Pulling data from a shared mailbox using EWS

This topic contains 5 replies, has 2 voices, and was last updated by  Dan Potter 1 year, 10 months ago.

  • Author
  • #46797



    I'm trying to use EWS to connect to a shared email (in this case shared@domain.com) and then from there it has a folder nested like...

    Inbox>Symantec>Attacked Computers

    I'm tying to pull emails from the 'Attacked Computers' folder from the shared email. If I change '$emailaccount = "me@domain.com"' I can pull my emails and query inbox>SEP test but I cant seem to connect to shared@domain.com. It just brings up my own mailbox/folders.

    So to sum it up:

    1. How can I connect to a shared mailbox?
    2. How can I target a specific folder in the shared mailbox's inbox?

    Add-Type -Path "C:\Program Files (x86)\Microsoft\Exchange\Web Services\2.1\Microsoft.Exchange.WebServices.dll"
    $EmailAccount = "shared@domain.com"
    #Change the Exchange Version to work with your environment
    $EWS = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService([Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2016_SP1)
    #Change the “UseDefaultCredentials” to false if you want to specify alternate creds
    #$EWS.UseDefaultCredentials = $false
    $inbox = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($ews,[Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox)
    #folder needs to be symantec\attacked computers
    $folderID = $inbox.FindFolders(10) | Where-Object { $_.DisplayName -eq "SEP Test"} | Select -ExpandProperty ID
    $sepfolder =  [Microsoft.Exchange.WebServices.Data.Folder]::Bind($ews,$folderID)
    $mailitems = $sepfolder.finditems(500)
    $SEPmail = $mailitems | ? {$_.conversationtopic -like "*Security Alert by Number of Attacked Computers*"}
    $sepmail | foreach {
    	if($_.body -notmatch "Disabled Device" -and $_.body -notmatch "Tamper Protection")
    		if($_.body -match "")
    			#write-host "NESSUS ATTACK $($_.datetimereceived)" -foregroundcolor "green"
    			#do stuff
    			#write-host "ATTACK! $($_.datetimereceived)" -foregroundcolor "red"
    			if($_.datetimereceived -ge [DateTime]::Today.AddDays(-1).AddHours(00) -and $_.datetimereceived -lt [DateTime]::Today.AddDays(-1).AddHours(24))
    				$html = $_.body
    				$smtpServer = ""
    				$msg = new-object Net.Mail.MailMessage
    				$smtp = new-object Net.Mail.SmtpClient($smtpServer)
    				$msg.From = "SEPattack@domain.com"
    				$msg.Subject = "WE BEEN ATTACKED!"
    				$msg.Body = $html
    				$msg.isbodyhtml = $true
    • This topic was modified 1 year, 10 months ago by  ertuu85.
  • #46808

    Dan Potter

    Does it give you an error about the autodiscoverurl? Try using your own email address but the credentials for the target mb in the credentials property.

    $s = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService([Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2010_SP1)
    $s.Credentials = New-Object Microsoft.Exchange.WebServices.Data.WebCredentials('username', $pass, 'domain')
    $s.AutodiscoverUrl('someone@somewhere.com', { $true })
    $inbox = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($s, [Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox)
    $incoming = $inbox.findfolders(100) | ? { $_.displayname -eq 'Incoming' }
    $incomingFolder = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($s, $incoming.id)
    $drop = $inbox.findfolders(100) | ? { $_.displayname -eq 'Processed' }
    $emails = $incomingfolder.FindItems(100) | ? { ($_.DateTimeReceived -gt [datetime]::today) }
    • This reply was modified 1 year, 10 months ago by  Dan Potter.
  • #46829


    This piece of code does work from my workstation, pulls up shared email, but im unsure on how to have it select inbox>symantec>attacked computers folder

    Your code did give me an error about autodiscovery but i think it's because I don't know the password to the shared email. I share it with numerous others, we all have full permissions on the mb.

    $exchVersion = [Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2016_SP1 #Specifies the version of Exchange in use in the environment
    $exchService = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService($exchVersion) #connects to the Exchange service
    $exchService.Url = "https://portal.domain.com/EWS/Exchange.asmx" #the url used to find the connection information for the shared mailbox
    $mb = New-Object Microsoft.Exchange.WebServices.Data.Mailbox("support@domain.com") #specifies which mailbox EWS should connect to
    $folder = New-Object Microsoft.Exchange.WebServices.Data.FolderId([Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox, $mb) #specifies which folder in the the mailbox EWS should connect to
    $view = New-Object Microsoft.Exchange.WebServices.Data.ItemView("10") #speficies how many objects to return when the search is ran
    $searchFilters = New-Object Microsoft.Exchange.WebServices.Data.SearchFilter+ContainsSubstring([Microsoft.Exchange.WebServices.Data.ContactSchema]::InternetMessageHeaders, "ironport") #searches for all emails sent from Johnathan
    $list = $exchService.FindItems($folder, $searchFilters, $view) #searches the mailbox, using the specified filter and view
  • #46867

    Dan Potter

    Use the findfolders method and then bind to that folder.

  • #46958

    $folder = New-Object Microsoft.Exchange.WebServices.Data.FolderId([Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox, $mb) #specifies which folder in the the mailbox EWS should connect to
    $folder | gm
       TypeName: Microsoft.Exchange.WebServices.Data.FolderId
    Name               MemberType Definition
    ----               ---------- ----------
    Equals             Method     bool Equals(System.Object obj)
    GetHashCode        Method     int GetHashCode()
    GetType            Method     type GetType()
    SameIdAndChangeKey Method     bool SameIdAndChangeKey(Microsoft.Exchange.WebServices.Data.ServiceId other)
    ToString           Method     string ToString()
    ChangeKey          Property   string ChangeKey {get;}
    FolderName         Property   System.Nullable[Microsoft.Exchange.WebServices.Data.WellKnownFolderName] FolderName {g...
    Mailbox            Property   Microsoft.Exchange.WebServices.Data.Mailbox Mailbox {get;}
    UniqueId           Property   string UniqueId {get;}

    I dont see the findfolders() method on this one ;/

  • #46960

    Dan Potter
    $s = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService([Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2010_SP1)
    $inbox = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($s, [Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox)
    $incoming = $inbox.findfolders(100) | ? { $_.displayname -eq 'foldername' }

You must be logged in to reply to this topic.