Pulling data from a shared mailbox using EWS

Hello,

I’m trying to use EWS to connect to a shared email (in this case shared@domain.com) and then from there it has a folder nested like…

Inbox>Symantec>Attacked Computers

I’m tying to pull emails from the ‘Attacked Computers’ folder from the shared email. If I change ‘$emailaccount = “me@domain.com”’ I can pull my emails and query inbox>SEP test but I cant seem to connect to shared@domain.com. It just brings up my own mailbox/folders.

So to sum it up:

  1. How can I connect to a shared mailbox?
  2. How can I target a specific folder in the shared mailbox’s inbox?
Add-Type -Path "C:\Program Files (x86)\Microsoft\Exchange\Web Services\2.1\Microsoft.Exchange.WebServices.dll"

$EmailAccount = "shared@domain.com"

#Change the Exchange Version to work with your environment
$EWS = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService([Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2016_SP1)

#Change the “UseDefaultCredentials” to false if you want to specify alternate creds
#$EWS.UseDefaultCredentials = $false

$EWS.AutodiscoverUrl($EmailAccount)

$inbox = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($ews,[Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox)

#folder needs to be symantec\attacked computers
$folderID = $inbox.FindFolders(10) | Where-Object { $_.DisplayName -eq "SEP Test"} | Select -ExpandProperty ID
$sepfolder =  [Microsoft.Exchange.WebServices.Data.Folder]::Bind($ews,$folderID)
$mailitems = $sepfolder.finditems(500)
$mailitems.load()

$SEPmail = $mailitems | ? {$_.conversationtopic -like "*Security Alert by Number of Attacked Computers*"}

$sepmail | foreach {
	
	if($_.body -notmatch "Disabled Device" -and $_.body -notmatch "Tamper Protection")
	{
		if($_.body -match "10.255.255.10")
		{
			#write-host "NESSUS ATTACK $($_.datetimereceived)" -foregroundcolor "green"
			#do stuff
		}
		else
		{
			#write-host "ATTACK! $($_.datetimereceived)" -foregroundcolor "red"
			if($_.datetimereceived -ge [DateTime]::Today.AddDays(-1).AddHours(00) -and $_.datetimereceived -lt [DateTime]::Today.AddDays(-1).AddHours(24))
			{
				
				$html = $_.body
				
				$smtpServer = "10.255.255.125"
				$msg = new-object Net.Mail.MailMessage
				$smtp = new-object Net.Mail.SmtpClient($smtpServer)
				$msg.From = "SEPattack@domain.com"
				$msg.To.Add(@("shared@domain.com"))
				$msg.Subject = "WE BEEN ATTACKED!"
				$msg.Body = $html
				$msg.isbodyhtml = $true
				$smtp.Send($msg)
				
				
			}

		}
	}
}

Does it give you an error about the autodiscoverurl? Try using your own email address but the credentials for the target mb in the credentials property.

$s = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService([Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2010_SP1)
$s.Credentials = New-Object Microsoft.Exchange.WebServices.Data.WebCredentials('username', $pass, 'domain')
$s.AutodiscoverUrl('someone@somewhere.com', { $true })

$inbox = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($s, [Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox)
$incoming = $inbox.findfolders(100) | ? { $_.displayname -eq 'Incoming' }
$incomingFolder = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($s, $incoming.id)
$drop = $inbox.findfolders(100) | ? { $_.displayname -eq 'Processed' }

$emails = $incomingfolder.FindItems(100) | ? { ($_.DateTimeReceived -gt [datetime]::today) }

This piece of code does work from my workstation, pulls up shared email, but im unsure on how to have it select inbox>symantec>attacked computers folder

Your code did give me an error about autodiscovery but i think it’s because I don’t know the password to the shared email. I share it with numerous others, we all have full permissions on the mb.

$exchVersion = [Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2016_SP1 #Specifies the version of Exchange in use in the environment
$exchService = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService($exchVersion) #connects to the Exchange service

$exchService.Url = "https://portal.domain.com/EWS/Exchange.asmx" #the url used to find the connection information for the shared mailbox

$mb = New-Object Microsoft.Exchange.WebServices.Data.Mailbox("support@domain.com") #specifies which mailbox EWS should connect to
$folder = New-Object Microsoft.Exchange.WebServices.Data.FolderId([Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox, $mb) #specifies which folder in the the mailbox EWS should connect to
$view = New-Object Microsoft.Exchange.WebServices.Data.ItemView("10") #speficies how many objects to return when the search is ran
$searchFilters = New-Object Microsoft.Exchange.WebServices.Data.SearchFilter+ContainsSubstring([Microsoft.Exchange.WebServices.Data.ContactSchema]::InternetMessageHeaders, "ironport") #searches for all emails sent from Johnathan

$list = $exchService.FindItems($folder, $searchFilters, $view) #searches the mailbox, using the specified filter and view

Use the findfolders method and then bind to that folder.

$folder = New-Object Microsoft.Exchange.WebServices.Data.FolderId([Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox, $mb) #specifies which folder in the the mailbox EWS should connect to

$folder | gm

   TypeName: Microsoft.Exchange.WebServices.Data.FolderId

Name               MemberType Definition
----               ---------- ----------
Equals             Method     bool Equals(System.Object obj)
GetHashCode        Method     int GetHashCode()
GetType            Method     type GetType()
SameIdAndChangeKey Method     bool SameIdAndChangeKey(Microsoft.Exchange.WebServices.Data.ServiceId other)
ToString           Method     string ToString()
ChangeKey          Property   string ChangeKey {get;}
FolderName         Property   System.Nullable[Microsoft.Exchange.WebServices.Data.WellKnownFolderName] FolderName {g...
Mailbox            Property   Microsoft.Exchange.WebServices.Data.Mailbox Mailbox {get;}
UniqueId           Property   string UniqueId {get;}

I dont see the findfolders() method on this one ;/

$s = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService([Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2010_SP1)
$inbox = [Microsoft.Exchange.WebServices.Data.Folder]::Bind($s, [Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::Inbox)
$incoming = $inbox.findfolders(100) | ? { $_.displayname -eq 'foldername' }