Preserve Phishing Email Evidence

Preservation | P1 | 45 min
Role: IR Analyst

Capture and preserve the original phishing emails with full headers, embedded URLs, attachments, and delivery metadata before quarantine or purge actions destroy this evidence.

Actions

  1. Export the original phishing email(s) in EML/MSG format with full internet headers preserved: use Outlook "Save As" or the Graph API to extract the raw message including X-headers and authentication results (SPF/DKIM/DMARC).
  2. Capture email delivery logs from Exchange message trace: Get-MessageTrace for the past 10 days, or submit a historical search for 11-90 days, to identify all recipients who received the phishing email.
  3. Preserve embedded URLs without clicking: extract all URLs from the email body and HTML source, capture them in a text file, and submit them to URL analysis tools (urlscan.io, VirusTotal) from an isolated analysis workstation.
  4. Quarantine but do NOT delete the phishing email from all recipient mailboxes: use Content Search + ComplianceSearchAction -Purge -PurgeType SoftDelete to move it to Recoverable Items (preserves evidence while removing it from the inbox).
  5. Capture the email authentication results: extract the SPF, DKIM, and DMARC verdicts from the headers to determine whether the email was spoofed, sent from a compromised legitimate account, or sent from an attacker-controlled domain.
  6. If attachments are present, save them to a quarantined network share with write-once permissions and calculate SHA256 hashes for IOC tracking.
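Once the EML from step 1 is on the analysis workstation, the header verdicts, URLs and attachment hashes required by steps 3, 5 and 6 can be recorded without opening anything. The script below is an added example, not part of this playbook; the message it parses is a constructed sample, and the only assumption is Python's standard library.

```python
# Added example (not part of the playbook): offline triage of a saved EML file.
# Records Authentication-Results verdicts, embedded URLs and attachment SHA256
# hashes so the evidence can be logged without clicking links or opening files.
import hashlib
import re
from email import message_from_bytes, policy

# Constructed sample message for demonstration only (not a real phishing email).
SAMPLE_EML = b"""\
Message-ID: <abc123@mail.example.net>
From: "IT Helpdesk" <helpdesk@example.net>
To: user@contoso.example
Subject: Password expires today
Authentication-Results: spf=fail (sender IP is 203.0.113.10) smtp.mailfrom=example.net; dkim=none (message not signed); dmarc=fail action=quarantine header.from=example.net
X-Originating-IP: [203.0.113.10]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://login.example.net/reset">Reset now</a>
<p>or visit http://203.0.113.10/login</p></body></html>
--b1
Content-Type: application/octet-stream; name="invoice.html"
Content-Disposition: attachment; filename="invoice.html"
Content-Transfer-Encoding: base64

PGh0bWw+dGVzdDwvaHRtbD4=
--b1--
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")          # URLs in text/html bodies
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)")   # verdicts in Authentication-Results

def triage_eml(raw: bytes) -> dict:
    """Return the evidence facts for one raw RFC 5322 message (bytes)."""
    msg = message_from_bytes(raw, policy=policy.default)
    auth = dict(AUTH_RE.findall(msg.get("Authentication-Results", "")))
    urls, attachments = set(), []
    for part in msg.walk():
        if part.is_attachment():
            # Hash the decoded payload; never execute or render the attachment.
            data = part.get_payload(decode=True) or b""
            attachments.append({"filename": part.get_filename(),
                                "sha256": hashlib.sha256(data).hexdigest()})
        elif part.get_content_type() in ("text/plain", "text/html"):
            urls.update(URL_RE.findall(part.get_content()))
    return {"message_id": msg.get("Message-ID"), "originating_ip": msg.get("X-Originating-IP"),
            "auth": auth, "urls": sorted(urls), "attachments": attachments}
```

Run it over each exported EML and store the returned dict alongside the message trace CSV; the URL list is what gets submitted to urlscan.io or VirusTotal, and the hashes go into IOC tracking.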

Queries

# PowerShell -- Export phishing email metadata via message trace (Exchange Online module; run Connect-ExchangeOnline first)
Get-MessageTrace -SenderAddress "<PHISHING_SENDER>" -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date) |
  Select-Object Received, SenderAddress, RecipientAddress, Subject, Status, MessageId |
  Export-Csv -Path "C:\Evidence\phishing_message_trace.csv" -NoTypeInformation

# PowerShell -- Content Search to find and soft-delete phishing email (Security & Compliance session; run Connect-IPPSSession first)
$searchName = "Phish-$(Get-Date -Format yyyyMMdd)"
$since = (Get-Date).AddDays(-7).ToString("yyyy-MM-dd")
# Quotes inside a PowerShell double-quoted string are escaped with a backtick, not a backslash
New-ComplianceSearch -Name $searchName -ExchangeLocation All -ContentMatchQuery "subject:`"<PHISH_SUBJECT>`" AND received>=$since"
Start-ComplianceSearch -Identity $searchName
# After the search completes (Get-ComplianceSearch -Identity $searchName reports Status Completed):
New-ComplianceSearchAction -SearchName $searchName -Purge -PurgeType SoftDelete

// KQL -- Identify all recipients and click activity
EmailEvents
| where SenderFromAddress == "<PHISHING_SENDER>"
| where Subject == "<PHISH_SUBJECT>"
| where Timestamp > ago(7d)
| project Timestamp, NetworkMessageId, RecipientEmailAddress, DeliveryAction, AuthenticationDetails, SenderIPv4
| join kind=leftouter (
    UrlClickEvents
    | where Timestamp > ago(7d)
    | project NetworkMessageId, UrlClickTimestamp=Timestamp, AccountUpn, Url, ActionType
) on NetworkMessageId
// Keep only clicks made by the recipient of that copy of the message (rows without a click are retained)
| where isempty(AccountUpn) or AccountUpn =~ RecipientEmailAddress
| sort by Timestamp asc

Notes

  • Always preserve the original email before any quarantine or purge action -- once purged, the evidence is gone
  • Email headers are critical for attribution: SPF/DKIM/DMARC results, the sending IP, and X-Originating-IP reveal the true source
  • Use soft-delete (not hard-delete) for quarantine so the evidence is preserved in Recoverable Items for legal holds