Sickening
Jul 15, 2007

Black summer was the best summer.

Okay folks, one of my teams has run into a problem which we haven't found a resolution to yet. Here is the scenario...

1: A user gets phished who is privileged in O365. The account is made a delegate to a sensitive mailbox. That user account is then used to read email in that inbox.
2: Search-MailboxAuditLog shows these actions. It however only shows the mail messages being accessed by message ID.

For the life of me, my team and I can't figure out how in the hell to query Office 365 to match up the message IDs to emails to know exactly what was read (or shown to be read) by the logs. You would figure that a content search would be useful, but alas message ID is not a defined parameter in the search (wtf?). Message trace works, but it only goes back so far, and if the email is an old one it won't show up there.

Some of my top leaders want to know which specific email was read and are pushing pretty hard. I explained that it's better to assume that an entire offline copy was cached and all email should be considered read in the mailbox at this point, but I was overruled.

I should be able to search a loving Office 365 mailbox by message ID! Help!

Sickening

Old Binsby posted:

I think you were pretty much on the right track. If you do a delegate/admin search on that mailbox for the action MessageBind (i.e. reading a message) you should get a true unique ID like Identity (?) besides message ID. Did you use -ShowDetails? I hate that it's a switch, but it definitely should improve the results for you if you didn't before. Swap out -Mailboxes for -Identity if you were using the mailboxes parameter, because it's not compatible for some reason.

MessageBind is retired I think. We definitely are using -ShowDetails and -Identity in my searches, and for email messages the subject lines are showing up blank in the audit log search but contain message IDs. If subject lines were included in the audit log I wouldn't be in this position.

I don't understand the point of putting message IDs in an audit log but not giving you a way to search for them.

Sickening

Old Binsby posted:

eh you're right. Searching for the MailItemsAccessed operation is the replacement. That also yields blank subject line entries in the output?

Yes it does. In fact, it contains TONS of blank fields.

DestFolderId DestFolderPathName FolderId FolderPathName FolderName MemberRights MemberSid MemberUpn
SourceItemIdsList SourceItemSubjectsList SourceItemAttachmentsList SourceItemFolderPathNamesList SourceFolderPathNamesList SourceItemInternetMessageIdsList ItemId ItemSubject ItemAttachments ItemInternetMessageId DirtyProperties

Sickening

Will Styles posted:

You can do what you want with EWS + PowerShell. It's fairly involved, so if you want to learn it the turnaround may be longer than what your company would like.

I didn't find anything that does exactly what you want from some quick googling, but theoretically you would pull in the mailbox that was compromised, iterate through every folder, filter for messages with a matching Message-ID, and return the pertinent details.

I found that too. That is probably going to be my last ditch effort.

This should be an easily searchable thing, especially since they are assigning the message IDs.
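
An added example, not code from this thread or from any poster: take the MailItemsAccessed records that Search-UnifiedAuditLog returns, pull the InternetMessageId values out of the AuditData JSON, and resolve each to a subject and sender through Microsoft Graph, which (unlike content search) can filter on internetMessageId. The AuditData sample is constructed, the mailbox address is a placeholder, and it assumes the Microsoft.Graph.Mail module with a connected session holding Mail.Read rights.

```powershell
# Added example: resolve InternetMessageIds from MailItemsAccessed audit records.
# Assumes Connect-MgGraph has been run with Mail.Read; the mailbox UPN is a placeholder.
$Mailbox = 'victim@example.com'

# Constructed sample of the AuditData column Search-UnifiedAuditLog returns for one
# MailItemsAccessed record (real records carry many more properties than shown here).
$sampleAuditData = @'
{
  "Operation": "MailItemsAccessed",
  "UserId": "phished.delegate@example.com",
  "MailboxOwnerUPN": "victim@example.com",
  "OperationProperties": [ { "Name": "MailAccessType", "Value": "Bind" },
                           { "Name": "IsThrottled",    "Value": "False" } ],
  "Folders": [ { "Path": "\\Inbox",
                 "FolderItems": [ { "InternetMessageId": "<constructed-1@example.com>" },
                                  { "InternetMessageId": "<constructed-2@example.com>" } ] } ]
}
'@

function Get-AccessedMessageIds {
    param([string[]]$AuditDataJson)
    foreach ($json in $AuditDataJson) {
        $rec        = $json | ConvertFrom-Json
        $accessType = ($rec.OperationProperties | Where-Object Name -eq 'MailAccessType').Value
        $throttled  = ($rec.OperationProperties | Where-Object Name -eq 'IsThrottled').Value
        # A Sync record means a whole folder was downloaded and no per-item IDs are logged,
        # so everything in that folder has to be treated as read. Throttled records also
        # drop items, so the list below is a floor on what was accessed, not a ceiling.
        if ($accessType -eq 'Sync' -or $throttled -eq 'True') {
            Write-Warning "Record by $($rec.UserId): $accessType, throttled=$throttled; treat $($rec.Folders.Path -join ',') as fully read"
        }
        foreach ($folder in $rec.Folders) {
            foreach ($item in $folder.FolderItems) {
                [pscustomobject]@{ Actor = $rec.UserId; Folder = $folder.Path; InternetMessageId = $item.InternetMessageId }
            }
        }
    }
}

# Real use: $records = Search-UnifiedAuditLog -StartDate $s -EndDate $e -Operations MailItemsAccessed -UserIds $phishedAccount
#           $ids = Get-AccessedMessageIds -AuditDataJson $records.AuditData
$ids = Get-AccessedMessageIds -AuditDataJson $sampleAuditData

# Graph can filter a mailbox by internetMessageId; single quotes in the ID must be doubled for OData.
foreach ($entry in $ids | Sort-Object InternetMessageId -Unique) {
    $escaped = $entry.InternetMessageId -replace "'", "''"
    $msg = Get-MgUserMessage -UserId $Mailbox -Filter "internetMessageId eq '$escaped'" -Property subject,from,receivedDateTime
    [pscustomobject]@{ Actor = $entry.Actor; Folder = $entry.Folder; InternetMessageId = $entry.InternetMessageId
                       Subject = $msg.Subject; From = $msg.From.EmailAddress.Address; Received = $msg.ReceivedDateTime }
}
```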

Sickening

Old Binsby posted:

Thought about this a little more because it's weird and I forgot to ask: when you download the audit data from the mailbox as XML, is that half-empty too / is it even available for downloading?

I didn't even go down that path. When I search the audit logs, I pipe it into a CSV.

Sickening

Old Binsby posted:

Definitely preferable to DIY XML mangling. I like Out-GridView sometimes too.

I asked out of curiosity only, not applicability per se. Your EWS search looks like it should do the trick probably. Did it? That XML file is a fairly direct/uninterpreted way of checking whether Exchange is even making the records properly. If it does, a report/search coming up empty is permissions or PowerShell mishaps; if not, something serious is wrong or you actually didn't have it enabled the way you think you did.

I am not doing EWS fuckery until I am forced to. Right now I have scripts ready to create mailbox rules to make copies of emails with certain message IDs in the header so these folks can see what email was read at their leisure. I am ready to be done with it.

Sickening

Submarine Sandpaper posted:

I may be blind, but this came on my plate this morning and I cannot find explicit documentation stating whether or not an administrative Search-Mailbox -Subject "blah" -DeleteContent -SearchDumpsterOnly will actually remove the item for a user on litigation hold?

Holy poo poo, that is a great question. I would hope that it wouldn't. I would also not be shocked if it does nothing but override retention policies.

Sickening

Digital_Jesus posted:

Exchange/Office related question that's stumping me a bit here, trying to clean up some of my predecessor's leftover poo poo.

Office People Pane - I've got some users who can't see emails from the user in question at all. They can also see emails from some users that weren't even sent to them. Trying to figure out how to resolve this.

Example: I sent an email to one of my helpdesk guys. If he selects my name down in the people pane, he can't see anything from me, not even emails he was copied on or sent.
Example 2 (The one that concerns me): If said helpdesk guy opens up our directors name on the people pane, he can see dozens and dozens of emails that he wasn't copied on which is obviously a huge problem.

He doesn't have delegation rights or access to that mailbox, so that's not it. Anyone point me in the direction of somewhere I can gander? Google-Fu is getting me a ton of "Turn the people pane on or off" or "Why the people pane doesn't work" but not much "Why you can read the CIO's email when they didn't send it to you".

Are you sure this person doesn't have access to the mailbox? While you have probably checked for a direct delegation assignment, this smells to me like a security group delegation has been done and the person in question is a part of it.

I would check the CIO mailbox for all delegation. If there is a group delegation there of any kind that is the issue.

Sickening

Digital_Jesus posted:

The CIO has no group delegation, or any delegation at all except one specific user who is not the person in question.

I've gone through this dude's security groups too. Other users' mailboxes are doing this too, but there doesn't seem to be a pattern across departments or anything.

Is it possible the users whose email can be read have accidentally enabled something stupid in their Outlook profiles?

The first thing I would do is test. Can this user open OWA and open the CIO mailbox? Once that is ruled out, you know it's for sure a feature issue you have to get fixed.

I would also take a quick look at the admin log report. Let's say the helpdesk person in question has been snooping and the data in the people's tab was cached when he delegated himself access and snooped previously. That would also explain why it's inconsistent.

And just to be clear, the people's pane should ONLY show the mail that exists in that person's mailbox. Showing other people's mail and such leads me to believe that the data exists in the OST and someone has just gotten caught.

Sickening fucked around with this message at 13:53 on Jun 12, 2019
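
As an added example (not from the thread or any poster), one way to run the checks discussed above with Exchange Online PowerShell: list every explicit grant on the mailbox, expand any group trustee to its members so an indirect grant surfaces, and pull the admin audit records for permission changes on that mailbox. The mailbox address is a placeholder and it assumes a Connect-ExchangeOnline session.

```powershell
# Added example: surface indirect (group-based) mailbox access and who granted it.
# Assumes Connect-ExchangeOnline has been run. The address below is a placeholder.
$Mailbox = 'cio@example.com'

# 1. Explicit, non-inherited Allow grants on the mailbox, ignoring the owner's own SELF entry.
$grants = Get-MailboxPermission -Identity $Mailbox |
    Where-Object { -not $_.IsInherited -and -not $_.Deny -and $_.User -notlike 'NT AUTHORITY\SELF' }

# 2. Expand every trustee: a group is walked to its members, so a user who is only
#    in a delegated group still appears, with the group shown in the Via column.
foreach ($g in $grants) {
    $trustee = Get-Recipient -Identity $g.User.ToString() -ErrorAction SilentlyContinue
    if (-not $trustee) { [pscustomobject]@{ Trustee = $g.User; Via = '(unresolved)'; Rights = ($g.AccessRights -join ',') }; continue }
    switch -Wildcard ($trustee.RecipientTypeDetails) {
        'MailUniversal*Group' { $members = Get-DistributionGroupMember -Identity $trustee.Identity -ResultSize Unlimited }
        'GroupMailbox'        { $members = Get-UnifiedGroupLinks -Identity $trustee.Identity -LinkType Members -ResultSize Unlimited }
        default               { $members = @($trustee) }
    }
    foreach ($m in $members) {
        [pscustomobject]@{ Trustee = $m.PrimarySmtpAddress; Via = $trustee.PrimarySmtpAddress; Rights = ($g.AccessRights -join ',') }
    }
}

# 3. Admin audit trail: who added or removed permissions on this mailbox in the last 90 days.
#    The Identity parameter in the record may be an alias, GUID or DN rather than the UPN,
#    so the match below is deliberately loose; review the hits by hand.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) -RecordType ExchangeAdmin `
        -Operations 'Add-MailboxPermission','Remove-MailboxPermission' -ResultSize 5000 |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Where-Object { ($_.Parameters | Where-Object Name -eq 'Identity').Value -like "*$($Mailbox.Split('@')[0])*" } |
    Select-Object CreationTime, UserId, Operation,
        @{ n = 'Params'; e = { ($_.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' ' } } |
    Format-Table -AutoSize
```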

Sickening

incoherent posted:

There are far worse threats than Microsoft MITMing your email.

I would assume that any orgs that choose on-prem over cloud email are idiots at this point, even from a security aspect of things.

Sickening

angry armadillo posted:

So this seems like a reasonable thread to post this:

Managing exchange mailboxes, please tell me how you do it.

It's not my decision on how we do it in our place, but if you haven't read the 'ticket came in' thread, our Exchange server died and the CIO wasn't happy with how my line manager manages mailboxes (say that out loud).

Specifically, we run Exchange 2003; it used to be Standard Edition and we nearly hit the 65GB limit. At this point my boss went round some of the biggest mailboxes and archived all their mail into personal folders on a network share.

Then he realised the info store wasn't going down in size because he needed to do an offline defrag. This was going to take longer than a weekend so he never bothered. Eventually we hit the limit and used the email crash as a way of getting an order for Exchange 2003 Enterprise signed off... So now we pretty much just let users have big mailboxes.

- I'd say we have around 300 users and a mailbox store of 160GB, which from what I have discussed elsewhere isn't that big. However, refer to the above about the CIO not being happy - he said he wanted us to reduce it by 50%.

His reasoning will be that he does a lot of work with the company that owns us, and because they own us our policies on basically everything have to be as in line as possible with theirs - their mailbox policy is 10MB of space each or 40MB if you are an exec. Archive or delete anything else. (Though they have around 600k users worldwide, I'm not sure how that breaks down regionally, but I guess that is why they are a touch on the militant side perhaps?)

As much as it isn't my decision on how we change our policy, I can see 'buying Enterprise and ignoring the problem' isn't a solution. There is a 'post-server-crash' meeting this week and I'd at least like to look half informed when I open my mouth.

So any knowledge would be appreciated.

I don't think anything anyone can say here is going to help you. You are running an Exchange version that went end of life 6 years ago. Honestly, I am shocked it took that long to go end of life, considering that it was over 10 years old at that point.

The reasonable thing to do would be to migrate that to Exchange Online (O365), but I would also assume you haven't paid for your email system in more than a decade as well and you don't want to start paying for it.

There isn't any productive thing to talk about in your situation besides "migrate to something feasible to support".

Sickening

Thanks Ants posted:

I thought I'd missed something but angry armadillo's post was from 2011.

The app must have royally hosed up. I saw 1 update to the post and I swear I replied to that post.

Amazing!
