Pulling data from a shared mailbox using EWS

This topic contains 5 replies, has 2 voices, and was last updated by  Dan Potter 1 year, 2 months ago.

  • Author
    Posts
  • #46797

    ertuu85
    Participant

    Hello,

    I'm trying to use EWS to connect to a shared email (in this case shared@domain.com) and then from there it has a folder nested like...

    Inbox>Symantec>Attacked Computers

    I'm tying to pull emails from the 'Attacked Computers' folder from the shared email. If I change '$emailaccount = "me@domain.com"' I can pull my emails and query inbox>SEP test but I cant seem to connect to shared@domain.com. It just brings up my own mailbox/folders.

    So to sum it up:

    1. How can I connect to a shared mailbox?
    2. How can I target a specific folder in the shared mailbox's inbox?

    Add-Type -Path "C:\Program Files (x86)\Microsoft\Exchange\Web Services\2.1\Microsoft.Exchange.WebServices.dll"
    
    $EmailAccount = "shared@domain.com"
    
    #Change the Exchange Version to work with your environment
    $EWS = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService([Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2016_SP1)
    
    #Change the “UseDefaultCredentials” to false if you want to specify alternate creds
    #$EWS.UseDefaultCredentials = $false
    
    $EWS.AutodiscoverUrl($EmailAccount)
    
    $inbox = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($ews,[Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox)
    
    #folder needs to be symantec\attacked computers
    $folderID = $inbox.FindFolders(10) | Where-Object { $_.DisplayName -eq "SEP Test"} | Select -ExpandProperty ID
    $sepfolder =  [Microsoft.Exchange.WebServices.Data.Folder]::Bind($ews,$folderID)
    $mailitems = $sepfolder.finditems(500)
    $mailitems.load()
    
    $SEPmail = $mailitems | ? {$_.conversationtopic -like "*Security Alert by Number of Attacked Computers*"}
    
    $sepmail | foreach {
    	
    	if($_.body -notmatch "Disabled Device" -and $_.body -notmatch "Tamper Protection")
    	{
    		if($_.body -match "10.255.255.10")
    		{
    			#write-host "NESSUS ATTACK $($_.datetimereceived)" -foregroundcolor "green"
    			#do stuff
    		}
    		else
    		{
    			#write-host "ATTACK! $($_.datetimereceived)" -foregroundcolor "red"
    			if($_.datetimereceived -ge [DateTime]::Today.AddDays(-1).AddHours(00) -and $_.datetimereceived -lt [DateTime]::Today.AddDays(-1).AddHours(24))
    			{
    				
    				$html = $_.body
    				
    				$smtpServer = "10.255.255.125"
    				$msg = new-object Net.Mail.MailMessage
    				$smtp = new-object Net.Mail.SmtpClient($smtpServer)
    				$msg.From = "SEPattack@domain.com"
    				$msg.To.Add(@("shared@domain.com"))
    				$msg.Subject = "WE BEEN ATTACKED!"
    				$msg.Body = $html
    				$msg.isbodyhtml = $true
    				$smtp.Send($msg)
    				
    				
    			}
    
    		}
    	}
    }
    
    • This topic was modified 1 year, 2 months ago by  ertuu85.
  • #46808

    Dan Potter
    Participant

    Does it give you an error about the autodiscoverurl? Try using your own email address but the credentials for the target mb in the credentials property.

    
    $s = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService([Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2010_SP1)
    $s.Credentials = New-Object Microsoft.Exchange.WebServices.Data.WebCredentials('username', $pass, 'domain')
    $s.AutodiscoverUrl('someone@somewhere.com', { $true })
    
    $inbox = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($s, [Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox)
    $incoming = $inbox.findfolders(100) | ? { $_.displayname -eq 'Incoming' }
    $incomingFolder = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($s, $incoming.id)
    $drop = $inbox.findfolders(100) | ? { $_.displayname -eq 'Processed' }
    
    $emails = $incomingfolder.FindItems(100) | ? { ($_.DateTimeReceived -gt [datetime]::today) }
    
    
    • This reply was modified 1 year, 2 months ago by  Dan Potter.
  • #46829

    ertuu85
    Participant

    This piece of code does work from my workstation, pulls up shared email, but im unsure on how to have it select inbox>symantec>attacked computers folder

    Your code did give me an error about autodiscovery but i think it's because I don't know the password to the shared email. I share it with numerous others, we all have full permissions on the mb.

    $exchVersion = [Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2016_SP1 #Specifies the version of Exchange in use in the environment
    $exchService = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService($exchVersion) #connects to the Exchange service
    
    $exchService.Url = "https://portal.domain.com/EWS/Exchange.asmx" #the url used to find the connection information for the shared mailbox
    
    $mb = New-Object Microsoft.Exchange.WebServices.Data.Mailbox("support@domain.com") #specifies which mailbox EWS should connect to
    $folder = New-Object Microsoft.Exchange.WebServices.Data.FolderId([Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox, $mb) #specifies which folder in the the mailbox EWS should connect to
    $view = New-Object Microsoft.Exchange.WebServices.Data.ItemView("10") #speficies how many objects to return when the search is ran
    $searchFilters = New-Object Microsoft.Exchange.WebServices.Data.SearchFilter+ContainsSubstring([Microsoft.Exchange.WebServices.Data.ContactSchema]::InternetMessageHeaders, "ironport") #searches for all emails sent from Johnathan
    
    $list = $exchService.FindItems($folder, $searchFilters, $view) #searches the mailbox, using the specified filter and view
    
  • #46867

    Dan Potter
    Participant

    Use the findfolders method and then bind to that folder.

  • #46958

    ertuu85
    Participant
    $folder = New-Object Microsoft.Exchange.WebServices.Data.FolderId([Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox, $mb) #specifies which folder in the the mailbox EWS should connect to
    
    $folder | gm
    
       TypeName: Microsoft.Exchange.WebServices.Data.FolderId
    
    Name               MemberType Definition
    ----               ---------- ----------
    Equals             Method     bool Equals(System.Object obj)
    GetHashCode        Method     int GetHashCode()
    GetType            Method     type GetType()
    SameIdAndChangeKey Method     bool SameIdAndChangeKey(Microsoft.Exchange.WebServices.Data.ServiceId other)
    ToString           Method     string ToString()
    ChangeKey          Property   string ChangeKey {get;}
    FolderName         Property   System.Nullable[Microsoft.Exchange.WebServices.Data.WellKnownFolderName] FolderName {g...
    Mailbox            Property   Microsoft.Exchange.WebServices.Data.Mailbox Mailbox {get;}
    UniqueId           Property   string UniqueId {get;}
    

    I dont see the findfolders() method on this one ;/

  • #46960

    Dan Potter
    Participant
    $s = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService([Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2010_SP1)
    $inbox = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($s, [Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox)
    $incoming = $inbox.findfolders(100) | ? { $_.displayname -eq 'foldername' }
    
    

You must be logged in to reply to this topic.