Scripts/Get-MailItemsAccessed.ps1
Function Get-Sessions { <# .SYNOPSIS Find SessionID(s) in the Audit Log. .DESCRIPTION Find SessionID(s) in the Audit Log. You can filter based on IP address or Username. The first step is to identify what sessions belong to the threat actor. With this information you can go to the next step and find the MessageID(s) belonging to those sessions. Output is saved in: Output\MailItemsAccessed\ .PARAMETER UserIds The unique identifier of the user. .PARAMETER StartDate startDate is the parameter specifying the start date of the date range. .PARAMETER EndDate endDate is the parameter specifying the end date of the date range. .PARAMETER IP The IP address parameter is used to filter the logs by specifying the desired IP address. .PARAMETER OutputDir outputDir is the parameter specifying the output directory. Default: Output\MailItemsAccessed .PARAMETER LogLevel Specifies the level of logging: None: No logging Minimal: Critical errors only Standard: Normal operational logging Default: Standard .PARAMETER Encoding Encoding is the parameter specifying the encoding of the CSV output file. Default: UTF8 .PARAMETER Output "Y" or "N" to specify whether the output should be saved to a file. Default: Y .EXAMPLE Get-Sessions -StartDate 1/4/2024 -EndDate 5/4/2024 Collects all sessions for all users between 1/4/2024 and 5/4/2024. .EXAMPLE Get-Sessions -StartDate 1/4/2024 -EndDate 5/4/2024 -UserIds HR@invictus-ir.com Collects all sessions for the user HR@invictus-ir.com. #> [CmdletBinding()] param( [Parameter(Mandatory=$true)]$StartDate, [Parameter(Mandatory=$true)]$EndDate, [string]$OutputDir = "Output\MailItemsAccessed", [string]$UserIds, [string]$IP, [string]$Encoding = "UTF8", [string]$Output = "Yes", [ValidateSet('None', 'Minimal', 'Standard')] [string]$LogLevel = 'Standard' ) Set-LogLevel -Level ([LogLevel]::$LogLevel) $summary = @{ TotalEvents = 0 UniqueSessions = @{} OperationCount = 0 StartTime = Get-Date ProcessingTime = $null QueryType = "All Events" } if (!(test-path $OutputDir)) { New-Item -ItemType Directory -Force -Name $OutputDir > $null write-logFile -Message "[INFO] Creating the following directory: $OutputDir" } else { if (!(Test-Path -Path $OutputDir)) { Write-Error "[Error] Custom directory invalid: $OutputDir exiting script" -ErrorAction Stop Write-LogFile -Message "[Error] Custom directory invalid: $OutputDir" -Level Minimal } } if ($UserIds -and $IP) { $summary.QueryType = "User and IP Filter" } elseif ($UserIds) { $summary.QueryType = "User Filter" } elseif ($IP) { $summary.QueryType = "IP Filter" } Write-LogFile -Message "=== Starting Session Collection ===" -Color "Cyan" -Level Minimal if ($UserIds -And !$IP){ try { $amountResults = (Search-UnifiedAuditLog -StartDate $StartDate -UserIds $UserIds -EndDate $EndDate -Operations "MailItemsAccessed" -ResultSize 1 | Select-Object -First 1 -ExpandProperty ResultCount) } catch { write-logFile -Message "[INFO] Ensure you are connected to M365 by running the Connect-M365 command before executing this script" -Color "Yellow" -Level Minimal Write-logFile -Message "[ERROR] An error occurred: $($_.Exception.Message)" -Color "Red" -Level Minimal throw } if($amountResults -gt 4999){ write-logFile -Message "[WARNING] A total of $amountResults events have been identified, surpassing the maximum limit of 5000 results for a single session. To refine your search, kindly provide more specific details, such as specifying a user or IP address." -Color "Red" -Level Minimal } else { $mailItemRecords = (Search-UnifiedAuditLog -UserIds $UserIds -StartDate $StartDate -EndDate $EndDate -ResultSize 5000 -Operations "MailItemsAccessed") $Results = @() foreach($rec in $mailItemRecords) { $AuditData = ConvertFrom-Json $Rec.Auditdata $Line = [PSCustomObject]@{ TimeStamp = $AuditData.CreationTime User = $AuditData.UserId Action = $AuditData.Operation SessionId = $AuditData.SessionId ClientIP = $AuditData.ClientIPAddress OperationCount = $AuditData.OperationCount } $summary.TotalEvents++ if ($AuditData.SessionId) { $summary.UniqueSessions[$AuditData.SessionId] = $true } if ($AuditData.OperationCount) { $summary.OperationCount += $AuditData.OperationCount } $Results += $Line } $Results | Sort SessionId, TimeStamp | Format-Table Timestamp, User, Action, SessionId, ClientIP, OperationCount -AutoSize } if (($Output -eq "Yes") -and $results.Count -gt 0) { $filePath = "$OutputDir\Sessions-$UserIds.csv" $Results | Export-Csv -Path $filePath -NoTypeInformation -Encoding $Encoding Write-logFile -Message "[INFO] Output written to $filePath" -Color "Green" -Level Standard } } elseif($IP -And !$UserIds){ $Results = @() try { $amountResults = (Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -FreeText $IP -Operations "MailItemsAccessed" -ResultSize 1 | Select-Object -First 1 -ExpandProperty ResultCount) } catch { write-logFile -Message "[INFO] Ensure you are connected to M365 by running the Connect-M365 command before executing this script" -Color "Yellow" -Level Minimal Write-logFile -Message "[ERROR] An error occurred: $($_.Exception.Message)" -Color "Red" -Level Minimal throw } if($amountResults -gt 4999){ write-logFile -Message "[WARNING] A total of $amountResults events have been identified, surpassing the maximum limit of 5000 results for a single session. To refine your search, kindly provide more specific details, such as specifying a user." -Color "Red" -Level Minimal } else{ $MailItemRecords = (Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -FreeText $IP -ResultSize 5000 -Operations "MailItemsAccessed") ForEach($Rec in $MailItemRecords){ $AuditData = ConvertFrom-Json $Rec.Auditdata $Line = [PSCustomObject]@{ TimeStamp = $AuditData.CreationTime User = $AuditData.UserId Action = $AuditData.Operation SessionId = $AuditData.SessionId ClientIP = $AuditData.ClientIPAddress OperationCount = $AuditData.OperationCount } f($AuditData.ClientIPAddress -eq $IP){ $summary.TotalEvents++ if ($AuditData.SessionId) { $summary.UniqueSessions[$AuditData.SessionId] = $true } if ($AuditData.OperationCount) { $summary.OperationCount += $AuditData.OperationCount } $Results += $Line } } $Results | Sort SessionId, TimeStamp | Format-Table Timestamp, User, Action, SessionId, ClientIP, OperationCount -AutoSize } if (($Output -eq "Yes") -and $results.Count -gt 0) { $filePath = "$OutputDir\Sessions-$IP.csv" $Results | Export-Csv -Path $filePath -NoTypeInformation -Encoding $Encoding Write-logFile -Message "[INFO] Output written to $filePath" -Color "Green" -Level Standard } } elseif($IP -And $UserIds){ $Results = @() try { $amountResults = (Search-UnifiedAuditLog -UserIds $UserIds -FreeText $IP -StartDate $StartDate -EndDate $EndDate -Operations "MailItemsAccessed" -ResultSize 1 | Select-Object -First 1 -ExpandProperty ResultCount) } catch { write-logFile -Message "[INFO] Ensure you are connected to M365 by running the Connect-M365 command before executing this script" -Color "Yellow" -Level Minimal Write-logFile -Message "[ERROR] An error occurred: $($_.Exception.Message)" -Color "Red" -Level Minimal break } if($amountResults -gt 4999){ write-logFile -Message "[WARNING] A total of $amountResults events have been identified, surpassing the maximum limit of 5000 results for a single session. To refine your search, kindly provide a more specific time window." -Color "Red" -Level Minimal } else{ $MailItemRecords = (Search-UnifiedAuditLog -UserIds $UserIds -FreeText $IP -StartDate $StartDate -EndDate $EndDate -ResultSize 5000 -Operations "MailItemsAccessed") foreach($Rec in $MailItemRecords){ $AuditData = ConvertFrom-Json $Rec.Auditdata $Line = [PSCustomObject]@{ TimeStamp = $AuditData.CreationTime User = $AuditData.UserId Action = $AuditData.Operation SessionId = $AuditData.SessionId ClientIP = $AuditData.ClientIPAddress OperationCount = $AuditData.OperationCount } if($AuditData.ClientIPAddress -eq $IP){ $summary.TotalEvents++ if ($AuditData.SessionId) { $summary.UniqueSessions[$AuditData.SessionId] = $true } if ($AuditData.OperationCount) { $summary.OperationCount += $AuditData.OperationCount } $Results += $Line } } $Results | Sort SessionId, TimeStamp | Format-Table Timestamp, User, Action, SessionId, ClientIP, OperationCount -AutoSize } if (($Output -eq "Yes") -and $results.Count -gt 0) { $filePath = "$OutputDir\Sessions-$UserIds-$IP.csv" $Results | Export-Csv -Path $filePath -NoTypeInformation -Encoding $Encoding Write-logFile -Message "[INFO] Output written to $filePath" -Color "Green" -Level Standard } } else{ $Results = @() try { $amountResults = (Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -Operations "MailItemsAccessed" -ResultSize 1 | Select-Object -First 1 -ExpandProperty ResultCount) } catch { write-logFile -Message "[INFO] Ensure you are connected to M365 by running the Connect-M365 command before executing this script" -Color "Yellow" -Level Minimal Write-logFile -Message "[ERROR] An error occurred: $($_.Exception.Message)" -Color "Red" -Level Minimal throw } if($amountResults -gt 4999){ write-logFile -Message "[WARNING] A total of $amountResults events have been identified, surpassing the maximum limit of 5000 results for a single session. To refine your search, kindly provide more specific details, such as specifying a user." -Color "Red" -Level Minimal } else { $MailItemRecords = (Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -ResultSize 5000 -Operations "MailItemsAccessed") foreach($Rec in $MailItemRecords) { $AuditData = ConvertFrom-Json $Rec.Auditdata $Line = [PSCustomObject]@{ TimeStamp = $AuditData.CreationTime User = $AuditData.UserId Action = $AuditData.Operation SessionId = $AuditData.SessionId ClientIP = $AuditData.ClientIPAddress OperationCount = $AuditData.OperationCount } $summary.TotalEvents++ if ($AuditData.SessionId) { $summary.UniqueSessions[$AuditData.SessionId] = $true } if ($AuditData.OperationCount) { $summary.OperationCount += $AuditData.OperationCount } $Results += $Line } $Results | Sort SessionId, TimeStamp | Format-Table Timestamp, User, Action, SessionId, ClientIP, OperationCount -AutoSize } if (($Output -eq "Yes") -and $results.Count -gt 0) { $filePath = "$OutputDir\Sessions.csv" $Results | Export-Csv -Path $filePath -NoTypeInformation -Encoding $Encoding } } $summary.ProcessingTime = (Get-Date) - $summary.StartTime if ($Results.Count -gt 0) { Write-LogFile -Message "`n=== Session Analysis Summary ===" -Color "Cyan" -Level Standard Write-LogFile -Message "Query Information:" -Level Standard Write-LogFile -Message " Filter: $($summary.QueryType)" -Level Standard Write-LogFile -Message " Time Range: $StartDate to $EndDate" -Level Standard Write-LogFile -Message "`nEvent Statistics:" -Level Standard Write-LogFile -Message " Total Events: $($summary.TotalEvents)" -Level Standard Write-LogFile -Message " Unique Sessions: $($summary.UniqueSessions.Count)" -Level Standard Write-LogFile -Message " Total Operations: $($summary.OperationCount)" -Level Standard Write-LogFile -Message "`nExported File:" -Level Standard Write-LogFile -Message " - $filePath" -Level Standard Write-LogFile -Message "`nProcessing Time: $($summary.ProcessingTime.ToString('mm\:ss'))" -Color "Green" -Level Standard Write-LogFile -Message "===================================" -Color "Cyan" -Level Standard } } function Get-MessageIDs { <# .SYNOPSIS Find the InternetMessageID(s). .DESCRIPTION Find the InternetMessageID(s). You can filter on SessionID(s) or IP addresses. After you identified the session(s) of the threat actor, you can use this information to find all MessageID(s). belonging to the sessions. With the MessageID(s) you can identify what emails were exposed to the threat actor. Output is saved in: Output\MailItemsAccessed\ .PARAMETER StartDate startDate is the parameter specifying the start date of the date range. .PARAMETER EndDate endDate is the parameter specifying the end date of the date range. .PARAMETER OutputDir outputDir is the parameter specifying the output directory. Default: Output\MailItemsAccessed .PARAMETER Encoding Encoding is the parameter specifying the encoding of the CSV output file. Default: UTF8 .PARAMETER Sessions The sessions parameter is used to filter the logs by specifying the desired session id. .PARAMETER IP The IP address parameter is used to filter the logs by specifying the desired IP address. .PARAMETER Output "Yes" or "No" to specify whether the output should be saved to a file. Default: Yes .PARAMETER LogLevel Specifies the level of logging: None: No logging Minimal: Critical errors only Standard: Normal operational logging Default: Standard .PARAMETER Download To specifiy whether the messages and their attachments should be saved. .EXAMPLE Get-MessageIDs -StartDate 1/4/2024 -EndDate 5/4/2024 Collects all sessions for all users between 1/4/2024 and 5/4/2024. .EXAMPLE Get-MessageIDs -StartDate 1/4/2024 -EndDate 5/4/2024 -IP 1.1.1.1 Collects all sessions for the IP address 1.1.1.1. .EXAMPLE Get-MessageIDs -StartDate 1/4/2024 -EndDate 5/4/2024 -IP 1.1.1.1 -Download Collects all sessions for the IP address 1.1.1.1 and downloads the e-mails and attachments. #> [CmdletBinding()] param( [Parameter(Mandatory=$true)]$StartDate, [Parameter(Mandatory=$true)]$EndDate, [string]$OutputDir = "Output\MailItemsAccessed", [string]$IP, [string]$Encoding = "UTF8", [string]$Sessions, [string]$Output = "Yes", [switch]$Download, [ValidateSet('None', 'Minimal', 'Standard')] [string]$LogLevel = 'Standard' ) Set-LogLevel -Level ([LogLevel]::$LogLevel) $summary = @{ TotalEvents = 0 StartTime = Get-Date ProcessingTime = $null QueryType = "All Events" } if (!(test-path $OutputDir)) { New-Item -ItemType Directory -Force -Name $OutputDir > $null } else { if (!(Test-Path -Path $OutputDir)) { Write-LogFile -Message "[Error] Custom directory invalid: $OutputDir" -Level Minimal } } Write-LogFile -Message "=== Starting Message IDs Collection ===" -Color "Cyan" -Level Minimal if ($Download.IsPresent) { $requiredScopes = @("Mail.ReadWrite") $graphAuth = Get-GraphAuthType -RequiredScopes $requiredScopes } if (!$Sessions -And !$IP){ try { $amountResults = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -Operations "MailItemsAccessed" -ResultSize 1 | Select-Object -First 1 -ExpandProperty ResultCount } catch { write-logFile -Message "[INFO] Ensure you are connected to M365 by running the Connect-M365 command before executing this script" -Color "Yellow" -Level Minimal Write-logFile -Message "[ERROR] An error occurred: $($_.Exception.Message)" -Color "Red" -Level Minimal throw } if ($amountResults -gt 4999){ write-logFile -Message "[WARNING] A total of $amountResults events have been identified, surpassing the maximum limit of 5000 results for a single session. To refine your search, kindly lower the time window." -Color "Red" -Level Minimal return } else { $results=@() $MailItemRecords = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -ResultSize 5000 -Operations "MailItemsAccessed" forEach ($Rec in $MailItemRecords){ $summary.TotalEvents++ $AuditData = ConvertFrom-Json $Rec.Auditdata $InternetMessageId = $AuditData.Folders.FolderItems $TimeStamp = $AuditData.CreationTime $SessionId = $AuditData.SessionId $ClientIP = $AuditData.ClientIPAddress $userId = $AuditData.UserId $sizeInBytes = $AuditData.SizeInBytes if ($AuditData.OperationCount -gt 1){ $summary.OperationCount += $AuditData.OperationCount foreach ($message in $InternetMessageId){ $iMessageID = $message.InternetMessageId $sizeInBytes = $message.SizeInBytes $resultObject = [PSCustomObject]@{ Timestamp = $TimeStamp User = $userId IPaddress = $ClientIP SessionID = $SessionId InternetMessageId = $iMessageID SizeInBytes = $sizeInBytes } $results += $resultObject if ($Download.IsPresent){ if (![string]::IsNullOrWhiteSpace($iMessageID)) { DownloadMails($iMessageID,$userId) } } } } else { $SessionID = "" $iMessageID = $AuditData.Folders.FolderItems.InternetMessageId $resultObject = [PSCustomObject]@{ Timestamp = $TimeStamp User = $userId IPaddress = $ClientIP SessionID = $SessionId InternetMessageId = $iMessageID SizeInBytes = $sizeInBytes } $results += $resultObject if ($Download.IsPresent){ if (![string]::IsNullOrWhiteSpace($iMessageID)) { DownloadMails($iMessageID,$userId) } } } } } $results | Sort TimeStamp | Format-Table Timestamp, User, IPaddress, SessionID, InternetMessageId, SizeInBytes -AutoSize if (($Output -eq "Yes") -and $results.Count -gt 0) { $date = [datetime]::Now.ToString('yyyyMMddHHmmss') $filePath = "$OutputDir\$date-MessageIDs.csv" $results | Export-Csv -Path $filePath -NoTypeInformation -Encoding $Encoding Write-logFile -Message "[INFO] Output written to $filePath" -Color "Green" -Level Standard } } elseif ($IP -And $Sessions){ try { $amountResults = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -FreeText $IP -Operations "MailItemsAccessed" -ResultSize 1 | Select-Object -First 1 -ExpandProperty ResultCount } catch { write-logFile -Message "[INFO] Ensure you are connected to M365 by running the Connect-M365 command before executing this script" -Color "Yellow" -Level Minimal Write-logFile -Message "[ERROR] An error occurred: $($_.Exception.Message)" -Color "Red" -Level Minimal throw } if ($amountResults -gt 4999){ write-logFile -Message "[WARNING] A total of $amountResults events have been identified, surpassing the maximum limit of 5000 results for a single session. To refine your search, kindly lower the time window." -Color "Red" -Level Minimal return } else { $results=@() $MailItemRecords = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -FreeText $IP -ResultSize 5000 -Operations "MailItemsAccessed" forEach ($Rec in $MailItemRecords){ $summary.TotalEvents++ $AuditData = ConvertFrom-Json $Rec.Auditdata $InternetMessageId = $AuditData.Folders.FolderItems $TimeStamp = $AuditData.CreationTime $SessionId = $AuditData.SessionId $ClientIP = $AuditData.ClientIPAddress $userId = $AuditData.UserId $sizeInBytes = $AuditData.SizeInBytes if($SessionId){ if($Sessions.Contains($SessionId)){ if($ClientIP -eq $IP){ if ($AuditData.OperationCount -gt 1){ foreach ($message in $InternetMessageId){ $iMessageID = $message.InternetMessageId $sizeInBytes = $message.SizeInBytes $resultObject = [PSCustomObject]@{ Timestamp = $TimeStamp User = $userId IPaddress = $ClientIP SessionID = $SessionId InternetMessageId = $iMessageID SizeInBytes = $sizeInBytes } $results += $resultObject if ($Download.IsPresent){ if (![string]::IsNullOrWhiteSpace($iMessageID)) { DownloadMails($iMessageID,$userId) } } } } else { $SessionID = "" $iMessageID = $AuditData.Folders.FolderItems.InternetMessageId $resultObject = [PSCustomObject]@{ Timestamp = $TimeStamp User = $userId IPaddress = $ClientIP SessionID = $SessionId InternetMessageId = $iMessageID SizeInBytes = $sizeInBytes } $results += $resultObject if ($Download.IsPresent){ if (![string]::IsNullOrWhiteSpace($iMessageID)) { DownloadMails($iMessageID,$userId) } } } } } } } } $results | Sort TimeStamp | Format-Table Timestamp, User, IPaddress, SessionID, InternetMessageId, SizeInBytes -AutoSize if (($Output -eq "Yes") -and $results.Count -gt 0) { $date = [datetime]::Now.ToString('yyyyMMddHHmmss') $filePath = "$OutputDir\$date-MessageIDs.csv" $results | Export-Csv -Path $filePath -NoTypeInformation -Encoding $Encoding Write-logFile -Message "[INFO] Output written to $filePath" -Color "Green" -Level Standard } } elseif ($Sessions -And !$IP){ try { $amountResults = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -FreeText $Sessions -Operations "MailItemsAccessed" -ResultSize 1 | Select-Object -First 1 -ExpandProperty ResultCount } catch { write-logFile -Message "[INFO] Ensure you are connected to M365 by running the Connect-M365 command before executing this script" -Color "Yellow" -Level Minimal Write-logFile -Message "[ERROR] An error occurred: $($_.Exception.Message)" -Color "Red" -Level Minimal throw } if ($amountResults -gt 4999){ write-logFile -Message "[WARNING] A total of $amountResults events have been identified, surpassing the maximum limit of 5000 results for a single session. To refine your search, kindly lower the time window." -Color "Red" -Level Minimal return } else { $results=@() $MailItemRecords = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -ResultSize 5000 -FreeText $Sessions -Operations "MailItemsAccessed" forEach ($Rec in $MailItemRecords){ $summary.TotalEvents++ $AuditData = ConvertFrom-Json $Rec.Auditdata $InternetMessageId = $AuditData.Folders.FolderItems $TimeStamp = $AuditData.CreationTime $SessionId = $AuditData.SessionId $ClientIP = $AuditData.ClientIPAddress $userId = $AuditData.UserId $sizeInBytes = $AuditData.SizeInBytes if($SessionId){ if($Sessions.Contains($SessionId)){ if ($AuditData.OperationCount -gt 1){ foreach ($message in $InternetMessageId){ $iMessageID = $message.InternetMessageId $sizeInBytes = $message.SizeInBytes $resultObject = [PSCustomObject]@{ Timestamp = $TimeStamp User = $userId IPaddress = $ClientIP SessionID = $SessionId InternetMessageId = $iMessageID SizeInBytes = $sizeInBytes } $results += $resultObject if ($Download.IsPresent){ if (![string]::IsNullOrWhiteSpace($iMessageID)) { DownloadMails($iMessageID,$userId) } } } } else { $SessionID = "" $iMessageID = $AuditData.Folders.FolderItems.InternetMessageId $resultObject = [PSCustomObject]@{ Timestamp = $TimeStamp User = $userId IPaddress = $ClientIP SessionID = $SessionId InternetMessageId = $iMessageID SizeInBytes = $sizeInBytes } $results += $resultObject if ($Download.IsPresent){ if (![string]::IsNullOrWhiteSpace($iMessageID)) { DownloadMails($iMessageID,$userId) } } } } } } } $results | Sort TimeStamp | Format-Table Timestamp, User, IPaddress, SessionID, InternetMessageId, SizeInBytes if (($Output -eq "Yes") -and $results.Count -gt 0) { $filePath = "$OutputDir\MessageIDs-$Sessions.csv" $results | Export-Csv -Path $filePath -NoTypeInformation -Encoding $Encoding Write-logFile -Message "[INFO] Output written to $filePath" -Color "Green" -Level Standard } } elseif (!$Sessions -And $IP){ try { $amountResults = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -FreeText $IP -Operations "MailItemsAccessed" -ResultSize 1 | Select-Object -First 1 -ExpandProperty ResultCount } catch { write-logFile -Message "[INFO] Ensure you are connected to M365 by running the Connect-M365 command before executing this script" -Color "Yellow" -Level Minimal Write-logFile -Message "[ERROR] An error occurred: $($_.Exception.Message)" -Color "Red" -Level Minimal throw } if ($amountResults -gt 4999){ write-logFile -Message "[WARNING] A total of $amountResults events have been identified, surpassing the maximum limit of 5000 results for a single session. To refine your search, kindly lower the time window." -Color "Red" -Level Minimal } else { $results=@() $MailItemRecords = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -FreeText $IP -ResultSize 5000 -Operations "MailItemsAccessed" forEach ($Rec in $MailItemRecords){ $summary.TotalEvents++ $AuditData = ConvertFrom-Json $Rec.Auditdata $InternetMessageId = $AuditData.Folders.FolderItems $TimeStamp = $AuditData.CreationTime $SessionId = $AuditData.SessionId $ClientIP = $AuditData.ClientIPAddress $sizeInBytes = $AuditData.SizeInBytes $userId = $AuditData.UserId if($ClientIP -eq $IP){ if ($AuditData.OperationCount -gt 1){ foreach ($message in $InternetMessageId){ $iMessageID = $message.InternetMessageId $sizeInBytes = $message.SizeInBytes $resultObject = [PSCustomObject]@{ Timestamp = $TimeStamp User = $userId IPaddress = $ClientIP SessionID = $SessionId InternetMessageId = $iMessageID SizeInBytes = $sizeInBytes } $results += $resultObject if ($Download.IsPresent){ if (![string]::IsNullOrWhiteSpace($iMessageID)) { DownloadMails($iMessageID,$userId) } } } } else { $SessionID = "" $iMessageID = $AuditData.Folders.FolderItems.InternetMessageId $resultObject = [PSCustomObject]@{ Timestamp = $TimeStamp User = $userId IPaddress = $ClientIP SessionID = $SessionId InternetMessageId = $iMessageID SizeInBytes = $sizeInBytes } $results += $resultObject if ($Download.IsPresent){ if (![string]::IsNullOrWhiteSpace($iMessageID)) { DownloadMails($iMessageID,$userId) } } } } } } $results | Sort TimeStamp | Format-Table Timestamp, User, IPaddress, SessionID, InternetMessageId, SizeInBytes if (($Output -eq "Yes") -and $results.Count -gt 0) { $date = [datetime]::Now.ToString('yyyyMMddHHmmss') $filePath = "$OutputDir\$date-MessageIDs.csv" $results | Export-Csv -Path $filePath -NoTypeInformation -Encoding $Encoding } } $summary.ProcessingTime = (Get-Date) - $summary.StartTime if ($Results.Count -gt 0) { Write-LogFile -Message "`n=== Session Analysis Summary ===" -Color "Cyan" -Level Standard Write-LogFile -Message "Time Range: $StartDate to $EndDate" -Level Standard Write-LogFile -Message "Total MailItemsAccessed Events processed: $($summary.TotalEvents)" -Level Standard Write-LogFile -Message "Output Directory: $OutputDir" -Level Standard Write-LogFile -Message "`nProcessing Time: $($summary.ProcessingTime.ToString('mm\:ss'))" -Color "Green" -Level Standard Write-LogFile -Message "===================================" -Color "Cyan" -Level Standard } } function DownloadMails($iMessageID,$UserIds){ if ($iMessageID -is [array]) { $iMessageID = $iMessageID[0] } if (-not (Get-Variable -Name fileCounter -ErrorAction SilentlyContinue)) { $script:fileCounter = 1 } if ([string]::IsNullOrWhiteSpace($iMessageID)) { Write-LogFile -Message "[WARNING] Invalid or empty message ID provided" -Color "Red" -Level Minimal return } if ($outputDir -eq "" ){ $outputDir = "Output\MailItemsAccessed\Emails" if (!(test-path $outputDir)) { New-Item -ItemType Directory -Force -Name $outputDir > $null } } try { try { $onlyMessageID = $iMessageID.Split(" ")[0] } catch { Write-logFile -Message "[WARNING] Unable to download message with unknown ID '$iMessageID'." -Color "Yellow" -Level minimal } $getMessage = Get-MgUserMessage -Filter "internetMessageId eq '$onlyMessageID'" -UserId $userId -ErrorAction stop $messageId = $getMessage.Id $attachment = $getMessage.Attachments if ($getMessage.ReceivedDateTime -is [DateTime]) { $ReceivedDateTime = $getMessage.ReceivedDateTime.ToString("yyyyMMdd_HHmmss") } else { $ReceivedDateTime = "unabletogetdate" # Fallback to custom string } $subject = $getMessage.Subject $subject = $subject -replace '[\\/:*?"<>|]', '_' do { $filePath = "$outputDir\$($script:fileCounter.ToString('D3'))-$ReceivedDateTime-$subject.eml" $script:fileCounter++ } while (Test-Path $filePath) try { Get-MgUserMessageContent -MessageId $messageId -UserId $userId -OutFile $filePath Write-logFile -Message "[INFO] Output written to $filePath" -Color "Green" } catch { if ($_.Exception.Message -like "*Cannot bind argument to parameter 'MessageId' because it is an empty string*") { Write-logFile -Message "[WARNING] Unable to download message with ID '$iMessageID' was likely deleted." -Color "Red" -Level minimal } else { throw } } if ($attachment -eq "True"){ Write-logFile -Message "[INFO] Found Attachment file!" -Level Standard $attachment = Get-MgUserMessageAttachment -UserId $userIds -MessageId $iMessageID $filename = $attachment.Name Write-logFile -Message "[INFO] Downloading attachment" -Level Standard Write-logFile -Message "[INFO] Name: $filename" -Level Standard Write-logFile -Message "[INFO] Size: $($attachment.Size)" -Level Standard $base64B = ($attachment).AdditionalProperties.contentBytes $decoded = [System.Convert]::FromBase64String($base64B) $filename = $filename -replace '[\\/:*?"<>|]', '_' do { $filePath = "$outputDir\$($script:fileCounter.ToString('D3'))-$ReceivedDateTime-$filename" $script:fileCounter++ } while (Test-Path $filePath) Set-Content -Path $filePath -Value $decoded -Encoding Byte Write-logFile -Message "[INFO] File Attachment Successfully Written to $filePath" -Color "Green" -Level Standard } } catch { Write-logFile -Message "[WARNING] The 'Mail.ReadWrite' is an application-level permission, requiring an application-based connection through the 'Connect-MgGraph' command for its use." -Color "Red" -Level minimal Write-Host "[WARNING] Error Message: $($_.Exception.Message)" -Level minimal throw } } |