Export Office 365 Spam and Malware Reports using PowerShell

For Microsoft 365 admins, monitoring email traffic and analyzing email threats, including spam, malware, and phishing holds immense significance within Exchange Online. The mail protection reports offer essential action items for admins to tackle the threats effectively. If you’re looking for a comprehensive spam and malware report to address email threats including phishing, you’ve come to the right destination.

Exchange Online email security reports help in identifying the below factors,

1. Exchange Online spam detection report – To identify inbound and outbound spam emails that are filtered by Exchange Online Protection (EOP) and anti-spam policy.
2. Exchange Online malware detection report – To identify the incoming and outgoing malware emails that are quarantined by the EOP policies and mail flow rules.
3. Exchange Online phish detection report – To identify the incoming and outgoing Exchange Online phishing emails that are detected by the EOP policies and anti-phishing policy.

By using these reports, admins can modify the anti-spam, anti-malware, and anti-phishing policies to meet their organization’s needs.

To generate spam, malware, and phishing reports on Microsoft 365 emails, you can use any one of the methods below.

Microsoft 365 Defender: To get the details of emails that are detected by EOP using the Microsoft 365 Defender (security portal).

1. Log in to the Microsoft 365 Defender using the security administrator or global administrator account and head to the ‘Reports‘ tab. .
2. Go to ‘Email & collaboration reports’ under the ‘Email & collaboration’ section.
3. Select ‘View details’ in the ‘Threat protection status’ reports section.
4. Click the ‘View data by Overview’ dropdown and select the appropriate report to view the respective mail threat protection status.

Points to Remember: It doesn’t have a filter to identify sent and received emails separately and these reports need some additional hours for the message details to be reflected.

PowerShell: To get the email details that are blocked by EOP, you can use the PowerShell cmdlet “Get-MailDetailATPReport”. However, acquiring the desired report can become intricate due to the necessity of applying multiple filters and dealing with varying parameter attributes when using the cmdlet.

To overcome the above-mentioned difficulties, we have created a PowerShell script to generate reports on spam and malware emails.

Script Highlights:

• Generates 9 different email protection reports.
• Automatically installs the Exchange Online PowerShell module upon your confirmation when it is not available in the system.
• Supports both MFA and Non-MFA accounts.
• Specify date ranges to generate reports for custom periods.
• Supports filters to retrieve sent and received spams.
• Allows you to filter sent and received malwares.
• Tracks sent and received phishing emails.
• Facilitates the separation of internal spam, malware, and phishing emails.
• Exports the report to CSV.
• Scheduler-friendly. You can automate the report generation upon passing credentials as parameters.

Download Script: MailProtectionReport.ps1

The MailProtectionReport.ps1 script can generate the following reports based on the type of parameters you provide.

Report	Parameter
Spam emails received report	SpamEmailsReceived
Malware emails received report	MalwareEmailsReceived
Phishing emails received report	PhishEmailsReceived
Spam emails sent report	SpamEmailsSent
Malware emails sent report	MalwareEmailsSent
Phishing emails sent report	PhishEmailsSent
Intra-organizational spam mails	IntraOrgSpamMails
Intra-organizational malware mails	IntraOrgMalwareMails
Intra-organizational phishing mails	IntraOrgPhishMails

Once the execution is completed, you will be notified with the status of your execution.

The exported output has the attributes like Date, Sender Address, Recipient Address, Subject, Event Type, and Sender/Recipient Domain. Let’s take a deep dive into the script.

Script Execution – Best Practices:

1. Mention a parameter from the parameter list along with the execution. If not, the execution will be terminated.
2. Mention both the start date and end date when you need the report for a custom period.
3. Mention the date in the ‘MM/DD/YYYY’ format to avoid execution errors.

Spam emails are threats or unwanted email messages sent in bulk to a large number of recipients. Using the ‘SpamEmailsReceived’ switch param with the script, admins can get the inbound spam report. Microsoft 365 admins can use bulk sender insights to set bulk compliance level that prevent spam from overwhelming users’ mailboxes.

By referring to this report, the admin can take necessary actions for all the employees to ensure the organization’s data security.

Tip: To fully protect your organization from potential threats posed by spammers, consider configuring the Microsoft-recommended spam protection settings for comprehensive security.

Despite email security like creating mail flow rules, the employees receive malware emails in various new forms daily. So, the admins must take necessary actions by analyzing the received malware emails. To generate an inbound malware report, you can use the ‘MalwareEmailsReceived‘ parameter.

With this report, you can identify frequent malware senders and add them to the blocked list.

Phishing mail aims to trick recipients into disclosing sensitive information, such as login credentials, credit card details, or personal identification into the wrong hands. Admins can use the ‘PhishEmailsReceived’ param along with the script to identify the phishing mail senders.

Using this report, you can identify the phishing emails senders and block them.

A spam email is an unwanted junk email sent out in bulk to random recipients. The administrator is responsible for tracking the spam sent by their employees and blocking the senders to ensure spam protection. To get the report, run the script with the ‘SpamEmailsSent’ switch param.

Using the outbound spam report, admins can identify the spam email format, sender’s aim, and configure anti-spam policy.

Malware emails are sent purposefully to gain control over the employees’ machines. On downloading files and attachments, by clicking the forged requests and links, malware senders will easily achieve their aim.

Using the malware emails sent report, the admins can identify who are performing malpractices in the organization. To identify employees who sent malware, run the script with the ‘MalwareEmailsSent’ switch param.

On analyzing the outbound malware report, the admins can bring out the compromised accounts too.

Phishing emails may be intentionally sent by your organization’s user to deceive external recipients into divulging sensitive information. By using the ‘PhishEmailsSent’ param along with the script, admins can identify the senders who are sending phish emails to external organizations.

This report helps to eliminate the phish senders to prevent a bad impact on the organization.

Although there is external junk mail, users can also be affected by spam mail sent within the organizations. The ‘IntraOrgSpamMails’ parameter can be used with the script to identify the users who are sending spam emails among their organizations.

With the help of this report, admins can identify frequent spam senders and take necessary actions on them.

Just as identifying external sources of malware is crucial, equally important is identifying users who send malicious emails among internal users. To find such users, utilize the ‘IntraOrgMalwareMails’ parameter within the script.

Using these details admins can know the users who are sending malware within your organization and warn them.

Among your organization’s users, certain individuals might attempt to initiate phishing attacks in order to extract personal or security details from their colleagues. To obtain a report on intra-organizational phishing emails, admins can use the ‘IntraOrgPhishMails‘ parameter.

Admins can employ this report to scrutinize users potentially involved in deceptive email activities inside the organization. This enables necessary actions such as suspension or investigation.

By default, the script retrieves the last 30 days‘ data. When you want the email security report for a desired date frame, you can use ‘StartDate’ and ‘EndDate’ params.

Here, replace <RequiredReport> with the parameter which is required for the respective report and <MM/DD/YYYY> with the start and end date.

For example, the below format retrieves the intra-organizational malware mails report from 16th July 2023 to 11th August 2023.

Your specified period must not have a starting date 30 days before the current date.

Tip: To email these reports to specific users, use the Send-MgUserMail cmdlet from the Microsoft Graph PowerShell SDK.

You can also schedule the PowerShell Script to run at specified intervals, automating the process of generating reports. Since the script can retrieve up to 30 days of data, consider scheduling it to run monthly. This way, you can retrieve and store data regularly without any loss.

To use the non-MFA admin accounts, try the format below.

If the admin account has MFA, then they can’t use it directly for scheduling. Instead, you have to disable MFA based on the Conditional Access Policy to make it work.

The retrieval of email protection reports can be made much easier with the Microsoft 365 reporting tool called AdminDroid. The Exchange Online mail protection reports from AdminDroid encompasses the collection of reports on email threat protection and mail flow rule detection to keep you updated on email security.

• Microsoft 365 Spam Mail Reports
• Exchange Online Malware Reports
• Microsoft 365 Phishing Mail Reports
• Exchange Online Spoofing Reports
• Overall Email Statistics Reports
• Emails Sent and Received by Users Report
• Threat Protection Statistical Reports

Additionally, Admindroid’s Exchange Online mail traffic reports provides insights into mail activity, ensuring both security and business continuity within the organization.

• Top Mail Senders/Receivers
• Top Spam Senders/Receivers
• Top Malware Senders/Receivers
• Daily Overall User Email Traffic
• Daily Mail Traffic Summary by Users

Furthermore, administrators can gain overall crystal-clear metrics, changes and updates about users’ mail activity in their organization with Admindroid’s Microsoft 365 email monitoring tool.

AdminDroid goes beyond just providing email reports; it offers precise insights into MS Teams, Exchange, SharePoint, Yammer, Power BI, and all Microsoft 365 services. With over 1800+ reports and 30+ powerful dashboards, AdminDroid simplifies the auditing and reporting process for Microsoft 365 – all at your fingertips with just a few clicks.

Discover the advantages of AdminDroid by downloading it today and enjoy the benefits of a 15-day free premium edition trial.

Closing Lines

We hope our spam and malware reports will help to plan the email protection activities like,

• Threat detection,
• Anti-spam, anti-malware protection, and anti-phish protection,
• Exchange online protection policies and rules,
• Outbound and inbound email security,
• Blocking the spam, malware, and phish emails senders,
• Stopping spam and malware emails to the organization.

Mostly, spam and phishing emails arrive from external organizations; in such cases, you can add external email warnings message to get rid of spam and phishing. Feel free to leave your thoughts or doubts with us in the comments section.

Stay cautious of suspicious activities such as spam, malware and phishing mails in your user’s Outlook and ensure a secure communication experience. Happy emailing😃!