1 00:00:02,659 --> 00:00:05,640 let me get this situated can you hear me 2 00:00:05,190 --> 00:00:08,670 okay 3 00:00:05,640 --> 00:00:10,050 all right if you can't see any of the 4 00:00:08,670 --> 00:00:12,540 screenshot just yell like raise your 5 00:00:10,050 --> 00:00:14,880 hand I may not see you but raise your 6 00:00:12,540 --> 00:00:18,630 hand some of them are a little dark so I 7 00:00:14,880 --> 00:00:19,800 can zoom in afterwards of all of these 8 00:00:18,630 --> 00:00:22,560 slides will be on a github repository 9 00:00:19,800 --> 00:00:24,390 and I'll sure that out but they're all 10 00:00:22,560 --> 00:00:26,220 in markdown so it's pretty easy to kind 11 00:00:24,390 --> 00:00:29,519 of follow along we're gonna go through a 12 00:00:26,220 --> 00:00:32,339 lot of data and a lot of information in 13 00:00:29,519 --> 00:00:35,480 a short period of time so all right so 14 00:00:32,340 --> 00:00:39,120 today I'm gonna talk about PI EWS and 15 00:00:35,480 --> 00:00:41,250 ews has exchange web services and this 16 00:00:39,120 --> 00:00:42,780 is a Python package that I wrote that 17 00:00:41,250 --> 00:00:46,879 actually allows you to interact with 18 00:00:42,780 --> 00:00:49,379 exchange web services on Linux Mac 19 00:00:46,879 --> 00:00:53,519 Windows pretty much any system that you 20 00:00:49,379 --> 00:01:08,090 want so before well a little bit about 21 00:00:53,520 --> 00:01:13,020 me yeah that is actually being is it 22 00:01:08,090 --> 00:01:14,729 hello okay so a little bit about me so I 23 00:01:13,020 --> 00:01:16,439 have a lot of background in digital 24 00:01:14,729 --> 00:01:18,060 forensics and it's a response as well as 25 00:01:16,439 --> 00:01:20,970 blue team and I like to automate 26 00:01:18,060 --> 00:01:22,170 anything that I can at all I mean it 27 00:01:20,970 --> 00:01:23,789 doesn't really matter what if I have to 28 00:01:22,170 --> 00:01:26,700 do it twice I'm gonna write a script for 29 00:01:23,790 --> 00:01:31,140 it 
I also like to call myself an open 30 00:01:26,700 --> 00:01:36,320 sorcerer right no one get it okay I 31 00:01:31,140 --> 00:01:39,920 thought that was funny I also like to 32 00:01:36,320 --> 00:01:44,429 take long walks down binary trees and 33 00:01:39,920 --> 00:01:46,590 yeah you can read them all right so a 34 00:01:44,430 --> 00:01:48,840 little bit about exchange in general but 35 00:01:46,590 --> 00:01:50,579 first before we before we dive in we 36 00:01:48,840 --> 00:01:52,740 need to understand yeah as a rose 37 00:01:50,579 --> 00:01:55,529 talking about this is rest versus soap 38 00:01:52,740 --> 00:01:57,869 anyone familiar with api's you use them 39 00:01:55,530 --> 00:02:00,750 on a daily basis right you should if you 40 00:01:57,869 --> 00:02:02,670 haven't man if you don't I have like a 41 00:02:00,750 --> 00:02:05,390 whole series coming out here soon that 42 00:02:02,670 --> 00:02:12,230 all all sure as well but 43 00:02:05,390 --> 00:02:15,280 rest is representable state transfer got 44 00:02:12,230 --> 00:02:18,859 any more of those rest api's you know 45 00:02:15,280 --> 00:02:21,950 and it's really all about HTTP methods 46 00:02:18,860 --> 00:02:25,550 so you your your sending an HDTV or 47 00:02:21,950 --> 00:02:27,739 request to either get data post data put 48 00:02:25,550 --> 00:02:29,570 data which is like a modify it as well 49 00:02:27,740 --> 00:02:31,790 as delete but all this is all in from 50 00:02:29,570 --> 00:02:34,160 like the client side and it affords it 51 00:02:31,790 --> 00:02:36,019 onto some DB or some system in the 52 00:02:34,160 --> 00:02:37,880 background and then it just returns all 53 00:02:36,020 --> 00:02:40,280 the data and JSON JSON is really nice 54 00:02:37,880 --> 00:02:45,380 and easy to use and it's pretty 55 00:02:40,280 --> 00:02:52,670 straightforward to kind of parse so-so 56 00:02:45,380 --> 00:02:54,799 is a little bit different and if you 57 00:02:52,670 --> 00:02:59,869 can't read that it's as 
a soap request 58 00:02:54,800 --> 00:03:03,590 thank you sorry this is a rest room now 59 00:02:59,870 --> 00:03:08,560 okay so it's the simple simple object 60 00:03:03,590 --> 00:03:08,560 access protocol it really it's just XML 61 00:03:08,590 --> 00:03:16,730 that is a good representation of XML so 62 00:03:13,360 --> 00:03:19,580 overall in a soap API is actually as 63 00:03:16,730 --> 00:03:21,679 these kind of forms or shapes and it's 64 00:03:19,580 --> 00:03:23,810 all based on a wrapped envelope and 65 00:03:21,680 --> 00:03:26,870 inside that envelope you actually have a 66 00:03:23,810 --> 00:03:29,720 header and you have metadata about that 67 00:03:26,870 --> 00:03:31,459 header attributes then you have a body 68 00:03:29,720 --> 00:03:33,140 element and that body element is 69 00:03:31,459 --> 00:03:36,980 actually going to contain the methods so 70 00:03:33,140 --> 00:03:40,268 instead of actually doing an HTTP GET 71 00:03:36,980 --> 00:03:42,470 post update you're always gonna post and 72 00:03:40,269 --> 00:03:46,070 the body is gonna tell it whether you 73 00:03:42,470 --> 00:03:48,830 want to get data or not and then each 74 00:03:46,070 --> 00:03:52,820 body and method has elements and 75 00:03:48,830 --> 00:03:55,670 variables and then all that in it again 76 00:03:52,820 --> 00:03:57,049 it's post only so you're now going to 77 00:03:55,670 --> 00:03:59,660 submit get requests you're now gonna 78 00:03:57,049 --> 00:04:05,000 sort of put you're always gonna send a 79 00:03:59,660 --> 00:04:09,769 post so let's dive into a little bit 80 00:04:05,000 --> 00:04:12,650 about exchange so exchange is complex if 81 00:04:09,769 --> 00:04:16,850 you have ever anyone here manage 82 00:04:12,650 --> 00:04:22,040 exchange or have managed it or use it 83 00:04:16,850 --> 00:04:23,930 anyone have Outlook so exchange is all 84 00:04:22,040 --> 00:04:25,880 about the clients connecting it and they 85 00:04:23,930 --> 00:04:27,710 connected over different 
protocols so 86 00:04:25,880 --> 00:04:29,060 whether you're actually sending it over 87 00:04:27,710 --> 00:04:31,940 pop or IMAP there's a whole other 88 00:04:29,060 --> 00:04:35,000 protocol but clients like your mobile 89 00:04:31,940 --> 00:04:38,120 device your outlook client your Mac or 90 00:04:35,000 --> 00:04:40,610 all send it over AWS and they'll 91 00:04:38,120 --> 00:04:43,490 actually connect to an iis server which 92 00:04:40,610 --> 00:04:47,740 then proxies back to the actual HTTP 93 00:04:43,490 --> 00:04:50,390 service of soap the soap 94 00:04:47,740 --> 00:04:52,430 EWS actually connects to the mailbox 95 00:04:50,390 --> 00:04:56,180 database so this is like a wrapper for 96 00:04:52,430 --> 00:04:58,520 accessing the the mailboxes all the data 97 00:04:56,180 --> 00:04:59,930 we turn those mailboxes and you have 98 00:04:58,520 --> 00:05:03,950 some delivery queues and some other 99 00:04:59,930 --> 00:05:06,020 stuff so here's an example with actually 100 00:05:03,950 --> 00:05:08,180 you know you can see I think it's almost 101 00:05:06,020 --> 00:05:10,669 all modern or smartphone outlook for Mac 102 00:05:08,180 --> 00:05:14,270 I look for Windows I'll use EWS 103 00:05:10,670 --> 00:05:17,320 underneath the hood newer phones like if 104 00:05:14,270 --> 00:05:21,469 you have Outlook the outlook app for 105 00:05:17,320 --> 00:05:25,280 office 365 it will connect over arrest 106 00:05:21,470 --> 00:05:27,710 but they still use soap as well but it 107 00:05:25,280 --> 00:05:31,159 connects to EWS as well as some other 108 00:05:27,710 --> 00:05:37,219 services like RPC das so on and so forth 109 00:05:31,160 --> 00:05:41,060 but the basis of everything is around 110 00:05:37,220 --> 00:05:43,040 EWS so you have HTTP soap request that 111 00:05:41,060 --> 00:05:46,060 actually gets sent to an iis web server 112 00:05:43,040 --> 00:05:48,440 that's running on that exchange and that 113 00:05:46,060 --> 00:05:51,170 actually forwards it off 
and tries to do 114 00:05:48,440 --> 00:05:55,280 lookups and access actual mailbox data 115 00:05:51,170 --> 00:05:59,120 so basically everything that you can do 116 00:05:55,280 --> 00:06:01,130 in exchange and I be like Adam email 117 00:05:59,120 --> 00:06:04,850 delete an email add a calendar item add 118 00:06:01,130 --> 00:06:09,200 a group to an IM or an IM group remove 119 00:06:04,850 --> 00:06:10,550 people everything is done through EWS so 120 00:06:09,200 --> 00:06:13,820 you have access to everything that you 121 00:06:10,550 --> 00:06:23,300 can do in the UI of exchange and war 122 00:06:13,820 --> 00:06:25,460 through EWS Soaker 123 00:06:23,300 --> 00:06:28,639 these are the the most common ways to 124 00:06:25,460 --> 00:06:32,900 actually connect so use dotnet or 125 00:06:28,639 --> 00:06:34,729 c-sharp and it uses the EWS managed API 126 00:06:32,900 --> 00:06:37,969 that's completely different if you ever 127 00:06:34,729 --> 00:06:40,639 see that this is a dll that you have on 128 00:06:37,970 --> 00:06:43,240 windows systems that they just wrap EWS 129 00:06:40,639 --> 00:06:45,620 in to make it easily accessible 130 00:06:43,240 --> 00:06:49,460 same with powershell powershell and 131 00:06:45,620 --> 00:06:50,990 c-sharp j/s node you can access it 132 00:06:49,460 --> 00:06:51,859 through rest but it's only for office 133 00:06:50,990 --> 00:06:54,409 365 134 00:06:51,860 --> 00:06:58,969 not on on-premise exchange all does not 135 00:06:54,409 --> 00:07:01,520 have rest at this time again PowerShell 136 00:06:58,969 --> 00:07:03,860 with Microsoft Exchange Web Services DLL 137 00:07:01,520 --> 00:07:06,289 so a compiled DLL that only runs on 138 00:07:03,860 --> 00:07:07,879 Windows systems and then you get 139 00:07:06,289 --> 00:07:10,068 PowerShell remote you can actually 140 00:07:07,879 --> 00:07:12,919 remote into Exchange Online to view 141 00:07:10,069 --> 00:07:16,190 office 365 you can actually remote to a 142 00:07:12,919 --> 
00:07:19,310 jump box or the actual exchange server 143 00:07:16,190 --> 00:07:22,039 please don't ever do that but you can 144 00:07:19,310 --> 00:07:24,500 actually do that and run those commands 145 00:07:22,039 --> 00:07:26,060 and then you also have PowerShell you 146 00:07:24,500 --> 00:07:29,539 know just the general exchange 147 00:07:26,060 --> 00:07:32,419 Commandments you know get mailbox or 148 00:07:29,539 --> 00:07:34,550 whatever Zak it is all of those are 149 00:07:32,419 --> 00:07:42,318 actually using that DLL underneath them 150 00:07:34,550 --> 00:07:45,080 so what about Nix users anyone ever see 151 00:07:42,319 --> 00:07:47,330 this xkcd article I love this I have it 152 00:07:45,080 --> 00:07:51,500 framed because it's amazing it's kind of 153 00:07:47,330 --> 00:07:53,960 yeah let me see if I can stretch that up 154 00:07:51,500 --> 00:07:56,479 there you go because no I'm not 155 00:07:53,960 --> 00:08:00,138 interested in updating my antivirus I 156 00:07:56,479 --> 00:08:05,240 run Linux and he gets on his dirt bike 157 00:08:00,139 --> 00:08:08,199 and runs off pretty funny I have a weird 158 00:08:05,240 --> 00:08:11,840 since humor I think so PI EWS is why 159 00:08:08,199 --> 00:08:14,180 Linux users so this is a framework that 160 00:08:11,840 --> 00:08:19,068 I built the in Python that works in 161 00:08:14,180 --> 00:08:22,490 Python 2 & 3 but it wraps the entire PWS 162 00:08:19,069 --> 00:08:24,979 into an easily digestible package and 163 00:08:22,490 --> 00:08:26,870 we'll go through all of those kind of 164 00:08:24,979 --> 00:08:31,520 functions that they currently support 165 00:08:26,870 --> 00:08:34,399 and how you can extend and allow it to 166 00:08:31,520 --> 00:08:36,228 do whatever the heck you want the 167 00:08:34,399 --> 00:08:36,860 repository is there I'll have the links 168 00:08:36,229 --> 00:08:38,839 at the end 169 00:08:36,860 --> 00:08:46,010 but there's also the documentation it's 170 00:08:38,839 --> 
00:08:49,700 pretty thorough so to install it let's 171 00:08:46,010 --> 00:08:51,319 zoom in so install it it's literally its 172 00:08:49,700 --> 00:08:54,230 own pie pie so if you're not familiar 173 00:08:51,320 --> 00:08:56,810 with Python or package management it's 174 00:08:54,230 --> 00:08:58,610 it's underused pip which is their 175 00:08:56,810 --> 00:09:02,899 built-in package manager 176 00:08:58,610 --> 00:09:06,170 pip stands for Python ad there's like 177 00:09:02,899 --> 00:09:08,510 for meetings like Python is Python or 178 00:09:06,170 --> 00:09:10,790 pip is Python I think is what this means 179 00:09:08,510 --> 00:09:12,620 for ya so you can install it on Windows 180 00:09:10,790 --> 00:09:16,790 or Linux and run this 181 00:09:12,620 --> 00:09:18,980 it's just pip install PI - uws and where 182 00:09:16,790 --> 00:09:21,170 you can clone the repository and to use 183 00:09:18,980 --> 00:09:26,810 it you first actually have to create a 184 00:09:21,170 --> 00:09:29,630 user configuration so everything with 185 00:09:26,810 --> 00:09:32,449 piety but PI ews is with this user 186 00:09:29,630 --> 00:09:34,220 configuration object so this will 187 00:09:32,450 --> 00:09:36,290 connect to all the service in points 188 00:09:34,220 --> 00:09:38,630 that you can actually perform actions 189 00:09:36,290 --> 00:09:39,980 with so we have a couple different 190 00:09:38,630 --> 00:09:43,939 options when it comes to actually 191 00:09:39,980 --> 00:09:46,880 authenticating to exchange we have to 192 00:09:43,940 --> 00:09:49,760 import the library PI EWS import user 193 00:09:46,880 --> 00:09:51,620 config but before you really kind of go 194 00:09:49,760 --> 00:09:54,890 down that road make sure you have these 195 00:09:51,620 --> 00:09:58,310 access rights as ediscovery has anyone 196 00:09:54,890 --> 00:09:59,300 ever used ediscovery permissions in 197 00:09:58,310 --> 00:10:02,719 exchange okay 198 00:09:59,300 --> 00:10:05,000 so e discovery is what 
digital forensics 199 00:10:02,720 --> 00:10:06,740 or ir people or your compliance 200 00:10:05,000 --> 00:10:08,510 administrator will actually put a hold 201 00:10:06,740 --> 00:10:10,970 on your mailbox and you will never know 202 00:10:08,510 --> 00:10:13,279 and that means you think you're deleting 203 00:10:10,970 --> 00:10:16,940 an email and you're not there holding it 204 00:10:13,279 --> 00:10:19,550 and you to do that you actually have to 205 00:10:16,940 --> 00:10:21,170 have these rights in exchange and they 206 00:10:19,550 --> 00:10:22,760 can do automated searching they can do 207 00:10:21,170 --> 00:10:27,229 it but it's all through this crabby UI 208 00:10:22,760 --> 00:10:29,390 that is so slow and crashes like half 209 00:10:27,230 --> 00:10:31,130 the time if you have a mailbox of 20,000 210 00:10:29,390 --> 00:10:33,140 or more it will crash within 24 hours 211 00:10:31,130 --> 00:10:37,760 and it'll probably take about 48 hours 212 00:10:33,140 --> 00:10:40,069 to run that's how crappy it is so but 213 00:10:37,760 --> 00:10:42,649 these endpoints are there which is great 214 00:10:40,070 --> 00:10:43,430 so you need to have even ediscovery 215 00:10:42,649 --> 00:10:46,220 rights 216 00:10:43,430 --> 00:10:48,859 compliance administrator ediscovery 217 00:10:46,220 --> 00:10:49,790 manager so on and so forth but once you 218 00:10:48,860 --> 00:10:51,560 actually have the 219 00:10:49,790 --> 00:10:55,339 then you can provide a username and 220 00:10:51,560 --> 00:10:57,560 password there's no OAuth or any other 221 00:10:55,340 --> 00:11:00,410 authentication mechanism besides your 222 00:10:57,560 --> 00:11:04,579 name user human password with EWS so 223 00:11:00,410 --> 00:11:09,380 it's not the most secure but it's there 224 00:11:04,580 --> 00:11:11,690 and it will be there for a long time so 225 00:11:09,380 --> 00:11:13,430 if you don't have those rights but you 226 00:11:11,690 --> 00:11:16,550 still want to search then you can 227 
00:11:13,430 --> 00:11:19,010 actually impersonate so if you are given 228 00:11:16,550 --> 00:11:22,040 the impersonation right for a specific 229 00:11:19,010 --> 00:11:24,260 mailbox then you can actually search as 230 00:11:22,040 --> 00:11:25,699 that user so you're going to personate 231 00:11:24,260 --> 00:11:28,580 that user and you can do this all 232 00:11:25,700 --> 00:11:29,570 through AWS as well so depending on your 233 00:11:28,580 --> 00:11:31,280 situation 234 00:11:29,570 --> 00:11:34,310 it's better to have any discovery rights 235 00:11:31,280 --> 00:11:36,410 because it's very restricted that the 236 00:11:34,310 --> 00:11:39,770 rights aren't they won't get budged I 237 00:11:36,410 --> 00:11:42,380 guess but impersonation rights are 238 00:11:39,770 --> 00:11:44,270 possible and so you need the application 239 00:11:42,380 --> 00:11:46,700 of personation or the actual right on 240 00:11:44,270 --> 00:11:52,250 the ad object is called MS exchange 241 00:11:46,700 --> 00:11:54,860 impersonation once you do that you then 242 00:11:52,250 --> 00:11:56,360 you know create an impersonation object 243 00:11:54,860 --> 00:11:58,610 by importing that part of the library 244 00:11:56,360 --> 00:12:01,040 and then you just pass it into your user 245 00:11:58,610 --> 00:12:03,230 configuration so from now on when you 246 00:12:01,040 --> 00:12:06,230 make any other calls using that object 247 00:12:03,230 --> 00:12:12,130 you actually impersonate based on that 248 00:12:06,230 --> 00:12:15,770 users rights now this is the deep dive 249 00:12:12,130 --> 00:12:17,120 can you see that okay a lot of this is 250 00:12:15,770 --> 00:12:19,790 like comments up there so you don't 251 00:12:17,120 --> 00:12:22,850 really but to impersonate you just need 252 00:12:19,790 --> 00:12:25,730 the SMTP address there's a couple you 253 00:12:22,850 --> 00:12:28,430 can use the SID of that account but you 254 00:12:25,730 --> 00:12:31,970 can actually use SMTP primary 
SMTP a 255 00:12:28,430 --> 00:12:34,640 principal name etc but if you can see at 256 00:12:31,970 --> 00:12:39,230 the bottom here this is where we get 257 00:12:34,640 --> 00:12:41,000 into the fund ready it is that looks 258 00:12:39,230 --> 00:12:44,210 funky right 259 00:12:41,000 --> 00:12:47,450 IMed so this is it a soap header that 260 00:12:44,210 --> 00:12:49,730 we'll add to our soap request and it 261 00:12:47,450 --> 00:12:54,200 indicates I want to connect using the 262 00:12:49,730 --> 00:12:55,430 SID or using this SMTP address and you 263 00:12:54,200 --> 00:12:56,900 have to actually put that when you 264 00:12:55,430 --> 00:12:59,650 actually post the data to your so 265 00:12:56,900 --> 00:12:59,650 service 266 00:13:03,320 --> 00:13:09,810 so the other thing is that anyone here 267 00:13:06,690 --> 00:13:12,149 familiar with autodiscover anyone ever 268 00:13:09,810 --> 00:13:14,310 seen that right you connect to exchange 269 00:13:12,149 --> 00:13:16,350 and it says hey this is your auto it'll 270 00:13:14,310 --> 00:13:17,479 automatically discover everything it's 271 00:13:16,350 --> 00:13:21,420 awesome 272 00:13:17,480 --> 00:13:25,230 all right so pi EWS actually supports 273 00:13:21,420 --> 00:13:28,649 this Auto discover but Microsoft's 274 00:13:25,230 --> 00:13:31,709 recommendations are a little weird they 275 00:13:28,649 --> 00:13:35,730 actually don't have an official way of 276 00:13:31,709 --> 00:13:40,319 doing this they actually say okay you 277 00:13:35,730 --> 00:13:45,480 can use in what they call an SCP a what 278 00:13:40,320 --> 00:13:48,209 is the code yeah 279 00:13:45,480 --> 00:13:51,750 so we basically correct create these 280 00:13:48,209 --> 00:13:53,489 URLs that you see those for based on 281 00:13:51,750 --> 00:13:56,520 your user name and password or based on 282 00:13:53,490 --> 00:13:58,550 your your email address and you can also 283 00:13:56,520 --> 00:14:01,740 use what they call an SCP which is a 284 
00:13:58,550 --> 00:14:03,540 service control point that actually is 285 00:14:01,740 --> 00:14:06,120 registered in your Active Directory or a 286 00:14:03,540 --> 00:14:08,610 juror or Active Directory and it points 287 00:14:06,120 --> 00:14:12,060 to your exchange servers so if you have 288 00:14:08,610 --> 00:14:14,160 40 exchange servers in 10 racks or 289 00:14:12,060 --> 00:14:18,540 whatever it will actually make a record 290 00:14:14,160 --> 00:14:20,279 in active directory called SCP but you 291 00:14:18,540 --> 00:14:21,959 can actually just you know pass in that 292 00:14:20,279 --> 00:14:24,029 user configuration and we're 293 00:14:21,959 --> 00:14:25,829 automatically by default try 294 00:14:24,029 --> 00:14:28,620 autodiscover so we'll generate these 295 00:14:25,829 --> 00:14:30,870 URLs and actually you know try to 296 00:14:28,620 --> 00:14:33,660 authenticate and we'll provide every 297 00:14:30,870 --> 00:14:36,000 single version so there's nine versions 298 00:14:33,660 --> 00:14:38,790 total of exchange and so we'll just 299 00:14:36,000 --> 00:14:41,339 attempt each one so you can think five 300 00:14:38,790 --> 00:14:44,630 times nine we're going to try every 301 00:14:41,339 --> 00:14:52,140 single one of those throughout the time 302 00:14:44,630 --> 00:14:54,149 so here's an example and maybe me so 303 00:14:52,140 --> 00:14:55,470 we're actually going to auto-discovery 304 00:14:54,149 --> 00:14:57,510 and we're printing out you know the 305 00:14:55,470 --> 00:15:00,300 user's email address and then we we 306 00:14:57,510 --> 00:15:02,279 identified the EWS URL and their 307 00:15:00,300 --> 00:15:04,469 specific exchange version and this is 308 00:15:02,279 --> 00:15:06,779 the actual soap response that you get 309 00:15:04,470 --> 00:15:09,660 when you make that call and it says hey 310 00:15:06,779 --> 00:15:13,579 I know who you are and I'm gonna print 311 00:15:09,660 --> 00:15:15,469 all the attributes about that user here 312 
00:15:13,579 --> 00:15:20,689 pretty 313 00:15:15,470 --> 00:15:25,630 they're pretty deep but the overall 314 00:15:20,690 --> 00:15:31,400 structure of our request is this massive 315 00:15:25,630 --> 00:15:33,410 let's see if we can find the the actual 316 00:15:31,400 --> 00:15:35,750 XML and I'll zoom in here in a bit but 317 00:15:33,410 --> 00:15:38,990 we have the envelope and then we have 318 00:15:35,750 --> 00:15:41,120 the actual request header and in there 319 00:15:38,990 --> 00:15:43,790 where say we have to specify the exact 320 00:15:41,120 --> 00:15:45,800 version of exchange as well as what 321 00:15:43,790 --> 00:15:47,930 action we want to take here we're 322 00:15:45,800 --> 00:15:51,410 actually going to get user settings and 323 00:15:47,930 --> 00:15:54,709 then we can also provide the connecting 324 00:15:51,410 --> 00:15:57,530 sit if we wanted to impersonate but the 325 00:15:54,710 --> 00:16:01,100 real magic is all in the body and this 326 00:15:57,530 --> 00:16:03,949 is saying in the get user settings 327 00:16:01,100 --> 00:16:06,620 message we actually are requesting these 328 00:16:03,950 --> 00:16:10,250 settings we're requesting the internal 329 00:16:06,620 --> 00:16:12,110 uws URL the the external the user DN so 330 00:16:10,250 --> 00:16:14,000 on and so forth and so you can request 331 00:16:12,110 --> 00:16:15,980 whatever attributes that you want or you 332 00:16:14,000 --> 00:16:21,320 can just get them all pretty 333 00:16:15,980 --> 00:16:22,700 straightforward but if you don't want to 334 00:16:21,320 --> 00:16:24,740 use out a discovery and you're already 335 00:16:22,700 --> 00:16:25,430 kind of know or if you want to use 336 00:16:24,740 --> 00:16:27,140 autodiscover 337 00:16:25,430 --> 00:16:28,910 and you can actually provide a very 338 00:16:27,140 --> 00:16:30,770 specific you know that you're on office 339 00:16:28,910 --> 00:16:32,660 365 then you can do that as well 340 00:16:30,770 --> 00:16:35,960 you can 
you can limit the scope a little 341 00:16:32,660 --> 00:16:39,949 bit but the other versions are office 342 00:16:35,960 --> 00:16:44,240 365 exchange 2019 16 all the way to 343 00:16:39,950 --> 00:16:48,050 exchange 2010 I can support 2007 but how 344 00:16:44,240 --> 00:16:55,100 dare you ever beyond 2007 if you are 345 00:16:48,050 --> 00:16:56,660 please don't tell me run so the size 346 00:16:55,100 --> 00:16:58,580 autodiscover you know if you actually 347 00:16:56,660 --> 00:17:00,530 know your exchange URL you could provide 348 00:16:58,580 --> 00:17:01,460 that as well so a direct connection so 349 00:17:00,530 --> 00:17:05,930 if you have you know your email 350 00:17:01,460 --> 00:17:09,140 addresses or funky soup comm or whatever 351 00:17:05,930 --> 00:17:11,660 I'm just making things up but you did 352 00:17:09,140 --> 00:17:16,339 but your actual you exchange version is 353 00:17:11,660 --> 00:17:18,650 going to be soup funky so we'll never 354 00:17:16,339 --> 00:17:21,909 guess it right then you can actually 355 00:17:18,650 --> 00:17:25,400 pass in that I that for your realm and 356 00:17:21,910 --> 00:17:28,180 again you can pass in if you wanted to 357 00:17:25,400 --> 00:17:29,740 actually impersonate 358 00:17:28,180 --> 00:17:31,570 so all these objects that I'm talking 359 00:17:29,740 --> 00:17:33,040 about are the user config and all we're 360 00:17:31,570 --> 00:17:35,050 doing is setting up the how do we gonna 361 00:17:33,040 --> 00:17:36,850 authenticate what are the reasons are we 362 00:17:35,050 --> 00:17:38,919 gonna do autodiscover are we actually 363 00:17:36,850 --> 00:17:41,139 going to impersonate or do we already 364 00:17:38,920 --> 00:17:43,360 have rights if we do we're good to go 365 00:17:41,140 --> 00:17:46,120 but all of those object that object 366 00:17:43,360 --> 00:17:48,010 however we create it will actually be 367 00:17:46,120 --> 00:17:52,719 passed into what they call a service 368 00:17:48,010 --> 
00:17:55,150 endpoint and currently these are the 369 00:17:52,720 --> 00:17:58,900 ones that we actually support so we can 370 00:17:55,150 --> 00:18:02,290 delete items we can get their mailbox 371 00:17:58,900 --> 00:18:04,300 rules you can get all the searchable 372 00:18:02,290 --> 00:18:06,580 mailboxes meaning whatever I'm 373 00:18:04,300 --> 00:18:08,230 indicating with these are all the 374 00:18:06,580 --> 00:18:10,870 mailboxes that I have rights to actually 375 00:18:08,230 --> 00:18:12,880 search cool thing is that they'll 376 00:18:10,870 --> 00:18:14,530 actually expand all distribution groups 377 00:18:12,880 --> 00:18:19,150 found and automatically add them to a 378 00:18:14,530 --> 00:18:21,100 list you can resolve the names and you 379 00:18:19,150 --> 00:18:25,200 can actually search those mailboxes and 380 00:18:21,100 --> 00:18:25,199 this is where the the GC stuff gets 381 00:18:26,070 --> 00:18:31,240 alright so these are three situations 382 00:18:28,270 --> 00:18:34,480 anyone recognize these and I can read 383 00:18:31,240 --> 00:18:37,180 them off but as a security professional 384 00:18:34,480 --> 00:18:40,030 when someone within my or get reports a 385 00:18:37,180 --> 00:18:41,500 malicious message I want to find in 386 00:18:40,030 --> 00:18:43,450 search all mailboxes for a similar 387 00:18:41,500 --> 00:18:47,470 message right that's pretty a pretty 388 00:18:43,450 --> 00:18:48,640 straightforward use case but as a 389 00:18:47,470 --> 00:18:50,710 security professional 390 00:18:48,640 --> 00:18:52,660 I want to active the hunt for malicious 391 00:18:50,710 --> 00:18:55,090 messages so you have a list of my OCS 392 00:18:52,660 --> 00:18:56,920 you have specific attachments you know 393 00:18:55,090 --> 00:18:59,139 that certain keywords are in the body of 394 00:18:56,920 --> 00:19:01,390 the message certain email sender or so 395 00:18:59,140 --> 00:19:03,780 on and so forth this is where you're 396 00:19:01,390 --> 
00:19:06,100 actually you know going on hunting for 397 00:19:03,780 --> 00:19:08,800 actual delicious messages in your 398 00:19:06,100 --> 00:19:09,679 environment by the way don't click on 399 00:19:08,800 --> 00:19:12,430 400 00:19:09,680 --> 00:19:15,070 [Music] 401 00:19:12,430 --> 00:19:18,180 as a security professional though I want 402 00:19:15,070 --> 00:19:23,080 to find all the emails received today 403 00:19:18,180 --> 00:19:24,430 that have any URL or any attachment and 404 00:19:23,080 --> 00:19:28,510 I want to I want to know all of this 405 00:19:24,430 --> 00:19:31,870 right that's pretty cool we'll show you 406 00:19:28,510 --> 00:19:33,460 how you can do all of this so the 407 00:19:31,870 --> 00:19:35,979 typical workflow that you'll receive 408 00:19:33,460 --> 00:19:38,110 right for that first kind of use case 409 00:19:35,980 --> 00:19:40,690 and a few others is will actually 410 00:19:38,110 --> 00:19:42,310 retrieve all the emails and we can 411 00:19:40,690 --> 00:19:45,550 actually we need to find all the 412 00:19:42,310 --> 00:19:48,300 mailboxes within our org too and you can 413 00:19:45,550 --> 00:19:50,740 specify a very specific set of users or 414 00:19:48,300 --> 00:19:53,169 everyone in your work just kinds of 415 00:19:50,740 --> 00:19:54,700 depends on your scope but then we want 416 00:19:53,170 --> 00:19:57,460 to actually search all those mailboxes 417 00:19:54,700 --> 00:20:01,660 and we need to provide a specific search 418 00:19:57,460 --> 00:20:04,180 term that we want to provide and we can 419 00:20:01,660 --> 00:20:06,640 actually delete all of those messages or 420 00:20:04,180 --> 00:20:10,170 very specific ones and there's a couple 421 00:20:06,640 --> 00:20:10,170 different options when we talk about the 422 00:20:10,920 --> 00:20:20,050 so get searchable mailboxes this is all 423 00:20:15,970 --> 00:20:22,270 about finding again all of those 424 00:20:20,050 --> 00:20:24,820 messages in like I said you can 
actually 425 00:20:22,270 --> 00:20:27,790 expand any found groups and they're all 426 00:20:24,820 --> 00:20:29,470 contained within those mailboxes but 427 00:20:27,790 --> 00:20:31,930 when you return each mailbox we can 428 00:20:29,470 --> 00:20:34,870 actually search an ad based on this 429 00:20:31,930 --> 00:20:37,360 reference ID this is the mailbox ID this 430 00:20:34,870 --> 00:20:40,899 is a unique identifier for that 431 00:20:37,360 --> 00:20:42,399 attribute in the mailbox database and if 432 00:20:40,900 --> 00:20:44,980 you wanted to filter a list you can add 433 00:20:42,400 --> 00:20:47,440 logic there as well but for the scope 434 00:20:44,980 --> 00:20:59,860 it's mostly everyone wants to search 435 00:20:47,440 --> 00:21:05,740 everything can you see that or is that 436 00:20:59,860 --> 00:21:10,270 pretty small every time I like zoom in 437 00:21:05,740 --> 00:21:13,150 it jumps that's still pretty small but 438 00:21:10,270 --> 00:21:14,740 here we're actually just getting all 439 00:21:13,150 --> 00:21:16,570 those mailboxes and it's returning their 440 00:21:14,740 --> 00:21:19,060 IDs as well as some attributes like what 441 00:21:16,570 --> 00:21:21,370 is there a some TV address what is their 442 00:21:19,060 --> 00:21:23,230 name their display name so on and so 443 00:21:21,370 --> 00:21:25,899 forth those are just basic attributes 444 00:21:23,230 --> 00:21:27,400 for that for that item and so we can 445 00:21:25,900 --> 00:21:33,970 actually go through and filter those if 446 00:21:27,400 --> 00:21:36,190 we wanted to all right so the search 447 00:21:33,970 --> 00:21:38,460 mailbox so we now if we actually have 448 00:21:36,190 --> 00:21:40,900 our list of messages that we want or 449 00:21:38,460 --> 00:21:42,929 mailboxes that we want to search we need 450 00:21:40,900 --> 00:21:47,740 to back actually perform a search and 451 00:21:42,929 --> 00:21:51,190 the one reason why pi e WS is extremely 452 00:21:47,740 --> 00:21:52,720 
powerful is it is faster than anything 453 00:21:51,190 --> 00:21:54,460 else out there 454 00:21:52,720 --> 00:21:58,240 you wouldn't think for this old protocol 455 00:21:54,460 --> 00:22:01,690 of soap sidenote soap is actually a 456 00:21:58,240 --> 00:22:04,450 standard by an RFC standard rest is not 457 00:22:01,690 --> 00:22:06,700 at all it never has been never will be 458 00:22:04,450 --> 00:22:12,429 but soap is and it has been for many 459 00:22:06,700 --> 00:22:15,309 years but so give another that single or 460 00:22:12,429 --> 00:22:17,020 a list of mailboxes of those reference 461 00:22:15,309 --> 00:22:19,899 IDs we can actually perform our search 462 00:22:17,020 --> 00:22:23,679 so we just need to import the from PI 463 00:22:19,900 --> 00:22:27,850 EWS search mailboxes give it a list and 464 00:22:23,679 --> 00:22:30,490 you can see here this subject account 465 00:22:27,850 --> 00:22:32,199 that is actually our search term so I'm 466 00:22:30,490 --> 00:22:34,320 looking at the subject for any emails 467 00:22:32,200 --> 00:22:37,990 that have the word account on them 468 00:22:34,320 --> 00:22:39,760 pretty basic we need to pass in that 469 00:22:37,990 --> 00:22:41,530 user configuration object that we 470 00:22:39,760 --> 00:22:44,049 created however we want to actually 471 00:22:41,530 --> 00:22:46,720 authenticate and then our reference IDs 472 00:22:44,049 --> 00:22:48,580 so whatever mailboxes we want to 473 00:22:46,720 --> 00:22:50,890 actually search and then when we 474 00:22:48,580 --> 00:22:53,649 actually print those we can we can 475 00:22:50,890 --> 00:22:58,540 return a whole bunch of properties on 476 00:22:53,650 --> 00:23:03,220 each message that it actually found so 477 00:22:58,540 --> 00:23:12,580 this search query is all about it's a 478 00:23:03,220 --> 00:23:15,549 hand or logic so we're gonna actually 479 00:23:12,580 --> 00:23:16,990 run a search here and right now we're 480 00:23:15,549 --> 00:23:19,960 printing out 
the body of the message. This is just the raw, like, HTML. We have a conversation index, the created time, culture, date time received, time sent, display info, flags, has attachments, importance (I'm skipping some), is draft, is resend, is submitted, last modified, this is the raw MIME content and it's all base64, this is the entire message. We have the OWA link, we have sender, sensitivity, set value, unique hash, this is the base64-decoded raw MIME content with full headers, with full message body, with everything that, if you open that .msg or .eml, this is what you would see inside of it. And we have some other attributes, but the entire list, and I'm gonna kind of slowly scroll, there's many, there's like 30 that you can choose, and so you have access to everything about that message, and if you wanted to get the attachment you can do that as well. So, OWA link, we have sensitivity, sort value. A couple of side notes here for some of these attributes is that the, like, flag: did the user actually flag that message? Why is that important? All right,
I mean that is, you know, that the user interacted with it, or someone did in that mailbox, and that they flagged it for review. So they looked at it, they may have thought it was suspicious, who knows, you got to ask the user. Importance: was it sent at high priority? Importance is hugely important, especially when you're defending against BEC and other types of attacks, and you want to know, are they trying to trick you into thinking this is a really, really important message, you need to act now. We also have, again, the MIME content. Was it read? Did the user actually read the message or not? That means that they opened it and they took a gander. And to recipients, and some other match words, but there's a lot of attributes in here that are extremely useful. So the search syntax is all based on Exchange's, what they call AQS, and it's Advanced Query Syntax, and it's pretty straightforward. But besides the subject:account example on the previous slide, you can actually search a lot more options. So you could specify if you wanted a very specific from user, or
or a wildcard, you can just add a star to it, so some domain, you know, a star at some domain (*@somedomain), the CC field, BCC, any participants, the subject. And you can actually see that the "product" and "product development", those two in that bracket means any of those two words, and not a full string; if you wanted the full string, you actually have to put it in quotes. In your body, content, attachment, you can actually search for attachment names or extensions. You add any other kind of, there are some other properties, but you know, also filter by when, like time and time range, and you have these AND, OR, or NOT connectors. Woo, we're gonna... technical difficulties. I do everything in markdown because it's fun. Oh man, we're just gonna go old-school. So the actual, you know, some attributes that you can run is that this is one: subject account and body has the word "click" in it and it was received today, right, pretty straightforward search. But you can also say okay, let's do subject
account, body click, and the attachment had the word "fax" in it somewhere, doesn't matter where it's at, it had fax. You'd also specify a GUID, from Mr. Robot or from me, and subject, right, any of those keywords in the subject: raised, upgrade, warning, expire, so on and so forth. You can do subject Office 365 but not from the IT department. Again, body http*: is there any HTTPS or HTTP links, or FTP, or whatever you want, in the body of the message. Or attachment:*, any message with an attachment, doesn't really matter what it is, we don't care, we just want them all. So in that case that's our third use case of, you know, finding all messages that have URLs and/or attachments that have been sent today, pretty straightforward to do with EWS. We can also specifically, you know, delete messages, and each deleted message has a couple different options. There is the hard delete, that means it's not recoverable and it is permanently removed from the mailbox database. You can soft delete, which means if you have the, yeah, what do they call it, then yeah,
dumpster enabled you can actually recover that message, in your recovered messages I think is what it's called, or whatever, but you can actually recover. Or you can just move to the deleted items, pretty straightforward. To actually use this we just need to provide a very specific message ID to our delete item object or class, and we can actually provide a user config, and then we just print out the response and it says hey, we deleted this message, pretty straightforward. So that's only if you really need to actually delete a message. I'm actually gonna go back here and look at these, this property again. So to actually print out some of these, and this is one thing I skipped over, you just access, anyone familiar with dicts or dictionaries or lists in Python? Anyone from there, when Python... yeah, I just started on Python last year or the beginning of this year; before it was all PowerShell, and I love it, like it. So if you haven't checked it out, I actually did another talk at BSides Springfield, they did a comparison between PowerShell and
Python, side-by-side comparison, so yeah, if you're interested in that let me know. But you access it by just, you know, accessing that object and that dictionary name of message ID or sender or any of these other, like MIME content, so on and so forth. All right, so what are the great things here, let's see if we can actually expand this, is that you can add new endpoints really extremely easy with py-ews. I've made it in such a way where it's extensible; like last night I actually realized that it wasn't getting the entire MIME content and added that in like 10 minutes by a little Google and some code. But overall how the actual ServiceEndpoint, you need to inherit a ServiceEndpoint, which is how it's going to actually do all the SOAP requests in the backend, and you just need to actually provide what your SOAP message is gonna look like. And in here again we're actually, you know, forming our message, and we have the XML signifier for every, anyone here used XML? Hate it, love it, I mean it sucks but it's what we get. And you
actually have the SOAP envelope, and in each one of these you can actually specify what the syntax is for that SOAP. Here you can see where it says xmlns, that's the namespace of this XML document, and a namespace is just like what you see in C#, PowerShell, whatever, almost every language, they have namespaces of what you can access based on that definition. And there's just like the basic XML namespace, but we know that it's a SOAP namespace. We can also provide the xmlns:t and this is the types. So Microsoft, everything is based on a WSDL file, it's a Windows verb, it's a Web Service Description Language I think is what it stands for, acronyms are horrible, but it's a definition of all the services that you have available and what you actually have access to, and each one of those actually has inherited types, and those types are the actual functions that you can perform, and they're extremely detailed. You also have the different messages, and those are typically the message attributes that
you'll find the body as well as any metadata around it. And which, we close off our header, or I'm sorry, we're starting a header there, and we actually provide a specific version of Exchange. So whether Office 365, which was actually Exchange 2016, we have Exchange 2019, 2010, so on and so forth, but we need to provide that in the header to say hey, I'm trying to, okay here's my creds, this is the version that I know. If you don't provide one that is a valuable, or a known, attribute to that Exchange server, it'll just say I don't know what the hell you're talking about. And then the impersonation header as well. And here is where the fun stuff is, with the body elements, and this is where you can actually get very specific details. I'm gonna switch over here, don't look. So this approach, talking about with the GetItem, this is actually getting all the attributes of a mail message. Again we have our very basic SOAP, we have our header, but the body is where we actually define what we want to do, and here we're saying okay, GetItem,
here's the type or the namespace and the type that we want to use, and the ItemShape is going to be: okay, we want to get all the properties, we want to include the MIME content, we want to have the Best body type. There's a couple different options for HTML or plain text, but if you use Best it'll just try to figure it out. It's weird that they actually use "Best"; I don't know of any other property that actually, it's like, oh, Best is what works. Additional properties is where we would actually find the property tag, and anyone ever seen the Exchange MS-OX specs? It is literally 900 pages of, just, yeah, you have a headache after reading them, they're massive, but they explain every single property type and what those attributes are. And here we're saying this is a property type of string, but the property tag is this hex code. I don't know what the hell that means, I just know that it points to the message pointer of all message headers in raw format. I don't really care why it does that, but it does. And then we provide the actual message ID, so this is
the very specific message ID. You can't store message IDs because they change, they're always different. They have to get moved if that email gets updated, if something else in the mailbox needs that ID, and it just kind of, you know, messes things around, especially if you move a message, it's automatically gonna be a new message ID and all that. So if a user touches it or replies to it, it's gonna have a new message ID. So you need to make sure that, you know, if you're looking through this you need to build in some logic to actually, you know, use the same, or find a way to actually find that message and not rely on the message ID you found yesterday. And then we're actually just formatting the body with our variables, and we close that SOAP header and we're good to go. There's also, anyone here just Office 365? So I wanted to point out that there's this other tool that I wrote, it's actually called Graphish. This will actually show, the demo gods... so this is called Graphish. So I'm horrible at names, I'm not a marketing
person, but I looked at it because it's Microsoft Graph API and "fish", so I just kind of combined the two words, clever. But this is Graphish, and this actually does the same exact thing but using Microsoft Graph API, but it requires OAuth 2 authentication, if anyone's familiar with OAuth 2. But it will actually let you search, delete, move messages, get inbox rules, all that, all through Microsoft Graph API, which is a REST-based API, which you don't have to provide all the SOAP and all that other stuff, but only for Office 365. Doesn't work for Exchange Online or Exchange on-premise. Current/future features: again, create a new search, and the search actually does it a little bit different. Instead of, with a search in py-ews or in SOAP and regular Exchange, it actually will create a folder, you can move messages that you found in that search; but with Graph it will actually create a hidden folder in the user's mailbox that will contain all messages found, and also, once you actually create a search, any message that's found after
you've created that search will be added to that folder as well, which is extremely powerful if you have like generic rules that you want: anyone with any PDF that has fax... sent, or whatever you wanted, to move to this hidden folder. The user can't access it, but if you have rights, again which you delegate through Azure Active Directory, you can actually hold those messages and just keep a repository across all your mailboxes, pretty powerful. You can delete that search, which will basically release those messages from that folder. You can actually delete a message, you can list all the mailbox rules across your organization, and this is again super fast, pretty easy to use as well. This package is pretty straightforward, but the other thing is you can actually move messages to a different folder, so not just deleted items. So if you just had like a phishing hidden folder in your user's mailbox, you can move those as well. All right, I'm actually done a little early, sorry for the demo delays, but here's the actual
documentation. So py-ews is on readthedocs.io, it's pretty detailed, and then it explains like all the class attributes. And there's also the repository, which you can just go fork or, you know, clone, however you want to do it. I wrote a blog about it for work at Swimlane, it's swimlane.com/blogs. I also did one for Graphish as well, and I have like a five-part series explaining a lot too, if you're ever interested, because it's... it's a mess. Also a personal blog, Let's Automate It, and on Twitter I'm MSAdministrator, and that means Microsoft administrator, not Miss