Advanced Hunting - Search for Message Header Items


In the applications I develop, I add a custom header (X-test-Header) to all messages being sent that contains information.


Question: Can I leverage Advanced Hunting to search for email containing my custom headers? If so, what will the query look like to achieve that result?


Thank You,

-Larry

Currently we do not support querying the header details in Advanced Hunting. Your ask has been noted and the team will look into it for future enhancements.

@Ajaj_Shaikh Please, do you now support querying the header details in Advanced Hunting? It would be very useful for us. We have some phishing emails which are hard to find...

Sorry, there's nothing new in the EmailEvents schema that will help. You can sort-of pick up SCL and some of the others via ConfidenceLevel or infer it from the action taken by the product under your configuration, but that's not new.

You can write an Exchange mail flow rule that can pick up headers, though...

Apply this rule if

sender's address domain portion belongs to any of these domains:
'icloud.com' or 'me.com' or 'mac.com'

Do the following

Prepend the subject with '[BAD APPLE] '
and set message header 'X-redacted-Apple' with the value 'false' <-- not essential
and Deliver the message to the hosted quarantine.
and Stop processing more rules

Except if

'X-Mailer' header contains 'Apple' or 'iPhone' or 'iPad' or 'Outlook' or 'iCloud MailClientcurrent'
or 'X-MS-Exchange-MessageSentRepresentingType' header matches the following patterns:
'1' or '2'
or Includes these patterns in the From address:
'MAILER-DAEMON@\S*\.me'

Some leakage via MailClientcurrent, but it did the trick for me. The vector has since gone out of fashion from our viewpoint.
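The mail flow rule described in the reply above, expressed as Exchange Online PowerShell so it can be created and reviewed outside the admin center. This is an added example, not code posted by the reply's author or by Microsoft. It assumes an Exchange Online PowerShell session is already open (Connect-ExchangeOnline) and that the rule names, the `[X-TEST]` subject tag and the `.+` pattern are my own placeholders; the domains, header names, words and the `MAILER-DAEMON` pattern are taken from the reply and the original question. The second rule applies the same header predicate to the question's `X-test-Header`, which is the part Advanced Hunting cannot do today.

```powershell
# Added example (not from the original thread). Assumes Connect-ExchangeOnline
# has already been run. Rule names below are placeholders chosen for this example.

# Rule 1: the rule from the reply above. Each parameter maps onto one line of
# the admin-center wording: condition (sender domain), actions (prepend subject,
# set header, quarantine, stop processing) and the three exceptions.
New-TransportRule -Name 'Quarantine unverified Apple-domain senders' `
    -SenderDomainIs 'icloud.com','me.com','mac.com' `
    -PrependSubject '[BAD APPLE] ' `
    -SetHeaderName 'X-redacted-Apple' -SetHeaderValue 'false' `
    -Quarantine $true `
    -StopRuleProcessing $true `
    -ExceptIfHeaderContainsMessageHeader 'X-Mailer' `
    -ExceptIfHeaderContainsWords 'Apple','iPhone','iPad','Outlook','iCloud MailClientcurrent' `
    -ExceptIfHeaderMatchesMessageHeader 'X-MS-Exchange-MessageSentRepresentingType' `
    -ExceptIfHeaderMatchesPatterns '1','2' `
    -ExceptIfFromAddressMatchesPatterns 'MAILER-DAEMON@\S*\.me'

# Rule 2: the original question's custom header. The header value is free-form,
# so match on presence of any non-empty value ('.+' is my assumption) rather
# than on specific words, and stamp the subject so the message can be found by
# the searches that do exist (subject is queryable in EmailEvents).
New-TransportRule -Name 'Tag messages carrying X-test-Header' `
    -HeaderMatchesMessageHeader 'X-test-Header' `
    -HeaderMatchesPatterns '.+' `
    -PrependSubject '[X-TEST] '

# Review what was created before relying on it: state, priority and the
# exception lists are what usually go wrong when a rule is transcribed by hand.
Get-TransportRule |
    Where-Object { $_.Name -like '*Apple-domain*' -or $_.Name -like '*X-test-Header*' } |
    Format-List Name, State, Priority, Mode, SenderDomainIs, Quarantine,
        ExceptIfHeaderContainsWords, ExceptIfHeaderMatchesPatterns, ExceptIfFromAddressMatchesPatterns
```

When first deploying either rule, add `-Mode Audit` to the `New-TransportRule` call so it only logs matches (visible in the message trace and the Exchange mail flow reports) without prepending subjects or quarantining; switch to `-Mode Enforce` once the exception lists are confirmed not to leak, which is the risk the reply notes with `MailClientcurrent`.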