Series: PowerShell Automation

Automating with PowerShell: Deploying External e-mail markers

Kelvin Tegelaar | 29 Nov, 2021 | 2 Mins Read

A while back I’ve blogged about deploying e-mail spoofing warnings. These warns inject a little bit of HTML into e-mails to let people know a e-mail is external or not trusted. For a while now Microsoft has a native option for this. You do need a somewhat recent version of Outlook but the native version works a little better than just injecting HTML.

A lot of bad actors these days understand we’re injecting HTML and have started adding CSS/HTML to their spoofed e-mails to hide this warning. Using Microsoft’s native warnings this cannot happen. These native warnings are actually a part of the client instead of just some injected code.

Deploying it is pretty easy; Microsoft has created a new cmdlet called “Set ExternalInOutlook”. Of course as Microsoft Partners we get to execute this for all of our partners using the Secure Application Model.

I’d really recommend to just set this up for all tenants, as it’s a nice and unobtrusive method of showing these warnings.

All Tenants Script

$ApplicationId = 'AppID'
$ApplicationSecret = 'AppSecret'
$RefreshToken = 'RefreshTokens'
$ENV:ExchangeRefreshToken = 'YourExchangeRefreshToken'
#
$credential = New-Object System.Management.Automation.PSCredential($ApplicationId, ($ApplicationSecret | ConvertTo-SecureString -AsPlainText -Force))
$graphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $refreshToken -Scopes 'https://graph.microsoft.com/.default' -ServicePrincipal

Write-Host "Connecting to the Graph API to get all tenants." -ForegroundColor Green
$Contractheaders = @{ "Authorization" = "Bearer $($graphToken.accesstoken)" }
$Customers = (Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/contracts?`$top=999" -Method GET -Headers $Contractheaders).value
foreach ($Customer in $Customers) {
    try {
        $upn = "notRequired@required.com"
        $uri = "https://login.microsoftonline.com/$($customer.customerid)/oauth2/token"
        $body = "resource=a0c73c16-a7e3-4564-9a95-2bdf47383716&grant_type=refresh_token&refresh_token=$($ENV:ExchangeRefreshToken)"
        $token = (Invoke-RestMethod $uri -Body $body -ContentType "application/x-www-form-urlencoded" -ErrorAction SilentlyContinue -Method post).accesstoken | ConvertTo-SecureString -Force -AsPlainText
        $credential = New-Object System.Management.Automation.PSCredential($upn, $tokenValue)
        $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://ps.outlook.com/powershell-liveid?DelegatedOrg=$($customer.customerid)&BasicAuthToOAuthConversion=true" -Credential $credential -Authentication Basic -AllowRedirection -ErrorAction Continue
        Import-PSSession $session -ea Silentlycontinue -AllowClobber -CommandName "Set-ExternalInOutlook"
        Set-ExternalInOutlook -Enabled $true
        Get-PSSession | Remove-PSSession

    }
    catch {

write-host "Failed to set for $($customer.customerid)" }

}

And that’s it! as always, Happy PowerShelling. 🙂

Recent Articles

Series: PowerShell Automation
The return of CyberDrain CTF
09 Jan, 2023|2 Mins Read

CyberDrain CTF returns! (and so do I!)

It’s been since september that I actually picked up a digital pen equivalent and wrote anything down. This was due to me being busy with life but also my side projects like CIPP. I’m trying to get back into the game of scripting and blogging about these scripts. There’s still so much to automate and so little time, right? ;)

Series: PowerShell Monitoring
Monitoring with PowerShell: Monitoring Acronis Backups
05 Sep, 2022|3 Mins Read

Intro

This is a monitoring script requested via Reddit, One of the reddit r/msp users wondered how they can monitor Acronis a little bit easier. I jumped on this because it happened pretty much at the same time that I was asked to speak at the Acronis CyberSummit so it kinda made sense to script this so I have something to demonstrate at my session there.

Series: PowerShell Monitoring
Monitoring with PowerShell: Monitoring VSS Snapshots
30 Aug, 2022|2 Mins Read

Intro

Wow! It’s been a while since I’ve blogged. I’ve just been so swamped with CIPP that I’ve just let the blogging go entirely. It’s a shame because I think out of all my hobbies it’s one I enjoy the most. It’s always nice helping others achieve their scripting target. I even got a couple of LinkedIn questions asking if I was done with blogging but I’m not. Writing always gives me some more piece of mind so I’ll try to catch up again. I know I’ve said that before but this time I’ll follow through. I’m sitting down right now and scheduling the release of 5 blogs in one go. No more whining and no more waiting.