Table of Contents
Is what listed?
With the PowerShell script on Github you can find a domain name, email address, and IP address in Exchange Online that is located in one of the following places:
- Transport rules
- Anti Spam Policies
- Anti-Phishing Policies
- Inbound Connectors
- Outbound Connectors
- Connection Filter Policies
- NEW: Inbox Rules (Briefly explained in Various Choices).
The script goes through all these options looking for what you have filled in and show’s it in red when it’s found and where it’s found.
It will go through subnets as well for more about that scroll down to Various Choices.
For a better explanation of the script you can scroll down or look at Github yourself.
Do you know other places that I should scan? Then please let me know in the comments.
The PowerShell script to find a Domain, Email, or IP address.
You can download the script yourself from Github.com.
Click here for the script.
In the script I use Get-IPRange function. This is a script from BarryCWT.
For more about Get-IPRange click here.
Requirements
You need to have the Exchange Online PowerShell module installed and be at least an Exchange Administrator in Office 365 with PowerShell enabled.
How does it work?
Below are the steps explained briefly and for dummies (including ExO module and login).
In short
For a domain only:
.\Isitlisted.ps1 -domains contoso.com -ListedAs blacklisted
For multiple domains:
.\Isitlisted.ps1 -domains "contoso.com","Baswijdenes.com" -ListedAs Whitelisted
For an email only:
.\Isitlisted.ps1 -Emails [email protected] -ListedAs Whitelisted
For Multiple Emails:
.\Isitlisted.ps1 -Emails "[email protected]","[email protected]" -ListedAs blacklisted
For an IP only:
.\Isitlisted.ps1 -IPS "192.168.100.1" -ListedAs blacklisted
For multiple IPs:
.\Isitlisted.ps1 -IPS "192.168.100.1","10.0.0.2" -ListedAs Whitelisted
For multiple values including domains, emails, and IPs:
.\Isitlisted.ps1 -domains "contoso.com","Baswijdenes.com" -Emails "[email protected]","[email protected]" -IPS "192.168.100.1","10.0.0.2" -ListedAs blacklisted
For Inbox Rules:
.\Isitlisted.ps1 -domains "contoso.com" -ListedAs blacklisted -Inboxrules
The longer version for the dummies among us.
Below is the first step; install module, we’ll go through all steps until using various choices is explained. If you have already installed the Exchange module and you know how to log in, you can continue scrolling to various choices.
Exchange Online Module
Make sure you have installed the Exchange online module. This is possible from the Exchange Admin Center. You need to do this in Internet Explorer though.
See the screenshot.
Logging in to Exchange Online with PowerShell.
After you’ve installed the module you can now log on with the following script (This is including MFA):
param(
[parameter(Mandatory=$True)][string]$username
)
Import-Module $((Get-ChildItem -Path $($env:LOCALAPPDATA + "\Apps\2.0\") -Filter Microsoft.Exchange.Management.ExoPowershellModule.dll -Recurse ).FullName|? {$_ -notmatch "_none_"}|select -First 1)
$EXOSession = New-ExoPSSession -UserPrincipalName $username
Import-PSSession $EXOSession
Did you download the script already? If not please download it.
Use the next cmdlet to open the directory containing .\isitlisted.ps1.
For me the path containing it is:
CD "C:\Users\Bas Wijdenes\OneDrive\Documents\Developer\PS\Office 365\EXO\"
Now that we’ve opened the right directory in PowerShell containing .\isitlisted.ps1, we can use one of the following options below.
We will go through all options, or you can test for yourself.
Various choices
Domains
The first option searches through Exchange Online for contoso.com and whether it is on a blacklist. If you are looking for a domain, use -domains.
You can change blacklisted in whitelisted to see if it is whitelisted in ExO.
.\Isitlisted.ps1 -domains contoso.com -ListedAs blacklisted
You can also indicate multiple domains. Do this with quotes as below. You can also use blacklisted.
.\Isitlisted.ps1 -domains "contoso.com","Baswijdenes.com" -ListedAs Whitelisted
Email addresses
If you search for an email address use -Emails.
The script splits the email address at @ and then also searches for the domain.
.\Isitlisted.ps1 -Emails [email protected] -ListedAs Whitelisted
For multiple e-mail addresses you have to put them in quotes with a comma between the e-mail addresses.
The script will split the email addresses at @ and then also searches for the domains.
.\Isitlisted.ps1 -Emails "[email protected]","[email protected]" -ListedAs blacklisted
IP’s and Subnets
You can also use the script for an IP address or subnet.
The script automatically searches through the subnets with the Get-IPrange function.
If you want to fill in a subnet you can omit the / XX. So suppose you use 192.168.100.1/24 you can just fill it in as below.
.\Isitlisted.ps1 -IPS "192.168.100.1" -ListedAs blacklisted
The same applies to multiple IPs such as domains and emails.
You can search on multiple IPs with quotes and a comma.
.\Isitlisted.ps1 -IPS "192.168.100.1","10.0.0.2" -ListedAs Whitelisted
For various choices
This is the same for above. The only thing you can not fill in twice is -Listedas, you have to choose between whitelisted or blacklisted.
For multiple values including domains, emails, and IPs you can use:
.\Isitlisted.ps1 -domains "contoso.com","Baswijdenes.com" -Emails "[email protected]","[email protected]" -IPS "192.168.100.1","10.0.0.2" -ListedAs blacklisted
Including Inbox rules
NEW: I added -Inboxrules to the script.
As the name suggests, the script also searches for the Domains or Emails in the Inbox rules of users.
These are then indicated in purple, this is because I can’t check whether it is black or white listed.
.\Isitlisted.ps1 -domains "contoso.com" -ListedAs blacklisted -Inboxrules
Extra’s
This is some extra information that has no content about the script. If you only want to use the script, this is the end of the blog post.
Feedback
I want to focus more on PowerShell and sharing my scripts.
I can learn from the feedback I receive from you, so if you have feedback I would love to hear it in a comment.
A little extra
This post contains PowerShell. Would you like to learn the basics better? I have created a new website to learn basic PowerShell in an ’emulator’ environment.
Click here to go learn Basic PowerShell.