Content Search – Security And Compliance – Search A Mailbox For Specific Content And Then Export Results

If you’re doing some compliance investigation work, you may need to search a user’s mailbox for specific words.

This is how To Search Email Content in Office 365 Security & Compliance for a specific user which sent email containing a specific word then export results.

Reference guides – Content search

Microsoft Docs Content Search

Microsoft Docs Export Search

Content Search : How to search a mailbox for specific keywords and export the data

Mircosoft 365 Admin Center -> Compliance Admin Center

Content Search > + New Search

New Search > Keywords “Blog” example > Specific Locations > Modify > Choose Users, Groups or Teams

Enter users name > Select > Choose

Done > Save > Save & Run > Save Search

This search will trigger a default alert email to be sent out

Next step, Export the results

Unable to preview results problem or export?

If you cannot preview, you need to add a role to the user account, eDiscovery Administrator role (Example) or eDiscovery Manager for specific cases / Compliance Admin / Compliance Data Administrator

You must sign out and sign in for the groups to take effect.

Now back to the search

After the you can see the preview, now you can click Export

Click Export > ReportsOnly or Export > Copy to clipboard export key > Download report > Install eDiscovery Export Tool

Export tool installs

Use the Export Key and Set a directory. 

File Downloads

Now you can open the report exported

MS-101: Microsoft 365 Mobility and Security – EXAM PASSED!!!

MS-101: Microsoft 365 Mobility and Security

EXAM PASSED!!!

#MS365 #Security #365Security #CertifiedProfessional #CloudSecurity #CloudFamily #CyberSecurity #Microsoft365 #MicrosoftCloud #Microsoft #alwaysbelearning #MS101 #EXAM #PASSED 

Outlook Credentials Flashing and Closing Constantly

Challenge : Outlook would connect to one MS365 mailbox but then started constantly flashing for authentication for the disconnected Hotmail mailbox, but the credentials window disappears before being able to click on the box to enter a password.

Cause : Unknown ? Clash of accounts? Glitch in the Matrix?

Solution : More of a workaround solution.

  • Close Outlook
  • Open Word > Create a blank document
  • File > Account > Sign Out

  • Then click sign in, Username and Password prompts. Log in and authenticate.
  • Close Word
  • Open Outlook and everything worked as normal.

“Encrypt” option in Outlook Error

Licenses and Limitations of Encryption and Exchange Online in you Microsoft 365 subscription.

Example Send a New message and there is an “Encrypt” button. Great feature but is there a gotcha you need to configure or another license version you require?

Slightly frustrating a button exists even if its not configured and gives your end users and error message.

“Your machine isn’t set up for Information Rights Management (IRM). To set up IRM, sign in to Office, open and existing IRM protected message or document, or contact your help desk.”

Reason

You created and new message in Outlook, clicked options, Encrypt, and Connect to Rights Management Servers and get templates

Solution

You received this message because RMS isn’t setup in your Microsoft 365 tenancy. Azure Information Protection is only included with certain licenses in Office 365. See License Data Sheet.

OME stands for Office 365 Message Encryption (OME).

OME is offered as part of “Office 365 Enterprise E3 and E5, Microsoft Enterprise E3 and E5, Microsoft 365 Business Premium, Office 365 A1, A3, and A5, and Office 365 Government G3 and G5.”

Microsoft provide this guide to choosing your activation method.

EXO V2 Module – Microsoft 365 Exchange Online – PowerShell Module

EXO v2 Exchange Online PowerShell Module download here

Some PowerShell commands to help you manage your Microsof 365 Exchange. 

More information on the Microsoft Site here

How to load the EXO v2 Module

Run PowerShell ( I used the ISE) as Administrator    (+ be connected to the Internet)

Install-Module -Name ExchangeOnlineManagement    #Execute this command

You will need to say “Yes to All” on Trust the repository prompt (Well that’s what I needed to do)

How do you connect to Exchange Online

Connect-ExchangeOnline -EnableErrorReporting -LogDirectoryPath C:\temp\logs –LogLevel All

Enter your tenancy credentials

(This will work and prompt for MFA enabled accounts.)

Example EXO V2 PowerShell Commands

Example 1 – Return Mailbox details for a specific user command (Settings you might see in Active Directory)

Get-EXOMailbox -Identity <ENTER EMAIL ADDRESS HERE> -Properties DisplayName,EmailAddresses,Alias

Example 2 – Return Mailbox details for a specific user command ( Settings like MAPI & POP status, Email Addresses)

Get-EXOCASMailbox -Identity “< ENTER EMAIL ADDRESS HERE >” 

Example 3 – Check User Permissions

Get-EXOMailboxPermission -Identity “< ENTER EMAIL ADDRESS HERE >”


Example 4 – What Devices have accessed the mailbox.

This showed multiple devices and which supported remote wipe. If you are reviewing security footprint and what devices have access corporate email, this is a good starting point.

Get-EXOMobileDeviceStatistics -Mailbox “< ENTER EMAIL ADDRESS HERE >” -ActiveSync


Then finally how to Disconnect

DisConnect-ExchangeOnline

Then select “Yes to All”

Disconnected Successfully

Office 365 – Anti Malware Policy/ Mail Flow rule – Detected PS1 file – Email Attachment

A good starting point for this exercise was to find the Microsoft Post on Mail Flow rules to inspect message attachments. Available here. There is also a good reference page on common blocking scenarios.

Recently some of our users received received PS1 files as attachments. We wanted to raise awareness to our users about PS1 files by adding an additional disclaimer in emails received with PS1 attached file types.

If you try to send a PS1 file as an attachment, you will often get a notification, but it allows you to send the email.

Users of Outlook might receive the email still and be notified of a potentially unsafe attachment. Which is good. But what if they weren’t using Outlook?

Web Mail “Outlook” will give you a “No Entry” sign

Challenge : How do we create a mail flow rule to add a disclaimer to inbound emails with PS1 files attached?

How to Guide : Create Mail Flow Rules

Start in “Microsoft 365 Admin Center” and browse to “Exchange” Admin Center

You can created new rules by selecting “Mail Flow” > “Rules” > “+”> “Create a new rule”

This example Appends the Disclaimer when a PS1 file is recieved

Additional options (Optional)

Rule is configured

.. Test Mail example sent to a Microsoft 365 Exchange Mail box – Disclaimer added. See example screen shot below.

Office 365 – Alert Policy – Detected Malware in File – OneDrive or SharePoint

Security and Compliance Admin Center in Office 365 you can create alert policys.

Todays challenge was to setup an Alert Policy so an admin is notifed if a user adds a file to OneDrive or SharePoint containing Malware.

Start in “Office 365 Security & Compliance > Alerts Dashboard > New Alert Policy

I started by creating an Alert, selecting Threat Management & High Severity

Set the Trigger “Detected malware in file”

Select the Admins to be notified. I set a daily limit notification limit of 5 so I’m not get overloaded with the same alert.

Then “Finish” you have the option to turn the policy on or off

View “Alert polices”

Enhance Security : Enforce Mobile Devices to Use Encryption and Password Policy connecting to Exchange Online (O365)

Features available to improve security with mobile devices by using encryption and a password policy when connecting to Exchange Online (O365). Anyone who has been a Active Directory Admin will by default expect to configure additional security, the same logic should apply for the Office 365 admin / Exchange Online Admin.

How to configure, start in Exchange Admin Center

Browse “Mobile” and edit the “Default”

To apply additional security settings to mobile services by default. I’ve highlighted some more restrictive settings to configure from the default.

  • Require Password
  • Require an Alphanumeric Password
  • Require Encryption
  • Min Password Length
  • Wipe Device on Sign-In Failures
  • Sign In time
  • Password Lifetime and Recycle Count