EntilZha
Mar 03, 2023Iron Contributor
Advanced Hunting - Search for Message Header Items
In the applications I develop I add a custom header (X-test-Header) to all messages being sent that contains information. Question: Can I leverage Advanced Hunting to search for email containing my...
jkotfaldova
Mar 12, 2024Copper Contributor
Ajaj_Shaikh Please, do you now support querying the header details in Advanced Hunting? It will be very useful for us. We do have some phishing emails which are hard to find out...
ExMSW4319
Mar 13, 2024Steel Contributor
Sorry, there's nothing new in the EmailEvents schema that will help. You can sort-of pick up SCL and some of the others via ConfidenceLevel or infer it from the action taken by the product under your configuration, but that's not new.
You can write an Exchange mail flow rule that can pick up headers, though...
Apply this rule if
sender's address domain portion belongs to any of these domains:
'icloud.com' or 'me.com' or 'mac.com'
Do the following
Prepend the subject with '[BAD APPLE] '
and set message header 'X-redacted-Apple' with the value 'false' <-- not essential
and Deliver the message to the hosted quarantine.
and Stop processing more rules
Except if
'X-Mailer' header contains ''Apple' or 'iPhone' or 'iPad' or 'Outlook' or 'iCloud MailClientcurrent''
or 'X-MS-Exchange-MessageSentRepresentingType' header matches the following patterns:
'1' or '2'
or Includes these patterns in the From address:
'MAILER-DAEMON@\S*\.me'
Some leakage via MailClientcurrent, but it did the trick for me. The vector has since gone out of fashion from our viewpoint.
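The mail flow rule described in the reply above, expressed as an Exchange Online PowerShell command (an added example, not code from the original post). The rule name is an assumption; the condition, actions and exceptions are copied from the rule as written, and the command assumes the ExchangeOnlineManagement module is installed.

```powershell
# Added example: the "[BAD APPLE]" mail flow rule from the reply above, built with
# New-TransportRule. In mail flow rules all conditions must match (AND) while any
# one exception is enough to skip the rule (OR), which matches the "Except if ... or"
# layout in the post. The rule name below is an assumption.
Connect-ExchangeOnline   # interactive sign-in; needs the ExchangeOnlineManagement module

# The X-redacted-Apple marker header is optional, as the post notes; it is kept here
# so downstream rules or hunting queries can recognise mail this rule touched.
New-TransportRule -Name "Quarantine unexpected Apple-domain senders" `
    -SenderDomainIs "icloud.com", "me.com", "mac.com" `
    -PrependSubject "[BAD APPLE] " `
    -SetHeaderName "X-redacted-Apple" -SetHeaderValue "false" `
    -Quarantine $true `
    -StopRuleProcessing $true `
    -ExceptIfHeaderContainsMessageHeader "X-Mailer" `
    -ExceptIfHeaderContainsWords "Apple", "iPhone", "iPad", "Outlook", "iCloud MailClientcurrent" `
    -ExceptIfHeaderMatchesMessageHeader "X-MS-Exchange-MessageSentRepresentingType" `
    -ExceptIfHeaderMatchesPatterns "1", "2" `
    -ExceptIfFromAddressMatchesPatterns 'MAILER-DAEMON@\S*\.me'

# Check that the rule was created with the intended condition, actions and exceptions.
Get-TransportRule -Identity "Quarantine unexpected Apple-domain senders" |
    Format-List Name, State, Priority, Conditions, Actions, Exceptions
```

Start the rule in test mode (`-Mode Audit` or `-Mode AuditAndNotify`) before enforcing it, so the X-Mailer exceptions can be tuned against real traffic without quarantining legitimate mail.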