Looking for Subject and InternetMessageHeaders from messages (neither part of EmailEvents)


I'm successfully doing queries with Start-MgSecurityHuntingQuery to find messages which are from a particular sender domain, and which have failed DMARC.  I would like to get these messages' Subject and InternetMessageHeaders.  I can't seem to find a Delegated permission way to get this done other than Mail.ReadBasic.Shared with FullAccess permission also granted.  Same could be done with Mail.Read and FullAccess, but I'm trying to avoid FullAccess, and I would like to do this with Delegated permissions.

 

Seems like some kind of Mail.ReadBasic.All but for delegated would be perfect, but don't see anything available.  Is anyone aware of a delegated permissions approach to getting the message subject and message headers?

 

If EmailEvents table would just get Subject and InternetMessageHeaders added, that would be fantastic.  Barring that, Mail.ReadBasic.Shared and some new AccessRight that I can add via Add-MailboxPermission could be another option.  Or just a flavor of Mail.ReadBasic.All that magically works with delegated.

 

When I use Defender's Threat Explorer, it seems like all this stuff is possible (minus message headers, which can be retrieved from the email's entity page).

1 Reply
Sometime since November 2nd, Subject has been added to the EmailEvents table in Advanced Hunting. So that's nice. Now it's just the headers. I did see this command in EXO PowerShell: Get-QuarantineMessageHeader (https://learn.microsoft.com/en-us/powershell/module/exchange/get-quarantinemessageheader?view=exchan...). It's not a total answer, but is something to work with for now.
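
The approach from the reply, as an added example that is not part of either post: hunt for DMARC failures with `Subject` from `EmailEvents`, then pull headers with `Get-QuarantineMessageHeader` for the rows that ended up in quarantine. The sender domain, the 7-day window, the `fail` value inside `AuthenticationDetails` and the `Quarantine` delivery location are assumptions; messages that were delivered get no headers this way.

```powershell
# Added example. Placeholder values and assumptions are marked below.
Import-Module Microsoft.Graph.Security
Import-Module ExchangeOnlineManagement

Connect-MgGraph -Scopes 'ThreatHunting.Read.All'   # delegated scope for hunting queries
Connect-ExchangeOnline                              # account needs access to quarantine

$senderDomain = 'contoso.com'                       # placeholder sender domain

# AuthenticationDetails is a JSON string; the DMARC verdict value is an assumption.
$kql = @"
EmailEvents
| where Timestamp > ago(7d)
| where SenderFromDomain =~ '$senderDomain'
| extend Auth = parse_json(AuthenticationDetails)
| where tostring(Auth.DMARC) =~ 'fail'
| project Timestamp, InternetMessageId, Subject, SenderFromAddress,
          RecipientEmailAddress, DeliveryLocation
"@

$hunt = Start-MgSecurityHuntingQuery -Query $kql

$report = foreach ($row in $hunt.Results) {
    $p = $row.AdditionalProperties
    $headers = $null

    # Headers are only retrievable here for messages still held in quarantine.
    if ($p['DeliveryLocation'] -eq 'Quarantine') {
        $q = Get-QuarantineMessage -MessageId $p['InternetMessageId'] |
             Select-Object -First 1
        if ($q) {
            $headers = (Get-QuarantineMessageHeader -Identity $q.Identity).Header
        }
    }

    [pscustomobject]@{
        Timestamp = $p['Timestamp']
        Sender    = $p['SenderFromAddress']
        Recipient = $p['RecipientEmailAddress']
        Subject   = $p['Subject']
        Location  = $p['DeliveryLocation']
        Headers   = $headers                       # $null when not quarantined
    }
}

$report | Format-Table Timestamp, Sender, Recipient, Subject, Location
```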