Forum Discussion
EntilZha (Iron Contributor), Mar 03, 2023
Advanced Hunting - Search for Message Header Items
In the applications I develop, I add a custom header (X-test-Header) to all messages being sent that contains information.
Question: Can I leverage Advanced Hunting to search for email containing my custom headers? If so, what will the query look like to achieve that result?
Thank You,
-Larry
- Ajaj_Shaikh (Microsoft)
Currently we do not support querying the header details in Advanced Hunting. Your ask has been noted and the team will look into it for future enhancements.
- jkotfaldova (Copper Contributor)
Ajaj_Shaikh Please, do you now support querying the header details in Advanced Hunting? It will be very useful for us. We do have some phishing emails which are hard to find out...
- ExMSW4319 (Steel Contributor)
Sorry, there's nothing new in the EmailEvents schema that will help. You can sort of pick up SCL and some of the others via ConfidenceLevel or infer it from the action taken by the product under your configuration, but that's not new.
You can write an Exchange mail flow rule that can pick up headers, though...
Apply this rule if
sender's address domain portion belongs to any of these domains:
'icloud.com' or 'me.com' or 'mac.com'
Do the following
Prepend the subject with '[BAD APPLE] '
and set message header 'X-redacted-Apple' with the value 'false' <-- not essential
and Deliver the message to the hosted quarantine.
and Stop processing more rules
Except if
'X-Mailer' header contains 'Apple' or 'iPhone' or 'iPad' or 'Outlook' or 'iCloud MailClientcurrent'
or 'X-MS-Exchange-MessageSentRepresentingType' header matches the following patterns:
'1' or '2'
or Includes these patterns in the From address:
'MAILER-DAEMON@\S*\.me'
Some leakage via MailClientcurrent, but it did the trick for me. The vector has since gone out of fashion from our viewpoint.
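The mail flow rule ExMSW4319 describes above, expressed with Exchange Online PowerShell's New-TransportRule (an added example, not code from the thread). It assumes an existing Connect-ExchangeOnline session; the rule name is a placeholder, the word list is copied verbatim from the post, and the custom header keeps the poster's redacted name.

```powershell
# Added example, not from the thread: the EAC rule above as New-TransportRule.
# Assumptions: Connect-ExchangeOnline has already been run; the rule name is a
# placeholder; the header name is the poster's redacted value.

$senderDomains  = @('icloud.com', 'me.com', 'mac.com')
# Word list copied as the post shows it ('iCloud MailClientcurrent' included,
# which the poster notes is a source of leakage).
$mailerWords    = @('Apple', 'iPhone', 'iPad', 'Outlook', 'iCloud MailClientcurrent')
$representTypes = @('1', '2')
$bouncePattern  = 'MAILER-DAEMON@\S*\.me'

# Conditions: sender domain is one of the Apple consumer domains.
# Actions: tag the subject, stamp a header (optional), quarantine, stop processing.
# Exceptions are OR'ed: any one match prevents the rule from applying.
New-TransportRule -Name 'Quarantine spoofed Apple-domain senders (placeholder)' `
    -SenderDomainIs $senderDomains `
    -PrependSubject '[BAD APPLE] ' `
    -SetHeaderName 'X-redacted-Apple' -SetHeaderValue 'false' `
    -Quarantine $true `
    -StopRuleProcessing $true `
    -ExceptIfHeaderContainsMessageHeader 'X-Mailer' `
    -ExceptIfHeaderContainsWords $mailerWords `
    -ExceptIfHeaderMatchesMessageHeader 'X-MS-Exchange-MessageSentRepresentingType' `
    -ExceptIfHeaderMatchesPatterns $representTypes `
    -ExceptIfFromAddressMatchesPatterns $bouncePattern `
    -Mode Audit   # start in Audit; switch to Enforce once the exceptions are tuned
```

Since Advanced Hunting cannot see headers, the prepended subject tag is what later becomes searchable in the EmailEvents Subject column.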