Audit report of emails with Specific File attachment Extension In Microsoft 365

As you may be aware, recent malware campaigns have abused Microsoft OneNote files: .one file attachments are being sent to users and contain malware. The malware can steal credentials for cryptocurrency wallets, Discord data, and web browser data, including cached cookies.

If users in your organization are not using Microsoft OneNote, the first thing you should do is block emails with the .one file attachment extension.

If there are users in your organization who do use Microsoft OneNote, educate them not to open emails with .one file attachments from suspicious senders and not to share OneNote files over email, internally or externally. Users can save all project-related documents in a SharePoint site and open them from there to reduce the risk.

If you have decided to block emails with the .one file attachment extension, some users may have received emails with .one attachments before the block was put in place. You should track those users and inform them about those specific emails. If an email came from a suspicious address, you will be able to find it in the report.

In this blog post, we are going to search for all emails with a specific attachment extension. For the demo, we will search for emails with the .one file attachment extension; however, you can use the same steps to search for emails with any other attachment extension, such as .png, .jpg or .exe.

Once the search is complete, we will be able to export the content search report as CSV files or PST files, as required.

Search for all the emails with specific file attachment extension

The first thing we are going to do is search for all emails received by internal users that contain an attachment with a specific file extension, for example <filename>.one. We will use the Microsoft Purview portal and its Content Search tool for this.

More Examples:

  • If an email contains a file named Financereport.one as an attachment, the email details will show in the report.
  • If an email contains a file named Febsummarlog.one as an attachment, the email details will show in the report.

Which Permissions are required for Content Search

To perform a content search in Microsoft 365, you need to be a member of the eDiscovery Manager role group or have been assigned the necessary permissions for performing eDiscovery searches. This role group is available in the Microsoft 365 Defender portal.

The eDiscovery Manager role can perform searches and place holds on mailboxes, SharePoint Online sites, and OneDrive locations. In my experience, if you are a Compliance Administrator you should be able to perform the steps in this blog post. If it does not work, make sure you are a member of the eDiscovery Manager role group and try again.

Steps to Start Content Search from Microsoft Purview Portal

Microsoft Purview is a data governance solution that enables you to discover and manage your organization’s data across various sources. Here are the steps to start a content search from the Microsoft Purview portal:

  1. Open the Microsoft Purview portal in any web browser and sign in with admin credentials.
  2. Navigate to “Content Search” under Solutions in the left-hand menu of the portal.
  3. Click on the “Search” tab.
  4. Click on the “+ New Search” link.

Name and Description

After you click on + New Search, you will need to provide a Name and Description for the search. Provide a meaningful name so that you can find your search later.

  • Name: Find all emails with .one file attachment extension
  • Description: This Content search is to find all the emails with .one email file attachment extension.
  • In the Locations configuration, select the locations you want to search. As we are only interested in emails, we will enable only Exchange mailboxes. We will also uncheck “Add App Content for On-Premise Users”.
  • Provide the search query. The query below finds all emails received by users on or after 17 Feb 2023 whose AttachmentNames contain .one. The search query is: Received>=2023-02-17 AND AttachmentNames:".one"
  • To learn more about the searchable email properties, follow this link: Searchable email properties.
  • You can modify the search query to suit your own requirements. For example, you could enter a different date, or search for a different attachment extension such as .jpg, .exe or .png.
  • Click Next to review your search, and click the Submit button once you have verified the search criteria.

Verify the Search Results Summary

Once you start the content search, it can take anywhere from a few minutes to a couple of hours to complete, depending on the number of users/mailboxes and the amount of data in your organization.

You can find your search under Content Search tool > Search tab. Click on it to open its information pane on the right-hand side, then go to the Summary tab to check its progress.

As you can see, the search I had started has now completed. It found 47 items (emails / users with emails) having the .one file attachment extension.


Export the Content Search Results in a CSV File

Now that the content search has completed, we can start the export process. You can export the search results either as a .csv file or as a .pst file. If you export the results as a .csv file, it will contain only information about the emails; we will see what information is exported in the next section.

If you want to export copies of the emails with their contents, you will need to export the search results as a .PST file. We will look at both ways of exporting the data. Let’s first see how to export the search results as CSV files.

  • Open the Microsoft Purview portal in any web browser (preferably Microsoft Edge) and sign in with admin credentials.
  • Navigate to the “Content Search” under Solutions on the left-hand side menu of the portal.
  • Find the search you created. For example, we created a search called “Find all emails with .one file attachment extension”. Click on it to open the search information pane on the right-hand side.
  • Click on “Actions” button.
  • Click on Export report.
  • You can also click on Review sample button to see a preview of the report.
  • Export Report – On the Export report page, select one of the Output options:
    • All items, excluding ones that have unrecognized format, are encrypted, or weren’t indexed for other reasons – This option only exports information about indexed items.
    • All items, including ones that have unrecognized format, are encrypted, or weren’t indexed for other reasons – This option exports information about indexed and unindexed items.
    • Only items that have an unrecognized format, are encrypted, or weren’t indexed for other reasons – This option only exports information about unindexed items.
  • Enable de-duplication for Exchange content – If any duplicate emails are found, only one copy of the email will be exported. Select this checkbox if you want to reduce the amount of duplicate data. If you want to export all the data, keep this option unchecked.
  • Click on Generate report once you have selected the Output options.
  • After you click on Generate report, an export job is created. You can track the job and its status from the Export tab of the Content Search tool.
  • Go to the Export tab and click on the export job that was created.
  • You can monitor the job from here; once it has completed, click the Download report link to download it to your PC.

To download the report, it is best to use the Microsoft Edge browser, as it downloads and installs the eDiscovery Export Tool used to fetch your report; the tool has better compatibility with Microsoft Edge.

After you click the Download report link, you will see a few pop-ups. Click Allow and then click Install to install the eDiscovery Export Tool.

After you have installed the eDiscovery Export Tool, it will launch automatically. Copy the Export Key generated by the export process and paste it into the eDiscovery Export Tool, then provide a location to export the files to. For the customized PST file name, keep the default; I have left it as Exchange.pst, which will be ignored since we are downloading the results as CSV files.


Export process has been completed successfully.


Go to the export location to check your downloaded reports. In my case, I had provided the folder name ExportReport_1, so the reports were downloaded into that folder. You will find the following 4 files in this folder:

  • Export Summary – Summary of the Content search report.
  • manifest.xml – Contains information about each item which was included in the search results.
  • Results.csv – Detailed information about each email. This report is useful for tracking the emails in users’ inboxes. The Results.csv file contains the following columns:
    • ExportedItem Id
    • Item Identity
    • Document ID
    • Selected
    • Duplicate to Item
    • Original Path
    • Location
    • Location Name
    • Target Path
    • Document Path
    • Subject or Title
    • Sender or Created by
    • Recipients in To line
    • Recipients in Cc line
    • Recipients in Bcc line
    • To – Expanded
    • CC – Expanded
    • BCC – Expanded
    • DG Expansion Result
    • Sent
    • Has Attachments
    • Importance
    • Is Read
    • Modified by
    • Type
    • Received or Created
    • Modified Date
    • Size (KB)
    • Decode Status
    • Compliance Tag
    • Summary
    • Preservation Original Url
  • trace.log – Detailed logging information about the export process. Use this log file to troubleshoot any issues during the export process.
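As an added example (not code from the original post), here is a small Python script that builds the search query shown earlier for any extension and date, then parses a constructed Results.csv in the column layout listed above to work out which users received matching emails and which senders are external, which is the follow-up the conclusion describes. It assumes the organisation's own domain is contoso.com and that recipient fields are ';'-separated; both are assumptions, not facts from the post.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the Results.csv column layout listed above; only the
# columns the triage reads are populated. Recipient lists are assumed to be
# ';'-separated (an assumption about the export format, not taken from the post).
SAMPLE_RESULTS_CSV = """\
ExportedItem Id,Subject or Title,Sender or Created by,Recipients in To line,Received or Created,Has Attachments,Location Name
1,Financereport,billing@partner.example,alice@contoso.com; bob@contoso.com,2023-02-20T09:14:00Z,True,alice@contoso.com
2,Febsummarlog,invoice@mail.example,carol@contoso.com,2023-02-21T16:02:00Z,True,carol@contoso.com
3,Project notes,dave@contoso.com,alice@contoso.com,2023-02-22T11:30:00Z,True,alice@contoso.com
"""

INTERNAL_DOMAINS = {"contoso.com"}  # assumption: the organisation's own domains

def build_query(extension: str, received_after: str) -> str:
    """Build the Content Search query from the post for any extension and ISO date."""
    ext = extension if extension.startswith(".") else "." + extension
    return f'Received>={received_after} AND AttachmentNames:"{ext}"'

def is_external(address: str) -> bool:
    """True when the sender's domain is not one of the organisation's own."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def triage(results_csv: str) -> dict:
    """Map each recipient to the matching messages they received, flagging external senders."""
    per_user = defaultdict(list)
    for row in csv.DictReader(io.StringIO(results_csv)):
        if row["Has Attachments"].strip().lower() != "true":
            continue  # the query matched on attachment name; re-check the flag anyway
        sender = row["Sender or Created by"].strip().lower()
        entry = {"subject": row["Subject or Title"], "sender": sender,
                 "received": row["Received or Created"], "external": is_external(sender)}
        for rcpt in row["Recipients in To line"].split(";"):
            if rcpt.strip():
                per_user[rcpt.strip().lower()].append(entry)
    return dict(per_user)

def external_senders(per_user: dict) -> list:
    """Sorted, de-duplicated senders from outside the organisation, for follow-up."""
    return sorted({m["sender"] for msgs in per_user.values() for m in msgs if m["external"]})

if __name__ == "__main__":
    print(build_query("one", "2023-02-17"))
    report = triage(SAMPLE_RESULTS_CSV)
    for user, msgs in sorted(report.items()):
        print(f"{user}: {len(msgs)} message(s), {sum(m['external'] for m in msgs)} from external senders")
    print("external senders to review:", external_senders(report))
```

Point `triage()` at the contents of a real Results.csv and the per-user map gives you the list of people to contact, while `external_senders()` gives the addresses to check against your block list.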

Export the Content Search Results in a PST File

Now we have seen how to export the content search results as a CSV file. These are not the actual emails, only information about them. If you want to download the search results as a PST file, follow the process below:

  • Open the Microsoft Purview portal in any web browser and sign in with admin credentials.
  • Navigate to the “Content Search” under Solutions on the left-hand side menu of the portal.
  • Find the search you created. For example, we created a search called “Find all emails with .one file attachment extension”. Click on it to open the search information pane on the right-hand side.
  • Click on “Actions” button.
  • Click on Export results.

When you click on Export results, this time the matching emails are downloaded as a .PST file, or as multiple .PST files, depending on how you choose to export them.

Select one of the Output Options and then select Export Exchange Content as:

  • One PST file for each mailbox – This will generate a separate .PST file for each user mailbox including archive mailbox
  • One PST file containing all messages – Generate one .PST for all search results.
  • One PST file containing all messages in a single folder: Exports search results to a single PST file where all messages are located in a single folder.
  • Individual messages: Exports search results as individual email messages, using the .msg format. If you select this option, email search results are exported to a folder in the file system.

Enable de-duplication for Exchange content – If any duplicate emails are found, only one copy of the email will be exported. Select this checkbox if you want to reduce the amount of duplicate data. If you want to export all the data, keep this option unchecked.


You can start the export process and then go to the Export tab to check the export job’s status and progress. As with the CSV export, you use the eDiscovery Export Tool to download the data, this time as PST files. Note that you still need to provide the Export key and an export location.

Export failed with error: The export can’t be performed. Make sure the export content hasn’t expired.

While exporting the content search results, you may receive the error message “Export failed with error: The export can’t be performed. Make sure the export content hasn’t expired.”

This can be caused by an incorrect Export key being entered in the eDiscovery Export Tool. Make sure to copy the Export key generated by the export process and paste it into the eDiscovery Export Tool, then click Start to begin the eDiscovery export process.

  • Copy the Export Key and paste it into the eDiscovery Export Tool.

Conclusion

In this blog post, we have seen how to perform a content search. We searched for all emails with a specific file attachment extension that users received after a certain date. You can customize the query to search for a different date or for a different file extension.

Then we looked at the export process, which exports the data as a CSV file or a PST file depending on your requirements. You can analyze the data in Results.csv and reach out to each user who received a file attachment that could contain malware.
