PowerShell

Efficiently Trace Messages in Exchange

In this guide I cover the most efficient ways to search Exchange mail servers for information using "Message Trace", both in Exchange on-premises and in Exchange Online (Office 365 / Microsoft 365). The two platforms expose different cmdlets: Get-MessageTrace and Get-MessageTraceDetail query Exchange Online, while on-premises servers are searched with Get-MessageTrackingLog. I hope this will help you obtain useful information when dealing with phishing emails, allowing you to search for and identify messages more quickly using PowerShell. There is a fair amount of cyber security involved in handling phishing emails, so I'm putting this out there 🙂

Contents:

  • Finding messages based on the sender's address
  • Filtering your searches based on time and date
  • Searching for emails by source IP address within a time period
  • Obtaining Message IDs and using the Get-MessageTrace commands

If you don’t already have access to a test environment, there is a Microsoft Developer Program where you can obtain a Free Microsoft 365 E5 sandbox. Read more here.

Tracing messages in Exchange can be a complex task, but there are several best practices and tools you can use to make it more efficient. In this post, we’ll explore some of these practices and how they can help you with message tracing in Exchange.

  1. Use the Exchange Admin Center (EAC)

The EAC provides a graphical user interface that makes it easy to perform message tracing tasks. You can use it to search for messages based on various criteria, such as sender, recipient, subject, and date range. In Exchange Online the search lives under Mail flow > Message trace; the interactive search covers the last 10 days, and older messages (up to 90 days) are only available as a downloadable historical report. For a quick one-off lookup this saves time, but the results are hard to reuse or combine with other data.


  2. Use PowerShell

PowerShell provides a powerful command-line interface for managing Exchange. You can use it to perform message tracing tasks more efficiently than the EAC, especially when dealing with large amounts of data, because results can be filtered, grouped and exported. The cmdlets you need depend on where the mailboxes live: Get-MessageTrace and Get-MessageTraceDetail query Exchange Online (Exchange Online Protection keeps 10 days of trace data), Get-MessageTrackingLog reads the transport logs of an on-premises Exchange server, and Search-MessageTrackingReport exists on both.

Finding messages based on the sender's address

Get-MessageTrace can search on several properties, not just the Message ID.

To get messages based on the sender's email address, use the Get-MessageTrace cmdlet with the -SenderAddress parameter. Without -StartDate and -EndDate the trace covers only the last 48 hours. Piping the results to Get-MessageTraceDetail returns the per-recipient events (filtering, routing, delivery), which is where the "why did this land in the inbox" answer usually is. Here's an example command to retrieve all messages from the sender "sender@example.com":

# Defaults to the last 48 hours; add -StartDate/-EndDate to go back up to 10 days.
Get-MessageTrace -SenderAddress sender@example.com | Get-MessageTraceDetail | Select MessageID, Date, Event, Action, Detail, Data | Out-GridView

3. Use filtering

When performing message tracing tasks, it’s important to filter the results to narrow down the data you’re working with. This can save time and make it easier to find the information you need. For example, you can filter messages based on sender, recipient, subject, or date range.

Filtering your searches based on time / date

To limit a trace to a date range, use the -StartDate and -EndDate parameters of Get-MessageTrace. (PowerShell's parameter-prefix matching is why -Start and -End also work, but the on-premises Get-MessageTrackingLog cmdlet genuinely uses -Start and -End, so it pays to spell the names out.) Get-MessageTrace only holds data for the last 10 days and rejects a range wider than that; for older mail use Start-HistoricalSearch, which reaches back 90 days and delivers a downloadable report. Note also that Get-Date parses a date string according to the session culture, so an unambiguous form such as "2023-04-21 00:00" is safer than a month-name string when the script may run on other machines. Here's an example command to retrieve messages that were sent between April 21, 2023 at 12:00 AM and April 30, 2023 at 11:59 PM (a 10-day window, the maximum allowed):

$start = Get-Date "April 21, 2023 12:00 AM"
$end = Get-Date "April 30, 2023 11:59 PM"
Get-MessageTrace -StartDate $start -EndDate $end | Get-MessageTraceDetail | Select MessageID, Date, Event, Action, Detail, Data | Out-GridView

Searching for emails from an IP address during a time period

To search for any email that arrived from a given IP address during a specific time period, use the Get-MessageTrace cmdlet with the -StartDate, -EndDate and -FromIP parameters (there is no -IPAddress parameter; -FromIP filters on the connecting source IP and -ToIP on the destination IP). This is the search to run when a phishing header shows the connecting server's IP and you want every other message that came in from the same source. Here's an example command to retrieve all messages sent from IP address 192.168.1.1 between April 21, 2023 at 12:00 AM and April 30, 2023 at 11:59 PM:

$start = Get-Date "April 21, 2023 12:00 AM"
$end = Get-Date "April 30, 2023 11:59 PM"
Get-MessageTrace -StartDate $start -EndDate $end -FromIP "192.168.1.1" | Get-MessageTraceDetail | Select MessageID, Date, Event, Action, Detail, Data | Out-GridView
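The three searches above each return one page of results and stop. As an added example (not part of the original post), the script below puts them together into a phishing triage run: it traces a suspect sender over the full 10-day window, optionally narrowed to a source IP, pages through every result rather than just the first 1000, summarises what happened to each copy and exports the delivered ones for follow-up. It assumes an existing Connect-ExchangeOnline session; the sender address, IP and output path are placeholders.

```powershell
# Added example: phishing triage of one sender in Exchange Online.
# Assumes you are already connected with Connect-ExchangeOnline
# (ExchangeOnlineManagement module). Sender and IP are placeholders.
$Sender = 'sender@example.com'   # assumed suspect sender
$FromIP = '192.168.1.1'          # assumed connecting IP from the header; set to $null to skip

# Get-MessageTrace serves the last 10 days only and returns one page per call
# (PageSize up to 5000), so loop over pages until an empty page comes back.
$End   = Get-Date
$Start = $End.AddDays(-10)

$All  = @()
$Page = 1
do {
    $params = @{
        StartDate     = $Start
        EndDate       = $End
        SenderAddress = $Sender
        PageSize      = 5000
        Page          = $Page
    }
    if ($FromIP) { $params['FromIP'] = $FromIP }
    $batch = @(Get-MessageTrace @params)
    $All  += $batch
    $Page++
} while ($batch.Count -gt 0)

# What happened to each copy? Delivered ones are the copies to pull back from mailboxes.
$All | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize

$Delivered = $All | Where-Object Status -eq 'Delivered'
$Delivered | Select-Object Received, RecipientAddress, Subject, MessageId, FromIP |
    Sort-Object Received |
    Export-Csv -Path .\phish-delivered.csv -NoTypeInformation   # assumed output path

# Per-recipient hop detail (spam filter verdicts, transport rules, delivery) for delivered copies only.
$Delivered | Get-MessageTraceDetail |
    Select-Object RecipientAddress, Date, Event, Action, Detail |
    Sort-Object RecipientAddress, Date |
    Out-GridView -Title "Trace detail for $Sender"
```

Grouping by Status first tells you the scale of the incident before you open any detail; the CSV of delivered copies is the list you hand to whoever runs the mailbox purge.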

Obtaining Message IDs and using the Get-MessageTrace commands

Obtain the message headers or the .EML file, extract the Message-ID header value and feed it to the script below, which outputs a grid view of the trace events for that message across every recipient it was sent to. Pass the complete value including the angle brackets, because Get-MessageTrace matches the full Message-ID header string.

# The Basic-auth remote PowerShell endpoint (outlook.office365.com/powershell-liveid) has been retired;
# connect with the ExchangeOnlineManagement module instead.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Read-Host appends ": " itself, so don't end the prompt with a colon.
$MessageID = Read-Host -Prompt "Enter Message ID (including the angle brackets)"

# Without a date range the trace only covers the last 48 hours; widen it to the full 10-day retention.
Get-MessageTrace -MessageId $MessageID -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date) | Get-MessageTraceDetail | Select MessageID, RecipientAddress, Date, Event, Action, Detail, Data | Out-GridView

# If running in the console, wait for input before closing.
if ($Host.Name -eq "ConsoleHost")
{
    Write-Host "Press any key to continue..."
    $Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyUp") > $null
}

Disconnect-ExchangeOnline -Confirm:$false
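Copying the Message-ID out of a header block by hand is error-prone: the value is often folded across two lines, and a forwarded phish can carry a second Message-ID in its quoted body. As an added example (not from the original post), the function below extracts the Message-ID from the top header block of a saved .EML or header dump and hands it to Get-MessageTrace. Get-MessageIdFromHeaders is a hypothetical helper, not an Exchange cmdlet, and the sample message is constructed for illustration.

```powershell
# Added example: pull the Message-ID out of raw headers / an .EML file.
# Get-MessageIdFromHeaders is a hypothetical helper, not an Exchange cmdlet.
function Get-MessageIdFromHeaders {
    param([Parameter(Mandatory)][string]$RawHeaders)

    # The header block ends at the first blank line, so the body (and any quoted
    # original message inside it) is never searched.
    $headerBlock = ($RawHeaders -split "`r?`n`r?`n", 2)[0]

    # RFC 5322 folding: a continuation line starts with whitespace. Unfold before matching.
    $unfolded = $headerBlock -replace "`r?`n[ \t]+", ' '

    $m = [regex]::Match($unfolded, '(?im)^Message-ID:\s*(<[^>]+>)')
    if (-not $m.Success) { throw 'No Message-ID header found in the top header block' }
    return $m.Groups[1].Value
}

# Constructed sample (domains, IP and IDs are placeholders): the Message-ID is folded,
# and a decoy Message-ID sits in the body where a forwarded original would be.
$sampleEml = @"
Received: from mail.example.net (192.0.2.10) by mx.contoso.com with ESMTP; Sat, 1 Apr 2023 09:15:02 +0000
From: sender@example.com
To: victim@contoso.com
Subject: Invoice overdue
Message-ID:
 <20230401091502.abc123@mail.example.net>
Date: Sat, 1 Apr 2023 09:15:00 +0000

Please see the attached invoice. Original message follows:
Message-ID: <decoy@example.org>
"@

$id = Get-MessageIdFromHeaders -RawHeaders $sampleEml
# $id is now '<20230401091502.abc123@mail.example.net>' (brackets kept, decoy ignored).
# For a real file: $id = Get-MessageIdFromHeaders -RawHeaders (Get-Content .\suspect.eml -Raw)

# Trace it (requires an existing Connect-ExchangeOnline session). The full value
# including the angle brackets is what Get-MessageTrace matches on.
Get-MessageTrace -MessageId $id -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date) |
    Get-MessageTraceDetail |
    Select-Object MessageId, RecipientAddress, Date, Event, Action, Detail, Data |
    Out-GridView -Title "Trace for $id"
```

Splitting at the first blank line is the important step: it is what keeps the regex from matching the quoted original's Message-ID further down, which would send you tracing the wrong message.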

  4. Use message tracking logs

On-premises Exchange servers store message tracking logs that can be used to trace messages, queried with Get-MessageTrackingLog. These logs contain detailed information about the path of a message through the Exchange organisation, including each transport event (RECEIVE, SEND, DELIVER, FAIL, DEFER), timestamps, and the server names involved. Each server only holds the log for the hops it handled, and by default logs are kept for 30 days, so a complete trace means querying every Mailbox (or Hub Transport) server within that window. Using these logs can help you understand how messages are being processed and where a message stalled.
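As an added example for the on-premises side (not from the original post), the script below runs Get-MessageTrackingLog for one sender on every Mailbox server, stitches the per-server events into one timeline and flags which messages reached DELIVER and which failed or were deferred. It assumes an Exchange Management Shell session on an Exchange 2013 or later organisation; the sender address and output path are placeholders.

```powershell
# Added example: trace one sender through the on-premises tracking logs on all servers.
# Assumes an Exchange Management Shell session. Sender and output path are placeholders.
$Sender = 'sender@example.com'
$End    = Get-Date
$Start  = $End.AddDays(-7)     # default log retention is 30 days; 7 keeps the run quick

# Get-MessageTrackingLog reads the log of ONE server per call, so fan out to every
# Mailbox server (Exchange 2013+ transport runs on the Mailbox role).
$Servers = Get-ExchangeServer | Where-Object { $_.IsMailboxServer }

$Events = foreach ($s in $Servers) {
    Get-MessageTrackingLog -Server $s.Name -Sender $Sender -Start $Start -End $End -ResultSize Unlimited
}

# One flat timeline across all servers, suitable for attaching to an incident ticket.
$Events | Sort-Object Timestamp |
    Select-Object Timestamp, ServerHostname, ClientIp, EventId, Source, Sender,
        @{ n = 'Recipients'; e = { $_.Recipients -join ';' } }, MessageSubject, MessageId |
    Export-Csv -Path .\sender-tracking.csv -NoTypeInformation   # assumed output path

# Per-message verdict: a message with no DELIVER event on any server never reached a mailbox.
$Events | Group-Object MessageId | ForEach-Object {
    $ids  = $_.Group.EventId
    $last = $_.Group | Sort-Object Timestamp | Select-Object -Last 1
    [pscustomobject]@{
        MessageId  = $_.Name
        Subject    = $_.Group[0].MessageSubject
        Delivered  = $ids -contains 'DELIVER'
        FailOrDefer = ($ids -contains 'FAIL') -or ($ids -contains 'DEFER')
        LastEvent  = $last.EventId
        LastServer = $last.ServerHostname
    }
} | Sort-Object Delivered | Out-GridView -Title "Tracking summary for $Sender"
```

The per-message grouping is what the raw log lines lack: each server reports only its own hop, so "did it get delivered anywhere" can only be answered after the events from every server are combined.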


  5. Use third-party tools

There are several third-party tools available that can help you with message tracing in Exchange. These tools provide additional features and functionality that may not be available in the native Exchange tools. Some examples include Promodag Reports, Netwrix Auditor for Exchange, and SolarWinds Server & Application Monitor.

In conclusion, the key to efficiently tracing messages in Exchange is to use the combination of tools and techniques best suited to the task at hand: the EAC for a quick one-off lookup, PowerShell with tight filters when you need to page through, group or export results, the on-premises message tracking logs for hop-by-hop detail, and third-party tools where you need reporting beyond what the native cmdlets offer.

By following these practices you'll be able to trace messages more quickly and reliably, which in a phishing investigation means getting from "someone reported this email" to "here is every copy that was delivered" in minutes rather than hours.

Information Technology Support Analyst with over seven years of experience (in the telecommunications and manufacturing industries) ranging from user support to administering and maintaining core IT systems.