Audit report of emails with Specific File attachment Extension In Microsoft 365

Background

You may be familiar with the recent malware attacks that specifically target Microsoft OneNote files. These attacks involve sending .one file attachments to users, which are found to contain malicious software.

This malware is capable of pilfering credentials associated with cryptocurrency wallets, Discord data, and web browser information, including stored cookies. It’s a concerning threat that underscores the importance of cybersecurity.

If your organization’s users don’t utilize Microsoft OneNote, the Initial step should be to block emails with .One file attachments.

If your organization has users who use Microsoft OneNote, you can educate them not to open emails with .one file attachments from suspicious senders. Additionally, advise them not to share OneNote files via email, either internally or externally. It’s safer to store project-related documents in a SharePoint site and access them from there to minimize risks.

If you’ve made the decision to block emails with .one file attachments, it’s important to identify users who might have received such attachments before the block was implemented. You should track these users and inform them about those specific emails. If the emails came from suspicious senders, you can easily identify them in the report.

In this blog post, we’ll guide you on how to search for emails with a specific email attachment. For the demonstration, we’ll be searching for emails with .one file attachment extensions. However, you can apply these steps to search for emails with various file attachment extensions such as .png, .jpg, .exe, or any other extension you need.

After completing the search, you can export the content search report in either CSV files or PST files based on your requirements.

The first step is to search for all emails received by internal users that contain a specific file attachment extension, such as “<filename>.one.” We will utilize the Microsoft Purview portal and the Content Search Tool to perform this search.

Example:

  • If an email contains a “Financereport.one” file as an attachment, the report will display the details of that email.

To perform a content search in Microsoft 365, you must be a member of the eDiscovery Manager role group or have the required permissions for conducting eDiscovery searches. This role group is accessible through the Microsoft 365 Defender Portal.

The eDiscovery Manager role has the authority to conduct searches and impose holds on mailboxes, SharePoint Online sites, and OneDrive locations.

Based on my experience, Compliance administrators should also be able to execute the steps outlined in the blog post. But If you have a Compliance administrator role and you encounter any issues, ensure that you are part of the eDiscovery Manager role and attempt the process again.

Start Content Search from Microsoft Purview Portal

To start a Content search on the Microsoft Purview portal, follow below steps:

  • Open the Microsoft Purview portal in any web browser and sign in with admin credentials.
  • Navigate to the “Content Search” Under Solutions on the left-hand side menu of the portal.
  • Click on the “Search” tab.
  • Click on “+ New Search” link.
Start Content Search from Microsoft Purview Portal
Start Content Search from Microsoft Purview Portal

Name and Description

Provide Name and Description of the Search.

  • Name: Find all emails with .one file attachment extension
  • Description: Provide a useful description.
Start Content Search from Microsoft Purview Portal
Start Content Search from Microsoft Purview Portal
  • In the Locations configuration, choose the locations you wish to search. Since our focus is mainly on email searches, enable Exchange mailboxes. Uncheck the option labeled “Add App Content for On-Premise Users
Start Content Search from Microsoft Purview Portal
Start Content Search from Microsoft Purview Portal
  • Here’s the search query: “Received>=2023-02-17 AND AttachmentNames:.one” This query will search for all the emails received by users after February 17, 2023, with attachments having the “.one” file extension.

To know more about the Searchable email properties. Please follow this link Searchable email properties.

  • You can customize the search query to meet your specific requirements. For example, you can change the date or search for different file attachment extensions like .jpg, .exe, .png, etc.
Start Content Search from Microsoft Purview Portal
Start Content Search from Microsoft Purview Portal
  • Click “Next” to review your search criteria, and then click the “Submit” button once you have verified that the search criteria are accurate.
Start Content Search from Microsoft Purview Portal
Start Content Search from Microsoft Purview Portal

Verify Content Search Results

The time it takes to complete the content search process can vary depending on the number of users and mailboxes, as well as the volume of data in your organization. It may take anywhere from a few minutes to a couple of hours to finish the search.

You can locate your search using the Content Search tool > Search tab and click on it to open the Information pane on the right-hand side. From there, you can access the Summary Tab to monitor the progress of your search.

As you can see, the search I initiated has now been completed. It identified 47 items, emails, or users with emails containing the .one file attachment extension.

Verify Content Search Results
Verify Content Search Results

Export Content Search Results to a CSV File

With the content search now completed, you can proceed with the export process. You have the option to export the search results in either .csv or .pst file format. If you choose to export the results in .csv format, it will contain information about the emails. In the next section, we’ll explore the details that are included in the export.

If you wish to obtain a copy of the emails along with their contents, you should export the search results in a .PST file. We will cover both methods of exporting the data.

Let’s begin by exploring how to export the search results in CSV files.

  • Sign in to Microsoft Purview portal
  • Navigate to the “Content Search” under Solutions.
  • Locate the search you previously created. For instance, if you named your search “Find all emails with .one file attachment extension” click on it to open the Search Information pane on the right-hand side.
  • Click on the “Actions” button.
  • Click on Export report.
  • You can also click on the Review sample button to see a preview of the report.
Export Content Search Results to a CSV File
Export Content Search Results to a CSV File
  • Export Report – On the Export report page. Select one of the Output options:
    • All items, excluding ones that have unrecognized format, are encrypted, or weren’t indexed for other reasons – This option only exports information about indexed items.
    • All items, excluding ones that have unrecognized format, are encrypted, or weren’t indexed for other reasons – This option exports information about indexed and unindexed items.
    • Only items that have an unrecognized format, are encrypted, or weren’t indexed for other reasons – This option only exports information about unindexed items.
  • Enable de-duplication for Exchange content – If there are any duplicate emails found, only one copy of the email will be exported. You can select this checkbox if you want to reduce the number of duplicate data. If you want to export all the data, then keep this option unchecked.
  • Click on Generate report once you have selected the Output options.
Export Content Search Results to a CSV File
Export Content Search Results to a CSV File
  • After you click on Generate report, An Export job will be created. You can track the job and its status from Export Tab of Content Search tool.
  • Navigate to the Export tab and click on the export job that you’ve created.
  • You can monitor the job from this interface, and once it’s completed, click on the “Download report” link to download it to your computer.
Export Content Search Results to a CSV File
Export Content Search Results to a CSV File
  • For downloading the report, it’s best to use the Microsoft Edge browser, as it downloads and installs the eDiscovery Export tool to facilitate the report download. This tool has better compatibility with the Microsoft Edge browser.
  • After clicking on the “Download Report” link, you’ll find a few pop-ups. Click “Allow” and then proceed by clicking “Install” to install the eDiscovery Export tool.
  • Once you have installed the eDiscovery Export tool, it will launch automatically. You’ll need to copy the export key generated during the export process and paste it into the eDiscovery Export tool.
  • Choose a location to export the files. For the customized PST file name, you can keep the default setting. I’ve left it as “Exchange.pst” but it will be ignored as we are downloading the results in CSV files.
Export Content Search Results to a CSV File
Export Content Search Results to a CSV File
  • The export process has been completed successfully.
Export Content Search Results to a CSV File
Export Content Search Results to a CSV File

Go to the export location to check your downloaded reports. In my case, since I had provided a folder name as “ExportReport_1“, the reports are downloaded in this folder. You will find the following four files in this folder.

  • Export Summary – Summary of the Content search report.
  • manifest.xml – Contains information about each item that was included in the search results.
  • Results.csv – Detailed information about each email. This report is helpful as it helps in tracking the emails in the user’s inbox. Results.csv file contains below columns:
    • ExportedItem Id
    • Item Identity
    • Document ID
    • Selected
    • Duplicate to Item
    • Original Path
    • Location
    • Location Name
    • Target Path
    • Document Path
    • Subject or Title
    • Sender or Created by
    • Recipients in To line
    • Recipients in Cc line
    • Recipients in Bcc line
    • To – Expanded
    • CC – Expanded
    • BCC – Expanded
    • DG Expansion Result
    • Sent Has Attachments
    • Importance Is Read
    • Modified by Type
    • Received or Created
    • Modified Date
    • Size (KB)
    • Decode Status
    • Compliance Tag
    • Summary Preservation Original Url
  • trace.log – Detailed logging information about the export process. Use this log file to troubleshoot any issues during the export process.
Export Content Search Results to a CSV File
Export Content Search Results to a CSV File

Export the Content Search Results in a PST File

Now that we have learned how to export the content search results in a CSV file, which contains information about the emails, if you want to download the search results in a PST file, you can follow the process below:

  • Sign in to the Microsoft Purview portal
  • Navigate to the “Content Search” under Solutions on the left-hand side menu of the portal.
  • Locate the search you previously created, such as “Find all emails with .one file attachment extension” Click on it to open the Search Information pane, located on the right-hand side.
  • Click on the “Actions” button.
  • Click on Export results.

When you click on “Export results” this time, it will download the searched emails in a .PST file, or multiple .PST files, depending on your export preferences.

Select one of the Output Options and then select Export Exchange Content as:

  • One PST file for each mailbox – This will generate a separate .PST file for each user mailbox including the archive mailbox
  • One PST file containing all messages – Generate one .PST for all search results.
  • One PST file containing all messages in a single folder: Exports search results to a single PST file where all messages are located in a single folder.
  • Individual messages: Exports search results as individual email messages, using the .msg format. If you select this option, email search results are exported to a folder in the file system.
  • Enable de-duplication for Exchange content – If there are any duplicate emails found, only one copy of the email will be exported. You can select this checkbox if you want to reduce the number of duplicate data. If you want to export all the data, then Keep this option unchecked.
Export the Content Search Results in a PST File
Export the Content Search Results in a PST File

You can start the export process and then go to the Export tab to check the export job status and its progress. Similar to how we exported the search results in a CSV file, you can use the eDiscovery Export tool to download the data in a CSV file. Please note that you still need to provide the export key and export location.

FAQs

Export failed with error: The export can’t be performed. Make sure the export content hasn’t expired.

While exporting the content search results, you may encounter the error message “Export failed with error: The export can’t be performed. Make sure the export content hasn’t expired.”

This issue may occur if you have provided an incorrect Export key in the eDiscovery Export Tool. Ensure that you accurately copy the Export key generated during the export process and paste it into the eDiscovery Export Tool. Click “Start” to initiate the eDiscovery Export Process.

Export failed with error: The export can't be performed. Make sure the export content hasn't expired.
Export failed with error: The export can’t be performed. Make sure the export content hasn’t expired.
  • Copy the Export Key and paste it into the eDiscovery Export Tool
Export failed with error: The export can't be performed. Make sure the export content hasn't expired.
Export failed with error: The export can’t be performed. Make sure the export content hasn’t expired.

Conclusion

In this blog post, we’ve learned how to conduct a content search. We specifically searched for emails with a particular file extension that users received after a specific date. You can adapt the query to search for data from different dates or for different file extensions as needed.

Next, we explored the export process, which allows you to export the data in either a CSV or PST file, depending on your needs. You can analyze the information in the “Results.csv” file and then reach out to each user who received a file attachment that may potentially contain malware. This process helps enhance your organization’s security.

Leave a Comment