Re: Exporting From" address vs Envelope Sender in CES Message Tracking

Tony Kilbarger · ‎08-12-2020

We have a team that occasionally sees an email that made it in to users that contains some brand new or uncaught phishing or malware. Currently, they use message tracking to find the copies that came in, they export that result to a csv, then send it to our O365 team to hopefully delete the messages from users mailboxes. The issue is the Microsoft cmdlet they use to delete the email takes as input the From header value in the email and not the envelope sender (or as Microsoft calls it the return-path). Many times that is ok as they match, but often with phishing and bad actor stuff, they purposely do not match. Microsoft added as a feature request to add the return-path as input to the cmdlet but that will take time. My question is, can I some way add the from field to the exported data in a message trace? Other ideas how we can give our Risk Management team the ability to search for email and extract the from header along with the to, subject, etc? Thanks.

marc.luescherFRE · ‎08-12-2020

Hi Tony,

there are a few options you have to do so.

We usually use the full message ID from message tracking to deleted messages from O365 and this worked every time.

With the next release of the CES SMA (coming this week I think) you will have the option to give the O365 team direct access to the SMA, so they can directly delete a message from within CES. They just mark the message in message tracking and assuming you have the Graph API integration with O365 working, the selected messages will be deleted in all O365 end user mailboxes. A few steps less to do...

I hope that helps

Marc

Tony Kilbarger · ‎08-13-2020

Marc, what version is that for SMA? Can you point me to some documentation on that feature? That sounds like our Security folks would be very interested in that feature.

Regards,