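<#
.SYNOPSIS
Basic POC/Example - Threat Submission using Security Graph API with TABL addition
Permission needed for submission --> Application - ThreatSubmission.ReadWrite.All
https://learn.microsoft.com/en-us/graph/api/security-emailthreatsubmission-post-emailthreats?view=graph-rest-beta&tabs=http
Permission needed to get the message id as reference for submission --> Application - Mail.ReadBasic.All OR Mail.Read
https://learn.microsoft.com/en-us/graph/api/message-get?view=graph-rest-1.0&tabs=http
Additional modules needed
* MSAL.PS Powershell module as prerequisite. https://www.powershellgallery.com/packages/MSAL.PS/4.37.0.0
* JWT https://www.powershellgallery.com/packages/JWTDetails/1.0.2
.DESCRIPTION
Microsoft Defender for Office 365 Admin Submission using Graph API with application permission.
It's a simple proof of concept with minimal error handling: every step that can fail stops the
script with a readable message instead of continuing with an empty value.
.NOTES
Fill in $tenantID, $clientID, $clientSecret, $Mailbox and $MessageID before running.
The client secret grants tenant-wide mail read and threat-submission rights: do not commit a
filled-in copy of this file, and prefer loading the secret from an environment variable or a
secret store rather than editing the literal below.
#>

# Make non-terminating cmdlet errors (token request, Graph calls) stop the script so a failed
# step is never silently followed by a submission built from empty values.
$ErrorActionPreference = 'Stop'

$tenantID = ''
$clientID = ''
# Placeholder only - see .NOTES. ConvertTo-SecureString rejects an empty string on purpose.
$clientSecret = ConvertTo-SecureString '' -AsPlainText -Force
if ([string]::IsNullOrWhiteSpace($tenantID) -or [string]::IsNullOrWhiteSpace($clientID)) {
    throw '$tenantID and $clientID must be filled in before running.'
}

# Using MSAL.PS powershell library to get the access token (client credentials flow).
$authResult = Get-MsalToken -ClientId $clientID -TenantId $tenantID -ClientSecret $clientSecret -ForceRefresh
$accessToken = $authResult.AccessToken
if ([string]::IsNullOrEmpty($accessToken)) {
    throw 'Get-MsalToken returned no access token.'
}

# Using jwtdetails module to show the audience, app name and app roles of the token.
# Only these claims are displayed, never the raw token; the roles must contain
# ThreatSubmission.ReadWrite.All and Mail.ReadBasic.All (or Mail.Read) for the calls below.
$accessToken | Get-JWTDetails | Select-Object aud, app_displayname, roles

# Bearer header shared by both Graph calls. Keep $headers out of logs and transcripts.
$headers = @{ 'Content-Type' = 'application/json'; 'Authorization' = 'Bearer ' + $accessToken }

# Mailbox (UPN or object id) that received the message, and the value of its Internet
# Message-ID header. $MessageID keeps its surrounding single quotes because it is inserted
# verbatim into the OData $filter below, e.g. "'<abc123@example.test>'" (constructed example).
$Mailbox = ''
$MessageID = "''"
if ([string]::IsNullOrWhiteSpace($Mailbox) -or $MessageID -eq "''") {
    throw '$Mailbox and $MessageID must be filled in before running.'
}

# Resolve the Graph message id from the Internet Message-ID.
# The backtick keeps `$filter literal so it reaches Graph as the OData query option.
$MessageIDQueryURL = "https://graph.microsoft.com/v1.0/users/{0}/messages?`$filter=(internetMessageId eq {1})" -f $Mailbox, $MessageID
$lookup = Invoke-RestMethod -Headers $headers -Uri $MessageIDQueryURL -Method Get
# Piping through Where-Object drops a $null 'value' so an absent/empty result counts as 0,
# and a multi-match result is rejected instead of producing an array-valued $id.
$found = @($lookup.value | Where-Object { $null -ne $_ })
if ($found.Count -ne 1) {
    throw "Expected exactly one message matching $MessageID in $Mailbox, found $($found.Count)."
}
$id = $found[0].id

$GraphUrl = 'https://graph.microsoft.com/beta/security/threatSubmission/emailThreats'
$messageURL = "https://graph.microsoft.com/v1.0/users/{0}/messages/{1}" -f $Mailbox, $id

# $true  -> submit as "notjunk" and add a 30-day Tenant Allow/Block List allow entry
# $false -> submit the message as phishing
$allowAllow = $true
if ($allowAllow) {
    # Round-trip ISO 8601 ('o') format for expirationDateTime.
    $expirationDate = (Get-Date).AddDays(30) | Get-Date -Format o
    $submissionCategory = 'notjunk'
    $body = [PSCustomObject]@{
        '@odata.type'                = '#microsoft.graph.security.emailUrlThreatSubmission'
        category                     = $submissionCategory
        recipientEmailAddress        = $Mailbox
        messageUrl                   = $messageURL
        tenantAllowOrBlockListAction = @{
            action             = 'allow'
            expirationDateTime = $expirationDate
            note               = 'temporal allow the url/attachment/sender in the email - API done'
        }
    }
} else {
    $submissionCategory = 'phishing'
    $body = [PSCustomObject]@{
        '@odata.type'         = '#microsoft.graph.security.emailUrlThreatSubmission'
        category              = $submissionCategory
        recipientEmailAddress = $Mailbox
        messageUrl            = $messageURL
    }
}
# -Depth is explicit so the nested tenantAllowOrBlockListAction object is never truncated.
$bodyJSON = $body | ConvertTo-Json -Depth 4

try {
    $Submissionresult = Invoke-WebRequest -Uri $GraphUrl -Headers $headers -Body $bodyJSON -Method Post -ContentType 'application/json'
    Write-Output "Submission accepted: HTTP $($Submissionresult.StatusCode)"
    Write-Output $Submissionresult.Content
} catch {
    # Report the HTTP status and Graph's error body. $headers (bearer token) is
    # deliberately not echoed. $_.ErrorDetails may be empty on some hosts - TODO confirm.
    $status = $null
    if ($_.Exception.Response) { $status = $_.Exception.Response.StatusCode }
    Write-Error ("Submission failed (HTTP {0}): {1}" -f $status, $_.ErrorDetails.Message)
}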