Just a quick post today on a recent script I had to put together.
The message trace feature within Exchange Online works pretty well but can be a challenge if you want to search based on a particular email subject. In a scenario where you want to know who received an email or a set of emails, you have to employ some tricks to be able to query large amounts of logs.
The script below allows you to search on a subject or variants of a subject going back X number of days. The output is logged to a CSV file showing the details of the trace log entry.
Some of the code in this script was inspired by the example at “Praveen’s Blog”.
Using The Script
The script takes three command line switches and all are mandatory. The parameters are as follows:
Number of days back to search.
Subject of message to search.
Name of CSV file to populate with results.
In the scenario where you’re looking for something like a phishing campaign, you might know that the emails all come through with a unique but patterned subject. So you may have subjects like “Invoice TUINV65988 from Tip Top Delivery” and “Invoice HXINV44152 from Tip Top Delivery” where the only difference is the “invoice” number. Using the asterisk in your subject line will allow you to search for variants.
So using the following would search 5 days back for an email with the subject “*Invoice*Tip Top*” and save the results in c:\scripts\output.csv:
.\Get-MessageTraceBySubject.ps1 -Days 5 -Subject "*Invoice*Tip Top*"
During the query, which can take an extended amount of time, you can see in the progress bar what date range is currently being evaluated. Messages are evaluated in batches of 5,000 per query.
The Get-MessageTrace cmdlet returns a maximum of 5,000 results per query unless you use paging, in which case you can retrieve up to 1,000 pages of 5,000 results each. So the theoretical limit on this query is 5,000,000 entries.
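To show how the paging described above fits together with a client-side subject match, here is an added example written for this post; it is not the author's Get-MessageTraceBySubject.ps1 and the parameter names (-Days, -Subject, -OutputCsv) are my own choice. It assumes an existing Exchange Online session (for instance from Connect-ExchangeOnline in the ExchangeOnlineManagement module). Get-MessageTrace has no -Subject parameter, so the wildcard match is applied to the returned objects with -like, and because the cmdlet only covers roughly the last 10 days of mail flow the day count is kept within that window.

```powershell
# Added example, not the script from the post.
# Pages through Get-MessageTrace one day at a time, matches the subject with a
# wildcard on the client side, and appends the hits to a CSV file.
param(
    [Parameter(Mandatory = $true)][ValidateRange(1, 10)][int]$Days,   # Get-MessageTrace only covers ~10 days
    [Parameter(Mandatory = $true)][string]$Subject,                  # wildcard pattern, e.g. "*Invoice*Tip Top*"
    [Parameter(Mandatory = $true)][string]$OutputCsv                 # path of the CSV to write
)

$pageSize = 5000   # maximum rows Get-MessageTrace returns per page
$maxPages = 1000   # highest page number the cmdlet accepts

$end   = Get-Date
$start = $end.AddDays(-$Days)
$total = 0

# One-day windows keep a busy tenant from exhausting the 1,000-page limit in a single query range.
for ($dayOffset = 0; $dayOffset -lt $Days; $dayOffset++) {
    $windowStart = $start.AddDays($dayOffset)
    $windowEnd   = $windowStart.AddDays(1)
    if ($windowEnd -gt $end) { $windowEnd = $end }

    Write-Progress -Activity "Message trace by subject" `
        -Status ("{0:yyyy-MM-dd HH:mm} to {1:yyyy-MM-dd HH:mm}" -f $windowStart, $windowEnd) `
        -PercentComplete ([int](100 * $dayOffset / $Days))

    for ($page = 1; $page -le $maxPages; $page++) {
        $batch = Get-MessageTrace -StartDate $windowStart -EndDate $windowEnd `
                                  -PageSize $pageSize -Page $page
        if (-not $batch) { break }   # no rows left in this window

        # Subject filtering happens here, on the returned trace entries.
        $hits = @($batch | Where-Object { $_.Subject -like $Subject })
        if ($hits.Count -gt 0) {
            $hits |
                Select-Object Received, SenderAddress, RecipientAddress, Subject, Status, FromIP, ToIP, Size, MessageTraceId |
                Export-Csv -Path $OutputCsv -NoTypeInformation -Append
            $total += $hits.Count
        }

        # A short page means this window has been fully read.
        if (@($batch).Count -lt $pageSize) { break }
    }
}

Write-Progress -Activity "Message trace by subject" -Completed
Write-Host "Wrote $total matching trace entries to $OutputCsv"
```

Run it as `.\Trace-BySubject.ps1 -Days 5 -Subject "*Invoice*Tip Top*" -OutputCsv c:\scripts\output.csv` (the script name is also assumed). The per-page break on a short batch is what keeps a quiet window from issuing 1,000 empty queries, and splitting the range into days is what keeps a noisy window from silently truncating at 5,000,000 rows.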
The script for this post can be found in the Microsoft Script Center at the following link: Get-MessageTraceBySubject.ps1
Did you find this article helpful?
Leave a comment below or follow me on Twitter (@JoePalarchio) for additional posts and information on Office 365.
Looking to do some more reading on Office 365?
Catch up on my past articles here: Joe Palarchio.