Skip to content
/ Check-Mailbox-Compromise Public

Easily gather mailbox info within an exchange environment. this can help determine whether an account has been comprimised.

License

GPL-3.0 license
2 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

stevenservo-hub/Check-Mailbox-Compromise

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

66 Commits
Functions
Functions
 
 
LICENSE
LICENSE
 
 
MailboxCompromise.psm1
MailboxCompromise.psm1
 
 
README.md
README.md
 
 

Repository files navigation

MailboxCompromise Module

Synopsis of MailboxCompromise Tool

Overview

The MailboxCompromise tool is a PowerShell module designed to help administrators manage and secure Exchange Online mailboxes. It provides functionalities to check mailboxes for suspicious activities, reset user passwords, and revoke user sessions. As well as content and email searches to find a spreading compromised email. The tool can be run with various parameters to customize its behavior, making it flexible for different administrative needs. By default the tool will run a recursive search, going through all emails within the environment, this can be flagged to target indvidual users.

Features

  1. Check Mailboxes for Suspicious Activity

    • QuickRun: Checks inbox rules, suspicious login activity, and forwarding rules.
    • Verbose: Lists all custom permissions and audit logs for each mailbox.
    • UniqUser: Allows checking a specific user's mailbox.
    • Log Path: Specify a custom path for the log file.

  2. Reset User Password

    • PassReset: Resets the password for the specified user.

  3. Revoke User Sessions

    • Revoke-Sessions: Revokes all active sessions for a specified user.

Prerequisites

  • PowerShell 5.1 or later
  • Exchange Online Management Module: Ensure you have the Exchange Online Management module installed. You can install it using the following command: 
    Install-Module -Name ExchangeOnlineManagement -Force -AllowClobber

Installation

Clone the Repository: Clone the repository to your local machine using the following command:

git clone https://github.com/stevenservo-hub/Check-Mailbox-Compromise.git

Navigate to the Module Directory: Change to the directory where the module file is located:

cd Check-Mailbox-Compromise

Import the Module: Import the MailboxCompromise.psm1 module into your PowerShell session:

Import-Module ".\MailboxCompromise.psm1"

Usage

To use the Check-MailboxCompromise function, you need to provide the Exchange Online administrator’s User Principal Name (UPN). You can also specify the -QuickRun flag to perform a quick check.

Full Check Example

invoke-mailboxcheck -ExchangeAdmin "[email protected]"

output

User: [email protected] Mailbox 1 of 1

  • Has 1 rule(s):
    • Rule Name: Forward To example Enabled: True, Priority: 1, Action:
  • Has 1 forwarding rule(s).
    • Rule Name: Forward To example
      • Forward To:
  • No suspicious logins in the past 7 days.
  • No password changes found in the specified date range.
  • Has 1 delegate(s) with Full Access.
  • No mailbox-level forwarding.
  • No recent audit log entries.
  • Has 2 custom permission(s) set.
    • User: NT AUTHORITY\SELF, Access Rights: FullAccess, ReadPermission
    • User: NT AUTHORITY\SELF, Access Rights: FullAccess, ExternalAccount, ReadPermission
  • Auto-reply is disabled.

Quick Run Example

invoke-mailboxchecke -ExchangeAdmin "[email protected]" -QuickRun

Help

For detailed information about the function, you can use the Get-Help cmdlet:

Get-Help invoke-mailboxcheck -Detailed

About

Easily gather mailbox info within an exchange environment. this can help determine whether an account has been comprimised.

Resources

Readme

License

GPL-3.0 license
Activity

Stars

2 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages