O365 eDiscovery - using wildcards in email addresses

(@fraudit)
Posts: 72
Trusted Member
Topic starter
 

I have an issue with an e-discovery project. A customer insists on using their O365 Security & Compliance environment to do the search.

At the same time they want me to run a search including recipients grouped under a particular external domain. I was hoping that I could simply use
to:*@domain.com
but it looks like I'm not allowed to use wildcards in email addresses at all.

I hoped it's related to this limitation outlined in the documentation:
"You can use only prefix wildcard searches; for example, cat* or set*. Suffix searches (*cat), infix searches (c*t), and substring searches (*cat*) are not supported."
but apparently in email addresses I cannot use a wildcard at any position. It looks like I need to supply a full email address only, otherwise it won't work.

Am I correct here? Is there a way to overcome this limitation and search through all possible users in a given domain using the O365 eDiscovery module?

 
Posted : 27/02/2020 2:46 pm
(@trewmte)
Posts: 1877
Noble Member
 

Can you dump (CSV output) all the users in the O365 Global Address List (GAL) to find more email addresses and the email groups to which they belong instead of whittling down to *@domain.com?

 
Posted : 27/02/2020 4:36 pm
(@fraudit)
Posts: 72
Trusted Member
Topic starter
 

The problem is that the domain in question is the external domain, not our corporate domain.

I've got advice on the MS forums to use the "participants" property for this purpose. It makes sense, but I guess I would then also need some operator that would stand for "contains", and all I can see in the documentation is a colon, and for me it stands only for "equals"…

 
Posted : 27/02/2020 4:53 pm
(@trewmte)
Posts: 1877
Noble Member
 

Does your Project prevent you from using Red Team pen tester tactics?

 
Posted : 27/02/2020 5:11 pm
(@fraudit)
Posts: 72
Trusted Member
Topic starter
 

Well, they do. They have an in-house forensic/compliance guy who steers the project. I'm only his hands…

 
Posted : 27/02/2020 5:43 pm
(@trewmte)
Posts: 1877
Noble Member
 

Maybe have a look at

https://github.com/sensepost/ruler

or

https://github.com/Narcolapser/python-o365#email

 
Posted : 27/02/2020 5:58 pm
(@rich2005)
Posts: 535
Honorable Member
 

Can you not just use to:domain.xyz?
(This implies you can - https://docs.microsoft.com/en-us/microsoft-365/compliance/keyword-queries-and-search-conditions?view=o365-worldwide)

 
Posted : 28/02/2020 7:44 am
(@fraudit)
Posts: 72
Trusted Member
Topic starter
 

Indeed, looks like "participants:@domain.com" does the job! :)

 
Posted : 28/02/2020 9:21 am
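
The domain-level search the thread arrives at, run from Security & Compliance PowerShell, as an added example that is not part of any post above. It assumes a session already opened with Connect-IPPSSession and eDiscovery permissions; the helper function, the domain `example-external.com` and the search name are placeholders, and the query uses the bare `property:domain` form shown on the Microsoft page linked above.

```powershell
# Added example (not from the thread). Placeholders: domain and search name.
function New-DomainParticipantQuery {
    param([Parameter(Mandatory)][string[]]$Domain)

    $clauses = foreach ($d in $Domain) {
        $d = $d.Trim().TrimStart('@').ToLowerInvariant()
        # Refuse wildcards and full addresses: only a plain domain name is accepted here,
        # since the thread found wildcards are not usable inside email addresses.
        if ($d -notmatch '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$') {
            throw "Not a plain domain name: '$d'"
        }
        # participants matches the From, To, Cc and Bcc fields of a message.
        "participants:$d"
    }
    '(' + ($clauses -join ' OR ') + ')'
}

$name  = 'ExtDomain-Participants'                      # placeholder search name
$query = New-DomainParticipantQuery -Domain 'example-external.com'

New-ComplianceSearch -Name $name -ExchangeLocation All -ContentMatchQuery $query | Out-Null
Start-ComplianceSearch -Identity $name

# Poll until the search completes, giving up after about 10 minutes.
$search = $null
foreach ($attempt in 1..40) {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $name
    if ($search.Status -eq 'Completed') { break }
}
if ($search.Status -ne 'Completed') {
    throw "Search '$name' did not complete; last status: $($search.Status)"
}

# Record the exact query text alongside the hit count for the case notes.
$search | Format-List Name, ContentMatchQuery, Items, Size
```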