beamzer · September 21, 2020 14:35
diff --git a/maltrieve.ps1 b/maltrieve.ps1
 <#
 .SYNOPSIS
    This script retrieves malware (or other) mails from the O365 - EOP quarantaine queue
    these are real malware e-mails and could cause massive damage to your PC, network, organisation and even beyond (remember WannaCry, NonPetya and others)
    Use a dedicated, isolated malware research workstation, and make sure you know what you are doing
    => Use at your own Risk <=

 .DESCRIPTION
    Fetch malware (or other) mails from Office365 EOP Quarantaine Queue

 .PARAMETER qDIR
    location prefix for folder where extracted mails shoud be stored
    default prefix is the type (e.q. if type = Malware, so is the prefix)

 .PARAMETER qTime
    The time period that we want to retrieve quarantaine queue mails for,
    standard is 24 hours, so get malware (or other) mails from the quarantaine queue for the last 24 hours

 .NOTES

    Version:       1.1

 #>

 #---------------------------------------------------------[Script Parameters]------------------------------------------------------
 [CmdletBinding()]
 Param (
    [ValidateSet("Bulk", "HighConfPhish", "Malware", "Phish", "Spam", "SPOMalware", "TransportRule")]
    [string]$qType,
    [ValidateRange(0, 240)]
    [int]$qTime,
    [string]$qDIR
 )

 #---------------------------------------------------------[Initialisations]--------------------------------------------------------

 $ErrorActionPreference = 'SilentlyContinue' # Set Error Action to Silently Continue

 #----------------------------------------------------------[Declarations]----------------------------------------------------------
 # get/set standard values

 $baseDIR = "C:\Users\[YourLocation]\"

 If (-not $qTime) {
    $qTime = 24
 }

 $qDateEnd = Get-Date
 $qDateStart = $qDateEnd.AddHours(-$qTime)

 $Start = (Get-Date).ToString('ddMMyy_HHmm')
 $Stop = (Get-Date).AddHours(-$qTime).ToString('ddMMyy_HHmm')

 If (-not $qType) {
    $qType="Malware"
    }

 If (-not $qDIR) {
    $qDIR = $qType
 }

 $OutDIR= $baseDIR + $qDIR + "-" + $Start + "-" + $Stop + "\"

 If (!(test-path $OutDIR))
 {
    Write-Host  "creating Output folder:  $OutDIR"
    New-Item -ItemType Directory -Force -Path $OutDIR
 }


 $qmsg = Get-QuarantineMessage -Direction Inbound -StartReceivedDate $qDateStart -QuarantineTypes $qType -pagesize 1000

 Foreach($msg in $qmsg){
    $id = $msg.Identity
    $e = Export-QuarantineMessage -Identity $id
    $file = "{0}{1}.eml" -f $OutDIR, $id.Replace("\","_")
    $bytes = [Convert]::FromBase64String($e.eml);
    [IO.File]::WriteAllBytes($file, $bytes)
    "$file.eml"
 }
	<#
	.SYNOPSIS
	This script retrieves malware (or other) mails from the O365 - EOP quarantaine queue
	these are real malware e-mails and could cause massive damage to your PC, network, organisation and even beyond (remember WannaCry, NonPetya and others)
	Use a dedicated, isolated malware research workstation, and make sure you know what you are doing
	=> Use at your own Risk <=

	.DESCRIPTION
	Fetch malware (or other) mails from Office365 EOP Quarantaine Queue

	.PARAMETER qDIR
	location prefix for folder where extracted mails shoud be stored
	default prefix is the type (e.q. if type = Malware, so is the prefix)

	.PARAMETER qTime
	The time period that we want to retrieve quarantaine queue mails for,
	standard is 24 hours, so get malware (or other) mails from the quarantaine queue for the last 24 hours

	.NOTES

	Version: 1.1

	#>

	#---------------------------------------------------------[Script Parameters]------------------------------------------------------
	[CmdletBinding()]
	Param (
	[ValidateSet("Bulk", "HighConfPhish", "Malware", "Phish", "Spam", "SPOMalware", "TransportRule")]
	[string]$qType,
	[ValidateRange(0, 240)]
	[int]$qTime,
	[string]$qDIR
	)

	#---------------------------------------------------------[Initialisations]--------------------------------------------------------

	$ErrorActionPreference = 'SilentlyContinue' # Set Error Action to Silently Continue

	#----------------------------------------------------------[Declarations]----------------------------------------------------------
	# get/set standard values

	$baseDIR = "C:\Users\[YourLocation]\"

	If (-not $qTime) {
	$qTime = 24
	}

	$qDateEnd = Get-Date
	$qDateStart = $qDateEnd.AddHours(-$qTime)

	$Start = (Get-Date).ToString('ddMMyy_HHmm')
	$Stop = (Get-Date).AddHours(-$qTime).ToString('ddMMyy_HHmm')

	If (-not $qType) {
	$qType="Malware"
	}

	If (-not $qDIR) {
	$qDIR = $qType
	}

	$OutDIR= $baseDIR + $qDIR + "-" + $Start + "-" + $Stop + "\"

	If (!(test-path $OutDIR))
	{
	Write-Host "creating Output folder: $OutDIR"
	New-Item -ItemType Directory -Force -Path $OutDIR
	}


	$qmsg = Get-QuarantineMessage -Direction Inbound -StartReceivedDate $qDateStart -QuarantineTypes $qType -pagesize 1000

	Foreach($msg in $qmsg){
	$id = $msg.Identity
	$e = Export-QuarantineMessage -Identity $id
	$file = "{0}{1}.eml" -f $OutDIR, $id.Replace("\","_")
	$bytes = [Convert]::FromBase64String($e.eml);
	[IO.File]::WriteAllBytes($file, $bytes)
	"$file.eml"
	}