Update 8/12/2025: Added the FAQ to the post. Also, to help shed more light on the Direct Send feature, we published a newer post called Direct Send vs sending directly to an Exchange Online tenant.
...
Updated Oct 06, 2025
Version 13.0
Blog Post
The script below isn't flawless, but it may assist in identifying phishing messages sent via direct send. Please note it may produce false positives, particularly with third-party mail clients like the iPhone Mail app.
cls
# Configurable variables
$domain = "yourdomain.com" #<----------replace with your domain
#set match
$domainRegex = "@" +[regex]::Escape($domain) + ">" # Escaped for regex match (e.g., yourdomain\.com>)
# Set the number of days back to check
$days = 0
$hoursBack = if ($days -gt 0) { ($days * 24) + 24 } else { 24 }
# Base date is midnight of the chosen day
$baseDate = (Get-Date).AddDays(-$days).Date
$allResults = @()
# Loop through each 2-hour window
for ($i = 0; $i -lt $hoursBack; $i += 2) {
$startDate = $baseDate.AddHours($i)
$endDate = $baseDate.AddHours($i + 2)
Write-Output "Checking messages between $startDate and $endDate"
$results = Get-MessageTracev2 -StartDate $startDate -EndDate $endDate `
-RecipientAddress "*@$domain" `
-WarningAction SilentlyContinue -ResultSize 5000 |
Where-Object {
$_.SenderAddress -eq $_.RecipientAddress -and
$_.MessageId -match $domainRegex
}
$allResults += $results
}
# Display results
$allResults |
Select-Object MessageId, Received, SenderAddress, RecipientAddress, Subject, Status |
Format-Table -AutoSize
Is there an date on when the Direct Send traffic report will be available? It is critical to assess the real impact of this before implementing that flag
