Audit report of Emails with Specific File Attachment Extension In Microsoft 365

Background

You may be familiar with the recent malware attacks targeting Microsoft OneNote files. These attacks involve sending .one file attachments to users, which are found to contain malicious software.

This malware can pilfer credentials associated with cryptocurrency wallets, Discord data, and web browser information, including stored cookies. It’s a concerning threat that underscores the importance of cybersecurity.

If your organization’s users don’t utilize Microsoft OneNote, the first step should be to block emails with .one file attachments.

If your organization has users who use Microsoft OneNote, you can educate them not to open emails with .one file attachments from suspicious senders. Additionally, advise them not to share OneNote files via email, either internally or externally. It’s safer to store project-related documents in a SharePoint site and access them from there to minimize risks.

If you’ve decided to block emails with .one file attachments, it’s important to identify users who might have received such attachments before the block was implemented. You should track these users and inform them about those specific emails. If the emails came from suspicious senders, you can easily identify them in the report.

In this blog post, we’ll guide you in searching for emails with a specific attachment. For the demonstration, we’ll search for emails with .one file attachment extensions. However, you can apply these steps to search for emails with various file attachment extensions, such as .png, .jpg, .exe, or any other extension you need.

After completing the search, you can export the content search report as CSV or PST files, depending on your requirements.

The first step is to search for all emails internal users receive that contain a specific file attachment extension, such as <filename>.one. We will utilize the Microsoft Purview portal and the Content Search Tool to perform this search.

Example:

  • If an email contains a Financereport.one file as an attachment, the report will display the details of that email.

To perform a content search in Microsoft 365, you must be a member of the eDiscovery Manager role group or have the required permissions to conduct eDiscovery searches. This role group is accessible through the Microsoft 365 Defender Portal.

The eDiscovery Manager role has the authority to conduct searches and impose holds on mailboxes, SharePoint Online sites, and OneDrive locations.

Based on my experience, Compliance administrators should also be able to execute the steps outlined in the blog post. But if you have a Compliance administrator role and encounter any issues, ensure that you are part of the eDiscovery Manager role and attempt the process again.

Start Content Search from Microsoft Purview Portal

To start a Content search on the Microsoft Purview portal, follow the below steps:

  • Open the Microsoft Purview portal in any web browser and sign in with admin credentials.
  • Navigate to Content Search under Solutions on the portal’s left-hand menu.
  • Click on the Search tab.
  • Click on the + New Search link.

Name and Description

Provide Name and Description of the Search.

  • Name: Find all emails with .one file attachment extension
  • Description: Provide a useful description.
  • In the Locations configuration, choose the locations you wish to search. Since our focus is mainly on email searches, enable Exchange mailboxes. Uncheck the option labeled “Add App Content for On-Premise Users”.
  • Here’s the search query: “Received>=2023-02-17 AND AttachmentNames:.one” This query will search for all the emails received by users on or after February 17, 2023, with attachments having the “.one” file extension.

To learn more about the searchable email properties, follow this link: Searchable email properties.

Note
  • You can customize the search query to meet your specific requirements. For example, you can change the date or search for different file attachment extensions like .jpg, .exe, .png, etc.
  • Click “Next” to review your search criteria, and then click the “Submit” button once you have verified that the search criteria are accurate.
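The same search can be created from Security & Compliance PowerShell instead of the portal. This is an added example, not part of the original post; it reuses the search name and query shown above, and it assumes the ExchangeOnlineManagement module is installed, that your account is in the eDiscovery Manager role group, and that each line of the SuccessResults property has the form "Location: <mailbox>, Item count: <n>, Total size: <bytes>".

```powershell
# Added example: scripted equivalent of the portal steps above.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # Security & Compliance PowerShell; prompts for sign-in

$searchName = 'Find all emails with .one file attachment extension'
$query      = 'Received>=2023-02-17 AND AttachmentNames:.one'   # query from the post

# Create the search against all Exchange mailboxes and start it.
New-ComplianceSearch -Name $searchName `
    -Description 'Emails received with .one file attachments' `
    -ExchangeLocation All `
    -ContentMatchQuery $query | Out-Null
Start-ComplianceSearch -Identity $searchName

# Poll until the search completes, giving up after two hours.
$waited  = 0
$maxWait = 7200
do {
    Start-Sleep -Seconds 30
    $waited += 30
    $search = Get-ComplianceSearch -Identity $searchName
    Write-Host "Status: $($search.Status) after $waited seconds"
} while ($search.Status -ne 'Completed' -and $waited -lt $maxWait)

# Overall totals, as shown on the Summary tab in the portal.
$search | Select-Object Name, Status, Items, Size, ContentMatchQuery

# Per-mailbox hit counts, parsed from SuccessResults (format is an assumption,
# see the lead-in). Mailboxes with zero matching items are skipped.
$hits = foreach ($line in ($search.SuccessResults -split "`n")) {
    if ($line -match 'Location: (\S+),.+Item count: (\d+)' -and [int]$Matches[2] -gt 0) {
        [pscustomobject]@{ Mailbox = $Matches[1]; Items = [int]$Matches[2] }
    }
}
$hits | Sort-Object Items -Descending
```

The per-mailbox list gives an early view of which users to follow up with before any export is run.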

Verify Content Search Results

The time it takes to complete the content search process can vary depending on the number of users and mailboxes and your organization’s data volume. Finishing the search may take a few minutes to a couple of hours.

You can locate your search using the Content Search tool > Search tab and click on it to open the Information pane on the right-hand side. From there, you can access the Summary Tab to monitor the progress of your search.

As you can see, the search I initiated has now been completed. It identified 47 items, emails, or users with emails containing the .one file attachment extension.


Export Content Search Results to a CSV File

With the content search now completed, you can proceed with the export process. You can export the search results in either .csv or .pst file format. If you export the results in .csv format, it will contain information about the emails. In the next section, we’ll explore the details included in the export.

If you wish to obtain a copy of the emails and their contents, export the search results as a .PST file. We will cover both methods of exporting the data.

Let’s begin by exploring how to export the search results in CSV files.

  • Sign in to the Microsoft Purview portal.
  • Navigate to the Content Search under Solutions.
  • Locate the search you previously created. For instance, if you named your search Find all emails with .one file attachment extension, click on it to open the Search Information pane on the right.
  • Click on the Actions button.
  • Click on Export report.
  • You can also click on the Review sample button to see a preview of the report.
  • Export report – On the Export report page, select one of the Output options:
    • All items, excluding ones that have unrecognized format, are encrypted, or weren’t indexed for other reasons – This option only exports information about indexed items.
    • All items, including ones that have unrecognized format, are encrypted, or weren’t indexed for other reasons – This option exports information about indexed and unindexed items.
    • Only items that have an unrecognized format, are encrypted, or weren’t indexed for other reasons – This option only exports information about unindexed items.
  • Enable de-duplication for Exchange content – If duplicate emails are found, only one copy of the email will be exported. Select this checkbox to reduce the number of duplicate data. Keep this option unchecked if you want to export all the data.
  • Click on Generate report once you have selected the Output options.
  • After you click on Generate report, an export job will be created. You can track the job status from the Export tab of the Content Search tool.
  • Navigate to the Export tab and click on the export job that you’ve created.
  • You can monitor the job from this interface. Once completed, click the Download Report link to download it to your computer.
  • It’s best to use the Microsoft Edge browser to download the report. This browser downloads and installs the eDiscovery Export tool to facilitate the report download, and it is more compatible with it.
  • You’ll find a few pop-ups after clicking on the Download Report link. Click Allow and then proceed by clicking Install to install the eDiscovery Export tool.
  • Once you have installed the eDiscovery Export tool, it will launch automatically. You’ll need to copy the export key generated during the export process and paste it into the eDiscovery Export tool.
  • Choose a location to export the files. You can keep the default setting for the customized PST file name. I’ve left it as Exchange.pst, but it will be ignored as we are downloading the results in CSV files.
  • The export process has been completed successfully.

Go to the export location to check your downloaded reports. Since I provided a folder named ExportReport_1, the reports are downloaded in this folder. You will find the following four files in this folder.

  • Export Summary – Summary of the Content search report.
  • manifest.xml – Contains information about each item included in the search results.
  • Results.csv – Detailed information about each email. This report is helpful as it helps in tracking the emails in the user’s inbox. Results.csv file contains the following columns:
    • ExportedItem Id
    • Item Identity
    • Document ID
    • Selected
    • Duplicate to Item
    • Original Path
    • Location
    • Location Name
    • Target Path
    • Document Path
    • Subject or Title
    • Sender or Created by
    • Recipients in To line
    • Recipients in Cc line
    • Recipients in Bcc line
    • To – Expanded
    • CC – Expanded
    • BCC – Expanded
    • DG Expansion Result
    • Sent
    • Has Attachments
    • Importance
    • Is Read
    • Modified by
    • Type
    • Received or Created
    • Modified Date
    • Size (KB)
    • Decode Status
    • Compliance Tag
    • Summary
    • Preservation Original Url
  • trace.log – Detailed logging information about the export process. Use this log file to troubleshoot any issues during the export process.
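To turn Results.csv into a follow-up list, the rows can be grouped by mailbox and the senders outside your own domains flagged first. This is an added example, not part of the original post; it uses column names from the list above, the sample rows are constructed, and contoso.com stands in for your organization's accepted domains.

```powershell
# Added example: triage of Results.csv using the columns listed above.
$internalDomains = @('contoso.com')   # assumption: replace with your accepted domains

# Constructed sample rows. For a real export, replace this here-string with:
#   $rows = Import-Csv -Path '<path to Results.csv>'
$rows = @'
"Location Name","Subject or Title","Sender or Created by","Received or Created"
"alice@contoso.com","Invoice","billing@example.net","2/20/2023 9:14:00 AM"
"alice@contoso.com","Project notes","bob@contoso.com","2/21/2023 3:02:00 PM"
"carol@contoso.com","Shipping document","Courier <noreply@example.org>","2/22/2023 8:45:00 AM"
'@ | ConvertFrom-Csv

$findings = foreach ($row in $rows) {
    $sender = $row.'Sender or Created by'
    # Handles both "user@domain" and "Display Name <user@domain>".
    $domain = if ($sender -match '@([A-Za-z0-9.-]+)') { $Matches[1].ToLower() } else { '' }
    [pscustomobject]@{
        Mailbox  = $row.'Location Name'
        Sender   = $sender
        Subject  = $row.'Subject or Title'
        Received = $row.'Received or Created'
        # A sender with no parseable domain is treated as external.
        External = $domain -notin $internalDomains
    }
}

# Every message, external senders first.
$findings |
    Sort-Object @{ Expression = 'External'; Descending = $true }, Mailbox |
    Format-Table -AutoSize | Out-String | Write-Host

# One row per mailbox: how many messages to mention when contacting the user.
$findings | Group-Object Mailbox |
    Select-Object Name, Count,
        @{ Name = 'ExternalCount'; Expression = { @($_.Group | Where-Object External).Count } } |
    Format-Table -AutoSize | Out-String | Write-Host
```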

Export the Content Search Results in a PST File

We have now learned how to export the content search results in a CSV file, which contains information about the emails. If you want to download the search results in a PST file, you can follow the process below:

  • Sign in to the Microsoft Purview portal
  • Navigate to the “Content Search” under Solutions on the left-hand side menu of the portal.
  • Locate the search you previously created, such as Find all emails with .one file attachment extension. Click on it to open the Search Information pane, which is located on the right side.
  • Click on the “Actions” button.
  • Click on Export results.

When you click Export results this time, it will download the searched emails in a .PST file or multiple .PST files, depending on your export preferences.

Select one of the Output Options and then select Export Exchange Content as:

  • One PST file for each mailbox – This will generate a separate .PST file for each user mailbox, including the archive mailbox
  • One PST file containing all messages – Generate one .PST for all search results.
  • One PST file containing all messages in a single folder: Exports search results to a single PST file where all messages are in a single folder.
  • Individual messages: This option exports search results as email messages using the .msg format. If you select this option, the results are exported to a folder in the file system.
  • Enable de-duplication for Exchange content – If duplicate emails are found, only one copy of the email will be exported. You can select this checkbox to reduce the number of duplicate data. If you want to export all the data, keep this option unchecked.

You can start the export process and then go to the Export tab to check the export job status and progress. Similar to how we exported the search results in a CSV file, you can use the eDiscovery Export tool to download the data, this time in PST format. Please note that you must still provide the export key and location.

FAQs

Export failed with error: The export can’t be performed. Make sure the export content hasn’t expired.

While exporting the content search results, you may encounter the error message Export failed with error: The export can’t be performed. Make sure the export content hasn’t expired.

This issue may occur if you have provided an incorrect Export key in the eDiscovery Export Tool. Ensure you accurately copy the Export key generated during the export process and paste it into the eDiscovery Export Tool. Click Start to initiate the eDiscovery Export Process.

  • Copy the Export Key and paste it into the eDiscovery Export Tool.

Conclusion

This blog post acquainted us with how to conduct a content search. We searched for emails that users received after a specific date with a particular file extension. You can adapt the query to search for data from different dates or for different file extensions as needed.

Next, we explored the export process, which allows you to export the data in a CSV or PST file, depending on your business requirements. You can analyze the information in the Results.csv file and then contact each user who received a file attachment that may contain malware. This process helps enhance your organization’s security.
