tracking abuse of BCC

Iron Contributor

Apologies once again for the cross-post, but there are some aspects of this case that may be more applicable to Exchange Online than to MDO specialists.


I am looking at the BCC problem, where an attacker will send mail from the sending system to a third domain (often with an address chosen to make the deception convincing) BCC the victim address. Where a sending domain represents an obvious and sustained problem (not mentioning any Mountain View freemail providers here) it is easy to construct a mail flow rule:


if sender domain is {problem domain}

do {action}

except if To or CC includes a member of {your internal global distribution list}


{action} should of course be non-intrusive until you are sure that the rule is not going to be a problem. You may need also exceptions for acceptable spoofing, forwarding and any distribution groups accepting external mail. That is why testing is essential.


My problem is how to track the success of this rule. Both the PowerShell get-maildetailtransportrulereport commandlet and the equivalent KQL (Advanced Hunting) EmailEvents table give actual recipient address after BCC and distribution groups are resolved rather than the address of the third party that the detected item was primarily sent to. For the numbers in question, the GUI is impractical for anything other than spot checks.


Is there any way to programmatically list the external primary recipient of an inbound BCC?

0 Replies