MTL-Analyzer
MTL-Analyzer.ps1 is a PowerShell script used to simplify the analysis of M365 Message Trace Logs extracted via Microsoft-Extractor-Suite by Invictus-IR. Message Trace Logs are useful for identifying suspicious messages sent by attackers from compromised accounts, and can also aid in identifying the initial phishing emails that led to the compromise.
Note: Single User Audit only.

Fig 1: MTL-Analyzer

Fig 2: Hunt.xlsx - Filter column 'Country Name' or 'ASN' by Color → Filter by Cell Color 'Red'

Fig 3: ASN (Stats) w/ ASN Blacklisting and ASN Whitelisting

Fig 4: Country (Stats)

Fig 5: FromIP (Stats)

Fig 6: Delivery Status (Stats)
| Name | Description |
|---|---|
| Delivered | The message was successfully delivered to the intended destination. |
| Expanded | A distribution group recipient was expanded before delivery to the individual members of the group. |
| Failed | The message wasn't delivered. |
| FilteredAsSpam | The message was identified as spam, and was rejected or blocked (not quarantined). |
| Pending | Delivery of the message is being attempted or reattempted. |
| Quarantined | The message was quarantined (as spam, bulk mail, or phishing). |
| Resolved | The message was redirected to a new recipient address based on an Active Directory lookup. When this event happens, the original recipient address is listed in a separate row in the message trace along with the final delivery status for the message. |

Fig 7: Subject / Delivery Status - Outbound (Stats) → Outgoing Spam
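The Delivery Status table above and the 'Subject / Delivery Status - Outbound' statistic describe the same triage idea: count the statuses Exchange Online assigned, then look at outbound messages from the audited mailbox that the service itself flagged as spam or quarantined. The following PowerShell is an added example illustrating that analysis over a constructed message trace; it is not code from MTL-Analyzer or Microsoft-Extractor-Suite. It assumes the CSV columns follow the Get-MessageTrace output properties (Received, SenderAddress, RecipientAddress, Subject, Status, FromIP, ToIP); the addresses, IPs and timestamps in the sample are made up.

```powershell
# Added example (not MTL-Analyzer's own code): delivery-status statistics and
# outbound-spam triage over a constructed message trace CSV.
# Assumed column names follow the Get-MessageTrace output properties
# (Received, SenderAddress, RecipientAddress, Subject, Status, FromIP, ToIP).

# Constructed sample data for a single audited mailbox (hypothetical addresses and IPs).
$AuditedUser = 'alice@contoso.example'
$SampleCsv = @'
Received,SenderAddress,RecipientAddress,Subject,Status,FromIP,ToIP
2024-05-01T08:02:11Z,bob@partner.example,alice@contoso.example,Q2 invoice,Delivered,203.0.113.10,
2024-05-01T09:15:42Z,alice@contoso.example,carol@contoso.example,Lunch?,Delivered,198.51.100.7,
2024-05-02T03:41:05Z,alice@contoso.example,victim1@example.net,Urgent: payment update,FilteredAsSpam,192.0.2.44,
2024-05-02T03:41:07Z,alice@contoso.example,victim2@example.org,Urgent: payment update,FilteredAsSpam,192.0.2.44,
2024-05-02T03:41:09Z,alice@contoso.example,victim3@example.com,Urgent: payment update,Quarantined,192.0.2.44,
2024-05-02T10:00:00Z,newsletter@shop.example,alice@contoso.example,Weekly deals,Quarantined,203.0.113.99,
'@

$Messages = $SampleCsv | ConvertFrom-Csv

function Get-DeliveryStatusStats {
    param([Parameter(Mandatory)][object[]]$Messages)
    # Count of messages per Delivery Status, highest first
    # (the same view as the 'Delivery Status (Stats)' sheet).
    $Messages | Group-Object -Property Status |
        Sort-Object -Property Count -Descending |
        Select-Object @{Name = 'Status'; Expression = { $_.Name }}, Count
}

function Get-OutboundSpamCandidates {
    param(
        [Parameter(Mandatory)][object[]]$Messages,
        [Parameter(Mandatory)][string]$User
    )
    # Outbound messages from the audited mailbox that Exchange Online itself
    # classified as spam or quarantined: a strong signal that a compromised
    # account is being used to send phishing. Grouped by Subject and source IP
    # so a single campaign shows up as one row with its recipient count.
    $Messages |
        Where-Object { $_.SenderAddress -eq $User -and $_.Status -in @('FilteredAsSpam', 'Quarantined') } |
        Group-Object -Property Subject, FromIP |
        ForEach-Object {
            [pscustomobject]@{
                Subject    = $_.Group[0].Subject
                FromIP     = $_.Group[0].FromIP
                Recipients = $_.Count
                FirstSeen  = ($_.Group.Received | Sort-Object | Select-Object -First 1)
            }
        }
}

function Get-OutboundVolumePerDay {
    param(
        [Parameter(Mandatory)][object[]]$Messages,
        [Parameter(Mandatory)][string]$User
    )
    # Outbound message count per calendar day. A sudden spike, especially one
    # tied to a FromIP the user never sent from before, is the pattern the
    # 'Outbound Messages (Line Chart)' sheet is meant to surface.
    $Messages |
        Where-Object { $_.SenderAddress -eq $User } |
        Group-Object -Property { ([datetime]$_.Received).ToString('yyyy-MM-dd') } |
        Select-Object @{Name = 'Day'; Expression = { $_.Name }}, Count
}

Get-DeliveryStatusStats -Messages $Messages | Format-Table -AutoSize
Get-OutboundSpamCandidates -Messages $Messages -User $AuditedUser | Format-Table -AutoSize
Get-OutboundVolumePerDay -Messages $Messages -User $AuditedUser | Format-Table -AutoSize
```

Run against a real export by replacing `$SampleCsv | ConvertFrom-Csv` with `Import-Csv` on the message trace file and setting `$AuditedUser` to the mailbox under investigation. In the sample, the three 'Urgent: payment update' messages sent from 192.0.2.44 at 03:41 collapse into one candidate row with three recipients, while the inbound quarantined newsletter is correctly left out because the audited user is not its sender.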

Fig 8: Outbound Messages (Line Chart)

Fig 9: GeoIP-Mapping w/ IPinfo CLI ('Map-All.txt')

Fig 10: MessageBox
Microsoft-Extractor-Suite: Get-MessageTraceLog
Get-MessageTrace
Message trace in the new Exchange admin center in Exchange Online