Pulling data from a shared mailbox using EWS

This topic contains 5 replies, has 2 voices, and was last updated by Profile photo of Dan Potter Dan Potter 2 months, 2 weeks ago.

Viewing 6 posts - 1 through 6 (of 6 total)
  • Author
    Posts
  • #46797
    Profile photo of ertuu85
    ertuu85
    Participant

    Hello,

    I'm trying to use EWS to connect to a shared email (in this case [email protected]) and then from there it has a folder nested like...

    Inbox>Symantec>Attacked Computers

    I'm tying to pull emails from the 'Attacked Computers' folder from the shared email. If I change '$emailaccount = "[email protected]"' I can pull my emails and query inbox>SEP test but I cant seem to connect to [email protected]. It just brings up my own mailbox/folders.

    So to sum it up:

    1. How can I connect to a shared mailbox?
    2. How can I target a specific folder in the shared mailbox's inbox?

    Add-Type -Path "C:\Program Files (x86)\Microsoft\Exchange\Web Services\2.1\Microsoft.Exchange.WebServices.dll"
    
    $EmailAccount = "[email protected]"
    
    #Change the Exchange Version to work with your environment
    $EWS = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService([Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2016_SP1)
    
    #Change the “UseDefaultCredentials” to false if you want to specify alternate creds
    #$EWS.UseDefaultCredentials = $false
    
    $EWS.AutodiscoverUrl($EmailAccount)
    
    $inbox = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($ews,[Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox)
    
    #folder needs to be symantec\attacked computers
    $folderID = $inbox.FindFolders(10) | Where-Object { $_.DisplayName -eq "SEP Test"} | Select -ExpandProperty ID
    $sepfolder =  [Microsoft.Exchange.WebServices.Data.Folder]::Bind($ews,$folderID)
    $mailitems = $sepfolder.finditems(500)
    $mailitems.load()
    
    $SEPmail = $mailitems | ? {$_.conversationtopic -like "*Security Alert by Number of Attacked Computers*"}
    
    $sepmail | foreach {
    	
    	if($_.body -notmatch "Disabled Device" -and $_.body -notmatch "Tamper Protection")
    	{
    		if($_.body -match "10.255.255.10")
    		{
    			#write-host "NESSUS ATTACK $($_.datetimereceived)" -foregroundcolor "green"
    			#do stuff
    		}
    		else
    		{
    			#write-host "ATTACK! $($_.datetimereceived)" -foregroundcolor "red"
    			if($_.datetimereceived -ge [DateTime]::Today.AddDays(-1).AddHours(00) -and $_.datetimereceived -lt [DateTime]::Today.AddDays(-1).AddHours(24))
    			{
    				
    				$html = $_.body
    				
    				$smtpServer = "10.255.255.125"
    				$msg = new-object Net.Mail.MailMessage
    				$smtp = new-object Net.Mail.SmtpClient($smtpServer)
    				$msg.From = "[email protected]"
    				$msg.To.Add(@("[email protected]"))
    				$msg.Subject = "WE BEEN ATTACKED!"
    				$msg.Body = $html
    				$msg.isbodyhtml = $true
    				$smtp.Send($msg)
    				
    				
    			}
    
    		}
    	}
    }
    
    • This topic was modified 2 months, 2 weeks ago by Profile photo of ertuu85 ertuu85.
    #46808
    Profile photo of Dan Potter
    Dan Potter
    Participant

    Does it give you an error about the autodiscoverurl? Try using your own email address but the credentials for the target mb in the credentials property.

    
    $s = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService([Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2010_SP1)
    $s.Credentials = New-Object Microsoft.Exchange.WebServices.Data.WebCredentials('username', $pass, 'domain')
    $s.AutodiscoverUrl([email protected]', { $true })
    
    $inbox = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($s, [Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox)
    $incoming = $inbox.findfolders(100) | ? { $_.displayname -eq 'Incoming' }
    $incomingFolder = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($s, $incoming.id)
    $drop = $inbox.findfolders(100) | ? { $_.displayname -eq 'Processed' }
    
    $emails = $incomingfolder.FindItems(100) | ? { ($_.DateTimeReceived -gt [datetime]::today) }
    
    
    • This reply was modified 2 months, 2 weeks ago by Profile photo of Dan Potter Dan Potter.
    #46829
    Profile photo of ertuu85
    ertuu85
    Participant

    This piece of code does work from my workstation, pulls up shared email, but im unsure on how to have it select inbox>symantec>attacked computers folder

    Your code did give me an error about autodiscovery but i think it's because I don't know the password to the shared email. I share it with numerous others, we all have full permissions on the mb.

    $exchVersion = [Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2016_SP1 #Specifies the version of Exchange in use in the environment
    $exchService = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService($exchVersion) #connects to the Exchange service
    
    $exchService.Url = "https://portal.domain.com/EWS/Exchange.asmx" #the url used to find the connection information for the shared mailbox
    
    $mb = New-Object Microsoft.Exchange.WebServices.Data.Mailbox("[email protected]") #specifies which mailbox EWS should connect to
    $folder = New-Object Microsoft.Exchange.WebServices.Data.FolderId([Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox, $mb) #specifies which folder in the the mailbox EWS should connect to
    $view = New-Object Microsoft.Exchange.WebServices.Data.ItemView("10") #speficies how many objects to return when the search is ran
    $searchFilters = New-Object Microsoft.Exchange.WebServices.Data.SearchFilter+ContainsSubstring([Microsoft.Exchange.WebServices.Data.ContactSchema]::InternetMessageHeaders, "ironport") #searches for all emails sent from Johnathan
    
    $list = $exchService.FindItems($folder, $searchFilters, $view) #searches the mailbox, using the specified filter and view
    
    #46867
    Profile photo of Dan Potter
    Dan Potter
    Participant

    Use the findfolders method and then bind to that folder.

    #46958
    Profile photo of ertuu85
    ertuu85
    Participant
    $folder = New-Object Microsoft.Exchange.WebServices.Data.FolderId([Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox, $mb) #specifies which folder in the the mailbox EWS should connect to
    
    $folder | gm
    
       TypeName: Microsoft.Exchange.WebServices.Data.FolderId
    
    Name               MemberType Definition
    ----               ---------- ----------
    Equals             Method     bool Equals(System.Object obj)
    GetHashCode        Method     int GetHashCode()
    GetType            Method     type GetType()
    SameIdAndChangeKey Method     bool SameIdAndChangeKey(Microsoft.Exchange.WebServices.Data.ServiceId other)
    ToString           Method     string ToString()
    ChangeKey          Property   string ChangeKey {get;}
    FolderName         Property   System.Nullable[Microsoft.Exchange.WebServices.Data.WellKnownFolderName] FolderName {g...
    Mailbox            Property   Microsoft.Exchange.WebServices.Data.Mailbox Mailbox {get;}
    UniqueId           Property   string UniqueId {get;}
    

    I dont see the findfolders() method on this one ;/

    #46960
    Profile photo of Dan Potter
    Dan Potter
    Participant
    $s = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService([Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2010_SP1)
    $inbox = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($s, [Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox)
    $incoming = $inbox.findfolders(100) | ? { $_.displayname -eq 'foldername' }
    
    
Viewing 6 posts - 1 through 6 (of 6 total)

You must be logged in to reply to this topic.