O365 eDiscovery - using wildcards in email addresses  

fraudit
(@fraudit)
Member

I have an issue with an e-discovery project. A customer insists on using their O365 Security & Compliance environment to do the search.

At the same time they want me to run a search including recipients grouped under a particular external domain. I was hoping that I can simply use
to*@domain.com
but it looks like I'm not allowed to use wildcards in email addresses at all.

I hoped it's related to this limitation outlined in the documentation
You can use only prefix wildcard searches; for example, cat* or set*. Suffix searches (*cat), infix searches (c*t), and substring searches (*cat*) are not supported.
but apparently in email addresses I cannot use a wildcard at any position. It looks like I need to supply a full email address only; otherwise it won't work.

Am I correct here? Is there a way to overcome this limitation and search through all possible users in a given domain using O365 ediscovery module?

Posted : 27/02/2020 2:46 pm
trewmte
(@trewmte)
Community Legend

I have an issue with an e-discovery project. A customer insists on using their O365 Security & Compliance environment to do the search.

At the same time they want me to run a search including recipients grouped under a particular external domain. I was hoping that I can simply use
to*@domain.com
but it looks like I'm not allowed to use wildcards in email addresses at all.

I hoped it's related to this limitation outlined in the documentation
You can use only prefix wildcard searches; for example, cat* or set*. Suffix searches (*cat), infix searches (c*t), and substring searches (*cat*) are not supported.
but apparently in email addresses I cannot use a wildcard at any position. It looks like I need to supply a full email address only; otherwise it won't work.

Am I correct here? Is there a way to overcome this limitation and search through all possible users in a given domain using O365 ediscovery module?

Can you dump (CSV output) all the users in the O365 Global Address List (GAL) to find more email addresses and the email groups to which they belong instead of whittling down to *@domain.com?

Posted : 27/02/2020 4:36 pm
fraudit
(@fraudit)
Member

The problem is that the domain in question is the external domain, not our corporate domain.

I've got some advice on the MS forums to use the "participants" property for this purpose. It makes sense, but I guess I would then also need some operator that would stand for "contains", and all I can see in the documentation is a colon, which for me stands only for "equals"…

Posted : 27/02/2020 4:53 pm
trewmte
(@trewmte)
Community Legend

The problem is that the domain in question is the external domain, not our corporate domain.

I've got some advice on the MS forums to use the "participants" property for this purpose. It makes sense, but I guess I would then also need some operator that would stand for "contains", and all I can see in the documentation is a colon, which for me stands only for "equals"…

Does your Project prevent you from using Red Team pen tester tactics?

Posted : 27/02/2020 5:11 pm
fraudit
(@fraudit)
Member

Well, they do. They have an in-house forensic/compliance guy who steers the project. I'm only his hands…

Posted : 27/02/2020 5:43 pm
trewmte
(@trewmte)
Community Legend

Well, they do. They have an in-house forensic/compliance guy who steers the project. I'm only his hands…

Maybe have a look at

https://github.com/sensepost/ruler

or

https://github.com/Narcolapser/python-o365#email

Posted : 27/02/2020 5:58 pm
Rich2005
(@rich2005)
Active Member

Can you not just use todomain.xyz?
(This implies you can - https://docs.microsoft.com/en-us/microsoft-365/compliance/keyword-queries-and-search-conditions?view=o365-worldwide)

Posted : 28/02/2020 7:44 am
fraudit
(@fraudit)
Member

Indeed, looks like "[email protected]" does the job! )

Posted : 28/02/2020 9:21 am
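For anyone running the same kind of scoped search from Security & Compliance PowerShell rather than the portal, here is an added example (it is not code from any poster in this thread). It assumes the ExchangeOnlineManagement module, a role that permits Content Search, and the domain-only form of the `to:` property that the Microsoft keyword-query documentation linked above describes; the domain and search name are placeholders.

```powershell
# Added example, not from the thread. Scope a Content Search to every
# recipient in one external domain without using a wildcard address.
# Assumes: ExchangeOnlineManagement module installed, an account with
# Content Search permission, and the domain-only "to:domain" query form.
Connect-IPPSSession

$domain     = 'external-domain.example'        # placeholder domain
$searchName = "Recipients-$domain"             # placeholder search name

# "to:" matches the To field only. Use "participants:" instead if the
# scope must also cover From, Cc and Bcc (the property the thread discusses).
$query = "to:$domain"

New-ComplianceSearch -Name $searchName `
                     -ExchangeLocation All `
                     -ContentMatchQuery $query
Start-ComplianceSearch -Identity $searchName

# Poll until the search completes, then review the item count before
# exporting anything, so an over- or under-scoped query is caught early.
do {
    Start-Sleep -Seconds 30
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -ne 'Completed')

$search | Select-Object Name, Status, Items, ContentMatchQuery
```

A sanity check worth doing before exporting: run the same search once with one known full address from that domain and confirm its hits are a subset of the domain-scoped result; if the domain form returns zero items while the full address returns hits, the domain-only syntax is not being honoured in that tenant and the query needs revisiting.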