears as an E-mail address that “RECEIVE” spam mail. In this case, our purpose is to analyze spam mail events in which hostile element attacks our organization recipients.

Scenario 2 – in this scenario, we create a dedicated spam mail report for each Exchange Online User E-mail address, which appears as – E-mail address that “SEND” spam mail. In this case, our purpose is to analyze spam mail events, in which one of our organization users is distributing (Intentionally or unintentionally) spam mail.

Export dedicated Spam Mail events Report | RECEIVED Spam Mail | For Each Exchange mailbox user recipient

In the current scenario, we would like to get a detailed information about spam mail events, in which we organotin users are being attacked by the hostile element that sends them spam mail.

The PowerShell script that will implement the following sequence of tasks:

Task 1 – Get information from Exchange Online spam mail log file about all the spam mail events, which occurred in the last 30 days.

Task 2 – Create a list of all E-mail addresses of Exchange Online recipients who describe as “Exchange Online users” (user with a mailbox).

The “list” of the Exchange Online user recipient will be created by using the following PowerShell command:

$GetMBXUser = Get-MailBox -Filter '(RecipientTypeDetails -eq "UserMailbox")' | Where-Object $_.name -notlike '*DiscoverySearchMailbox*' | Sort-Object -Property Displayname

We use the variable $GetMBXUser as a logical container, that will store the list of Exchange Online Users E-mail addresses.

Task 3 – Scan the information that was fetched from the Exchange Online spam log file, and perform a loop process.

The PowerShell script will take the “first E-mail address” in the list, and check if there is any information in the spam log about – spam mail events in which spam mail was sent to the specific E-mail address.

In case that there is no information that related to the specific E-mail address, the PowerShell script will continue to implement the same process for the “next E-mail address” in the list.

In case that the PowerShell script finds information about spam emails that was sent to the specific E-mail address, the PowerShell script will perform the following actions:

3.1 – Create a dedicated folder, and name the folder using the Display name of the Exchange Online user recipient.

3.2 – Generate spam event log that includes all the spam mail events in which spam mail was sent to the specified E-mail address (described as Received spam).

The PowerShell script – Export Dedicated Spam Mail events Report | RECEIVED Spam Mail

# Define variables for a start date and End date $EndDate = Get-Date $StartDate = $EndDate.Adddays(-30) # All Exchange Online USER Mailboxes $GetMBXUser = Get-MailBox -Filter '(RecipientTypeDetails -eq "UserMailbox")' | Where-Object $_.name -notlike '*DiscoverySearchMailbox*' | Sort-Object -Property Displayname # Define variables that contain the folder names $A30 = "$A10\C. Dedicated Spam Mail Report For Each E-mail Address" $A31 = "$A30\1. Exchange Online users" $A32 = "$A31\1.1 - RECEIVED Spam mail report" # Create folders Structure that contains the exported information # C:\INFO\Spam mail Reports # C. Dedicated Spam Mail Report For Each E-mail Address IF (!(Test-Path -path $A30)) New-Item $A30 -type directory # 1. Exchange Online users IF (!(Test-Path -path $A31)) New-Item $A31 -type directory # 1.1 - RECEIVED Spam mail report IF (!(Test-Path -path $A32)) Out-Null # Loop via the list of existing Exchange Online mailbox users | locate information about the spam mail event for each E-mail address ForEach ($Mailbox in $GetMBXUser) Specific member from mailboxes Array $ID1 = $Mailbox.Displayname $ID2 = $Mailbox.PrimarySmtpAddress # Define variable - Spam report for a specified Exchange Online user # Define a variable that store all spam mail event of E-mail that sent to the specified recipient $ReceiveEvents = Get-MailDetailSpamReport -RecipientAddress $ID2 -StartDate $StartDate -EndDate $EndDate # Count the number of - all spam mail event of E-mail that sent to the specified recipient $ReceiveEventsCount = @($ReceiveEvents).count # Verify if the specified Exchange Online user RECEIVE any spam mail IF (!$ReceiveEventsCount) Else # Define variables that contain the folders name for the dedicated Exchange Online user spam report folder $A40 = "$A32\$ID1" # Dynamically create a dedicated folder that will store spam mail report # <User name> IF (!(Test-Path -path $A40)) Out-Null # Define the variable for the exported Filename $File1 = "Spam emails RECEIVED" # Export information about - Received Spam emails by specific Exchange Online recipient $ReceiveEvents

Export Spam events Mail Report | SENT Spam Mail | For Each Exchange mailbox user recipient

The current scenario, is similar to the former scenario which we review in the former section.

The main variance from the former scenario is that now, our main focus is about the “entities” that send spam mail.

In this case, we want to create a dedicated spam mail report for each Exchange Online User E-mail address, that appears in the Exchange Online spam log file as – E-mail address that sends spam mail.

The PowerShell script – Export Dedicated Spam Mail events Report | SENT Spam Mail

Export Spam Mail Summary | Count (sum) Sent Spam emails | All E-mail Addresses | only if sent item value is Greater than X

In the current scenario, we would like to count spam mail events of “spam mail senders” (spam mail that was sent from a specific E-mail address).

The difference from the former scenarios in which we count the spam mail that was sent by a specific E-mail address is that this time we want to view information only when the number of the sent spam mail items passes a certain threshold.

In our specific example, we define the number “10” as the threshold.

The basic PowerShell command syntax

The basic PowerShell syntax structure that we need to use in this scenario is:

$ReceiveEvents = Get-MailDetailSpamReport -SenderAddress <E-mail address> - $SENTEvents = Get-MailDetailSpamReport -SenderAddress [email protected] -StartDate $StartDate -EndDate $EndDate $SENTEventsCount = @($SENTEvents).count IF ($SENTEventsCount -lt 10) write-host "The Number of Sent spam emails is: $SENTEventsCount" write-host “This is less than required number 🙁 “ Else write-host "The Number of Sent spam emails is: $SENTEventsCount" write-host “This is a dangerous sender !!!!”

xxx

# Define variables for start date and End date $EndDate = Get-Date $StartDate = $EndDate.Adddays(-30) $ThresHold = Read-Host "Type the Number of threshold " $A20 = "C:\INFO\Spam mail Reports - $Datef" $A21 = "$A20\C. E-mail addreses that Pass a certain spam mail threshold" $A22 = "$A21\1.1 RECEIVED spam mail - ThresHold" $A23 = "$A21\1.2 SENT spam mail - ThresHold" # Create folders Structure that contains the exported information to TXT, CSV and HTML files #--------------------------------------------------------------------------------------------------- # C:\INFO\Spam mail Reports - <Date> IF (!(Test-Path -path $A20)) New-Item $A20 -type directory # C. E-mail addresses that Pass a certain spam mail threshold IF (!(Test-Path -path $A21)) Out-Null # 1.1 RECEIVED spam mail - ThresHold IF (!(Test-Path -path $A22)) Out-Null # 1.2 SENT spam mail - ThresHold IF (!(Test-Path -path $A23)) New-Item $A23 -type directory $SpamMailLogFileContent = for($c=1;$c -lt 1001; $c++) if((Get-MailDetailSpamReport -StartDate $global:StartDate -EndDate $global:EndDate -PageSize 5000 -Page $c).count -gt 0) Get-MailDetailSpamReport -StartDate $global:StartDate -EndDate $global:EndDate -PageSize 5000 -Page $c else break; # Define variables that will store the list of Exchange Online users (mailbox users) + all E-mail addresses that appear in the spam mail log file # Create a list of unique E-mail address that appear in the spam mail report | Spam Mail Sender (E-mail address that sent spam mail) $ALLSpamMailSenders = $SpamMailLogFileContent | Group-Object -Property SenderAddress | Sort-Object name -descending | Select-Object name,count # Define an array (hash) that will store information about spam mail events that fetched from the mail spam mail report $Results = @() # Loop via the list of All existing E-mail addresses | locate information about spam mail event for each E-mail address ForEach ($SpamEvent in $ALLSpamMailSenders) Export-CSV $A23\"$File1.CSV" –NoTypeInformation -Encoding utf8

Export SPAM mail reports – Office 365

Download4 Downloads

The next article in the current article series

How to use the spam mail report PowerShell script | Part 3#3

Now it’s Your Turn! It is important for us to know your opinion on this article

Manage Distribution Groups by using PowerShell | O...

Full Access Mailbox permission – Everything You Al...

Outlook Autodiscover decision process | Choosing t...

Manage Litigation Hold by using PowerShell | Offic...

Solving an Exchange Online mailbox restore mistake...

#Spam mail report

0 notes

o365info-blog · 8 years ago

Text

New Post has been published on o365info.com

New Post has been published on http://o365info.com/office-365-spam-mail-report-using-powershell-introduction-1-3/

Office 365 spam mail report using PowerShell | Introduction | 1#3

The current article is the first article in a three-article series. The Purpose of this article series is to Show you a relatively new PowerShell cmdlet named – Get-MailDetailSpamReport, that was created for Exchange Online and Office 365 administrator that need to view and export information stored in Exchange Online spam mail log file.

Article series | Using Get-MailDetailSpamReport | View and export spam mail report

Office 365 spam mail report using PowerShell | Introduction | 1#3

Using Get-MailDetailSpamReport PowerShell cmdlet | View and export spam mail report | Part 2#3

How to use the spam mail report PowerShell script | Part 3#3

The syntax of the Get-MailDetailSpamReport PowerShell cmdlet is quite simple. In the next article, we review some basic example syntax example of the Get-MailDetailSpamReport PowerShell cmdlet and in addition we also review more advanced PowerShell syntax that will help us to “squeeze more juice” from the Get-MailDetailSpamReport PowerShell cmdlet

The real challenges of – using the Office 365 spam mail report

Associatively the task of reading spam mail reports looks like and easy and simple task for the average Exchange Online administrator.

My arguments are that:

Although the term “spam mail” like quite an obvious term, in Office 365 and Exchange Online based environment this term is not so obvious because the term “spam mail” can relate to many different types of “problematic emails” (Spoofing or Phishing mail, bulk mail and more).

Analyzing the data in the spam mail report

Given that we manage to get the Office 365 spam mail report via the web admin interface or by using PowerShell command. The real question is – what do we do with this information?

And again, although it looks like a simple task, in reality, the conclusions we can draw the “raw data” are not so clear.

The little secret that is not known for most of us is that the “data” in the spam mail report can be very interesting and useful data that can help is to identify security risks that are “hidden” in the “spam mail report data”.

For example, by viewing the information in the spam mail report we can Identify in advance and prevent “events such as –

Identify event in which hostile element try to spoof the E-mail address of our legitimate organization user\s.

Identify event in which an organization user account was comprised and it used by hostile element for distributing spam mail.

Identify event in which a legitimate granitization user is implemented Improper use of mail and for this reason his mail stamped as “spam mail”.

General review of- “spam mail” concepts in Office 365 (Exchange Online) environment

Before we begin with the technical description of the – how to use the Get-MailDetailSpamReport PowerShell cmdlet,” it is important that we get familiar with the basic concept of the term: “spam mail” in “Microsoft based environment” and especially, in Office 365 (Exchange Online) based environment.

Spam mail and SCL score

The basic technical definition of the term – “spam mail” in the Exchange Online environment is mail item, which his SCL score is a value between 2 and 9.

This leads us to the next question – what is SCL?

The term SCL stands for – Spam Confidence Level. SCL is a method, which is used in an Exchange server environment to define the “trust level” of specific mail items. An SCL value of “-1,” defines a mail item that is fully trusted. The higher the SCL score\value, the meaning is that the specific mail item is – less trusted. In other words, the higher the SCL score\value, it is more likely to assume that the E-mail message is defiantly “bad mail” (spam mail).

What is the meaning of “spam mail”?

The term “spam mail” is quite vague because, in real life, the meaning of this term can be realities to – spam mail (as the name imply) but at the same time, to another type of “problematic mail” such as – spoof mail, Phishing mail, Bulk mail and more.

Bottom line – in Exchange Online and Office 365 environment, we should understand that spam mail can be related to many types of “unwanted” mail items.

Spam mail | The Sender versus the Receiver

Another classification of “spam mail” that we should know is the definition of “Sender” versus the “Receiver” of the spam mail.

Spam mail Sender – this is the entity that is responsible for “distributing” the spam mail.

Spam mail Receiver – this is the entity that “suffer” from the spam mail.

Apparently, the definition of “spam mail sender“ versus “spam mail Receiver,” look quite obvious. But in reality, things can get a little complicated because this classification of “bad guy” versus “good guy” is not always so clear.

For example, the “spam mail sender“ can be a “bad guy” (external user), that bothersome our organization users (Exchange recipients) but at the same time, the “spam mail sender,” can be a legitimate organization recipient.

The same logic can be implemented regarding the “entity” that gets (receive) the spam mail. It is true that most of the times, the recipients who get the spam mail are, our organization recipients, but in some scenario in which – organization user is sending spam mail, the recipient who “suffer” from the spam mail could be external recipients (non-organization recipients).

“Information” about spam mail events versus, what happened to spam mail

In this part, I would like to emphasize the difference between the concept of the “information about spam mail events” versus, what the mail infrastructure (Exchange Online in our scenario) is “doing” with the spam mail.

Each mail that is sent or received by EOP (Exchange Online Protection), and “stamped” as spam mail, will appear on the spam mail report. In other words, the documentation of the “spam mail events” is written to Log file.

The “action” taken on mail that is identified as – “spam mail,” is implemented by a different mechanism, such as – the Exchange Online spam policy filter or Exchange Online Transport rules.

In other words, the information that appears in the spam mail report doesn’t include information about “what happened” to the spam mail. Instead, the information in the spam mail log, include a documentation about “spam mail event” meaning, an event in which a specific E-mail message is “stamped” as a spam mail.

What is our mail focus when analyzing the spam mail report?

Assuming that we already get the “spam mail report.” The questions that can appear now are:

Q1: What can I do with this information? Q2: Can I benefit from the information that appears in the spam mail report? Q3: Should I need to generate different spam mail reports, that emphasizes different spam mail events aspects? Q4: What should be my mail focus – the sender of the spam mail, the receiver of the spam mail? Q5: Should I look for specific events that relate to my organization recipient or should I put my main focus on “external entities” that try to attack my organization users?

The answer is, that there is no one “right answer.” Our main challenge is to take the “dry data,” and see what’s hiding behind is the “boring numbers.”

When I wrote the current spam mail reports PowerShell script, my aim was to simplify the process. The PowerShell script will give you the option to export spam mail reports, that “light” different aspects of the event that we should observe, and analyze for the purpose “reacting” with the needed security and administrative steps.

Spam mail Report usage

In the following section, I would like to give you a couple of examples of “security event’s scenarios,” that we can “fetch,” by looking over the data stored in the spam mail reports.

Spam mail sender

When we decide to focus on the “spam mail sender,” in some scenario, we can identify events in which the “spam sender” entity, appears to be the entity of a legitimate organization user (an E-mail address of organization user or E-mail address that has our domain name suffix).

Despite the underlying premise that our organization users are the “good guys,” in reality, we can reveal scenarios, in which one of our organization recipients (deliberately or on purpose), is involved in sending mail that is recognized as “spam mail” (in the Exchange Online environment these phenomena described as – internal spam).

Another possible explanation to such a scenario could be – a scenario in which the organization user account was comprised, and now it is used by hostile elements for distributing spam mail.

An additional optional scenario could be, a hostile element that tries to “present himself” as a legitimate organization user, by spoofing the E-mail address (the identity) of a specific organization user.

Spam mail Receiver

When we decide to focus on the element that “gets the spam mail” (most of the time our organization users), we should look at the “spam mail report data,” and try to understand if we can locate specific “trends” hidden within the row data.

For example, locate a trend in which specific “attacker” (specific E-mail address or specific E-mail address with a specific domain name suffix), is trying to attack our organization users. In other words, is there a specific Identifiable “element” that targets our users?

Another scenario could be a hostile element that uses many types of E-mail addresses, but when we take a closer look at the data, we can see that he tries to attack specific organization users (such as scenarios of – spear phishing).

Spam mail “Originator” (sender)

In this section, I would like to view in more details the subject of “spam mail sender.”

As mentioned, the term “spam mail sender” is associatively associated with “bad guy” that plotting evil, and trying to hurt our Innocent organization user but the reality is more complex.

Spam mail sender | External entity

The “spam mail sender” can be indeed, “external entity” that uses non-organization identity meaning – external E-mail address.

At the same time, this “external entity” could try to appear as a – legitimate organization user, by using the identity of a specific existing organization user (existing organization E-mail address) or by using an E-mail address that includes our organization domain name (our organization domain name suffix).

Notice that the “spam mail report” can not help you to identify “spoofed E-mail address,” but only “point” on a specific event\s, in which a specific organizational identity (organization E-mail address) is involved in spam mail activity.

When we identify such as scenario, in which a specific external recipient is involved in sending a lot of spam emails to our organization users, we should review the information and try to answer such as:

What is the average amount of spam mail that the specific sender “generate”?

Is the spam mail addressed to a specific user\s?

Spam mail sender | Legitimate organization user

In this scenario, the “spam mail originator,” is indeed legitimate organization user.

There could be many reasons for such a scenario. For example: Scenario 1 – Bulk mail Organization user who sends E-mail to hundreds or thousands of recipients, and “stamped” by EOP as “bulk mail” (translated into an email message that has an SCL value of 2-9).

Scenario 2 – compromised E-mail client.

A scenario in which malware is using existing mail client such as – Outlook, for distributing spam mail.

Scenario 3 – compromised Office 365 user account.

A scenario in which hostile element, manage to get the credentials of a legitimate Office 365 user, and use these credentials for sending spam mail.

In a scenario in which the spam mail sender appears as one of our organization users, the questions that we can ask could be:

Is the user aware of the fact that his E-mail classified as “spam mail”?

Does the user know and confirm the email address of the target recipients?

Does the mail that the organizational user sends have certain characteristics?

Export SPAM mail reports – Office 365

Download5 Downloads

The next article in the current article series

Using Get-MailDetailSpamReport PowerShell cmdlet | View and export spam mail report | Part 2#3

Now it’s Your Turn! It is important for us to know your opinion on this article

Client protocol connectivity flow in Exchange 2013...

Setting up an Automatic Reply in Office 365 using ...

Autodiscover and Outlook client protocol connectiv...

Autodiscover flow in an Exchange Hybrid environmen...

Exchange clients and their Public facing Exchange ...

#Spam mail report

0 notes

o365info-blog · 8 years ago

Text

New Post has been published on o365info.com

New Post has been published on http://o365info.com/managing-focused-inbox-office-365-using-powershell/

Managing Focused Inbox in Office 365 using PowerShell

In the current article, we review how to manage the option of – Focused Inbox in Office 365 by using PowerShell.

Generally speaking, we can enable or disable the option Focused Inbox in “organization level” by using the PowerShell cmdlet – Get-OrganizationConfig or by managing single Exchange mailbox” by using the PowerShell cmdlet – Set-FocusedInbox

What is the purpose of the Focused Inbox feature?

Focused Inbox—focus on the emails that matter most

For many, the inbox is the command center for their day. It’s the way to keep track of what is going on and what needs to get done. Outlook’s Focused Inbox makes this process easier by helping you focus on the emails that matter most to you. It separates your inbox into two tabs—Focused and Other. Emails that matter most to you are in the Focused tab, while the rest remain easily accessible—but out of the way in the Other tab. You’ll be informed about email flowing to “Other”, and you can switch between tabs at any time to take a quick look.

For more about what makes Focused Inbox great, see Outlook helps you focus on what matters to you.

[Source of information – Managing Focused Inbox in Office 365 and Outlook]

Transition from Clutter to Focused Inbox in Office 365

Users can keep using the existing Clutter experience through the transition. However, after the transition period, Clutter will be completely replaced by Focused Inbox.

In the meantime, if a Clutter user chooses to opt-in to using Focused Inbox they will no longer receive less important email in the “Clutter” folder.

Instead, email will be split between the Focused and Other tabs in their inbox. Tenant admins will be proactively notified before Clutter is fully replaced.

[Source of information – Managing Focused Inbox in Office 365 and Outlook]

Enable “Focused Inbox” option

Enable Focused Inbox option | Organization level

When using the PowerShell cmdlet – Set-OrganizationConfig, the option of Focused Inbox will be applied (activated) for all existing Exchange mailboxes + to all NEW Exchange mailboxes that will be created in the Future.

In case that we want to Disable the option of Focused Inbox for a specific Exchange mailbox, we can use the PowerShell cmdlet – Set-FocusedInbox

PowerShell command Example

Set-OrganizationConfig -FocusedInboxOn $True

Enable Focused Inbox | Single Mailbox

PowerShell command syntax

Set-FocusedInbox -Identity <Mailbox> -FocusedInboxOn $True

PowerShell command Example

Set-FocusedInbox -Identity Bob -FocusedInboxOn $True

Enable Focused Inbox | All Exchange USER Mailboxes (Bulk)

PowerShell command Example

Get-MailBox -Filter '(RecipientTypeDetails -eq "UserMailbox")' | Set-FocusedInbox -FocusedInboxOn $True

Disable “Focused Inbox” option

Disable Focused Inbox | Organization level

In case that we want to Enable the option of Focused Inbox for a specific Exchange mailbox, we can use the PowerShell cmdlet – Set-FocusedInbox

PowerShell command Example

Set-OrganizationConfig -FocusedInboxOn $False

Disable Focused Inbox | Single Mailbox

PowerShell command syntax

Set-FocusedInbox -Identity <Mailbox> -FocusedInboxOn $False

PowerShell command Example

Set-FocusedInbox -Identity Bob -FocusedInboxOn $False

Disable Focused Inbox | All Exchange USER Mailboxes (Bulk)

PowerShell command Example

Get-MailBox -Filter '(RecipientTypeDetails -eq "UserMailbox")' | Set-FocusedInbox -FocusedInboxOn $False

Export + View (Display) “Focused Inbox” settings ” option

View Focused Inbox settings | Organization level

PowerShell command Example

Get-OrganizationConfig | Select *FocusedInbox*

View Focused Inbox settings | Single Mailbox

PowerShell command syntax

Get-FocusedInbox -Identity <Mailbox>

PowerShell command Example

Get-FocusedInbox -Identity Bob |Select MailboxIdentity, FocusedInboxOn ,FocusedInboxOnLastUpdateTime

View (Display) information about All Exchange user mailboxes Focused Inbox (Enabled or Disabled)

PowerShell command Example

Get-MailBox -Filter '(RecipientTypeDetails -eq "UserMailbox")' | Get-FocusedInbox | Select MailboxIdentity, FocusedInboxOn ,FocusedInboxOnLastUpdateTime

View (Display) information about All Exchange user mailboxes that their Focused Inbox option is Enabled

PowerShell command Example

Get-Mailbox | Where $_.RecipientTypeDetails -eq 'UserMailbox'| Get-FocusedInbox | Where $_.FocusedInboxOn -eq ‘$True�� | Select MailboxIdentity, FocusedInboxOn ,FocusedInboxOnLastUpdateTime

View (Display) information about All Exchange user mailboxes that their Focused Inbox option is Disabled

PowerShell command Example

Get-Mailbox | Where $_.RecipientTypeDetails -eq 'UserMailbox'| Get-FocusedInbox | Where $_.FocusedInboxOn -eq $False | Select MailboxIdentity, FocusedInboxOn ,FocusedInboxOnLastUpdateTime

Export information about All Exchange user mailboxes Focused Inbox (Enabled or Disabled)

PowerShell command Example

Get-MailBox -Filter '(RecipientTypeDetails -eq "UserMailbox")' | Get-FocusedInbox | Select MailboxIdentity, FocusedInboxOn ,FocusedInboxOnLastUpdateTime | Export-CSVc:\temp\"All Exchange user mailboxes that their Focused Inbox option is Enabled.CSV" –NoTypeInformation -Encoding utf8

For your convenience, I have “Wrapped” all the PowerShell commands that were reviewed in the article, in a “Menu Based” PowerShell Script. You are welcome to download the PowerShell script and use it.

Managing Focused Inbox in Office 365 using PowerShell

Download Now!2 Downloads

In case you want to get more detailed information about how to use the o365info menu PowerShell script, you can read the following article

Additional reading

PowerShell

Get-FocusedInbox

Set-FocusedInbox

Set-OrganizationConfig

General information

How the Focused Inbox Replaces Clutter Inside Office 365

Managing Focused Inbox in Office 365 and Outlook

Focused Inbox for Outlook

Enable or Disable Focused Inbox Outlook \OWA

Focused Inbox for Outlook

Turn off Focused Inbox

How to Turn On/Off Focused Inbox feature in Outlook

Enable or Disable Focused Inbox Using Exchange Online transport rule

Configure Focused Inbox for everyone in your organization

Video links – Focused Inbox

Outlook helps you focus on what matters to you

Focused Inbox for Outlook

Getting started with Office 365 PowerShell

PowerShell Naming Conventions & general information Get more information about the Naming Conventions that are used in the PowerShell articles – Help and additional information – o365info.com PowerShell articles

Creating a remote PowerShell session to Exchange Online To get more information about the required remote PowerShell commands that you need to use for connecting to Exchange Online, read the following article: Connect to Exchange Online by using Remote PowerShell

Creating a remote PowerShell session to Azure Active Directory To get more information about the required software component + the remote PowerShell commands that you need to use for connecting Azure Active Directory, read the following article: Part 2: Connect to Office 365 by using Remote PowerShell

Basic introduction to PowerShell in Office 365 based environment If you are new in the PowerShell world, you can read more information about how to start working with PowerShell in Office 365 based environment in the following article series: Getting started with Office 365 PowerShell – Part 1, Part 2, Part 3.

Running and using o365info PowerShell scripts In case that you need more information about how to use the o365info PowerShell scripts that I add to the PowerShell articles, you can read the article – How to run and use o365info PowerShell menu script

Now it’s Your Turn! It is important for us to know your opinion on this article

PowerShell command syntax – Office 365 | Article series index

Using Remote PowerShell to manage Office 365 | Par...

The importance of Exchange 2013 CAS in Exchange 20...

Configuring exceptions for the Exchange Online Spo...

Manage Distribution Group using PowerShell in Offi...

Using Remote PowerShell to manage Office 365 | Par...

#Focused Inbox

0 notes

o365info-blog · 8 years ago

Text

New Post has been published on o365info.com

New Post has been published on http://o365info.com/managing-focused-inbox-office-365-using-powershell/

Managing Focused Inbox in Office 365 using PowerShell

In the current article, we review how to manage the option of – Focused Inbox in Office 365 by using PowerShell.

What is the purpose of the Focused Inbox feature?

Focused Inbox—focus on the emails that matter most

For more about what makes Focused Inbox great, see Outlook helps you focus on what matters to you.

[Source of information – Managing Focused Inbox in Office 365 and Outlook]

Transition from Clutter to Focused Inbox in Office 365

Users can keep using the existing Clutter experience through the transition. However, after the transition period, Clutter will be completely replaced by Focused Inbox.

In the meantime, if a Clutter user chooses to opt-in to using Focused Inbox they will no longer receive less important email in the “Clutter” folder.

Instead, email will be split between the Focused and Other tabs in their inbox. Tenant admins will be proactively notified before Clutter is fully replaced.

[Source of information – Managing Focused Inbox in Office 365 and Outlook]

Enable “Focused Inbox” option

Enable Focused Inbox option | Organization level

In case that we want to Disable the option of Focused Inbox for a specific Exchange mailbox, we can use the PowerShell cmdlet – Set-FocusedInbox

PowerShell command Example

Set-OrganizationConfig -FocusedInboxOn $True

Enable Focused Inbox | Single Mailbox

PowerShell command syntax

Set-FocusedInbox -Identity <Mailbox> -FocusedInboxOn $True

PowerShell command Example

Set-FocusedInbox -Identity Bob -FocusedInboxOn $True

Enable Focused Inbox | All Exchange USER Mailboxes (Bulk)

PowerShell command Example

Get-MailBox -Filter '(RecipientTypeDetails -eq "UserMailbox")' | Set-FocusedInbox -FocusedInboxOn $True

Disable “Focused Inbox” option

Disable Focused Inbox | Organization level

In case that we want to Enable the option of Focused Inbox for a specific Exchange mailbox, we can use the PowerShell cmdlet – Set-FocusedInbox

PowerShell command Example

Set-OrganizationConfig -FocusedInboxOn $False

Disable Focused Inbox | Single Mailbox

PowerShell command syntax

Set-FocusedInbox -Identity <Mailbox> -FocusedInboxOn $False

PowerShell command Example

Set-FocusedInbox -Identity Bob -FocusedInboxOn $False

Disable Focused Inbox | All Exchange USER Mailboxes (Bulk)

PowerShell command Example

Get-MailBox -Filter '(RecipientTypeDetails -eq "UserMailbox")' | Set-FocusedInbox -FocusedInboxOn $False

Export + View (Display) “Focused Inbox” settings ” option

View Focused Inbox settings | Organization level

PowerShell command Example

Get-OrganizationConfig | Select *FocusedInbox*

View Focused Inbox settings | Single Mailbox

PowerShell command syntax

Get-FocusedInbox -Identity <Mailbox>

PowerShell command Example

Get-FocusedInbox -Identity Bob |Select MailboxIdentity, FocusedInboxOn ,FocusedInboxOnLastUpdateTime

View (Display) information about All Exchange user mailboxes Focused Inbox (Enabled or Disabled)

PowerShell command Example

Get-MailBox -Filter '(RecipientTypeDetails -eq "UserMailbox")' | Get-FocusedInbox | Select MailboxIdentity, FocusedInboxOn ,FocusedInboxOnLastUpdateTime

View (Display) information about All Exchange user mailboxes that their Focused Inbox option is Enabled

PowerShell command Example

Get-Mailbox | Where $_.RecipientTypeDetails -eq 'UserMailbox'| Get-FocusedInbox | Where $_.FocusedInboxOn -eq ‘$True’ | Select MailboxIdentity, FocusedInboxOn ,FocusedInboxOnLastUpdateTime

View (Display) information about All Exchange user mailboxes that their Focused Inbox option is Disabled

PowerShell command Example

Get-Mailbox | Where $_.RecipientTypeDetails -eq 'UserMailbox'| Get-FocusedInbox | Where $_.FocusedInboxOn -eq $False | Select MailboxIdentity, FocusedInboxOn ,FocusedInboxOnLastUpdateTime

Export information about All Exchange user mailboxes Focused Inbox (Enabled or Disabled)

PowerShell command Example

Managing Focused Inbox in Office 365 using PowerShell

Download Now!2 Downloads

In case you want to get more detailed information about how to use the o365info menu PowerShell script, you can read the following article

Additional reading

PowerShell

Get-FocusedInbox

Set-FocusedInbox

Set-OrganizationConfig

General information

How the Focused Inbox Replaces Clutter Inside Office 365

Managing Focused Inbox in Office 365 and Outlook

Focused Inbox for Outlook

Enable or Disable Focused Inbox Outlook \OWA

Focused Inbox for Outlook

Turn off Focused Inbox

How to Turn On/Off Focused Inbox feature in Outlook

Enable or Disable Focused Inbox Using Exchange Online transport rule

Configure Focused Inbox for everyone in your organization

Video links – Focused Inbox

Outlook helps you focus on what matters to you

Focused Inbox for Outlook

Getting started with Office 365 PowerShell

Now it’s Your Turn! It is important for us to know your opinion on this article

PowerShell command syntax – Office 365 | Article series index

Send E-mail to office 365 using PowerShell script ...

My E-mail appears as spam | The 7 major reasons | ...

Migrating Exchange on-Premises Mailboxes Separatel...

Configure your WordPress site to send E-mail via E...

Send mail to Exchange Online | Part 1#4

#Focused Inbox

0 notes

o365info-blog · 8 years ago

Text

New Post has been published on o365info.com

New Post has been published on http://o365info.com/search-and-delete-mail-items-from-multiple-exchange-mailboxes-bulk-using-the-search-mailbox-powershell-cmdlets-part-4-5/

Search and Delete mail items from Multiple Exchange mailboxes (Bulk) using the Search-Mailbox PowerShell cmdlets | Part 4#5

The current article serves as an introduction to the subject of Deleting mail items using the Search-Mailbox cmdlet. In this article, we review some various scenarios of using the Search-Mailbox cmdlet for deleting mail items from multiple Exchange mailboxes (Bulk Deletion).

Article Series table of content | Click to expand

Using the Search-Mailbox PowerShell command | Article Series

Using the Search-Mailbox PowerShell command – Introduction | Part 1#5

Using the Search-Mailbox PowerShell command | Perform a search + save a copy of search results | Part 2#5

Using the Search-Mailbox PowerShell command | Recover mail items from Recovery mail folder (the Dumpster) | Part 3#5

Search and Delete mail items from Multiple Exchange mailboxes (Bulk) using the Search-Mailbox PowerShell cmdlets | Part 4#5

Search and Delete mail items from the Exchange mailbox using the Search-Mailbox PowerShell cmdlets | Single mailbox | Part 5#5

PowerShell | Help & additional information

Running PowerShell commands in Office 365 based environment To be able to run the PowerShell commands specified in the current article, you will need to create a remote PowerShell with Azure Active Directory or Exchange Online. In case that you need help with the process of creating a Remote PowerShell session, you can use the links on the bottom of the Article.

In the next article – Search and Delete mail items from Exchange mailbox using the Search-Mailbox PowerShell cmdlets | single mailbox | Part 5#5, we review a various scenario of using Search-Mailbox cmdlet for deleting mail items from a single Exchange.

Disclaimer and warning

Before we begin and before to run the PowerShell commands that we review in this article, I must strongly emphasize that you should be careful with this use of the Search-Mailbox PowerShell cmdlet, because the cmdlets perform Hard Delete of mail items.

In other words, you should have a good reason for using this option, and I recommend that you get familiar with the PowerShell syntax, and understand the exact Search Query that you use, what happened to the deleted mail, what are the Exchange mailboxes are impacted and so on.

The scenario in which we need to use the Search-Mailbox cmdlet for deleting mail items

An example of scenarios in which Exchange administrator need to enroll the Search-Mailbox cmdlet for “mail items deletion” from a single Exchange mailbox or from Multiple Exchange mailboxes (Bulk deletion) could be:

1. Virus attacks

A scenario in which a virus attacks your organization recipient. You need that the Virus sent for a couple of Exchange recipient, but you don’t know who is this recipient.

In this case, we would like to use the Search-Mailbox cmdlet for performing a search in ALL Exchange mailboxes looking for the virus file name, and after we locate this mail item, delete the mail items from the user mailbox.

2. A sensitive E-mail message that was sent by mistake to multiple recipients.

A scenario in which Exchange recipient sent by mistake a “sensitive E-mail message” to the recipients who were not supposed to read the specific mail item.

And again, in this case, we would like to use the Search-Mailbox cmdlet for performing a search in ALL Exchange mailboxes and “remove” (delete) this mail item.

The “logic” of the Search-Mailbox cmdlet relating to “mail item deletion”

Given that we decide that we must use the Search-Mailbox cmdlet for deleting mail items, there are two main scenarios which we can choose from:

Option 1 – Delete mail items from the source mailbox without saving a copy of the Deleted mail items.

In this scenario, we wish to delete from the Source Mailbox the specific mail items (the mail items that answer our Search Query of Filter scope) without saving any copy of these deleted mail items.

In this case, we use the PowerShell command syntax without providing information about the Target Mailbox + The Target Folder.

An example of the PowerShell command syntax could be:

Search-Mailbox <Source Mailbox> -DeleteContent -Force

Option 2 – Delete mail items from Source mailbox + saving a copy of the Deleted mail items

In this scenario, we wish to delete from the Source Mailbox the specific mail items (the mail items that answer our Search Query of Filter scope) but save a copy of the Deleted mail items in a Target Mailbox (in a Target Folder)

In this case, we use the PowerShell command syntax + providing information about the Target Mailbox + The Target Folder.

An example of the PowerShell command syntax could be:

Search-Mailbox <Source Mailbox> -TargetMailbox <Target mailbox> -TargetFolder <Target Folder> -DeleteContent -Force

Option 3 – Perform a search – locate the mail items that we are going to delete from Source mailbox + Generate Report (Log)

In this scenario, we wish to generate a report (Log file) which includes details about the mail items that we are “going to delete but without performing any “action” beside of the generating the report.

To generate only report without performing any action, we use the PowerShell parameter – LogOnly

My recommendation is to consider using this option before we start with the actual deletion. In other words- better safer than sorry!

After we look at the information that appears in the report (Log) and after we “approve” to delete the specific mail items only then, go back and use one of the options mentioned above (delete the mail items without saving a copy or save a copy of the deleted mail items in the Target Mailbox).

In this case, we use the PowerShell command syntax + providing information about the Target Mailbox + The Target Folder that will “store” the report file.

An example of the PowerShell command syntax could be:

Search-Mailbox <Source Mailbox> -TargetMailbox <Target mailbox> -TargetFolder <Target Folder> -LogOnly

Scenario description

In the following example, I prefer to be on the safe side. For this reason, all the PowerShell command examples will be based on a scenario in which we save a copy of the Deleted mail items in the “Target Mailbox.” In case that you prefer to avoid this option, you can remove the section about the Target Mailbox + the Target Folder from the PowerShell command syntax.

The Goals

The goals we seek to achieve are:

Perform a search in Multiple Exchange mailboxes (Bulk Mailbox search). The search is implemented by defining a specific Search Query (search criteria), that will help us to locate specific mail items that answer the Search Query.

We wish to Delete all the mail items that appear in the Search Results.

The Search Results (deleted mail items) will be copied to a Target Mailbox, and saved in a dedicated folder (Target Folder).

In addition, we want to create a detailed report (Log), about each mail items that appear in the Search Results, and that was Deleted (the Log \ Report file will be saved in the Target Folder).

Source mailbox + Target mailbox (and Target Folder)

The Source Mailboxes (the mailboxes on which we perform the search) are ALL Exchange Mailboxes.

The Target Mailbox which we use for storing the search result (the mail items) is Adele’s

The Target Folder name will be – Search Results Multiple Mailbox search – DELETED mail item’s Backup.

The mailbox search scope

By default, the Search-Mailbox cmdlet performs a search in the “Source Mailbox” that includes the following “Mailbox spaces”:

Primary mailbox

The Search-Mailbox cmdlet will perform a search that relates to all folders and sub folders in the Primary mailbox.

Recovery mail folder – by default, the Search-Mailbox cmdlet will also search for mail items stored in the Recovery mail folder (the Dumpster).

Archive mailbox

In case that the Source Mailbox has Archive mailbox,

The Search-Mailbox cmdlet will perform a search that relates to all folders and sub folders in the Archive mailbox.

Recovery mail folder – by default, the Search-Mailbox cmdlet will also search for mail items stored in the mailbox archive Recovery mail folder (the Dumpster).

Cleaning the Recovery mail folder (the Dumpster).

The Search-Mailbox cmdlet has the ability, to delete mail items stored in the Recovery mail folder (the Dumpster).

The Recovery mail folder (the Dumpster) uses two separated folders for storing the following type of deleted mail items:

Deletion – the folder that store Soft Deleted mail items.

Purges – the folder that store Hard Deleted mail items.

It is important to mention that in case that we use the Search-Mailbox cmdlet for deleting mail items stored in the Recovery mail folder (the Dumpster); the Search-Mailbox cmdlet can only delete mail items that stored in the Deletion folder (the folder that store Soft Deleted mail items) but cannot delete mail items that are stored in the Purges folder (the folder that store Hard Deleted mail items).

Using the Search-Mailbox for deleting mail items | PowerShell parameters

The “active” the option of Deleting mail items using the Search-Mailbox cmdlet we need to add the following PowerShell command parameters: 1. DeleteContent

This “DeleteContent” parameter instructs the Search-Mailbox cmdlet to “search and destroys” the mail items that match the Search query criteria. 2. Force

This “Force” parameter is not a mandatory parameter. The purpose of this parameter is, to prevent from the Search-Mailbox cmdlet to ask us for a confirmation for each mail items that are going to be deleted.

In the following diagram, we can see the additional parameters that “turn” the Search-Mailbox cmdlet from a tool that searches and locate information (mail items) into a deadly weapon that destroys (Hard Delete) mail items!

The term “Multiple mailbox search”

In the current article, we review how to use the Search-Mailbox cmdlet for performing a search + mail deletion of mail items that are stored on a “group” or “array” of Exchange mailboxes.

The definition of the Exchange mailboxes is a very flexible definition because there are multiple ways that we can use in addressing the Exchange mailboxes that consider as part of the “group.”

In other words, we have many options for defining the mailbox’s search scope.

The simplest example is – perform a mailbox’s search that relates to ALL existing Exchange mailboxes. In this scenario, we define the “group” of ALL existing Exchange mailboxes as:

Get-Mailbox -ResultSize Unlimited

After we define the characters or the specific mailbox “Group” (multiple mailboxes), we “pipe” the Exchange mailbox group to the Search-Mailbox PowerShell command.

There many options that we can use for defining a specific “group” of Exchange mailboxes.

Example 1 – Perform Multiple mailbox search | All types of Exchange mailboxes. For example, to perform a search for mail items in all existing Exchange mailboxes, we can use the following command syntax:

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery

Example 2 – Perform Multiple mailbox search | All Exchange USER mailboxes

Get-Mailbox -Filter '(RecipientTypeDetails -eq "UserMailbox") | Search-Mailbox -SearchQuery

Example 3 – Perform Multiple mailbox search | All Exchange Shared mailboxes

Get-Mailbox -Filter '(RecipientTypeDetails -eq "SharedMailbox") | Search-Mailbox -SearchQuery

Example 4 – Perform Multiple mailbox search | All Exchange Room mailboxes

Get-Mailbox -Filter '(RecipientTypeDetails -eq "RoomMailBox") | Search-Mailbox -SearchQuery

Example 5 – Perform Multiple mailbox’s search | Exchange Mailboxes – members in Distribution Group

In this scenario, we want to perform a search by defining a “group of Exchange mailboxes” which “belong” (members) to a specific Distribution Group.

Get-DistributionGroupMember <"Distribution Group name"> | Search-Mailbox -SearchQuery

Using the Search-Mailbox for performing a search | PowerShell command syntax

Search and Delete mail items + save a Copy of mail items | Delete mail items from the Recovery mail folder (the Dumpster).

In this example, we use the Search-Mailbox cmdlet without any “filter” or Search query filters.

Instead, we use that the PowerShell parameter SearchDumpsterOnly for restricting the search (and the deletion of mail items) only to mail items stored in the Recovery mail folder (the Dumpster).

In this scenario, our goal is to delete all Soft Deleted mail items stored in the Recovery mail folder (the Dumpster) + Save a copy all the mail items that were deleted from the Source Mailbox to the Target Mailbox.

As mentioned, the Search-Mailbox cmdlet cannot delete Hard Deleted mail items that are stored in the Purges sub folder (sub folder of the Recovery mail folder)

Search and Delete mail items + Save a Copy of mail items | Mailbox Search Scope Recovery mail folder (the Dumpster)

PowerShell command syntax

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchDumpsterOnly -TargetMailbox <Destination mailbox> -TargetFolder <Folder> -DeleteContent -Force -LogLevel Full

PowerShell command Example

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchDumpsterOnly -TargetMailbox Adele -TargetFolder “Search Results Multiple Mailbox search – DELETED mail item’s Backup” -DeleteContent -Force -LogLevel Full

Search and Delete mail items + Save a Copy of mail items | Search query Filter – specific Type of Mail item

In this scenario, we want to:

Look (search), only a specific type of mail items (such as calendar or contact mail items) in a multiple Source Mailboxes (Exchange mailboxes).

Delete these mail items

Save a copy of the delete d mail items in the Target mailbox

Search + Save a copy of mail items | Search Query filter – Calendar items

Search + Delete specific type of mail items – Calendar items

PowerShell command syntax

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery "Kind:meetings" -TargetMailbox <Destination mailbox> -TargetFolder <Folder> -DeleteContent -Force -LogLevel Full

PowerShell command Example

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery "Kind:meetings" -TargetMailbox Adele -TargetFolder “Search Results Multiple Mailbox search – DELETED mail item’s Backup” -DeleteContent -Force -LogLevel Full

Search + Save a copy of mail items | Search Query – Contact items

Search + Delete specific type of mail items – Contacts items

PowerShell command syntax

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery "Kind:contacts" -TargetMailbox <Destination mailbox> -TargetFolder <Folder> -DeleteContent -Force -LogLevel Full

PowerShell command Example

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery "Kind:contacts" -TargetMailbox Adele -TargetFolder “Search Results Multiple Mailbox search – DELETED mail item’s Backup” -DeleteContent -Force -LogLevel Full

Note

By default, if not specified, the Search-Mailbox cmdlet will look for all types of message types.

When using the option the “kind” search filter, valid values can be one or more of the following:

Meetings

Tasks

Notes

Docs

Journals

Contacts

Search and Delete mail items + Save a Copy of mail items | Search query Filter – Text String

In this section, we use Search Query that looks for mail items that include a specific text string.

General note – because we use the quotation marks, the search will fetch only results in which all the words in the text string that we define appear.

For example, in our scenario, we look for the text string: “A meeting in New York.” Mail items that include the words “New York” or “meeting” will not appear in the Search Results.

Only mail items that include all the text phrases that appear inside the quotation marks, will be considered as “valid mail items” that answer the Search Query (exact phrases or keywords in subjects of items).

Search and Delete mail items + Save a Copy of mail items | Search Query – Mail items with Text String in mail SUBJECT

Search + Delete mail items with a specific TEXT string that appears is an E-mail Message Subject line.

PowerShell command syntax

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery Subject:"<Text String>" -TargetMailbox <Destination mailbox> -TargetFolder <Folder> -LogLevel Full

PowerShell command Example

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery Subject:"A meeting in New York" -TargetMailbox Adele -TargetFolder “Search Results Multiple Mailbox search – DELETED mail item’s Backup” -DeleteContent -Force -LogLevel Full

Search and Delete mail items + Save a Copy of mail items | Search Query – Mail items with Text String in mail BODY

Search + Delete mail items with a specific TEXT string that appears is an E-mail Body.

PowerShell command syntax

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery body:"<Text String>" -TargetMailbox <Destination mailbox> -TargetFolder <Folder> -DeleteContent -Force -LogLevel Full

PowerShell command Example

Search and Delete mail items + Save a Copy of mail items | Search Query – Mail items with Text String in mail BODY or Mail Subject

Search + Delete mail items with a specific TEXT string that appears is an E-mail Message Subject line or Mail Subject.

PowerShell command syntax

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery "<Text String>" -TargetMailbox <Destination mailbox> -TargetFolder <Folder> -DeleteContent -Force -LogLevel Full

PowerShell command Example

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery "A meeting in New York" -TargetMailbox Adele -TargetFolder “Search Results Multiple Mailbox search – DELETED mail item’s Backup” -DeleteContent -Force -LogLevel Full

Additional PowerShell command syntax that we can use for performing a search that includes two types of search criteria is:

PowerShell command Example

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery Subject:"A meeting in New York" OR body:"A meeting in New York" -TargetMailbox Adele -TargetFolder “Search Results Multiple Mailbox search – DELETED mail item’s Backup” -DeleteContent -Force -LogLevel Full

Search and Delete mail items + Save a Copy of mail items | Search query Filter – specific Date or Date Range

General information about the subject of “Date and Date format.”

The subject of the date format that we use in the Search-Mailbox query is a little tricky because the date format is affected the Windows OS Date format, the Exchange Online Mailbox Date format, etc.

Case 1 – most of the time, the date format that you need to use in the Search Query is your Windows OS Date format.

Case 2 – when using a date format in Search-Mailbox queries needs to be in a format that conforms to the Exchange server’s Regional settings.

In case that you get an error such as – “The KQL parser threw an exception,”, use the “month name” instead of the format of “month number.”

For example, instead of using the Date format – 07/21/2017 use the following format – 02/July/2017

You can read more information about this subject in the article: eDiscovery search error when you use KQL format for dates in Exchange 2013 in Office 365 Dedicated

>Search and Delete mail items + Save a Copy of mail items | Search Query – Emails SENT on a Specific date

Search + Delete mail items with Sent on a specific Date.

PowerShell command syntax

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery sent:mm/dd/yyyy -TargetMailbox <Destination mailbox> -TargetFolder <Folder> -DeleteContent -Force -LogLevel Full

PowerShell command Example

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery sent:21/07/2017 -TargetMailbox Adele -TargetFolder “Search Results Multiple Mailbox search – DELETED mail item’s Backup” -DeleteContent -Force -LogLevel Full

Search and Delete mail items + Save a Copy of mail items | Search Query – Emails SENT in a specific Date Range

Search + Delete mail items with Sent on a specific Date Range.

PowerShell command syntax

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery sent:mm/dd/yyyy..mm/dd/yyyy -TargetMailbox <Target mailbox> -TargetFolder <Target Folder> -DeleteContent -Force -LogLevel Full

PowerShell command Example

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery sent:21/06/2017..07/21/2017 -TargetMailbox Adele -TargetFolder “Search Results Multiple Mailbox search – DELETED mail item’s Backup” -DeleteContent -Force -LogLevel Full

Search and Delete mail items + Save a Copy of mail items | Search Query – Emails RECEIVED in a specific Date Range

Search + Delete mail items that were Received on a specific Date range.

PowerShell command syntax

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery Received:mm/dd/yyyy..mm/dd/yyyy -TargetMailbox <Target mailbox> -TargetFolder <Target Folder> -DeleteContent -Force -LogLevel Full

PowerShell command Example

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery Received:21/06/2017..21/07/2017 -TargetMailbox Adele -TargetFolder “Search Results Multiple Mailbox search – DELETED mail item’s Backup” -DeleteContent -Force -LogLevel Full

Search and Delete mail items + Save a Copy of mail items | Search Query – Emails SENT in a specific Date + Emails RECEIVED in a specific Date

Search + Delete mail items that were Sent or Received on a specific Date range.

PowerShell command syntax

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery sent:mm/dd/yyyy OR Received: mm/dd/yyyy -TargetMailbox <Destination mailbox> -TargetFolder <Folder> -DeleteContent -Force -LogLevel Full

PowerShell command Example

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery sent:30/07/2017 OR Received:30/07/2017-TargetMailbox Adele -TargetFolder “Search Results Multiple Mailbox search – DELETED mail item’s Backup” -DeleteContent -Force -LogLevel Full

Search and Delete mail items + Save a Copy of mail items | Search query Filter – sender or by Recipient

In this section, we would like to Search + Delete mail items that were sent from a specific sender or reach to a specific recipient.

Search and Delete mail items + Save a Copy of mail items | Filter scope – Email sent by a specific SENDER

Search + Delete mail items that was Sent from a specific Sender (the FROM mail felid).

PowerShell command syntax

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery from:"<E-mail address>" -TargetMailbox <Target mailbox> -TargetFolder <Target Folder> -LogLevel Full

PowerShell command Example

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery from:[email protected] -TargetMailbox Adele -TargetFolder “Search Results Multiple Mailbox search – DELETED mail item’s Backup” -DeleteContent -Force -LogLevel Full

Search and Delete mail items + Save a Copy of mail items | Filter scope – Emails sent TO a specific RECIPIENT

Search + Delete mail items that were Received from a specific recipient (sent to a specific recipient – the TO mail felid)

PowerShell command syntax

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery to:"<E-mail address>" -TargetMailbox <Target mailbox> -TargetFolder <Target Folder> -DeleteContent -Force -LogLevel Full

PowerShell command Example

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery to:[email protected] -TargetMailbox Adele -TargetFolder “Search Results Multiple Mailbox search – DELETED mail item’s Backup” -DeleteContent -Force -LogLevel Full

Search and Delete mail items + Save a Copy of mail items | Search query Filter – E-mail Attachments

In this section, we would like to Search + Delete mail items that have an attachment.

Search and Delete mail items + Save a Copy of mail items | Filter scope – Emails that include a specific attachment file name

Search + Delete mail items, that have an attachment with a specific File extension.

PowerShell command syntax

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery attachment:"<Attachment file name>" -TargetMailbox <Target mailbox> -TargetFolder <Target Folder> -DeleteContent -Force -LogLevel Full

PowerShell command Example

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery attachment:"Customer.pdf" -TargetMailbox Adele -TargetFolder “Search Results Multiple Mailbox search – DELETED mail item’s Backup” -DeleteContent -Force -LogLevel Full

Search and Delete mail items + Save a Copy of mail items | Filter scope – specific attachment type (suffix)

Search + Delete mail items, that have an attachment with a specific file name suffix.

PowerShell command syntax

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery Attachment -like "*.<suffix>" -TargetMailbox <Target mailbox> -TargetFolder <Target Folder> -DeleteContent -Force -LogLevel Full

PowerShell command Example

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery Attachment -like "*.PDF"-TargetMailbox Adele -TargetFolder “Search Results Multiple Mailbox search – DELETED mail item’s Backup” -DeleteContent -Force -LogLevel Full

Search and Delete mail items + Save a Copy of mail items | Filter scope – Emails with Attachment

Search + Delete mail items, that have an attachment.

PowerShell command syntax

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery HasAttachment -eq $true-TargetMailbox <Target mailbox> -TargetFolder <Target Folder> -DeleteContent -Force -LogLevel Full

PowerShell command Example

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery -SearchQuery HasAttachment -eq $true -TargetMailbox Adele -TargetFolder “Search Results Multiple Mailbox search – DELETED mail item’s Backup” -DeleteContent -Force -LogLevel Full

Search and Delete mail items + Save a Copy of mail items | Search query Filter – Additional search queries

Search and Delete mail items + Save a Copy of mail items | Filter scope – E-mail items size greater than X MB

Search + Delete mail items, that their size is “bigger” (grater) than a specific size.

PowerShell command syntax

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery Size -gt <size in KB or MB> -TargetMailbox <Target mailbox> -TargetFolder <Target Folder> -LogLevel Full

PowerShell command Example

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery -SearchQuery Size -gt 5MB -TargetMailbox Adele -TargetFolder “Search Results Multiple Mailbox search – DELETED mail item’s Backup” -DeleteContent -Force -LogLevel Full

Search-Mailbox | Mailbox Search scope| The Recovery mail folder (dumpster) and Archive Mailbox

In the following section, I would like to briefly review the subject of “Mailboxes search scope.”

As mentioned, the Search-Mailbox cmdlet will perform by default search in all the following mailbox locations:

Primary mailbox

Primary mailbox – Recovery mail folder (the Dumpster)

Archive mailbox

Archive mailbox – Recovery mail folder (the Dumpster)

The Search-Mailbox cmdlet enables us to define a specific mailbox search scope or to exclude a specific mailbox scope from the search results.

Mailbox scope Recovery mail folder (the Dumpster)

One of the most conspicuous advantages of the Search-Mailbox cmdlets is, the ability that it provides to Exchange administrator to view (search) the content of the Recovery mail folder (the Dumpster) and “fetch” a copy of Soft Deleted + Hard Deleted mail items stored in the Recovery mail folder.

By default, the Search-Mailbox cmdlets will perform a search in the Primary mailbox + in the Recovery mail folder (the Dumpster).

For example, in case that we don’t define a specific mailbox scope filter the search task will include the Primary mailbox space + the Recovery mail folder (the Dumpster)

Search-Mailbox <Source Mailbox> -TargetMailbox <Target mailbox> -TargetFolder <Target Folder> -LogLevel Full

Exclude the Recovery mail folder (dumpster) search

In case that we want to exclude the Recovery mail folder (the Dumpster) from the search, we can use the parameter SearchDumpster and set the switch to $false, for example –SearchDumpster:$False

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -TargetMailbox <Target mailbox> -TargetFolder <Target Folder> -SearchDumpster:$false -LogLevel Full

Search Dumpster Only

In case that we want to perform a search only in the Recovery mail folder (the Dumpster), we can use the parameter – SearchDumpsterOnly which specifies that only the Recoverable Items folder of the specified mailbox be searched.

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -TargetMailbox <Target mailbox> -TargetFolder <Target Folder> -SearchDumpsterOnly -LogLevel Full

Archive mailbox scope

By default, in case that as specific Exchange mailbox has an archive, the archive is always searched.

To exclude the Archive from the search, use the DoNotIncludeArchive parameter

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -TargetMailbox <Target mailbox> -TargetFolder <Target Folder> -DoNotIncludeArchive -LogLevel Full

Writing advanced \ combined search filters.

An additional part that I would like to briefly, mention is the subject of defining a more advanced or more sophisticated search query that combines two or more “filter” or search conditions.

To define two or more filters, we can use the logical operators such as – “OR”,”AND” and more.

In the following diagram, we can see some example of the syntax that we use for defining a more advanced Search Query.

Example 1

Look for all mail items, that answer the following search criteria’s:

E-mail items that have attachment + in addition, the mail subject is “Test”

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery HasAttachment -eq $true and subject:Test -TargetMailbox <Target mailbox> -TargetFolder <Target Folder>

Example 2

Look for all mail items, that answers the following search criteria’s:

E-mail message mail items or calendar mail items or Contact

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery kind:email OR kind:meetings -TargetMailbox <Target mailbox> -TargetFolder <Target Folder>

Example 3

Look for all mail items, that answers the following search criteria’s:

Mail items that have the subject Test + sent from [email protected] + sent on a specific date 30/07/2017

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery Subject:"Test" AND From:"[email protected]" AND Sent:"30/07/2017" -TargetMailbox <Target mailbox> -TargetFolder <Target Folder>

Search and Delete mail items from Multiple Exchange mailboxes (Bulk) using the Search-Mailbox PowerShell cmdlets

Download Now!5 Downloads

In case you want to get more detailed information about how to use the o365info menu PowerShell script, you can read the following article

Additional reading

General information

Search-Mailbox

Search for and delete messages – Admin help

Search-Mailbox in Exchange 2013

Mailbox Search and permissions

Assign eDiscovery permissions in Exchange

Mailbox Search and Search query syntax

Keyword Query Language (KQL) syntax reference

Search-Mailbox (Exchange 2013, 2016, Online): Attributes

Exchange – Search For Keyword

Search-Mailbox and Date format

Search-Mailbox SearchQuery not working

Mailbox search and mail items deletion

Exchange Search-Mailbox Delete More Than 10,000 Items

Search for and delete messages – Admin help

Mailbox search and mail items deletion

Exchange Search-Mailbox Delete More Than 10,000 Items

Search for and delete messages – Admin help

Getting started with Office 365 PowerShell

Restore Exchange Online mailbox | Article series index

Now it’s Your Turn! It is important for us to know your opinion on this article

Configure your WordPress site to send E-mail via S...

Full Access Mailbox permission – Everything You Al...

How to configure the details of the Technical Cont...

Detect spoof E-mail and send the spoof E-mail to A...

Reviewing the characters of Exchange Online mailbo...

#Bulk Delete #Bulk Delete mail items #Copy mail items #Delete mail items #Delete mail with virus #Powershell #Search-Mailbox

0 notes

o365info-blog · 8 years ago

Text

New Post has been published on o365info.com

New Post has been published on http://o365info.com/using-the-search-mailbox-powershell-command-recover-mail-items-from-recovery-mail-folder-the-dumpster-part-3-5/

Using the Search-Mailbox PowerShell command | Recover mail items from Recovery mail folder (the Dumpster) | Part 3#5

In the current article, we will review how to use the PowerShell cmdlet Search-Mailbox for -recover mail item stored in the Recovery mail folder (also named the Dumpster).The recovery mail folder considers as a “system folder” and it’s not visible to the user (mailbox owner).

Article Series table of content | Click to expand

Using the Search-Mailbox PowerShell command | Article Series

Using the Search-Mailbox PowerShell command – Introduction | Part 1#5

Using the Search-Mailbox PowerShell command | Perform a search + save a copy of search results | Part 2#5

Using the Search-Mailbox PowerShell command | Recover mail items from Recovery mail folder (the Dumpster) | Part 3#5

Search and Delete mail items from Multiple Exchange mailboxes (Bulk) using the Search-Mailbox PowerShell cmdlets | Part 4#5

Search and Delete mail items from the Exchange mailbox using the Search-Mailbox PowerShell cmdlets | Single mailbox | Part 5#5

PowerShell | Help & additional information

The purpose of the Recovery mail folder is to serve as a “container” for Soft Deleted mail items and Hard deleted mail items.

Using the Search-Mailbox PowerShell cmdlet enables Exchange administrator, to “look at” the content of the Recovery mail folder + Copy ALL the recovery mail folder content to a Target Mailbox or, only specific items stored in the Recovery mail folder.

Note – in case that you want more information about the “Recovery mail folder” you can read the article – Recover deleted mail items in the Exchange Online environment | Single item recovery | 2#7

The parameter “SearchDumpsterOnly”

By default, the Search-Mailbox PowerShell cmdlet will perform a search in all the mailbox folders (inbox, etc.), including the Recovery mail folder (the Dumpster).

In a scenario in which we want to restrict the search scope only to the Recovery mail folder (the Dumpster), we can use the following cmdlet parameter – SearchDumpsterOnly

Using this parameter is suitable for a scenario in which we need to help users to recover mail items that were deleted and stored in the Recovery mail folder (the Dumpster).

Scenario 1 – emails that were disappearing

A user that report about “emails that were disappeared”, and we need to check if these mail items are deleted (as mentioned, the user cannot access the specific folder in the “Recovery mail folder store” which stored Hard Deleted mail items).

Scenario 2 – restore (recover) mail items that saved by In-Place Hold or Litigation Hold.

In case that we use the option of – In-Place Hold or Litigation Hold, mail items that deleted by the user will be saved in the Recovery mail folder (the Dumpster).

Only the Exchange administrator can access this special folder and one of the methods that Exchange administrator can use for “fetching” data from the Recovery mail folder (the Dumpster) is by using the Search-Mailbox PowerShell cmdlet.

Recovery mail folder (the Dumpster) and deleted mail items “Lifetime”

An additional detail that I would like to mention is, that by default, the Recovery mail folder (the Dumpster) stored deleted mail items for a period of 14 days. At the end of this period, Soft Deleted and Hard deleted mail items older than 14 days, will be permanently deleted without any option to recover this mail item!

In other words, the Search-Mailbox PowerShell cmdlet can serve as a utility for viewing and export the content of the Recovery mail folder (the Dumpster) but, cannot help us to recover old mail items.

Note – The exception to this “14 days rule” is an Exchange mailbox with Litigation Hold or In-Place Hold.

Additional reading

Litigation Hold versus In-Place Hold in Exchange Online

In-Place Hold and Litigation Hold in Exchange 2016

Hold in Office 365

In-Place Archive, In-Place Hold, Litigation Hold and In-place eDiscovery in Exchange Online

Scenario description

The Goals

The goals we seek to achieve are:

View + Copy mail items stores in a specific Exchange mailbox in the Recovery mail folder (the Dumpster).

The search is implemented by defining a specific Search Query (search criteria), that will help us to locate specific mail items that answer the Search Query.

The Search Results will be copied to a Target Mailbox and saved in a dedicated folder (Target Folder).

In addition, we want to create a detailed report (Log), about each mail items that appear in the Search Results (the Log \ Report file will be saved in the Target Folder)

Source mailbox + Target mailbox (and Target Folder)

The Source Mailbox (the mailbox on which we perform the search) is Bob’s mailbox

The Target Mailbox which we use for storing the search result (the mail items) is Adele’s

The Target Folder name will be – Search Results – Bob -Recovered mail items.

The mailbox search scope

In the current scenario, we restrict the Search-Mailbox cmdlet to perform a search in the “Source Mailbox” only in the Recovery mail folder (the Dumpster).

Primary mailbox

The Search-Mailbox cmdlet will perform a search only for mail items stored in the Recovery mail folder (the Dumpster).

Archive mailbox

In case that the Source Mailbox has Archive mailbox,

The Search-Mailbox cmdlet will perform a search only for mail items stored in the Archive Mailbox Recovery mail folder (the Dumpster).

An example of the outcome of search results

In the following screenshot, we can see an example of a scenario in we use the Search-Mailbox cmdlet to perform a search on Bob’s mailbox – Recovery mail folder and copy the Search results to Adele’s mailbox.

The Search-Mailbox cmdlet creates a New folder (Target Folder) and store all the Search Results (copy the mail items) in this folder (the Target folder).

In our scenario, Bob mailbox has an archive mailbox + Bob Mailbox uses In-Place Hold.

The search results folder hierarchy includes two separated “spaces”:

Archive mailbox (A in screenshot)

Primary mailbox (B in screenshot)

To understand better the result that we got, let’s review the Primary mailbox (B in the screenshot)

In our case, we perform a search that “ignore” the content of the mailbox and relates only to the Recovery mail folder (the Dumpster).

Under the Primary mailbox store, we can see the Recoverable Items store.

The Recoverable item’s store includes the following sub folders:

Deletions: this is the folder that store – Soft Deleted mail items

Purges: this is the folder that store – Hard Deleted mail items

DiscoveryHolds: this is the folder that store – mail items that saved by the In-Place policy.

Using the Search-Mailbox for performing a search | PowerShell command syntax

In the following section, we will demonstrate various type of scenario in which we use the Search-Mailbox cmdlet + the parameter SearchDumpsterOnly, for “fetching” mail items from the Recovery mail folder (the Dumpster).

Search and Copy mail items from Recovery Folder (Dumpster) | ALL mail items.

In this example, we use the Search-Mailbox cmdlet without any “Search query filters.

In this scenario, our goal is to copy all the mail items that exist in the Source Mailbox in the Recovery mail folder (the Dumpster) the Target Mailbox.

Search + Save a copy ALL mail items | Search Query – NO Filter (no Search Query)

PowerShell command syntax

Search-Mailbox <Source Mailbox> -SearchDumpsterOnly -TargetMailbox <Destination mailbox> -TargetFolder <Folder> -LogLevel Full

PowerShell command Example

Search-Mailbox Bob -SearchDumpsterOnly -TargetMailbox Adele -TargetFolder “Search Results - Bob” -LogLevel Full

Search and Copy mail items from Recovery Folder (Dumpster) | Search query Filter – specific Type of Mail item

In this scenario, we want to locate (search) and copy only a specific type of mail items from the Source Mailbox stored in Recovery mail folder (the Dumpster).

Search + Save a copy of mail items | Search Query filter – Calendar items

Search for mail items stored in Recovery mail folder (the Dumpster), look for a specific type of mail items – Calendar items PowerShell command syntax

Search-Mailbox <Source Mailbox> -SearchDumpsterOnly -SearchQuery "Kind:meetings" -TargetMailbox <Destination mailbox> -TargetFolder <Folder> -LogLevel Full

PowerShell command Example

Search-Mailbox Bob -SearchDumpsterOnly -SearchQuery "Kind:meetings" -TargetMailbox Adele -TargetFolder “Search Results - Bob” -LogLevel Full

Search + Save a copy of mail items | Search Query – Contact items

Search for mail items stored in Recovery mail folder (the Dumpster), look for a specific type of mail items – Contacts items

PowerShell command syntax

Search-Mailbox <Source Mailbox> -SearchDumpsterOnly -SearchQuery "Kind:contacts" -TargetMailbox <Destination mailbox> -TargetFolder <Folder> -LogLevel Full

PowerShell command Example

Search-Mailbox Bob -SearchDumpsterOnly -SearchQuery "Kind:contacts" -TargetMailbox Adele -TargetFolder “Search Results - Bob” -LogLevel Full

Note

By default, if not specified, the Search-Mailbox cmdlet will look for all types of message types.

When using the option the “kind” search filter, valid values can be one or more of the following:

Meetings

Tasks

Notes

Docs

Journals

Contacts

Search and Copy mail items from Recovery Folder (Dumpster) | Search query Filter – Text String

In this section, we use Search Query that looks for mail items that include a specific text string.

General note – because we use the quotation marks, the search will fetch only results in which all the words in the text string that we define appear.

For example, in our example, we look for the text string: “A meeting in New York.” Mail items that include the words “New York” or “meeting” will not appear in the Search Results.

Search + Save a copy of mail items | Search Query – Mail items with Text String in mail SUBJEC

In the following example, we look for mail items stored in Recovery mail folder (the Dumpster) that include a specific TEXT string that appears in E-mail Message Subject line.

PowerShell command syntax

Search-Mailbox <Source Mailbox> -SearchDumpsterOnly -SearchQuery Subject:"<Text String>" -TargetMailbox <Destination mailbox> -TargetFolder <Folder> -LogLevel Full

PowerShell command Example

Search-Mailbox Bob -SearchQuery Subject:"A meeting in New York" -TargetMailbox Adele -TargetFolder “Search Results - Bob” -LogLevel Full

Search + Save a copy of mail items | Search Query – Mail items with Text String in mail BODY

Search for mail items stored in Recovery mail folder (the Dumpster), that include a specific TEXT string that appears in E-mail Message Body.

PowerShell command syntax

Search-Mailbox <Source Mailbox> -SearchDumpsterOnly -SearchQuery body:"<Text String>" -TargetMailbox <Destination mailbox> -TargetFolder <Folder> -LogLevel Full

PowerShell command Example

Search-Mailbox Bob -SearchDumpsterOnly -SearchQuery Subject:"A meeting in New York" -TargetMailbox Adele -TargetFolder “Search Results - Bob” -LogLevel Full

Search + Save a copy of mail items | Search Query – Mail items with Text String in mail BODY or Mail Subject

Search for mail items stored in Recovery mail folder (the Dumpster), that include a specific TEXT string that appears in E-mail Message Body or Mail Subject.

PowerShell command syntax

Search-Mailbox <Source Mailbox> -SearchDumpsterOnly -SearchQuery "<Text String>" -TargetMailbox <Destination mailbox> -TargetFolder <Folder> -LogLevel Full

PowerShell command Example

Search-Mailbox Bob -SearchDumpsterOnly -SearchQuery "A meeting in New York" -TargetMailbox Adele -TargetFolder “Search Results - Bob” -LogLevel Full

Additional PowerShell command syntax that we can use for performing a search that includes two types of search criteria is: PowerShell command Example

Search-Mailbox Bob -SearchDumpsterOnly -SearchQuery Subject:"A meeting in New York" OR body:"A meeting in New York" -TargetMailbox Adele -TargetFolder “Search Results - Bob” -LogLevel Full

Search and Copy mail items from Recovery Folder (Dumpster) | Search query Filter – specific Date or Date Range

General information about the subject of “Date and Date format.”

The subject of the date format that we use in the Search-Mailbox query is a little tricky because the date format is affected the Windows OS Date format, the Exchange Online Mailbox Date format, etc.

Case 1 – most of the time, the date format that you need to use in the Search Query is your Windows OS Date format.

Case 2 – when using a date format in Search-Mailbox queries needs to be in a format that conforms to the Exchange server’s Regional settings.

In case that you get an error such as – “The KQL parser threw an exception,”, use the “month name” instead of the format of “month number.”

For example, instead of using the Date format – 07/21/2017 use the following format – 02/July/2017

You can read more information about this subject in the article: eDiscovery search error when you use KQL format for dates in Exchange 2013 in Office 365 Dedicated

Search + Save a Copy of mail items | Search Query – Emails SENT on a Specific Date

Search for mail items stored in Recovery mail folder (the Dumpster), that sent on a specific date.

PowerShell command syntax

Search-Mailbox <Source Mailbox> -SearchDumpsterOnly -SearchQuery sent:mm/dd/yyyy -TargetMailbox <Destination mailbox> -TargetFolder <Folder> -LogLevel Full

PowerShell command Example

Search-Mailbox Bob -SearchDumpsterOnly -SearchQuery sent:21/07/2017 -TargetMailbox Adele -TargetFolder “Search Results - Bob” -LogLevel Full

Search + Save a copy of mail items | Search Query – Emails SENT in a specific Date Range

Search for mail items stored in Recovery mail folder (the Dumpster), that sent on a specific Date Range.

PowerShell command syntax

Search-Mailbox <Source Mailbox> -SearchDumpsterOnly -SearchQuery sent:mm/dd/yyyy..mm/dd/yyyy -TargetMailbox <Target mailbox> -TargetFolder <Target Folder> -LogLevel Full

PowerShell command Example

Search-Mailbox Bob -SearchDumpsterOnly -SearchQuery sent:21/06/2017..07/21/2017 -TargetMailbox Adele -TargetFolder “Search Results - Bob” -LogLevel Full

Search + Save a copy of mail items | Search Query – Emails RECEIVED in a specific Date Range

Search for mail items stored in Recovery mail folder (the Dumpster), that Received on a specific date range.

PowerShell command syntax

Search-Mailbox <Source Mailbox> -SearchDumpsterOnly -SearchQuery Received:mm/dd/yyyy..mm/dd/yyyy -TargetMailbox <Target mailbox> -TargetFolder <Target Folder> -LogLevel Full

PowerShell command Example

Search-Mailbox Bob -SearchDumpsterOnly -SearchQuery Received:21/06/2017..21/07/2017 -TargetMailbox Adele -TargetFolder “Search Results - Bob” -LogLevel Full

Search + Save a copy of mail items | Search Query – Emails SENT in a specific Date + Emails RECEIVED in a specific Date

Search for mail items stored in Recovery mail folder (the Dumpster), that Sent or Received on a specific date range.

PowerShell command syntax

Search-Mailbox <Source Mailbox> -SearchDumpsterOnly -SearchQuery sent:mm/dd/yyyy OR Received: mm/dd/yyyy -TargetMailbox <Destination mailbox> -TargetFolder <Folder> -LogLevel Full

PowerShell command Example

Search-Mailbox Bob -SearchDumpsterOnly -SearchQuery sent:30/07/2017 OR Received:30/07/2017-TargetMailbox Adele -TargetFolder “Search Results - Bob” -LogLevel Full

Search and Copy mail items from Recovery Folder (Dumpster) | Search query Filter – sender or by Recipient

In this section, we would like to search mail items that were sent from a specific sender or reach to a specific recipient.

Search + Save a copy of mail items | Filter scope – Email sent by a specific SENDERR

Search for mail items stored in Recovery mail folder (the Dumpster), that was Sent from a specific Sender (the FROM mail felid).

PowerShell command syntax

Search-Mailbox <Source Mailbox> -SearchDumpsterOnly -SearchQuery from:"<E-mail address>" -TargetMailbox <Target mailbox> -TargetFolder <Target Folder> -LogLevel Full

PowerShell command Example

Search-Mailbox Bob -SearchDumpsterOnly -SearchQuery from:"[email protected]" -TargetMailbox Adele -TargetFolder “Search Results - Bob” -LogLevel Full

Search + Save a copy of mail items | Filter scope – Emails sent TO a specific RECIPIENT

Search for mail items stored in Recovery mail folder (the Dumpster), that was Received by a specific recipient (sent to a specific recipient – the TO mail felid).

PowerShell command syntax

Search-Mailbox <Source Mailbox> -SearchDumpsterOnly -SearchQuery to:"<E-mail address>" -TargetMailbox <Target mailbox> -TargetFolder <Target Folder> -LogLevel Full

PowerShell command Example

Search-Mailbox Bob -SearchDumpsterOnly -SearchQuery to:"[email protected]" -TargetMailbox Adele -TargetFolder “Search Results - Bob” -LogLevel Full

Search and Copy mail items from Recovery Folder (Dumpster) | Search query Filter – E-mail Attachments

In this section, we would like to search mail items that have an attachment.

Search + Save a copy of mail items | Filter scope – Emails that include a specific attachment file name

Search for mail items stored in Recovery mail folder (the Dumpster), that have an attachment with a specific file name.

PowerShell command syntax

Search-Mailbox <Source Mailbox> -SearchDumpsterOnly -SearchQuery attachment:"<Attachment file name>" -TargetMailbox <Target mailbox> -TargetFolder <Target Folder> -LogLevel Full

PowerShell command Example

Search-Mailbox Bob -SearchDumpsterOnly -SearchQuery attachment:"Customer.pdf" -TargetMailbox Adele -TargetFolder “Search Results - Bob” -LogLevel Full

Search + Save a copy of mail items | Filter scope – specific attachment type (suffix)

Search for mail items stored in Recovery mail folder (the Dumpster), that have an attachment with a specific File extension.

PowerShell command syntax

Search-Mailbox <Source Mailbox> -SearchDumpsterOnly -SearchQuery Attachment -like "*.<suffix>" -TargetMailbox <Target mailbox> -TargetFolder <Target Folder> -LogLevel Full

PowerShell command Example

Search-Mailbox Bob -SearchDumpsterOnly -SearchQuery Attachment -like "*.PDF"-TargetMailbox Adele -TargetFolder “Search Results - Bob” -LogLevel Full

Search + Save a copy of mail items | Filter scope – Emails with Attachment

Search for mail items stored in Recovery mail folder (the Dumpster), that have an attachment with, that have an attachment.

PowerShell command syntax

Search-Mailbox <Source Mailbox> -SearchDumpsterOnly -SearchQuery HasAttachment -eq $true -TargetMailbox <Target mailbox> -TargetFolder <Target Folder> -LogLevel Full

PowerShell command Example

Search-Mailbox Bob -SearchDumpsterOnly -SearchQuery -SearchQuery HasAttachment -eq $true-TargetMailbox Adele -TargetFolder “Search Results - Bob” -LogLevel Full

Search and Copy mail items from Recovery Folder (Dumpster) | Search query Filter – Additional search queries

Search + Save a copy of mail items | Filter scope – E-mail items size greater than X MB

Search for mail items stored in Recovery mail folder (the Dumpster), that their size is “bigger” (greater) than a specific size.

PowerShell command syntax

Search-Mailbox <Source Mailbox> -SearchDumpsterOnly -SearchQuery Size -gt <size in KB or MB>-TargetMailbox <Target mailbox> -TargetFolder <Target Folder> -LogLevel Full

PowerShell command Example

Search-Mailbox Bob -SearchDumpsterOnly -SearchQuery -SearchQuery Size -gt 5MB-TargetMailbox Adele -TargetFolder “Search Results - Bob” -LogLevel Full

Writing advanced \ combined search filters.

An additional part that I would like to briefly, mention is the subject of defining a more advanced or more sophisticated search query that combines two or more “filter” or search conditions.

To define two or more filters, we can use the logical operators such as – “OR”,”AND” and more.

In the following diagram, we can see some example of the syntax that we use for defining a more advanced Search Query.

Example 1

Look for all mail items, that answer the following search criteria’s:

E-mail items that have attachment + in addition, the mail subject is “Test”

Search-Mailbox <Source Mailbox> -SearchDumpsterOnly -SearchQuery HasAttachment -eq $true and subject:Test -TargetMailbox <Target mailbox> -TargetFolder <Target Folder>

Example 2

Look for all mail items, that answers the following search criteria’s:

E-mail message mail items or calendar mail items

Search-Mailbox <Source Mailbox> -SearchDumpsterOnly -SearchQuery kind:email OR kind:meetings -TargetMailbox <Target mailbox> -TargetFolder <Target Folder>

Example 3

Look for all mail items, that answers the following search criteria’s:

Mail items that have the subject Test + sent from [email protected] + sent on a specific date 30/07/2017

Search-Mailbox <Source Mailbox> -SearchDumpsterOnly -SearchQuery Subject:"Test" AND From:"[email protected]" AND Sent:"30/07/2017" -TargetMailbox <Target mailbox> -TargetFolder <Target Folder>

Using the Search-Mailbox PowerShell command | Recover mail items from Recovery mail folder (the Dumpster)

Download Now!5 Downloads

In case you want to get more detailed information about how to use the o365info menu PowerShell script, you can read the following article

Additional reading

General information

Search-Mailbox

Search for and delete messages – Admin help

Search-Mailbox in Exchange 2013

Mailbox Search and permissions

Assign eDiscovery permissions in Exchange

Mailbox Search and Search query syntax

Keyword Query Language (KQL) syntax reference

Search-Mailbox (Exchange 2013, 2016, Online): Attributes

Exchange – Search For Keyword

Search-Mailbox and Date format

Search-Mailbox SearchQuery not working

Mailbox search and mail items deletion

Exchange Search-Mailbox Delete More Than 10,000 Items

Search for and delete messages – Admin help

Mailbox search and mail items deletion

Exchange Search-Mailbox Delete More Than 10,000 Items

Search for and delete messages – Admin help

Getting started with Office 365 PowerShell

Restore Exchange Online mailbox | Article series index

Now it’s Your Turn! It is important for us to know your opinion on this article

Using PowerShell for view and export information a...

Bulk Import Contacts to Exchange Online (Office 36...

Manage E-mail attachment policy in Office 365 R...

Manage Distribution Group using PowerShell in Offi...

Configure your WordPress site to send E-mail via E...

#Copy mail items #Powershell #Recover mail items #Search mail items #Search-Mailbox

0 notes

o365info-blog · 8 years ago

Text

New Post has been published on o365info.com

New Post has been published on http://o365info.com/using-search-mailbox-powershell-command-perform-search-save-copy-search-results-part-2-5/

Using the Search-Mailbox PowerShell command | Perform a search + save a copy of search results | Part 2#5

In the current article, we will review how to use the Search-Mailbox PowerShell cmdlet for performing a search on a specific Exchange mailbox + copy the search results to a “destination mailbox” (Target Mailbox).

Article Series table of content | Click to expand

Using the Search-Mailbox PowerShell command | Article Series

Using the Search-Mailbox PowerShell command – Introduction | Part 1#5

Using the Search-Mailbox PowerShell command | Perform a search + save a copy of search results | Part 2#5

Using the Search-Mailbox PowerShell command | Recover mail items from Recovery mail folder (the Dumpster) | Part 3#5

Search and Delete mail items from Multiple Exchange mailboxes (Bulk) using the Search-Mailbox PowerShell cmdlets | Part 4#5

Search and Delete mail items from the Exchange mailbox using the Search-Mailbox PowerShell cmdlets | Single mailbox | Part 5#5

PowerShell | Help & additional information

Scenario description

The Goals

The goals we seek to achieve are:

Perform a search in a specific Exchange mailbox (Bob Mailbox). The search is implemented by defining a specific Search Query (search criteria), that will help us to locate specific mail items that answer the Search Query.

The Search Results (mail items) will be copied to a Target Mailbox and saved in a dedicated folder (Target Folder).

In addition, we want to create a detailed report (Log), about each mail items that appear in the Search Results (the Log \ Report file will be saved in the Target Folder)

Source mailbox + Target mailbox (and Target Folder)

The Source Mailbox (the mailbox on which we perform the search) is Bob’s mailbox

The Target Mailbox which we use for storing the search result (the mail items) is Adele’s

The Target Folder name will be – Search Results – Bob.

The mailbox search scope

By default, the Search-Mailbox cmdlet performs a search in the “Source Mailbox” that includes the following “Mailbox spaces”:

Primary mailbox

The Search-Mailbox cmdlet will perform a search that relates to all folders and sub folders in the Primary mailbox.

Recovery mail folder – by default, the Search-Mailbox cmdlet will also search for mail items stored in the Recovery mail folder (the Dumpster).

Archive mailbox

In case that the Source Mailbox has Archive mailbox,

The Search-Mailbox cmdlet will perform a search that relates to all folders and sub folders in the Archive mailbox.

Recovery mail folder – by default, the Search-Mailbox cmdlet will also search for mail items stored in the mailbox archive Recovery mail folder (the Dumpster).

In the following screenshot, we can see an example to a scenario in which the Source Mailbox belongs to Bob, and the Target mailbox is – Adele’s mailbox.

The Search-Mailbox cmdlet creates a New folder (Target Folder) and stores all the Search Results (copy the mail items) in this folder (the Target folder).

The search results folder hierarchy includes two separated “spaces”:

Archive mailbox (A in screenshot)

Primary mailbox (B in screenshot)

Each of the “mailbox spaces” (Archive and Primary) includes a dedicated folder named – Recoverable Items, that store the Search Results that were “fetched” from the Recovery mail folder -the Dumpster (number 2 in the diagram), that include Soft deleted + Hard deleted mail items.

Using the Search-Mailbox for performing a search | PowerShell command syntax

As mentioned, the Search-Mailbox cmdlet is a very powerful PowerShell cmdlet, that can use many types of Search Query filter that will help us to “fetch” (find and copy) a very specific mail items.

In the following section, we review a couple of examples to the various Search Query that we can use.

Search and Copy mail items | ALL mail items

In this example, we use the Search-Mailbox cmdlet without any “filter” or Search query filters.

In this scenario, our goal is to copy all the mail items that exist in the Source Mailbox to the Target Mailbox. The search results will include all the mail items from the Primary Mailbox, Archive Mailbox (if exists) and the Recovery mail folder (the Dumpster).

Search + Save a copy ALL mail items | Search Query – NO Filter (no Search Query)

PowerShell command syntax

Search-Mailbox <Source Mailbox> -TargetMailbox <Destination mailbox>-TargetFolder <Folder> -LogLevel Full

PowerShell command Example

Search-Mailbox Bob -TargetMailbox Adele -TargetFolder “Search Results - Bob” -LogLevel Full

Search and Copy mail items | Search query Filter – specific Type of Mail item

In this scenario, we want to locate (search) and copy only a specific type of mail items from the Source Mailbox.

Search + Save a copy of mail items | Search Query filter – Calendar items

Search for specific type of mail items – Calendar items

PowerShell command syntax

Search-Mailbox <Source Mailbox> -SearchQuery "Kind:meetings" -TargetMailbox <Destination mailbox> -TargetFolder <Folder> -LogLevel Full

PowerShell command Example

Search-Mailbox Bob -SearchQuery "Kind:meetings" -TargetMailbox Adele -TargetFolder “Search Results - Bob” -LogLevel Full

Search + Save a copy of mail items | Search Query – Contact items

Search for specific type of mail items – Contacts items PowerShell command syntax

Search-Mailbox <Source Mailbox> -SearchQuery "Kind:contacts" -TargetMailbox <Destination mailbox> -TargetFolder <Folder> -LogLevel Full

PowerShell command Example

Search-Mailbox Bob -SearchQuery "Kind:contacts" -TargetMailbox Adele -TargetFolder “Search Results - Bob” -LogLevel Full

Note

By default, if not specified, the Search-Mailbox cmdlet will look for all types of message types.

When using the option the “kind” search filter, valid values can be one or more of the following:

Meetings

Tasks

Notes

Docs

Journals

Contacts

Search and Copy mail items | Search query Filter – Text String

In this section, we use Search Query that looks for mail items that include a specific text string.

General note – because we use the quotation marks, the search will fetch only results in which all the words in the text string that we define appear.

For example, in our example, we look for the text string: “A meeting in New York.” Mail items that include the words “New York” or “meeting” will not appear in the Search Results.

Search + Save a copy of mail items | Search Query – Mail items with Text String in mail SUBJECT

Search for mail items with a specific TEXT string that appears is an E-mail Message Subject line. PowerShell command syntax

Search-Mailbox <Source Mailbox> -SearchQuery Subject:"<Text String>" -TargetMailbox <Destination mailbox> -TargetFolder <Folder> -LogLevel Full

PowerShell command Example

Search-Mailbox Bob -SearchQuery Subject:"A meeting in New York" -TargetMailbox Adele -TargetFolder “Search Results - Bob” -LogLevel Full

Search + Save a copy of mail items | Search Query – Mail items with Text String in mail BODY

Search for mail items with a specific TEXT string that appears is an E-mail Body.

PowerShell command syntax

Search-Mailbox <Source Mailbox> -SearchQuery body:"<Text String>" -TargetMailbox <Destination mailbox> -TargetFolder <Folder> -LogLevel Full

PowerShell command Example

Search-Mailbox Bob -SearchQuery Subject:"A meeting in New York" -TargetMailbox Adele -TargetFolder “Search Results - Bob” -LogLevel Full

Search + Save a copy of mail items | Search Query – Mail items with Text String in mail BODY or Mail Subject

Search for mail items with a specific TEXT string that appears is an E-mail Message Subject line or Mail Subject. PowerShell command syntax

Search-Mailbox <Source Mailbox> -SearchQuery "<Text String>" -TargetMailbox <Destination mailbox> -TargetFolder <Folder> -LogLevel Full

PowerShell command Example

Search-Mailbox Bob -SearchQuery "A meeting in New York" -TargetMailbox Adele -TargetFolder “Search Results - Bob” -LogLevel Full

Additional PowerShell command syntax that we can use for performing a search that includes two types of search criteria is:

PowerShell command Example

Search-Mailbox Bob -SearchQuery Subject:"A meeting in New York" OR body:"A meeting in New York" -TargetMailbox Adele -TargetFolder “Search Results - Bob” -LogLevel Full

Search and Copy mail items | Search query Filter – specific Date or Date Range

General information about the subject of “Date and Date format.”

The subject of the date format that we use in the Search-Mailbox query is a little tricky because the date format is affected the Windows OS Date format, the Exchange Online Mailbox Date format, etc.

Case 1 – most of the time, the date format that you need to use in the Search Query is your Windows OS Date format.

Case 2 – when using a date format in Search-Mailbox queries needs to be in a format that conforms to the Exchange server’s Regional settings.

In case that you get an error such as – “The KQL parser threw an exception,”, use the “month name” instead of the format of “month number.”

For example, instead of using the Date format – 07/21/2017 use the following format – 02/July/2017

You can read more information about this subject in the article: eDiscovery search error when you use KQL format for dates in Exchange 2013 in Office 365 Dedicated

Search + Save a Copy of mail items | Search Query – Emails SENT on a Specific date

Search for mail items with Sent on a specific Date.

PowerShell command syntax

Search-Mailbox <Source Mailbox> -SearchQuery sent:mm/dd/yyyy -TargetMailbox <Destination mailbox> -TargetFolder <Folder> -LogLevel Full

PowerShell command Example

Search-Mailbox Bob -SearchQuery sent:21/07/2017 -TargetMailbox Adele -TargetFolder “Search Results - Bob” -LogLevel Full

Search + Save a copy of mail items | Search Query – Emails SENT in a specific Date Range

Search for mail items with Sent on a specific Date Range.

PowerShell command syntax

Search-Mailbox <Source Mailbox> -SearchQuery sent:mm/dd/yyyy..mm/dd/yyyy -TargetMailbox <Target mailbox> -TargetFolder <Target Folder> -LogLevel Full

PowerShell command Example

Search-Mailbox Bob -SearchQuery sent:21/06/2017..07/21/2017 -TargetMailbox Adele -TargetFolder “Search Results - Bob” -LogLevel Full

Search + Save a copy of mail items | Search Query – Emails RECEIVED in a specific Date Range

Search for mail items that was Received on a specific Date range. PowerShell command syntax

Search-Mailbox <Source Mailbox> -SearchQuery Received:mm/dd/yyyy..mm/dd/yyyy -TargetMailbox <Target mailbox> -TargetFolder <Target Folder> -LogLevel Full

PowerShell command Example

Search-Mailbox Bob -SearchQuery Received:21/06/2017..21/07/2017 -TargetMailbox Adele -TargetFolder “Search Results - Bob” -LogLevel Full

Search + Save a copy of mail items | Search Query – Emails SENT in a specific Date + Emails RECEIVED in a specific Date

Search for mail items that was Sent or Received on a specific Date range.

PowerShell command syntax

Search-Mailbox <Source Mailbox> -SearchQuery sent:mm/dd/yyyy OR Received: mm/dd/yyyy -TargetMailbox <Destination mailbox> -TargetFolder <Folder> -LogLevel Full

PowerShell command Example

Search-Mailbox Bob -SearchQuery sent:30/07/2017 OR Received:30/07/2017-TargetMailbox Adele -TargetFolder “Search Results - Bob” -LogLevel Full

Search and Copy mail items | Search query Filter – sender or by Recipient

In this section, we would like to search mail items that were sent from a specific sender or reach to a specific recipient.

Search + Save a copy of mail items | Filter scope – Email sent by a specific SENDER

Search for mail items that was Sent from a specific Sender (the FROM mail felid). PowerShell command syntax

Search-Mailbox <Source Mailbox> -SearchQuery from:"<E-mail address>" -TargetMailbox <Target mailbox> -TargetFolder <Target Folder> -LogLevel Full

PowerShell command Example

Search-Mailbox Bob -SearchQuery from:"[email protected]" -TargetMailbox Adele -TargetFolder “Search Results - Bob” -LogLevel Full

Search + Save a copy of mail items | Filter scope – Emails sent TO a specific RECIPIENT

Search for mail items that were Received from a specific recipient (sent to a specific recipient – the TO mail felid)

PowerShell command syntax

Search-Mailbox <Source Mailbox> -SearchQuery to:"<E-mail address>" -TargetMailbox <Target mailbox> -TargetFolder <Target Folder> -LogLevel Full

PowerShell command Example

Search-Mailbox Bob -SearchQuery to:"[email protected]" -TargetMailbox Adele -TargetFolder “Search Results - Bob” -LogLevel Full

Search and Copy mail items | Search query Filter – E-mail Attachments

In this section, we would like to search mail items that have an attachment.

Search + Save a copy of mail items | Filter scope – Emails that include a specific attachment file name

Search for mail items, that have an attachment with a specific File extension.

PowerShell command syntax

Search-Mailbox <Source Mailbox> -SearchQuery attachment:"<Attachment file name>" -TargetMailbox <Target mailbox> -TargetFolder <Target Folder> -LogLevel Full

PowerShell command Example

Search-Mailbox Bob -SearchQuery attachment:"Customer.pdf" -TargetMailbox Adele -TargetFolder “Search Results - Bob” -LogLevel Full

Search + Save a copy of mail items | Filter scope – specific attachment type (suffix)

Search for mail items, that have an attachment with a specific file name suffix.

PowerShell command syntax

Search-Mailbox <Source Mailbox> -SearchQuery Attachment -like "*.<suffix>" -TargetMailbox <Target mailbox> -TargetFolder <Target Folder> -LogLevel Full

PowerShell command Example

Search-Mailbox Bob -SearchQuery Attachment -like "*.PDF" -TargetMailbox Adele -TargetFolder “Search Results - Bob” -LogLevel Full

Search + Save a copy of mail items | Filter scope – Emails with Attachment

Search for mail items, that have an attachment. PowerShell command syntax

Search-Mailbox <Source Mailbox> -SearchQuery HasAttachment -eq $true -TargetMailbox <Target mailbox> -TargetFolder <Target Folder> -LogLevel Full

PowerShell command Example

Search-Mailbox Bob -SearchQuery -SearchQuery HasAttachment -eq $true -TargetMailbox Adele -TargetFolder “Search Results - Bob” -LogLevel Full

Search and Copy mail items | Search query Filter – Additional search queries

Search for mail items, that their size is “bigger” (greater) than a specific size.

Search + Save a copy of mail items | Filter scope – E-mail items size greater than X MB

PowerShell command syntax

Search-Mailbox <Source Mailbox> -SearchQuery Size -gt <size in KB or MB> -TargetMailbox <Target mailbox> -TargetFolder <Target Folder> -LogLevel Full

PowerShell command Example

Search-Mailbox Bob -SearchQuery -SearchQuery Size -gt 5MB -TargetMailbox Adele -TargetFolder “Search Results - Bob” -LogLevel Full

Search-Mailbox | Mailbox Search scope| The Recovery mail folder (Dumpster) and Archive Mailbox

In the following section, I would like to briefly review the subject of “Mailboxes search scope.”

As mentioned, the Search-Mailbox cmdlet will perform by default search in all the following mailbox locations:

Primary mailbox

Primary mailbox – Recovery mail folder (the Dumpster)

Archive mailbox

Archive mailbox – Recovery mail folder (the Dumpster)

The Search-Mailbox cmdlet enables us to define a specific mailbox search scope or to exclude a specific mailbox scope from the search results.

Mailbox scope Recovery mail folder (the Dumpster)

By default, the Search-Mailbox cmdlets will perform a search in the Primary mailbox + in the Recovery mail folder (the Dumpster).

For example, in case that we don’t define a specific mailbox scope filter the search task will include the Primary mailbox space + the Recovery mail folder (the Dumpster)

Search-Mailbox <Source Mailbox> -TargetMailbox <Target mailbox> -TargetFolder <Target Folder> -LogLevel Full

Exclude the Recovery mail folder (dumpster) search

In case that we want to exclude the Recovery mail folder (the Dumpster) from the search, we can use the parameter SearchDumpster and set the switch to $False, for example –SearchDumpster:$False

Search-Mailbox <Source Mailbox> -TargetMailbox <Target mailbox> -TargetFolder <Target Folder> -SearchDumpster:$false -LogLevel Full

Search Dumpster Only

Search-Mailbox <Source Mailbox> -TargetMailbox <Target mailbox> -TargetFolder <Target Folder> -SearchDumpsterOnly -LogLevel Full

Archive mailbox scope

By default, in case that as specific Exchange mailbox has an archive, the archive is always searched.

To exclude the Archive from the search, use the DoNotIncludeArchive parameter

Search-Mailbox <Source Mailbox> -TargetMailbox <Target mailbox> -TargetFolder <Target Folder> -DoNotIncludeArchive -LogLevel Full

Writing advanced \ combined search filters.

An additional part that I would like to briefly, mention is the subject of defining a more advanced or more sophisticated search query that combines two or more “filter” or search conditions.

To define two or more filters, we can use the logical operators such as – “OR”, “AND” and more.

In the following diagram, we can see some example of the syntax that we use for defining a more advanced Search Query.

Example 1

Look for all mail items, that answer the following search criteria’s:

E-mail items that have attachment + in addition, the mail subject is “Test”

Search-Mailbox <Source Mailbox> -SearchQuery HasAttachment -eq $true and subject:Test -TargetMailbox <Target mailbox> -TargetFolder <Target Folder>

Example 2

Look for all mail items, that answers the following search criteria’s:

E-mail message mail items or calendar mail items or Contact

Search-Mailbox <Source Mailbox> -SearchQuery kind:email OR kind:meetings -TargetMailbox <Target mailbox> -TargetFolder <Target Folder>

Example 3

Look for all mail items, that answers the following search criteria’s:

Mail items that have the subject Test + sent from [email protected] + sent on a specific date 30/07/2017

Search-Mailbox <Source Mailbox> -SearchQuery Subject:"Test" AND From:"[email protected]" AND Sent:"30/07/2017" -TargetMailbox <Target mailbox> -TargetFolder <Target Folder>

Using the Search-Mailbox PowerShell command | Perform a search + save a copy of search results

Download Now!3 Downloads

In case you want to get more detailed information about how to use the o365info menu PowerShell script, you can read the following article

Additional reading

General information

Search-Mailbox

Search for and delete messages – Admin help

Search-Mailbox in Exchange 2013

Mailbox Search and permissions

Assign eDiscovery permissions in Exchange

Mailbox Search and Search query syntax

Keyword Query Language (KQL) syntax reference

Search-Mailbox (Exchange 2013, 2016, Online): Attributes

Exchange – Search For Keyword

Search-Mailbox and Date format

Search-Mailbox SearchQuery not working

Mailbox search and mail items deletion

Exchange Search-Mailbox Delete More Than 10,000 Items

Search for and delete messages – Admin help

Mailbox search and mail items deletion

Exchange Search-Mailbox Delete More Than 10,000 Items

Search for and delete messages – Admin help

Getting started with Office 365 PowerShell

Restore Exchange Online mailbox | Article series index

Now it’s Your Turn! It is important for us to know your opinion on this article

Implementing SPF Fail policy using Exchange Online...

Send mail to Exchange Online | Part 1#4

Directory synchronization – Links and Resou...

Reviewing the characters of Exchange Online mailbo...

Managing Mailbox Time Zone and Language setting by...

#Copy mail items #Powershell #Search mail items #Search-Mailbox

0 notes

o365info-blog · 8 years ago

Text

New Post has been published on o365info.com

New Post has been published on http://o365info.com/using-the-search-mailbox-powershell-command-introduction-part-1-5/

Using the Search-Mailbox PowerShell command - Introduction | Part 1#5

The current article series deal with a very useful and powerful PowerShell command named – Search-Mailbox . I relate to the Search-Mailbox PowerShell command as a “Swiss Knife” because we can use the Search-Mailbox PowerShell command for many types of scenarios.

Article Series table of content | Click to expand

Using the Search-Mailbox PowerShell command | Article Series

Using the Search-Mailbox PowerShell command – Introduction | Part 1#5

Using the Search-Mailbox PowerShell command | Perform a search + save a copy of search results | Part 2#5

Using the Search-Mailbox PowerShell command | Recover mail items from Recovery mail folder (the Dumpster) | Part 3#5

Search and Delete mail items from Multiple Exchange mailboxes (Bulk) using the Search-Mailbox PowerShell cmdlets | Part 4#5

Search and Delete mail items from the Exchange mailbox using the Search-Mailbox PowerShell cmdlets | Single mailbox | Part 5#5

What does the Search-Mailbox PowerShell command do?

The Search-Mailbox PowerShell command as the name suggests, serve as a tool for the Exchange administrator to perform a search in Exchange mailboxes (or multiple mailboxes) for specific mail items.

The term “mail items” relate to any type of mailbox items such as – E-mail message, calendar meeting, contact, task and so on.

The Search-Mailbox PowerShell command has four distinct and special characters. 1. The search result

Associatively, we can assume that the term “Search Results” translates into some kind of index, which list all the search findings (Log file etc.). The interesting thing about the Search-Mailbox “Search Results” is that the “Search Results” realized as a copy of the original mail items that answer our search query.

For example, if we use the Search-Mailbox PowerShell command to look for E-mail message with a specific text string in Bob’s mailbox, the Search-Mailbox PowerShell command enables us to copy the mail items that answer our query (the “Search Results”) to another store (the Target mailbox which will be discussed later).

2. The “action” that can be implemented when using Search-Mailbox

As mentioned in the former section the Search-Mailbox PowerShell command can help us to look (search) for specific mail items stored in Exchange mailbox and copy this mail item to another store (another Exchange mailbox).

An addition “action” that can be implemented by the Search-Mailbox PowerShell command is a very interesting and powerful action – Deletion of mail items (Deletion of the “Search Results”).

Besides of a new Office 365 PowerShell command named – New-ComplianceSearchAction, the Search-Mailbox PowerShell command is the only command that enables Exchange administrator to “remove” (Delete) specific mail items from Exchange mailbox or Multiple Exchange mailboxes.

Note – you can read more information about how to deleted mail items using the PowerShell command New-ComplianceSearchAction in the article – Search for and delete email messages in your Office 365 organization – Admin Help

3. he Exchange mailbox “space”

The Search-Mailbox PowerShell command enabled us to define specific “location” of the Exchange mailbox in which the search action will be implemented.

For example, we can instruct the Search-Mailbox PowerShell cmdlet to perform a search only in the special hidden mailbox folder named – the Recovery mail folder (the Dumpster) that serves as a dedicated store for Soft Deleted and Hard Deleted mail items.

4. The search query

The Search-Mailbox cmdlet enable us to define almost every possible parameter for defining our search query such as – sender, recipient, date, the type of the mail item, specific Text string and much more.

In addition, we can use a very sophisticated search query that combines many different types of filters such as – show only calendar items from a specific date that have a specific subject.

Search-Mailbox command structure

The Search-Mailbox cmdlet consists of three parts

Part A – In this part, we define the “objects” that we want to address. The object is Exchange mailbox

Part B – In this part, we define the specific characters of the search query that we need to perform. For example, search for mail items that include a specific text string.

Part C – In this part, we define the specific “action” that we want to apply to the Search Results we get from the former parts.

Search scope

The term “Search Scope” relates to the Exchange mailboxes that we “address” when we perform the search. The specific mailbox or the mailboxes defined as “Source Mailbox.”

Scenario 1 – Searching mail items | Single Exchange mailbox

In this scenario, the PowerShell command syntax is implemented as follows:

Search-Mailbox <Source Mailbox> -SearchQuery

Scenario 2 – Searching mail items | Multiple Exchange mailboxes

In this scenario, the PowerShell command syntax is implemented by “declaring” the search scope, meaning the Exchange mailboxes for which the search task will be carried out.

Then we “pipe” the Exchange mailbox group to the Search-Mailbox PowerShell command.

There many options that we can use for defining a specific “group” of Exchange mailboxes.

Example 1 – Perform Multiple mailbox search | All types of Exchange mailboxes

For example, to perform a search for mail items in all existing Exchange mailboxes, we can use the following command syntax: