The script below is not flawless, but it may help identify phishing messages sent via Direct Send. Note that it may produce false positives, particularly with third-party mail clients such as the iPhone Mail app.
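# Direct Send hunt for Exchange Online.
#
# Lists traced messages that appear to be sent from an internal address to
# that same address and whose Message-ID claims the tenant's own domain — a
# combination associated with spoofed mail delivered via Direct Send.
#
# Requires an Exchange Online session (Connect-ExchangeOnline) that exposes
# Get-MessageTraceV2.
#
# Limitations: "sender == recipient" plus a Message-ID on the tenant domain is
# a heuristic, not proof. Legitimate clients that build the Message-ID from
# the user's own address (the iPhone Mail app is a known example) match too,
# so treat hits as leads to confirm against the message headers and
# authentication results rather than as verdicts.
Clear-Host

# ---- Configurable variables ---------------------------------------------
$domain = "yourdomain.com"   # <---------- replace with your domain
# Message-ID match: the literal domain, regex-escaped, followed by the closing
# angle bracket (e.g. @yourdomain\.com>).
$domainRegex = "@" + [regex]::Escape($domain) + ">"
# Number of days back to check; 0 = today only.
$days = 0
# Records requested per trace call; the cmdlet returns at most this many per
# call, so a window that fills a whole page has been truncated.
$pageSize = 5000
# Width of each trace window in hours. Small windows keep each call below
# the page size on busy tenants; reduce it if the truncation warning fires.
$windowHours = 2

# Fail fast if the Exchange Online module is not loaded/connected: otherwise
# every window errors out individually and the final table is simply empty,
# which reads like a clean result.
if (-not (Get-Command Get-MessageTraceV2 -ErrorAction SilentlyContinue)) {
    throw "Get-MessageTraceV2 is not available. Run Connect-ExchangeOnline first."
}

# Going back N days covers those N days plus today, hence the extra 24 hours.
$hoursBack = if ($days -gt 0) { ($days * 24) + 24 } else { 24 }
# Base date is midnight of the earliest day in scope.
$baseDate = (Get-Date).AddDays(-$days).Date

# A List avoids re-allocating and copying the whole array on every window,
# which is what '$array += ...' does.
$allResults = [System.Collections.Generic.List[object]]::new()

# Loop through each window.
for ($i = 0; $i -lt $hoursBack; $i += $windowHours) {
    $startDate = $baseDate.AddHours($i)
    $endDate   = $baseDate.AddHours($i + $windowHours)
    Write-Output "Checking messages between $startDate and $endDate"

    # @( ) so that zero or one record still yields an array with .Count.
    $window = @(Get-MessageTraceV2 -StartDate $startDate -EndDate $endDate `
        -RecipientAddress "*@$domain" `
        -WarningAction SilentlyContinue -ResultSize $pageSize)

    # The sender/Message-ID filter runs client-side, so a truncated page
    # silently hides matches. Say so instead of reporting a clean window.
    if ($window.Count -ge $pageSize) {
        Write-Warning ("Window {0} - {1} returned {2} records (page limit); " +
            "results may be incomplete. Reduce the window size." -f
            $startDate, $endDate, $window.Count)
    }

    $hits = $window | Where-Object {
        $_.SenderAddress -eq $_.RecipientAddress -and
        $_.MessageId -match $domainRegex
    }
    foreach ($hit in @($hits)) {
        $allResults.Add($hit)
    }
}

# ---- Display results ----------------------------------------------------
$allResults |
    Select-Object MessageId, Received, SenderAddress, RecipientAddress, Subject, Status |
    Format-Table -AutoSize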