The following steps were taken with the help of PowerShell and the associated modules (Exchange).

Due to recent events (a customer was the victim of a malware attack) we are exposed to an increased amount of spam.

More precisely, the mentioned customer was a victim of the malware "Emotet".

Emotet reads contact relationships and email content from the mailboxes of infected systems. The perpetrators use this information to further spread the malware. This is how it works: Recipients receive emails with authentic-looking but fictitious content from senders they have recently contacted. Because the names and email addresses of the sender and recipient are correctly specified in the subject, salutation and signature, these messages appear authentic to many. Therefore, they tempt people to open the malicious attachment or the URL contained in the message carelessly.

Source: https://www.bsi-fuer-buerger.de/BSIFB/DE/Service/Aktuell/Informationen/Artikel/emotet.html

To ensure that all measures have been taken to protect us from being infected, I researched how to do this best.

In the first step I tried to identify the spam mails. Maybe there will be a property that is usable to block the mails.

I have checked both servers (on-premises and online), because we have established a hybrid mail infrastructure.

Exchange:

How to display the mail history of the last 48h:

$end = get-date
$start = $end.AddHours(-48)
Get-MessageTrackingLog -ResultSize Unlimited -Start $start -End $end | select-object eventid,timestamp,source,messageid,sender,recipients,messagesubject | Out-Gridview

# eventid = The message event type
# timestamp = UTC date-time of the message tracking event
# source = The Exchange transport component responsible for the message tracking event
# messageid = The value of the Message-Id: field found in the message's header fields. If the Message-Id: header field does not exist or is blank, an arbitrary value is assigned. This value is constant for the lifetime of the message.
# sender = The e-mail address specified in the Sender: header field, or the From: header field if Sender: is not present.
# recipients = The e-mail address of the message recipient
# messagesubject = The message's subject found in the Subject: header field

# Source: https://docs.microsoft.com/en-us/previous-versions/office/exchange-server-2007/bb124375(v=exchg.80)?redirectedfrom=MSDN

Exchange Online:

How to display the mail history of the last 48h:

$end = get-date
$start = $end.AddHours(-48)
Get-MessageTrace -StartDate $start -EndDate $end -PageSize 5000 | select-object Received, SenderAddress, RecipientAddress, Subject, Status, FromIP, MessageID | Out-Gridview

# Status = Delivery status
# Received = UTC date and time of arrival of the message
# SenderAddress = The e-mail address specified in the Sender: header field, or the From: header field if Sender: is not present.
# MessageID = The value of the Message-Id: field found in the message's header fields. If the Message-Id: header field does not exist or is blank, an arbitrary value is assigned. This value is constant for the lifetime of the message.
# Subject = The message's subject found in the Subject: header field
# RecipientAddress = The e-mail address of the message recipient

Source: https://blogs.technet.microsoft.com/eopfieldnotes/2014/12/16/message-trace-the-powershell-way/

I have tried to make the output parameters of the two queries similar.

Now I could see that the spam mails only come to us via Exchange Online.
In addition, I was able to identify some IP addresses that I wanted to include in a block list.

But this topic will be covered in the 2nd part of this series.....
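The source IP review described above can also be done as a per-IP summary instead of reading the grid view row by row. The following is an added example, not part of the original post; the function name Get-SenderIpSummary, the -MinDomains threshold and the sample rows are assumptions constructed for illustration.

```powershell
# Constructed sample rows shaped like the Get-MessageTrace output above (not real data).
# For live data use: $trace = Get-MessageTrace -StartDate $start -EndDate $end -PageSize 5000
$rows = @(
    '2020-01-14 08:01;anna@partner.example;sales@contoso.example;Invoice;203.0.113.25'
    '2020-01-14 08:03;bob@supplier.example;hr@contoso.example;Re: Offer;203.0.113.25'
    '2020-01-14 08:07;carol@client.example;it@contoso.example;Re: Meeting;203.0.113.25'
    '2020-01-14 09:15;news@vendor.example;it@contoso.example;Newsletter;198.51.100.7'
    '2020-01-14 09:40;news@vendor.example;hr@contoso.example;Newsletter;198.51.100.7'
    '2020-01-14 10:02;it@contoso.example;anna@partner.example;Re: Invoice;'
)
$trace = $rows | ConvertFrom-Csv -Delimiter ';' -Header Received, SenderAddress, RecipientAddress, Subject, FromIP

function Get-SenderIpSummary {
    param(
        [Parameter(Mandatory)] [object[]] $Trace,
        [int] $MinDomains = 3   # hypothetical threshold, tune it to your own mail volume
    )
    $Trace |
        Where-Object { $_.FromIP } |        # skip rows without a source IP (e.g. outbound mail)
        Group-Object -Property FromIP |
        ForEach-Object {
            $group   = $_
            $senders = @($group.Group.SenderAddress | Sort-Object -Unique)
            # Domain part of every distinct sender address seen from this IP
            $domains = @($senders | ForEach-Object { ($_ -split '@')[-1].ToLower() } | Sort-Object -Unique)
            [pscustomobject]@{
                FromIP        = $group.Name
                Messages      = $group.Count
                Senders       = $senders.Count
                SenderDomains = $domains -join ', '
                Recipients    = @($group.Group.RecipientAddress | Sort-Object -Unique).Count
                FirstSeen     = $group.Group.Received | Sort-Object | Select-Object -First 1
                LastSeen      = $group.Group.Received | Sort-Object | Select-Object -Last 1
                # One IP sending on behalf of many unrelated domains deserves a manual look
                Review        = $domains.Count -ge $MinDomains
            }
        } |
        Sort-Object -Property Messages -Descending
}

Get-SenderIpSummary -Trace $trace | Format-Table -AutoSize
```

Shared mail services also send for many domains from one address, so the Review column marks an IP for manual inspection of its messages, not for automatic blocking.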