Is it listed? From Domain, to email, and even IP addresses including the ranges Exchange Online

Is what listed?

With the PowerShell script on Github you can find a domain name, email address, and IP address in Exchange Online that is located in one of the following places:

  • Transport rules
  • Anti Spam Policies
  • Anti-Phishing Policies
  • Inbound Connectors
  • Outbound Connectors
  • Connection Filter Policies
  • NEW: Inbox Rules (Briefly explained in Various Choices).

The script goes through all these options looking for what you have filled in and show’s it in red when it’s found and where it’s found.
It will go through subnets as well for more about that scroll down to Various Choices.

For a better explanation of the script you can scroll down or look at Github yourself.

Do you know other places that I should scan? Then please let me know in the comments.


The PowerShell script to find a Domain, Email, or IP address.

You can download the script yourself from Github.com.
Click here for the script.

In the script I use Get-IPRange function. This is a script from BarryCWT.
For more about Get-IPRange click here.


Requirements

You need to have the Exchange Online PowerShell module installed and be at least an Exchange Administrator in Office 365 with PowerShell enabled.


How does it work?

Below are the steps explained briefly and for dummies (including ExO module and login).


In short

For a domain only:

.\Isitlisted.ps1 -domains contoso.com -ListedAs blacklisted

For multiple domains:

.\Isitlisted.ps1 -domains "contoso.com","Baswijdenes.com" -ListedAs Whitelisted

For an email only:

.\Isitlisted.ps1 -Emails [email protected] -ListedAs Whitelisted

For Multiple Emails:

.\Isitlisted.ps1 -Emails "[email protected]","[email protected]" -ListedAs blacklisted

For an IP only:

.\Isitlisted.ps1 -IPS "192.168.100.1" -ListedAs blacklisted

For multiple IPs:

.\Isitlisted.ps1 -IPS "192.168.100.1","10.0.0.2" -ListedAs Whitelisted

For multiple values including domains, emails, and IPs:

.\Isitlisted.ps1 -domains "contoso.com","Baswijdenes.com" -Emails "[email protected]","[email protected]" -IPS "192.168.100.1","10.0.0.2" -ListedAs blacklisted

For Inbox Rules:

.\Isitlisted.ps1 -domains "contoso.com" -ListedAs blacklisted -Inboxrules

The longer version for the dummies among us.

Below is the first step; install module, we’ll go through all steps until using various choices is explained. If you have already installed the Exchange module and you know how to log in, you can continue scrolling to various choices.


Exchange Online Module

Make sure you have installed the Exchange online module. This is possible from the Exchange Admin Center. You need to do this in Internet Explorer though.
See the screenshot.

Is it listed? From Domain, to email, and even IP addresses including the ranges Exchange Online.
Is it listed? From Domain, to email, and even IP addresses including the ranges Exchange Online.

Logging in to Exchange Online with PowerShell.

After you’ve installed the module you can now log on with the following script (This is including MFA):

param(

[parameter(Mandatory=$True)][string]$username

)

Import-Module $((Get-ChildItem -Path $($env:LOCALAPPDATA + "\Apps\2.0\") -Filter Microsoft.Exchange.Management.ExoPowershellModule.dll -Recurse ).FullName|? {$_ -notmatch "_none_"}|select -First 1)

$EXOSession = New-ExoPSSession -UserPrincipalName $username

Import-PSSession $EXOSession

Did you download the script already? If not please download it.
Use the next cmdlet to open the directory containing .\isitlisted.ps1.
For me the path containing it is:

CD "C:\Users\Bas Wijdenes\OneDrive\Documents\Developer\PS\Office 365\EXO\"

Now that we’ve opened the right directory in PowerShell containing .\isitlisted.ps1, we can use one of the following options below.

We will go through all options, or you can test for yourself.


Various choices

Domains

The first option searches through Exchange Online for contoso.com and whether it is on a blacklist. If you are looking for a domain, use -domains.
You can change blacklisted in whitelisted to see if it is whitelisted in ExO.

.\Isitlisted.ps1 -domains contoso.com -ListedAs blacklisted

You can also indicate multiple domains. Do this with quotes as below. You can also use blacklisted.

.\Isitlisted.ps1 -domains "contoso.com","Baswijdenes.com" -ListedAs Whitelisted

Email addresses

If you search for an email address use -Emails.

The script splits the email address at @ and then also searches for the domain.

.\Isitlisted.ps1 -Emails [email protected] -ListedAs Whitelisted

For multiple e-mail addresses you have to put them in quotes with a comma between the e-mail addresses.

The script will split the email addresses at @ and then also searches for the domains.

.\Isitlisted.ps1 -Emails "[email protected]","[email protected]" -ListedAs blacklisted

IP’s and Subnets

You can also use the script for an IP address or subnet.

The script automatically searches through the subnets with the Get-IPrange function.

If you want to fill in a subnet you can omit the / XX. So suppose you use 192.168.100.1/24 you can just fill it in as below.

.\Isitlisted.ps1 -IPS "192.168.100.1" -ListedAs blacklisted 


The same applies to multiple IPs such as domains and emails.
You can search on multiple IPs with quotes and a comma.

.\Isitlisted.ps1 -IPS "192.168.100.1","10.0.0.2" -ListedAs Whitelisted

For various choices

This is the same for above. The only thing you can not fill in twice is -Listedas, you have to choose between whitelisted or blacklisted.
For multiple values including domains, emails, and IPs you can use:

.\Isitlisted.ps1 -domains "contoso.com","Baswijdenes.com" -Emails "[email protected]","[email protected]" -IPS "192.168.100.1","10.0.0.2" -ListedAs blacklisted
Is it listed? From Domain, to email, and even IP addresses including the ranges Exchange Online.
Is it listed? From Domain, to email, and even IP addresses including the ranges Exchange Online.

Including Inbox rules

NEW: I added -Inboxrules to the script.
As the name suggests, the script also searches for the Domains or Emails in the Inbox rules of users.
These are then indicated in purple, this is because I can’t check whether it is black or white listed.

.\Isitlisted.ps1 -domains "contoso.com" -ListedAs blacklisted -Inboxrules

Extra’s

This is some extra information that has no content about the script. If you only want to use the script, this is the end of the blog post.


Feedback

I want to focus more on PowerShell and sharing my scripts.

I can learn from the feedback I receive from you, so if you have feedback I would love to hear it in a comment.


A little extra

This post contains PowerShell. Would you like to learn the basics better? I have created a new website to learn basic PowerShell in an ’emulator’ environment.
Click here to go learn Basic PowerShell.

Published by

Bas Wijdenes

My name is Bas Wijdenes and I work as a PowerShell DevOps Engineer. In my spare time I write about interesting stuff that I encounter during my work.

Leave a Reply

Your email address will not be published. Required fields are marked *