Enhance Exchange Email Monitoring Using PowerShell

For all Microsoft 365 users, Outlook serves as a central hub for connectivity to the exchange of ideas, information, and more. Yet, this platform helps for bustling activity and visible interactions, there is a crucial need for Exchange email monitoring to safeguard from cyber threats.

Monitoring emails through mail flow reports needs navigation to multiple admin portals like Microsoft 365 admin center, Exchange admin center, Security and Compliance center, etc. To avoid such navigations, admins can prefer using PowerShell. In addition to this, PowerShell also offers the advantages to customize email monitoring with advanced filters.

Without any further delay, let’s get into Exchange Online email monitoring using PowerShell to ensure the email security of Microsoft Outlook mailboxes.

The following list gives major benefits of Exchange Online monitoring in Microsoft 365.

• Fetches the summary on Exchange emails landing in the wrong hands.
• Safeguard your Microsoft 365 organization from spam, phishing, and malware attacks.
• Reveals the reasons why someone is following your organization through the mail.

Secure your organization’s communication gateway by keeping a vigilant eye on email activities.

You can utilize any of the provided methods to monitor email activity in Exchange Online based on your specific requirements.

• Get Microsoft 365 Mail Traffic Report Using PowerShell
• Find Who Sent Email from Delegated Mailbox Using PowerShell
• Find Inbox Rules with External User Forwarding
• Find Who Sent Email from Shared Mailbox Using PowerShell
• Export Exchange Online Spam, Malware, and Phishing Mails
• Enable External Tagging in Exchange Online with PowerShell
• Track Emails with Microsoft 365 Message Trace Using PowerShell

Note: The below scripts automatically connect to the required module, but when executing specific cmdlets, you must connect to the Exchange Online PowerShell module.

A Microsoft 365 admin can use the “Get-MailTrafficSummaryReport” PowerShell cmdlet to know about the mail flow summary among the users. The results obtained from the summary can allow admins to get to know about the inbound and outbound traffic status of mail among Microsoft 365 members.

Get-MailTrafficSummaryReport –Category TopMailRecipient | Select C1,C2

The above cmdlet displays only the top mail senders between the specified date, but using this with several filters retrieves details on the number of emails sent and received by users in Microsoft 365.

To get a more detailed summary, you can refer to the Exchange mail traffic report script which has 5+ email statistics reports like emails sent, emails received, spam received, and malware received count.

Sample Output of Mailbox Traffic Report Script

Users in your organization can send messages from another user’s mailbox using “SendAs” or “SendOnBehalf” permissions, if they’ve been granted delegated access. In case of any suspicious emails, it is essential for Microsoft 365 admins to know the actual sender for further investigations.

The below sample cmdlet “Search-UnifiedAuditLog” can partially retrieve the audit data of emails sent using the “SendAs” or “SendOnBehalf” delegated permission.

Search-UnifiedAuditLog -StartDate 02/18/2023 -EndDate 08/18/2023 -Operations SendOnBehalf, SendAs |ft

To overcome the situations with filters and partial data, refer Send As audit email script to get the mails sent using the “Send As” permission. Using the script, you can generate reports for custom periods and export them as a CSV file.

Sample Output of Send As Audit Email Script

In a Microsoft 365 organization, it is essential to be aware of external email forwarding to avoid data breaches. The “Get-InboxRule” cmdlet can be used to know the inbox rules configured with the mailboxes in your Microsoft 365.

Get-InboxRule -Mailbox [email protected]

This cmdlet gives the data about the inbox rules configured with the particular Exchange Online mailbox. To get only the inbox rule that forwards mail to external organizations use the external forwarding with inbox rules script. Also, the script helps to filter out forwarding rules that forward emails to external users by excluding guest accounts.

Sample Output of External Forwarding with Inbox Rules Script

You can also list all Outlook Mailboxes that forward mails to a specific user by using PowerShell.

The “Search-UnifiedAuditLog” cmdlet assists in determining the sender of an email from a shared mailbox, though it’s challenging and cannot be directly retrieved.

To address this challenge, you can delve into the PowerShell script written with filters to identify who sent emails from shared mailboxes. The script can extract email-sent activities from your organization’s shared mailboxes.

Sample Output of “Find Who Sent Email from Shared Mailbox” Script

Protecting the Exchange Online environment from threats is the first and foremost duty of every Microsoft 365 admin. To get such email details that are blocked by Exchange Online protection or marked as junk, you can use the PowerShell cmdlet “Get-MailDetailATPReport”.

$SpamEventTypes ="Advanced filter", "General filter" 
Get-MailDetailATPReport -StartDate 08/11/2023 -EndDate 08/18/2023 -Direction Inbound -PageSize 5000 -EventType $SpamEventTypes

The about cmdlet only retrieves incoming mails which are get filtered by the general or advanced filters. Yet, obtaining the intended report may pose complexity as it involves applying multiple filters and managing diverse parameter attributes within the cmdlet.

To simplify this process, export the spam and malware emails script to obtain comprehensive reports. This script also generates 9 types of reports to identify the incoming, outgoing, and intra-organizational threat emails.

Sample Output of Spam and Malware Emails Script

External tags in Exchange Online can alert the user from clicking malicious links or phishing emails sent by external senders. To enable this in your organization you can use the cmdlet “Set-ExternalInOutlook” with the “Enabled” Parameter as described below.

Set-ExternalInOutlook –Enabled $true 

PowerShell can be used to get know about the mail delivery status of the mails whether it is received, rejected, delivered, or quarantined. Admins can use the “Get-MessageTrace” cmdlet to trace Exchange Online emails as mentioned below.

Get-MessageTrace –SenderAddress [email protected] -StartDate 08/08/2023 -EndDate 08/18/2023

This cmdlet retrieves the mail delivery status for the emails sent from John between the specified date.

Note: The start date can’t be older than 10 days from the date of execution.

While the PowerShell strategies provide extensive email monitoring insights, they can be cumbersome for admins. To overcome this limitation, AdminDroid offers the power of Microsoft 365 granular reporting with few clicks.

The AdminDroid Exchange Online reporting tool offers 100+ extensive reports into Microsoft 365 mailboxes. These include the following major reports collection which have advanced graphics and vivid charts.

• Mailbox usage reports
• Archived and inactive mailboxes
• Exchange mailbox settings reports
• Mailbox permission summary
• EXO mailbox with forwarding
• Mailbox with inbox rules reports

In addition to reporting, Exchange Online auditing furnishes 65+ audit reports on Microsoft 365 mailbox actions, mailbox access permissions, mailbox configurations, etc. Additionally, the Exchange Online dashboard provides enriched data, enhancing your comprehension of Microsoft 365 mailboxes.

Moreover, the Exchange Online management tool delivers 170+ reports for monitoring, scheduling, and receiving alerts regarding suspicious email activities.

AdminDroid Microsoft 365 reporting tool also gives inclusive reports for other services like Teams, Azure AD, SharePoint, Yammer, Power BI, and more. Get access to a vast array of over 1800 comprehensive reports and enjoy 30+ visually captivating dashboards. Plunge into the depths of your Microsoft 365 environment with features spanning reporting, auditing, analytics, usage statistics, security, and compliance.

Experience the difference today by downloading the Office 365 reporting tool from AdminDroid and witness the impact firsthand.

Overall, I hope that the blog has provided you with the importance and the methods for Exchange Online email monitoring. Don’t hesitate to leave your thoughts in the comments section. We are always happy to welcome your queries!