This PowerShell script automates reporting of phishing emails detected by Microsoft's Exchange Online Protection (EOP) to CISA. Agencies must report all phishing emails to CISA, as required by M-21-31.
- Downloads quarantined emails marked as
PhishingorHigh Confidence Phishingfrom EOP and sends them to CISA's federal phishing reporting mailbox. Emails released from quarantine are not sent. - Encrypts quarantined emails into a zip archive (using 7zip command line tool)
- Supports user and app-based execution methods.
- Tracks sent emails to ensure submissions are not duplicated.
- Rate limiting to stay under Exchange Online's sending limits. This is ~28,000 submissions/day capacity.
- Allows users to specify the day to search.
- PowerShell v5.1 or higher (PowerShell 7 might work)
- Module:
ExchangeOnlineManagement3.0.0 or higher - Module:
Microsoft.Graph.Users.Actions - Microsoft commercial and GCC are supported. (GCC-High/DOD are not supported.)
- The ability to send encrypted zip files outbound. (Some Data Loss Prevention/email security appliances block this functionality.)
The user needs:
Security Adminor higher to download the emails- An Exchange mailbox to send the emails
The Microsoft Graph PowerShell application needs:
- Delegated permission
Mail.Sendin Microsoft Graph
In this method, the script authenticates and send emails as the user specified in SenderUPN.
The executing application needs:
- Application permission
Exchange.ManageAsAppin Office 365 Exchange Online - Application permission
Mail.Sendin Microsoft Graph Security Adminor higher to download the emails
In this method, the script sends emails as the user specified in SenderUPN. The application is used for authentication.
To run the script unattended you need to create and permission an application in AAD. See App-only authentication for unattended scripts in Exchange Online PowerShell and Security & Compliance PowerShell for instructions.
Warning An application with the
Mail.Sendapplication permission can send mail as any user. You should treat the application as highly privileged. Additionally, you can limit the mailboxes the app can access via Application Access Policies.
Download this repository.
- Click "Code"
- Click "Download as zip"
- Extract to a folder
- Open a PowerShell terminal in that folder.
- See examples below.
.\Report-Phishing.ps1 -SenderUPN "[email protected]" -RecipientUPN "[email protected]".\Report-Phishing.ps1 -DateToReport "2023-01-01" -SenderUPN "[email protected]" -RecipientUPN "[email protected]".\Report-Phishing.ps1 -SenderUPN "[email protected]" -RecipientUPN "[email protected]" -AppId <AppId> -CertificateThumb <CertificateThumbprint>The Azure Active Directory (AAD) client ID (sometimes called Application ID) to use when authenticating as an application. Required when application authentication is used.
| Type | GUID |
| Mandatory | No |
| Default Value | None |
| ParameterSet | AppAuthCert and AppAuthSecret |
The certificate thumprint associated with the AAD application specified in AppId. The certificate must be installed locally. Required when application authentication is used.
| Type | String |
| Mandatory | No |
| Default Value | None |
| ParameterSet | AppAuthCert |
The client application's, specified in AppId, secret key.
| Type | String |
| Mandatory | No |
| Default Value | None |
| ParameterSet | AppAuthSecret |
The day to search for quarantined phishing emails. Includes the entire day in local time zone.
| Type | DateTime |
| Mandatory | No |
| Default Value | Current day |
| ParameterSet | All |
The email address the phishing email will be sent to. This should always be [email protected]. This parameter is included so you can test functionality before sending.
| Type | MailAddress |
| Mandatory | Yes |
| Default Value | None |
| ParameterSet | All |
The email address the phishing email will be sent from. With user authentication, this is always the user's email address. With application authentication, it can be any Exchange Online mailbox.
| Type | MailAddress |
| Mandatory | Yes |
| Default Value | None |
| ParameterSet | All |