/
check-MailboxForwardingRules.ps1
80 lines (66 loc) · 3.6 KB
/
check-MailboxForwardingRules.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
################################################################################
## This script requires an encrypted password be setup. To configure
## the encrypted password, run the following command under the same
## user account as the scheduled script will run under:
## Read-Host -Prompt Password -AsSecureString | ConvertFrom-SecureString | Out-File $env:userprofile\o365securestring.txt
$adminAccount = "whatever@fqdn.tld"
$smtpServer = "mail.fqdn.tld"
$emailNotify = "ralphhogaboom@fqdn.tld"
$mailboxServer = "mb01.fqdn.tld"
#
$scriptName = ($MyInvocation.MyCommand.Name).Replace(".ps1","")
$scriptVersion = "12"
$logFileName = $PSScriptRoot + "\" + $scriptName + ".log"
remove-item $logFileName -ErrorAction SilentlyContinue
Start-Transcript $logFileName
$Pass = cat $env:userprofile\o365securestring.txt | convertto-securestring
$UserCredential = New-Object System.Management.Automation.PSCredential -ArgumentList $adminAccount, $Pass
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://$mailboxServer/PowerShell/ -Authentication Kerberos -Credential $UserCredential
Import-PSSession $Session
$domains = Get-AcceptedDomain
$mailboxes = Get-Mailbox -ResultSize Unlimited
$emailBody = $null
foreach ($mailbox in $mailboxes) {
$forwardingRules = $null
Write-Host "Checking rules for $($mailbox.displayname) - $($mailbox.primarysmtpaddress)" -foregroundColor Green
$rules = get-inboxrule -Mailbox $mailbox.primarysmtpaddress
$forwardingRules = $rules | Where-Object {$_.forwardto -or $_.forwardasattachmentto}
foreach ($rule in $forwardingRules) {
$recipients = @()
$recipients = $rule.ForwardTo | Where-Object {$_ -match "SMTP"}
$recipients += $rule.ForwardAsAttachmentTo | Where-Object {$_ -match "SMTP"}
$externalRecipients = @()
foreach ($recipient in $recipients) {
$email = ($recipient -split "SMTP:")[1].Trim("]")
$domain = ($email -split "@")[1]
if ($domains.DomainName -notcontains $domain) {
$externalRecipients += $email
}
}
if ($externalRecipients) {
if ($($rule.name) -eq 'My name is in the To or Cc box' -and $($mailbox.displayname) -eq "Ralph Hogaboom") {
# do nothing, etc. Add more with ElseIf to filter out known forwarders. Obv this only works in smaller institutions.
} else {
# finally, new stuff
$extRecString = $externalRecipients -join ", "
Write-Host "$($rule.Name) forwards to $extRecString" -ForegroundColor Yellow
$emailBody += "$($rule.Name) forwards to $extRecString for mailbox $($mailbox.displayname) - $($mailbox.primarysmtpaddress) `r`n"
$ruleHash = $null
$ruleHash = [ordered]@{
PrimarySmtpAddress = $mailbox.PrimarySmtpAddress
DisplayName = $mailbox.DisplayName
RuleId = $rule.Identity
RuleName = $rule.Name
RuleDescription = $rule.Description
ExternalRecipients = $extRecString
}
$ruleObject = New-Object PSObject -Property $ruleHash
$ruleObject | Export-Csv c:\users\ralph.hogaboom\externalrules.csv -NoTypeInformation -Append
}
}
}
}
if ($emailBody.length -gt 0) {
send-mailmessage -from $emailNotify -to $emailNotify -subject "Suspicious rules found in mailbox in On Prem exchange server" -body $emailBody -SmtpServer $smtpServer
}
Stop-Transcript