Hello,
I’m trying to use EWS to connect to a shared email (in this case shared@domain.com) and then from there it has a folder nested like…
Inbox>Symantec>Attacked Computers
I’m trying to pull emails from the ‘Attacked Computers’ folder from the shared email. If I change ‘$emailaccount = “me@domain.com”’ I can pull my emails and query inbox>SEP test but I can’t seem to connect to shared@domain.com. It just brings up my own mailbox/folders.
So to sum it up:
- How can I connect to a shared mailbox?
- How can I target a specific folder in the shared mailbox’s inbox?
```powershell
Add-Type -Path "C:\Program Files (x86)\Microsoft\Exchange\Web Services\2.1\Microsoft.Exchange.WebServices.dll"
$EmailAccount = "shared@domain.com"
#Change the Exchange Version to work with your environment
$EWS = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService([Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2016_SP1)
#Change the "UseDefaultCredentials" to false if you want to specify alternate creds
#$EWS.UseDefaultCredentials = $false
$EWS.AutodiscoverUrl($EmailAccount)
$inbox = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($ews,[Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox)
#folder needs to be symantec\attacked computers
$folderID = $inbox.FindFolders(10) | Where-Object { $_.DisplayName -eq "SEP Test"} | Select -ExpandProperty ID
$sepfolder = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($ews,$folderID)
$mailitems = $sepfolder.finditems(500)
$mailitems.load()
$SEPmail = $mailitems | ? {$_.conversationtopic -like "*Security Alert by Number of Attacked Computers*"}
$sepmail | foreach {
    if($_.body -notmatch "Disabled Device" -and $_.body -notmatch "Tamper Protection")
    {
        if($_.body -match "10.255.255.10")
        {
            #write-host "NESSUS ATTACK $($_.datetimereceived)" -foregroundcolor "green"
            #do stuff
        }
        else
        {
            #write-host "ATTACK! $($_.datetimereceived)" -foregroundcolor "red"
            if($_.datetimereceived -ge [DateTime]::Today.AddDays(-1).AddHours(00) -and $_.datetimereceived -lt [DateTime]::Today.AddDays(-1).AddHours(24))
            {
                $html = $_.body
                $smtpServer = "10.255.255.125"
                $msg = new-object Net.Mail.MailMessage
                $smtp = new-object Net.Mail.SmtpClient($smtpServer)
                $msg.From = "SEPattack@domain.com"
                $msg.To.Add(@("shared@domain.com"))
                $msg.Subject = "WE BEEN ATTACKED!"
                $msg.Body = $html
                $msg.isbodyhtml = $true
                $smtp.Send($msg)
            }
        }
    }
}
```
Does it give you an error about the autodiscoverurl? Try using your own email address but the credentials for the target mb in the credentials property.
```powershell
$s = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService([Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2010_SP1)
$s.Credentials = New-Object Microsoft.Exchange.WebServices.Data.WebCredentials('username', $pass, 'domain')
$s.AutodiscoverUrl('someone@somewhere.com', { $true })
$inbox = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($s, [Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox)
$incoming = $inbox.findfolders(100) | ? { $_.displayname -eq 'Incoming' }
$incomingFolder = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($s, $incoming.id)
$drop = $inbox.findfolders(100) | ? { $_.displayname -eq 'Processed' }
$emails = $incomingfolder.FindItems(100) | ? { ($_.DateTimeReceived -gt [datetime]::today) }
```
This piece of code does work from my workstation, pulls up shared email, but I’m unsure on how to have it select inbox>symantec>attacked computers folder
Your code did give me an error about autodiscovery but I think it’s because I don’t know the password to the shared email. I share it with numerous others, we all have full permissions on the mb.
```powershell
$exchVersion = [Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2016_SP1 #specifies the version of Exchange in use in the environment
$exchService = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService($exchVersion) #creates the EWS service object
$exchService.Url = "https://portal.domain.com/EWS/Exchange.asmx" #the EWS endpoint URL used to reach the shared mailbox
$mb = New-Object Microsoft.Exchange.WebServices.Data.Mailbox("support@domain.com") #specifies which mailbox EWS should connect to
$folder = New-Object Microsoft.Exchange.WebServices.Data.FolderId([Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox, $mb) #specifies which folder in the mailbox EWS should connect to
$view = New-Object Microsoft.Exchange.WebServices.Data.ItemView(10) #specifies how many objects to return when the search is run
$searchFilters = New-Object Microsoft.Exchange.WebServices.Data.SearchFilter+ContainsSubstring([Microsoft.Exchange.WebServices.Data.ContactSchema]::InternetMessageHeaders, "ironport") #matches items whose Internet message headers contain "ironport"
$list = $exchService.FindItems($folder, $searchFilters, $view) #searches the mailbox, using the specified filter and view
```
Use the findfolders method and then bind to that folder.
```powershell
$folder = New-Object Microsoft.Exchange.WebServices.Data.FolderId([Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox, $mb) #specifies which folder in the mailbox EWS should connect to
$folder | gm
```

```
   TypeName: Microsoft.Exchange.WebServices.Data.FolderId

Name               MemberType Definition
----               ---------- ----------
Equals             Method     bool Equals(System.Object obj)
GetHashCode        Method     int GetHashCode()
GetType            Method     type GetType()
SameIdAndChangeKey Method     bool SameIdAndChangeKey(Microsoft.Exchange.WebServices.Data.ServiceId other)
ToString           Method     string ToString()
ChangeKey          Property   string ChangeKey {get;}
FolderName         Property   System.Nullable[Microsoft.Exchange.WebServices.Data.WellKnownFolderName] FolderName {g...
Mailbox            Property   Microsoft.Exchange.WebServices.Data.Mailbox Mailbox {get;}
UniqueId           Property   string UniqueId {get;}
```
I don’t see the findfolders() method on this one ;/
```powershell
$s = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService([Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2010_SP1)
$inbox = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($s, [Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox)
$incoming = $inbox.findfolders(100) | ? { $_.displayname -eq 'foldername' }
```
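
The two suggestions in this thread (a `FolderId` rooted in the shared mailbox, then `FindFolders` and bind) combined into one script, as an added example that is not code from any poster: it binds the shared mailbox's Inbox with the caller's own delegated credentials, so the shared account's password is never needed, and walks Inbox > Symantec > Attacked Computers one level at a time. The function name `Resolve-EwsFolderPath` is hypothetical, `Exchange2013_SP1` is an assumed schema version, and the DLL path, EWS URL and addresses are the placeholders used in the posts above.

```powershell
# Added example, not code from the thread. Assumes the caller has Full Access
# to the shared mailbox; Resolve-EwsFolderPath is a hypothetical helper name.
Add-Type -Path "C:\Program Files (x86)\Microsoft\Exchange\Web Services\2.1\Microsoft.Exchange.WebServices.dll"

function Resolve-EwsFolderPath {
    param($Service, [string]$SharedMailbox, [string[]]$Path)
    # Root the walk in the shared mailbox's Inbox, not the caller's own Inbox.
    $mb      = New-Object Microsoft.Exchange.WebServices.Data.Mailbox($SharedMailbox)
    $rootId  = New-Object Microsoft.Exchange.WebServices.Data.FolderId([Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox, $mb)
    $current = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($Service, $rootId)
    foreach ($name in $Path) {
        # Server-side match on the display name; a page size of 2 is enough to detect duplicates.
        $filter = New-Object Microsoft.Exchange.WebServices.Data.SearchFilter+IsEqualTo([Microsoft.Exchange.WebServices.Data.FolderSchema]::DisplayName, $name)
        $view   = New-Object Microsoft.Exchange.WebServices.Data.FolderView(2)
        $hits   = $current.FindFolders($filter, $view)
        if ($hits.TotalCount -ne 1) {
            throw "Expected exactly one folder named '$name' under '$($current.DisplayName)', found $($hits.TotalCount)."
        }
        $current = $hits.Folders[0]
    }
    return $current
}

# Assumed schema version; set it to match your environment.
$svc = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService([Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2013_SP1)
$svc.UseDefaultCredentials = $true   # authenticate as the logged-on user (delegate access)
$svc.Url = [Uri]"https://portal.domain.com/EWS/Exchange.asmx"

$target = Resolve-EwsFolderPath -Service $svc -SharedMailbox "shared@domain.com" -Path "Symantec", "Attacked Computers"

# Let the server filter on subject instead of loading every item and filtering client-side.
$subject = New-Object Microsoft.Exchange.WebServices.Data.SearchFilter+ContainsSubstring([Microsoft.Exchange.WebServices.Data.ItemSchema]::Subject, "Security Alert by Number of Attacked Computers")
$items   = $target.FindItems($subject, (New-Object Microsoft.Exchange.WebServices.Data.ItemView(500)))
$items | Select-Object Subject, DateTimeReceived
```

Failing when a path segment matches zero or several folders keeps the alert script from silently reading the wrong folder if someone renames or duplicates it in the shared mailbox.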