Updated 2 days ago

How to Trace Emails Received from External Domains in Exchange Online

by Karthi


Most of us have seen or heard about email phishing attacks in Microsoft 365, and some have even fallen for one. The danger lies in how simple they are. One click on a malicious link is all it takes for sensitive data to be exposed, lost, or corrupted!

What makes email phishing even more alarming is that the majority of these attacks originate from external domains. Attackers often pose as legitimate contacts from outside the organization, which makes it harder to detect the threat at first glance.

That’s why tracking all Exchange Online emails received from external domains is a crucial step in strengthening Microsoft 365 email security. It helps you spot messages from unfamiliar or suspicious domains before any harm is done.

In this blog, we’ll walk you through how to trace all emails received from external domains using Message Trace in Microsoft 365. This helps you detect potential threats early and take swift action to manage external mail flow effectively.

Ways to Track Inbound Emails in Microsoft 365

Follow the methods below to monitor the inbound mail flow from external domains using the new Message Trace in Exchange Online.

Audit Incoming Emails Report Using Exchange Admin Center

Here is how to trace emails from external domains using Message Trace in the Exchange admin center:

  • Log in to the Exchange admin center.
  • Navigate to Mail flow → Message trace.
  • Click the + Start a trace button to open the Message Trace flyout pane.
  • In the Sender field, enter the domain names you want to check for incoming emails (e.g., *@contoso.com).
  • Set the Start date and End date for your desired time range. A single query can cover up to 10 days of data in near real time, taken from the past 30 days of historical data.
  • Configure additional filters like Subject, Delivery Status, Sender, or Recipient as needed.
  • Select the Report type based on your search.
    • If your selected time range is 10 days or less, choose Summary report and click Search.
    • For a time range longer than 10 days, select Enhanced summary report or Extended report.
      • Click Next, then click Prepare report.
      • Once ready, your reports will appear in the Downloadable reports section.


Trace External Inbound Mail Flow Using the New PowerShell Cmdlet

Microsoft introduced a new cmdlet, Get-MessageTraceV2, as part of the enhanced Message Trace in Exchange Online. To use this cmdlet, ensure you’re running the latest version of the Exchange Online PowerShell V3 module.

Connect to Exchange Online PowerShell and run the following command to audit emails received from external domains.


The above cmdlet retrieves all inbound emails received from the external domain contoso.com between May 2 and May 12, 2025.

Note: You can use the cmdlet to query up to 30 days of historical data, with a maximum of 10 days per query.

While the above methods can help trace inbound emails from external domains, they often fall short in large organizations. The message trace allows searching for only one domain at a time, so you must repeat the process every time you want to trace emails from a different domain. Each request requires manually setting filters and following several steps, which can be time-consuming.

Also, you can only retrieve 10 days of data per query in real time. To cover a broader date range, you need to run the same command multiple times with different time windows.
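The windowing described above, as an added example that is not the script offered in this post: it splits the date range into 10-day windows, runs Get-MessageTraceV2 once per window, and keeps only rows whose sender domain is outside the tenant's accepted domains and whose recipient domain is inside them. The function names, the output path, and the use of Get-AcceptedDomain to decide what counts as external are assumptions of this example.

```powershell
# Added example, not the blog's script. Assumes an active Connect-ExchangeOnline session.
function Get-TraceWindow {                       # hypothetical helper name
    # Split [Start, End] into consecutive windows of at most $MaxDays days.
    param([datetime]$Start, [datetime]$End, [int]$MaxDays = 10)
    $cursor = $Start
    while ($cursor -lt $End) {
        $next = $cursor.AddDays($MaxDays)
        if ($next -gt $End) { $next = $End }
        [pscustomobject]@{ Start = $cursor; End = $next }
        $cursor = $next
    }
}

function Get-ExternalInboundTrace {              # hypothetical function name
    param(
        [datetime]$Start = (Get-Date).AddDays(-30),
        [datetime]$End   = (Get-Date),
        [string]$RecipientAddress,               # optional: limit to one internal mailbox
        [int]$PageSize = 5000                    # upper bound accepted by -ResultSize
    )
    # Domains the tenant owns; any other sender domain is treated as external.
    $internal = @((Get-AcceptedDomain).DomainName | ForEach-Object { "$_".ToLower() })
    # Returns the lower-cased domain part, or nothing for addresses without '@' (e.g. "<>").
    $domainOf = { param($addr) if ("$addr" -match '@') { ("$addr" -split '@')[-1].ToLower() } }

    foreach ($w in Get-TraceWindow -Start $Start -End $End) {
        $query = @{ StartDate = $w.Start; EndDate = $w.End; ResultSize = $PageSize }
        if ($RecipientAddress) { $query.RecipientAddress = $RecipientAddress }
        $rows = @(Get-MessageTraceV2 @query)
        if ($rows.Count -ge $PageSize) {
            Write-Warning "Window starting $($w.Start) returned $PageSize rows; results may be truncated. Use a shorter window."
        }
        foreach ($r in $rows) {
            $from = & $domainOf $r.SenderAddress
            $to   = & $domainOf $r.RecipientAddress
            # Inbound external mail: sender domain is not ours, recipient domain is.
            if ($from -and ($from -notin $internal) -and ($to -in $internal)) {
                $r | Select-Object Received, SenderAddress, RecipientAddress, Subject,
                    Status, FromIP, ToIP, Size, MessageTraceId
            }
        }
    }
}

# Last 30 days of inbound external mail, written to a CSV in the current directory.
Get-ExternalInboundTrace | Export-Csv -Path .\ExternalInbound.csv -NoTypeInformation
```

A window that reaches the row limit is reported rather than silently truncated, so a busy tenant should pass a smaller MaxDays value or add a recipient filter.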

To streamline this process, we’ve developed a PowerShell script that does the heavy lifting for you. With just a few clicks, you can instantly retrieve emails received from all external domains. This saves time and ensures consistent, accurate results, no matter the size of your environment.

Script Highlights:

  • Exports emails received from external domains into a CSV file.
  • Supports exporting emails within a specified 30-day time range.
  • Lists emails received from a specific external domain.
  • Finds emails received from a specific external user.
  • Audits emails received by a specific user from external domains.
  • Allows filtering the mail flow report based on mail status.
  • The script automatically verifies and installs the Exchange Online PowerShell module (if not installed already) upon your confirmation.
  • The script can be executed with an MFA-enabled account.
  • It can be executed with Certificate-based Authentication (CBA) too.
  • The script is scheduler friendly.

Inbound External Emails Report in Exchange Online – Sample Output

The external inbound emails report looks like the screenshot below.


The script exports all emails received from external domains along with attributes like MessageTraceId, Received Time, Sender Address, Recipient Address, Subject, Status, Sender Domain, Recipient Domain, Sender IP, Recipient IP, and Mail Size.

Emails Received from External Domains – Script Execution Steps

  1. Download the script.
  2. Start Windows PowerShell.
  3. Select any of the methods below to execute the script.

Method 1: Execute the script with an MFA or non-MFA account.

The above format exports a report of all emails sent to your organization from an external tenant in the last 30 days.

Note: Microsoft states that the new cmdlet supports tracing messages from the past 90 days. However, current behavior allows data retrieval for only the last 30 days. We’ll update the script to support exporting emails received from external domains for the last 90 days once extended data becomes accessible.

Method 2: Execute the script by explicitly mentioning credentials.

The above method supports only non-MFA accounts. If the admin account has MFA, you need to disable MFA using a Conditional Access (CA) policy to run the script with this method.

Method 3: Run the script using certificate-based authentication.

To use certificate-based authentication, you must register an app in Entra ID, which lets you connect to Exchange Online using a certificate. Depending on your requirements, you can either create a self-signed certificate or use a CA certificate.

This method is scheduler friendly. You can automate the script execution to periodically export all inbound external emails in Microsoft 365 using any of the following methods.

Unlock the Full Control of Inbound External Emails Report Script

With built-in filters crafted for real scenarios, this script takes the guesswork out of reporting. Here’s how it helps.

  1. Trace external inbound emails for a custom period
  2. Audit emails from specific external domains
  3. Find emails received by a specific user
  4. Track emails received from a specific external sender
  5. Filter external mail report by delivery status

Trace External Inbound Emails for a Custom Period

By default, the PowerShell script exports all inbound emails from external domains for the last 30 days in Exchange Online. However, you can narrow down the scope using the -StartDate and -EndDate parameters to specify a custom time frame within that 30-day limit.

The above format fetches all external inbound emails received in your Microsoft 365 tenant between April 5 and April 20, 2025.

Audit Inbound Emails from a Specific External Domain

Sometimes, tracking down emails from specific external domains becomes essential, whether for compliance, investigation, or business continuity. Here, you can use the -ExternalDomainName parameter to get emails sent from a specific external domain.

The cmdlet exports emails from the domain contoso.com to your Microsoft 365 organization.

Find Emails Sent from External Domain to Specific Users

Imagine a scenario where you suspect that a user’s account might be compromised, possibly through a malicious email from an external sender. Before escalating the incident, it’s crucial to understand what emails the user has received and whether any of them came from suspicious or unknown domains.

In such cases, you can use the -RecipientAddress parameter to trace all external inbound emails received by that specific user. This helps isolate potential phishing attempts or unauthorized communications that may have led to the compromise.

This format lists all emails sent from external domains to emily@o365droid.com.

Handy Tip: If you suspect an account compromise, disable it and revoke user sessions to secure the compromised mail-enabled account in Microsoft 365.

Track Emails Received from a Specific External Address

Let’s say you spot a suspicious email in a user’s Outlook inbox sent from an external address you’ve never seen before. Naturally, the next step is to check whether the same sender has contacted anyone else in your organization. Manually searching through mailboxes for such emails can be tedious and inefficient, especially in larger environments.

That’s where our PowerShell script comes in handy! Just execute the script with the -SenderAddress parameter to get all emails received from a specific external user.

This format retrieves the past 30 days of mail received from the account learningkorean@contoso.com.

Filter Inbound External Emails by Delivery Status

External emails don’t always land where they should. Some are delivered without issue, while others are quarantined, rejected, or fail due to policy restrictions. Therefore, it’s critical to track the delivery status of every external message to identify gaps and troubleshoot delivery failures effectively.

Here, you can use the -MailStatus parameter to filter external inbound emails by delivery outcome.

This filters the report to only show failed messages from external sources, ideal for diagnosing mail flow problems and ensuring important emails don’t fall through the cracks.

You can also set the -MailStatus parameter to the following values:

  • Delivered – Email was successfully delivered to the recipient’s mailbox.
  • Failed – The message couldn’t be delivered due to errors or policy violations.
  • GettingStatus – Delivery status is still being processed or not yet finalized.
  • FilteredAsSpam – The email was flagged as spam by spam filtering policies.
  • Quarantined – Message was intercepted and held in quarantine due to malware, phishing, or policy rules.

You can also combine one or more filters, like sender domain, recipient address, delivery status, and time range, to get highly tailored mail flow reports that match your exact requirements.

We hope this guide will simplify your efforts to monitor inbound emails from external domains and help you investigate mail flow scenarios more efficiently. If you have any questions or feedback, feel free to share them with us in the comments section.
