Updated 4 days ago

Top 10 PowerShell Cmdlets for Monitoring Emails in Microsoft 365

by Kathy Cooper

Exchange Online provides various reports to help monitor email activities and audit messages for compliance requirements. As an Exchange admin, you may need to track:

  • Employees’ emails
  • Inbound and outbound mail traffic
  • The number of spam and malware detections
  • The number of emails sent and received by a specific user
  • Emails that matched rules, policies, and more

If you rely on the admin portals to view this information, you may struggle to find the specific section you need. You often have to navigate through multiple portals such as the Microsoft 365 admin center, Exchange admin center, Microsoft Defender portal, and Microsoft Purview portal. Because of this, many admins prefer using PowerShell or a Microsoft 365 reporting tool to track email activities more efficiently.

Reporting and Monitoring Emails in Office 365 using PowerShell

This blog lists the top 10 Exchange Online PowerShell cmdlets that help in monitoring and reporting employees’ email activity. With these cmdlets, you can generate the following email reports.

  1. Overall email traffic report
  2. Inbound and outbound email traffic report
  3. Exchange Online spam report
  4. Phishing detection report
  5. Malware detection report
  6. Transport rule audit report
  7. Redirected emails report
  8. DLP detection report
  9. Top senders and recipients report
  10. Microsoft 365 message trace report

Note: Before running these cmdlets, ensure you have connected to the Exchange Online PowerShell module.

1. Exchange Online Mail Traffic Report

Email traffic reports help you analyze an organization’s email traffic such as the number of emails sent and received, spam volume, malware detections, spoofed messages, etc.

By default, this cmdlet retrieves email traffic statistics for the last 7 days. Using the -StartDate and -EndDate parameters, you can retrieve email statistics for up to the past 90 days.

Refer to the following section for additional use cases of the ‘Get-MailFlowStatusReport’ cmdlet.

2. Inbound and Outbound Email Traffic Report

To retrieve incoming, outgoing, or internal organizational email traffic separately, use the -Direction parameter in the ‘Get-MailFlowStatusReport’ cmdlet.

The above cmdlet retrieves inbound email traffic statistics from October 05, 2025, to October 30, 2025.

This will retrieve the outbound email traffic statistics data for the past 7 days.

Execution of the above cmdlet retrieves the internal email traffic statistics of messages sent and received within the organization.

The -EventType param in the ‘Get-MailFlowStatusReport’ cmdlet helps you understand what happened to messages as they passed through filtering and protection layers.

The above example lists only the good mail received in the last month. You can also use event types such as EdgeBlockSpam, EmailMalware, EmailPhish, SpamDetections, or TransportRules.
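The -Direction and -EventType filters described above can be combined into one daily summary. The following is an added example, not code from the original post; it assumes an active Exchange Online PowerShell session and that the report rows expose Date, Direction, EventType and MessageCount properties. The 30-day window, the threshold and the file name are illustrative.

```powershell
# Added example: daily mail-flow pivot per direction (not from the original post).
# Assumes Connect-ExchangeOnline has already been run.
$start = (Get-Date).Date.AddDays(-30)
$end   = (Get-Date).Date

# Event types named in the post: good mail plus the filtering verdicts.
$eventTypes = 'GoodMail','EdgeBlockSpam','EmailMalware','EmailPhish','SpamDetections','TransportRules'

# One call per direction keeps the three traffic views separate.
$report = foreach ($direction in 'Inbound','Outbound','IntraOrg') {
    Get-MailFlowStatusReport -Direction $direction -EventType $eventTypes `
        -StartDate $start -EndDate $end
}

# Pivot: one row per day and direction, one column per event type.
# Assumption: rows carry Date, Direction, EventType and MessageCount.
$daily = $report |
    Group-Object { '{0:yyyy-MM-dd}|{1}' -f $_.Date, $_.Direction } |
    ForEach-Object {
        $day, $dir = $_.Name -split '\|'
        $row = [ordered]@{ Date = $day; Direction = $dir }
        foreach ($type in $eventTypes) {
            # A missing event type on a given day yields $null, cast to 0.
            $row[$type] = ($_.Group | Where-Object EventType -eq $type |
                Measure-Object -Property MessageCount -Sum).Sum -as [int]
        }
        [pscustomobject]$row
    }

# Inbound days where phishing plus malware detections exceed a review threshold.
$threshold = 50   # illustrative value; tune to your tenant's baseline
$daily |
    Where-Object { $_.Direction -eq 'Inbound' -and ($_.EmailPhish + $_.EmailMalware) -gt $threshold } |
    Sort-Object Date |
    Format-Table -AutoSize

# Keep the full pivot for trend comparison.
$daily | Sort-Object Date, Direction |
    Export-Csv -Path .\MailFlowDaily.csv -NoTypeInformation
```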

3. Exchange Online Spam Reports

Email protection reports help you identify spam and malware detected by Exchange Online Protection (EOP). Here’s how you can use PowerShell to generate a report on emails detected as spam.

The ‘Get-MailDetailSpamReport’ cmdlet shows the details of spam messages sent and received by your organization.

The above cmdlet lists spam messages detected in the last 10 days.

Note: Organizations with Defender for Office 365 subscriptions can get up to 30 days of data.

In some situations, emails sent from your organization are rejected or marked as spam by Microsoft 365. To identify those emails, execute the following cmdlet.

Sometimes, good inbound emails are also classified as spam by anti-spam filters. By checking those emails, you can whitelist a domain or specific email address.

To view inbound spam messages, use the following cmdlet.

To view spam emails sent by a specific user for a custom period, run the cmdlet below. Make sure to replace <UserUPN> with the user’s user principal name and <YYYY-MM-DD> with the start and end dates.

To view spam received by a user, run the cmdlet with the -RecipientAddress parameter instead of -SenderAddress.

4. Exchange Online Phishing Reports

Phishing reports help you identify messages classified as phishing by Microsoft Defender for Office 365.

To view all phishing messages detected in your organization for the last 10 days, you can use the following cmdlet.

To list all the phishing emails received by your organization in the last 10 days, you can use the cmdlet below.

Use the following cmdlet to get all the phishing emails sent from your organization.

To find the phishing emails sent by a specific user during a defined period, use the following cmdlet.

5. Exchange Online Malware Reports

The ‘Get-MailDetailATPReport’ cmdlet helps to identify emails that contain malware.

To view all malware emails sent and received in the past 10 days,

To view malware emails sent from your organization,

To list detected malware emails received by your organization,

To view malware emails sent by specific users during a defined period,

6. Identify Which Transport Rule was Applied to an Email

The Get-MailDetailTransportRuleReport cmdlet shows details of messages that match the conditions defined by any transport rules.

The above PowerShell cmdlet shows the applied transport rule along with the email details for the last 10 days.

To view all the emails processed by a specific transport rule,

The example below retrieves the messages sent by Jones@contono.com that matched the condition defined by the transport rule between November 25, 2025, and November 30, 2025.

7. Identify Emails that Were Redirected to Another Email Address

To identify emails and Exchange transport rules that redirect the message to another email address, run the following cmdlet.

8. Monitor Emails Detected by DLP Policy

Most organizations configure DLP policies to secure their confidential email data. To identify emails that triggered any DLP rules (Data Loss Prevention policies) in the past 7 days, you can run the cmdlet below.

9. Top Senders and Recipient Report

Top domain mail flow status insights can be obtained using the ‘Get-MailFlowStatusReport’ cmdlet. By supplying a ‘Category’ value, you can get top senders and recipients reports.

To get the top mail senders report,

The given example retrieves top mail senders and their mail count for the last 90 days. To view top senders for a custom period, you can use the -StartDate and -EndDate parameters.

To list the top mail recipients report,

This example shows the top mail recipient statistics between November 15, 2025, and November 30, 2025.

To view top spam recipients,

To display the top malware recipient report,

To get the Office 365 top malware report,

In this report, column C1 is the malware name and column C2 is the number of appearances.

10. Get Microsoft 365 Message Tracing Report

Most admins prefer message tracking to monitor email flow. With message tracing, admins can get complete information about sent, received, purged, and deleted messages. The information includes:

  • Sender address
  • Recipient address
  • Sent/received date
  • Email Subject
  • Email delivery status
  • Email size
  • Source IP address (From IP)
  • Message trace id, etc.

To get a message tracking report, run the cmdlet below.

By default, the cmdlet retrieves the past 48 hours of data. If you want to retrieve the last 10 days’ data, you can use the -StartDate and -EndDate parameters. To search message data for more than 10 days, you can use the Start-HistoricalSearch and Get-HistoricalSearch cmdlets.

The below example retrieves message trace information for messages sent by a specific user within a custom period.

To export the message trace report as a CSV file,

If you want to filter the message trace details, you can send the output to grid view.

In this way, you can filter or narrow down the message trace details like

  • Message trace by subject,
  • Message trace by delivery status such as delivered, failed, pending, expanded, quarantined, filtered as spam, and unknown.
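The message trace steps above (custom period, one sender, CSV export, grid view filtering) can be put together as follows. This is an added example, not code from the original post; it assumes an active Exchange Online PowerShell session and the classic Get-MessageTrace cmdlet with its -Page and -PageSize parameters. The sender address and file name are placeholders.

```powershell
# Added example: paged message trace for one sender (not from the original post).
# Assumes Connect-ExchangeOnline has already been run.
$sender   = 'user@contoso.com'        # placeholder address
$start    = (Get-Date).AddDays(-10)   # the 10-day window described above
$end      = Get-Date
$pageSize = 5000
$page     = 1

# Collect every page; a short page means the last one has been reached.
$trace = [System.Collections.Generic.List[object]]::new()
do {
    $batch = @(Get-MessageTrace -SenderAddress $sender -StartDate $start -EndDate $end `
        -PageSize $pageSize -Page $page)
    $trace.AddRange($batch)
    $page++
} while ($batch.Count -eq $pageSize)

# Fields listed in the post.
$fields = 'Received','SenderAddress','RecipientAddress','Subject',
          'Status','Size','FromIP','MessageTraceId'

# Full export for record keeping.
$trace | Select-Object $fields |
    Export-Csv -Path .\MessageTrace.csv -NoTypeInformation

# Interactive view limited to messages that did not reach the recipient.
$trace |
    Where-Object Status -in 'Failed','Quarantined','FilteredAsSpam' |
    Select-Object $fields |
    Sort-Object Received |
    Out-GridView -Title 'Messages not delivered'
```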

To generate more customized message trace reports or find cmdlet examples for the most needed use cases, you can refer to the dedicated blog on message tracing using PowerShell.

Challenges in Generating Email Reports with PowerShell

Monitoring email activity through PowerShell is one of the toughest jobs because

  • It requires different cmdlets for each email activity.
  • Even after finding the right cmdlet, you need to use multiple filters and parameters to get the desired report.
  • If your organization is large, you cannot retrieve all the data due to the PowerShell session expiry.

So, what if there were an easier way to monitor employee emails?

A tool like AdminDroid will help you track email activities and get an in-depth view of your organization’s mail flow.

AdminDroid’s Microsoft 365 email monitoring tool provides 400+ pre-built email reports and smart dashboards that give you instant insights into your organization’s email activity. With features like Column Customization, Views, and Advanced Filters, you can create tailored reports in just a few clicks.

Each report provides AI-powered graphical analysis to gain insights and better understand the data in a visually appealing manner.

AdminDroid 365 goes beyond email reporting and provides complete control across your Microsoft 365 environment. Key capabilities include:

  • 3500+ Extensive Reports: Explore detailed insights across Teams, Exchange Online, SharePoint Online, OneDrive, and more. This helps you analyze activities across mailboxes, emails, Teams, SPO sites, and users in detail.
  • 100+ Smart Dashboards: Get a unified and comprehensive view of users, licenses, security, mailbox storage, activity trends, and more.
  • 450+ Management Actions: Perform routine tasks like creating users, assigning managers, managing Teams, updating licenses, etc., without switching portals.
  • 10+ Reminder Agents: Automatically notify admins or users about password expiry, MFA activations, and other critical events.
  • 85+ In-built Alert Policy Templates: Receive real-time alerts on key activities across your tenant. You can also create custom policies as per your needs.
  • Advanced Active Directory management: Get full control of your on-prem AD with 450+ reports and 70+ admin actions.

These are just a glimpse! Download AdminDroid today and explore the 15-day free trial to see how it simplifies Microsoft 365 and Active Directory management.

I hope this blog will help you monitor emails in the Microsoft 365 environment.
