Preserve Phishing Email Evidence
Capture and preserve the original phishing emails with full headers, embedded URLs, attachments, and delivery metadata before quarantine or purge actions destroy this evidence.
Actions
1. Export the original phishing email(s) in EML/MSG format with full internet headers preserved: use Outlook "Save As" or the Graph API to extract the raw message, including X-headers and authentication results (SPF/DKIM/DMARC)
2. Capture email delivery logs from Exchange message trace: Get-MessageTrace for the past 10 days, or submit a historical search for 11-90 days, to identify all recipients who received the phishing email
3. Preserve embedded URLs without clicking: extract all URLs from the email body and HTML source, capture them in a text file, and submit them to URL analysis tools (urlscan.io, VirusTotal) from an isolated analysis workstation
4. Quarantine but do NOT delete the phishing email from all recipient mailboxes: use Content Search + New-ComplianceSearchAction -Purge -PurgeType SoftDelete to move it to Recoverable Items (preserves evidence while removing it from the inbox)
5. Capture the email authentication results: extract the SPF, DKIM, and DMARC verdicts from the headers to determine whether the email was spoofed, sent from a compromised legitimate account, or sent from an attacker-controlled domain
6. If attachments are present, save them to a quarantined network share with write-once permissions and calculate SHA256 hashes for IOC tracking
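Steps 1, 3, 5 and 6 above done in one offline pass over a saved EML, as an added Python example that is not part of the original playbook: it reads the raw message without rendering it, pulls the SPF/DKIM/DMARC verdicts and X-Originating-IP from the headers, extracts every URL from the body source without visiting it, and hashes each attachment. The sample message, its sender domain, header values and attachment bytes are all constructed for the demo.

```python
import email
import hashlib
import re
from email import policy

# Constructed sample message for the demo (not a real capture); the sender domain,
# Authentication-Results header and attachment bytes are all invented.
SAMPLE_EML = b"""From: "IT Helpdesk" <helpdesk@example-phish.test>
To: victim@corp.example
Subject: Password expiry notice
Message-ID: <abc123@example-phish.test>
X-Originating-IP: [198.51.100.7]
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=example-phish.test; dkim=none; dmarc=fail header.from=example-phish.test
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset="utf-8"

<html><body>Reset here: <a href="http://example-phish.test/reset?u=1">link</a>
or visit http://cdn.example-phish.test/login.html</body></html>
--B1
Content-Type: application/octet-stream; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--B1--
"""

URL_RE = re.compile(r"""https?://[^\s"'<>]+""")

def preserve_evidence(raw: bytes) -> dict:
    """Parse the raw EML without rendering it: headers, auth verdicts, body URLs, attachment hashes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # SPF/DKIM/DMARC verdicts come from the receiving server's Authentication-Results header
    verdicts = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))
    urls, attachments = set(), []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True)  # decoded bytes, hashed but never opened or executed
            attachments.append({"filename": part.get_filename(),
                                "sha256": hashlib.sha256(data).hexdigest(), "size": len(data)})
        elif part.get_content_type() in ("text/plain", "text/html"):
            urls.update(URL_RE.findall(part.get_content()))  # taken from the source, not clicked
    return {"message_id": str(msg["Message-ID"]), "from": str(msg["From"]),
            "originating_ip": str(msg.get("X-Originating-IP")), "auth": verdicts,
            "urls": sorted(urls), "attachments": attachments}
```

Save the raw EML bytes to the write-once share first and run this over that copy, so the record you hash and the record you keep are the same file.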
Queries
// PowerShell -- Export phishing email metadata via message trace
Get-MessageTrace -SenderAddress "<PHISHING_SENDER>" -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date) |
    Select-Object Received, SenderAddress, RecipientAddress, Subject, Status, MessageId |
    Export-Csv -Path "C:\Evidence\phishing_message_trace.csv" -NoTypeInformation
// PowerShell -- Content Search to find and soft-delete phishing email
$searchName = "Phish-$(Get-Date -Format yyyyMMdd)"
$since = (Get-Date).AddDays(-7).ToString("yyyy-MM-dd")
# Backtick-escape the inner quotes (PowerShell does not treat \" as an escape)
New-ComplianceSearch -Name $searchName -ExchangeLocation All -ContentMatchQuery "subject:`"<PHISH_SUBJECT>`" AND received>=$since"
Start-ComplianceSearch -Identity $searchName
# After the search completes, soft-delete so the messages land in Recoverable Items:
New-ComplianceSearchAction -SearchName $searchName -Purge -PurgeType SoftDelete
// KQL -- Identify all recipients and click activity
EmailEvents
| where SenderFromAddress == "<PHISHING_SENDER>"
| where Subject == "<PHISH_SUBJECT>"
| where Timestamp > ago(7d)
| project Timestamp, RecipientEmailAddress, DeliveryAction, AuthenticationDetails, SenderIPv4
| join kind=leftouter (
UrlClickEvents
| where Timestamp > ago(7d)
| project UrlClickTimestamp=Timestamp, AccountUpn, Url, ActionType
) on $left.RecipientEmailAddress == $right.AccountUpn
| sort by Timestamp asc
// SPL -- Recipient and action counts from Proofpoint/Mimecast email gateway logs
index=email (sourcetype=proofpoint:pps OR sourcetype=mimecast:email) subject="<PHISH_SUBJECT>" sender="<PHISHING_SENDER>"
| stats count by recipient, action, subject, msg_id
| sort -count
Notes
Always preserve the original email before any quarantine or purge action -- once purged, the evidence is gone
Email headers are critical for attribution: SPF/DKIM/DMARC results, sending IP, and X-Originating-IP reveal the true source
Use soft-delete (not hard-delete) for quarantine to preserve evidence in recoverable items for legal holds