Phishing, spam, and malware-laden emails are still a major threat to organizations, even with security tools like Microsoft Defender for Office 365 in place. Attackers evolve their techniques to bypass filters, making it critical for IT professionals to quickly analyze and block these threats.
In this blog, we’ll explore how to quickly determine if an email is malicious and use PowerShell to identify, investigate, and stop phishing attempts in Microsoft Exchange Online.
1. How to Identify a Suspicious Email Quickly
Before using PowerShell, here are quick ways to spot a malicious email:
- Check the sender's email domain: look for spoofed domains (e.g., @microsft-support.com instead of @microsoft.com).
- Hover over links (DO NOT CLICK): if URLs contain random characters or redirect to unknown domains, they are likely phishing.
- Look for urgency or threats: phrases like "Your account will be locked in 24 hours!" are red flags.
- Check for spelling errors and odd formatting: professional companies don't send typo-ridden emails.
- Check email headers for anomalies: fake "From" addresses or mismatched domains are common in phishing emails.
Automate these checks with PowerShell!
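Checking a message's headers for the anomalies listed above, as an added example written for this post rather than code taken from it. The header block is constructed sample data and the domains in it are placeholders; the function itself works on any raw header text you paste in.

```powershell
# Added example: triage a raw header block saved from a suspect message
# (Outlook: File > Properties > Internet headers). Constructed sample data below.
$sampleHeaders = @"
Authentication-Results: spf=fail (sender IP is 203.0.113.10) smtp.mailfrom=microsft-support.com; dkim=none; dmarc=fail action=quarantine header.from=microsoft.com
From: "Microsoft Support" <security@microsoft.com>
Return-Path: <bounce@microsft-support.com>
Reply-To: <helpdesk@microsft-support.com>
"@

function Test-SuspiciousHeaders {
    param([Parameter(Mandatory)][string]$Headers)
    $findings = [System.Collections.Generic.List[string]]::new()
    # Header names are case-insensitive; take the first value of each header we inspect.
    function Get-HeaderValue([string]$Name) {
        $m = [regex]::Match($Headers, "(?im)^${Name}:\s*(.+)$")
        if ($m.Success) { $m.Groups[1].Value.Trim() } else { '' }
    }
    function Get-Domain([string]$Value) {
        # Use the address inside <...> when present, then the part after the last '@'.
        $addr = if ($Value -match '<([^>]+)>') { $Matches[1] } else { $Value }
        ($addr -split '@')[-1].Trim().ToLowerInvariant()
    }
    # 1. SPF, DKIM and DMARC verdicts as recorded by Exchange Online on receipt.
    $auth = Get-HeaderValue 'Authentication-Results'
    foreach ($check in 'spf', 'dkim', 'dmarc') {
        if ($auth -match "$check=(\w+)") {
            if ($Matches[1] -ne 'pass') { $findings.Add("$($check.ToUpper()) result is '$($Matches[1])'") }
        } else {
            $findings.Add("No $($check.ToUpper()) result in Authentication-Results")
        }
    }
    # 2. Return-Path or Reply-To pointing at a different domain than the visible From.
    $fromDomain = Get-Domain (Get-HeaderValue 'From')
    foreach ($h in 'Return-Path', 'Reply-To') {
        $v = Get-HeaderValue $h
        if ($v -and (Get-Domain $v) -ne $fromDomain) {
            $findings.Add("$h domain '$(Get-Domain $v)' differs from From domain '$fromDomain'")
        }
    }
    [pscustomobject]@{ FromDomain = $fromDomain; Findings = $findings; Suspicious = ($findings.Count -gt 0) }
}

Test-SuspiciousHeaders -Headers $sampleHeaders | Format-List
```

Against the sample block this reports the SPF and DMARC failures, the missing DKIM signature, and the Return-Path and Reply-To domains that do not match the From domain.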
2. Investigating Suspicious Emails Using PowerShell
Find Emails by Subject, Sender, or Date
To search for phishing emails across mailboxes:
```powershell
# Search-Mailbox is being retired in Exchange Online; New-ComplianceSearch is its replacement.
Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery 'Subject:"Urgent Security Notice"' -TargetMailbox [email protected] -TargetFolder PhishingReports
```
What this does:
- Searches all mailboxes for emails with "Urgent Security Notice" in the subject.
- Copies them to the PhishingReports folder in the [email protected] mailbox for further analysis.
Check Email Headers for Spoofing & Authentication Failures
To trace messages from a suspected spoofed sender before pulling their headers to verify SPF, DKIM, and DMARC:
```powershell
Get-MessageTrace -SenderAddress "[email protected]" -StartDate (Get-Date).AddDays(-3) -EndDate (Get-Date)
```
What this does:
- Traces emails sent from [email protected] in the last 3 days.
- Helps identify whether attackers are spoofing legitimate domains.
Identify Users Who Clicked on a Phishing Email
To find who clicked on malicious links in a phishing email, run:
```powershell
Get-MailDetailATPReport -StartDate "03/01/2024" -EndDate "03/10/2024" -EventType Click
```
What this does:
- Retrieves users who clicked on malicious URLs detected by Safe Links in Defender for Office 365.
Immediate action: force a password reset for affected users.
```powershell
# Requires the MSOnline module. The password is an example value; generate a random one in practice.
Set-MsolUserPassword -UserPrincipalName "[email protected]" -NewPassword "SecureP@ssw0rd!" -ForceChangePassword $true
```
3. Stopping Phishing, Spam, and Malware Attacks
Block the Sender or Entire Domain
To block the sender or domain at the organization level:
```powershell
New-TenantAllowBlockListItems -Block -Entries "[email protected]" -ListType Sender
```
What this does:
- Adds [email protected] to the Tenant Allow/Block List, preventing future emails from this sender.
To block an entire domain (e.g., malicious.com):
```powershell
# Domains are added as Sender entries; the list type has no separate "Domain" value.
New-TenantAllowBlockListItems -Block -Entries "malicious.com" -ListType Sender
```
Quarantine Suspicious Emails
To move all emails from a specific sender domain to Quarantine:
```powershell
Set-HostedContentFilterPolicy -Identity Default -BlockedSenderDomains "malicious.com"
```
What this does:
- Blocks all emails from malicious.com and moves them to Quarantine.
To review quarantined emails:
```powershell
Get-QuarantineMessage -StartReceivedDate (Get-Date).AddDays(-3) -EndReceivedDate (Get-Date)
```
Block Malicious Attachments & URLs
To block email attachments containing malware:
```powershell
Set-MalwareFilterPolicy -Identity "Default" -EnableFileFilter $true -FileTypes exe,js,vbs,bat,cmd,scr
```
What this does:
- Blocks dangerous file types commonly used in phishing and malware attacks.
To block all URLs in emails unless they are verified safe:
```powershell
# Safe Links for email is enabled with -EnableSafeLinksForEmail in the current module.
Set-SafeLinksPolicy -Identity "Default" -EnableSafeLinksForEmail $true -ScanUrls $true
```
4. Automating Phishing Incident Response
Automatically Remove Phishing Emails from User Mailboxes
To remove an email that has already been delivered:
```powershell
Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery "subject:'Important Update Required'" -DeleteContent
```
What this does:
- Deletes all emails with "Important Update Required" in the subject across all mailboxes.
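One way to tie the trace, block and affected-user steps of sections 2 to 4 into a single triage pass, as an added example that is not from the original post. It assumes an existing Connect-ExchangeOnline session with message trace and Tenant Allow/Block List rights; the sender address and subject in the call are placeholders.

```powershell
# Added example: report on a reported phishing sender, then block it only when asked.
function Invoke-PhishingTriage {
    param(
        [Parameter(Mandatory)][string]$SenderAddress,
        [string]$SubjectContains,
        [int]$Days = 3,            # message trace covers at most the last 10 days
        [switch]$BlockSender       # only modify the tenant when explicitly requested
    )
    $trace = Get-MessageTrace -SenderAddress $SenderAddress `
        -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date)
    if ($SubjectContains) { $trace = $trace | Where-Object Subject -like "*$SubjectContains*" }

    # Delivered messages are the ones that need mailbox cleanup and user follow-up;
    # anything already quarantined or filtered as spam needs no further action.
    $delivered  = $trace | Where-Object Status -eq 'Delivered'
    $recipients = $delivered | Select-Object -ExpandProperty RecipientAddress -Unique

    if ($BlockSender -and $trace) {
        # Sender entries accept a full address or a bare domain; block entries expire
        # after a default period unless -NoExpiration is set.
        New-TenantAllowBlockListItems -ListType Sender -Block -Entries $SenderAddress `
            -NoExpiration -Notes "Phishing triage $(Get-Date -Format s)" | Out-Null
    }
    [pscustomobject]@{
        Sender         = $SenderAddress
        MessagesTraced = @($trace).Count
        Delivered      = @($delivered).Count
        Recipients     = @($recipients)     # feed these to the password-reset step
        SenderBlocked  = [bool]($BlockSender -and $trace)
    }
}

# Report first; rerun with -BlockSender once the result confirms the sender is malicious.
Invoke-PhishingTriage -SenderAddress 'attacker@malicious.example' -SubjectContains 'Urgent Security Notice'
```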
Summary: Key PowerShell Commands for Email Security
| Task | PowerShell Command |
|---|---|
| Find phishing emails | `Search-Mailbox -SearchQuery 'Subject:"Urgent Security Notice"'` |
| Trace messages from a sender | `Get-MessageTrace -SenderAddress "[email protected]"` |
| Find users who clicked phishing links | `Get-MailDetailATPReport -EventType Click` |
| Block sender | `New-TenantAllowBlockListItems -Block -Entries "[email protected]" -ListType Sender` |
| Block domain | `New-TenantAllowBlockListItems -Block -Entries "malicious.com" -ListType Sender` |
| Quarantine emails | `Set-HostedContentFilterPolicy -BlockedSenderDomains "malicious.com"` |
| Block malicious attachments | `Set-MalwareFilterPolicy -EnableFileFilter $true -FileTypes exe,js,vbs,bat,cmd,scr` |
| Delete phishing emails | `Get-Mailbox -ResultSize Unlimited \| Search-Mailbox -SearchQuery "subject:'Important Update Required'" -DeleteContent` |
Final Thoughts: Proactive Phishing Defense
Even with Microsoft Defender, attackers continue to find ways to bypass security filters. PowerShell automation helps identify, block, and remove phishing, spam, and malware attacks quickly.
Best Practices:
- Enable Microsoft Defender policies (Safe Links, Safe Attachments, Anti-Phishing)
- Use PowerShell to monitor phishing trends and remove threats
- Train employees on phishing awareness (Attack Simulation Training)
- Regularly review email authentication (SPF, DKIM, DMARC)
IT admins should take a proactive approach: blocking phishing before it reaches users saves hours of incident handling.
Have you encountered a phishing attack that bypassed Defender? What steps did you take to mitigate it? Share your experience!