Icewolf.EXO.SpamAnalyze.psm1

##############################################################################
# Invoke-SpamAnalyze.ps1
# Get SPAM Detail Info for Specific MessageTraceID in MessageTrace
# V2.0.0 04.05.2021 - Andres Bohren / Initial Version
# V2.0.1 07.05.2021 - Andres Bohren / Bugfixes
# V2.0.2 09.05.2021 - Andres Bohren / Bugfixes
# V2.0.3 16.06.2021 - Andres Bohren / Bugfixes Improvements
# V2.0.4 30.09.2021 - Andres Bohren / Bugfixes Improvements
# V2.0.5 23.12.2021 - Andres Bohren / Bugfixes Improvements
# V2.0.6 01.03.2022 - Andres Bohren / Added dependency Module ExchangeOnlineManagement
# V2.0.7-Alpha 10.03.2022 - Andres Bohren / Added Error Handling (Try / Catch) for DNS over HTTPS Querys
# - DNS Query changed from Cloudflare to Google
# https://developers.google.com/speed/public-dns/docs/doh
# https://developers.google.com/speed/public-dns/docs/doh/json
# - Subject is Limited to 20 Characters, so the MessageTraceId is still visible at long Subjects
# V2.0.7-Beta
# - Added diffrent Error Handling (Try / Catch) for DNS over HTTPS Querys
# V2.0.7-Gamma
# - Added Info for Message Event "Send External"
# - Fixed Issue with DNS over HTTPS Querys
# V2.0.7-Delta
# - Requires now ExchangeOnlineModule 3.0.0
# V2.0.8 10.11.2022 - Andres Bohren
# - Requires now ExchangeOnlineModule 3.0.0
# - Addet TentantAllowBlockList checks
# V2.0.9 09.02.2022 - Andres Bohren
# - Addet Reverse Lookup and EOP IP Checks (Special thanks to @SchaedlerDaniel)
# - Checks for Transport Rule with SCL-1
##############################################################################
#Requires -Modules ExchangeOnlineManagement

# Create Function with IPaddress that checks is ip is in CIDR Range
# Special thanks to @SchaedlerDaniel
Function Test-IPv4InCIDRRange {
    Param (
        [Parameter(Mandatory = $true, Position = 1)]
        [string]$CIDRNetwork,

        [Parameter(Mandatory = $false, Position = 2)]
        [IPAddress]$TargetIP
    )

    $MaskBits = $CIDRNetwork.Split('/')[1]
    $IP = [System.Net.IPAddress]::Parse($CIDRNetwork.Split('/')[0])

    # Convert the mask to type [IPAddress]
    $mask = ([Math]::Pow(2, $MaskBits) - 1) * [Math]::Pow(2, (32 - $MaskBits))
    $maskbytes = [BitConverter]::GetBytes([UInt32] $mask)
    $DottedMask = [IPAddress]((3..0 | ForEach-Object { [String] $maskbytes[$_] }) -join '.')

    # bitwise AND them together, and you've got the subnet ID
    $lower = [IPAddress] ( $ip.Address -band $DottedMask.Address )

    # We can do a similar operation for the broadcast address
    # subnet mask bytes need to be inverted and reversed before adding
    $LowerBytes = [BitConverter]::GetBytes([UInt32] $lower.Address)
    [IPAddress]$upper = (0..3 | ForEach-Object { $LowerBytes[$_] + ($maskbytes[(3 - $_)] -bxor 255) }) -join '.'

    $f = $lower.GetAddressBytes() | ForEach-Object { "{0:000}" -f $_ }   | & { $ofs = '-'; "$input" }
    $t = $upper.GetAddressBytes() | ForEach-Object { "{0:000}" -f $_ }   | & { $ofs = '-'; "$input" }
    $tg = $TargetIP.GetAddressBytes() | ForEach-Object { "{0:000}" -f $_ }   | & { $ofs = '-'; "$input" }
    return ($f -le $tg) -and ($t -ge $tg)
}

Function Get-EOPIPs {
    #Create GUID
    $ClientRequestId = ([guid]::NewGuid()).Guid
    
    #Get Exchange Endpoints
    $uri = "https://endpoints.office.com/endpoints/worldwide?ServiceAreas=Exchange&NoIPv6=true&ClientRequestId=$ClientRequestId"
    #"DEBUG: URL $uri"
    $Result = Invoke-RestMethod -Method GET -uri $uri

    #EOP IP's
    $EOPAddresses = ($Result | Where-Object {$_.urls -match "mail.protection.outlook.com"}).ips | Sort-Object -Unique
    return $EOPAddresses
}

Function Invoke-SpamAnalyze
{

<#
.SYNOPSIS
         
.DESCRIPTION
    Get SPAM Detail Info for Specific MessageTraceID in MessageTrace
 
.PARAMETER Recipientaddress
    The Emailaddress of the Recipient
 
.PARAMETER SenderAddress
    The Emailadress of the Sender
 
    .EXAMPLE
.\SpamAnalyze.ps1 -SenderAddress SenderAddress@domain.tld -RecipientAddress RecipientAddress@domain.tld
 
.LINK
#>


Param(
    [parameter(Mandatory=$true)][String]$RecipientAddress,
    [parameter(Mandatory=$true)][String]$SenderAddress
    )
    
Begin {
    ##############################################################################
    # Connect to Exchange Online
    ##############################################################################
    Function Connect-EXO {

        $ConnInfo = Get-ConnectionInformation
        If ($Null -eq $ConnInfo)
        {
            Write-Host "Connect to Exchange Online..." -ForegroundColor Gray
            Connect-ExchangeOnline -ShowBanner:$false
        } else {
            Write-Host "Connection to Exchange Online already exists" -ForegroundColor Green
        }
    }

    ##############################################################################
    # Disconnect from Exchange Online
    ##############################################################################
    Function Disconnect-EXO 
    {
                Write-Host "Disconnect from Exchange Online" -ForegroundColor Gray
                #fWrite-Log -fLogtext "Disconnect from Exchange Online"
                #Get-PSSession | Where-Object {($_.ComputerName -eq "outlook.office365.com") -AND ($_.ConfigurationName -eq "Microsoft.Exchange")} | Remove-PSSession
                #Get-PSSession | Where-Object {($_.ComputerName -like "compliance.protection.outlook.com") -AND ($_.ConfigurationName -eq "Microsoft.Exchange")} | Remove-PSSession
                Disconnect-ExchangeOnline -Confirm:$false
                
    }
    

    ##############################################################################
    # Check MessageTraceDetail
    ##############################################################################
    Function Get-SPAMinfo {
        Param(
            [parameter(Mandatory=$false)][String]$RecipientAddress,
            [parameter(Mandatory=$false)][String]$SenderAddress,
            [parameter(Mandatory=$true)][String]$MessageTraceId
            )
        
        $Start = (Get-Date).AddDays(-10) 
        $End = (Get-Date)

        Write-Host "Message events:" -ForegroundColor Magenta
        $MTDetail = Get-MessageTraceDetail -MessageTraceId $MessageTraceId -RecipientAddress $RecipientAddress -SenderAddress $SenderAddress -StartDate $Start -EndDate $End | Sort-Object Date

        $MTEventFail = $MTDetail | Where-Object {$_.event -eq "Failed"}
        If ($Null -ne $MTEventFail) {
            Write-Host "Failed-Event: " -ForegroundColor Magenta
            Write-Host (" Action: " +$MTEventFail.action )
            Write-Host
        }        
        $MTEventMal = $MTDetail | Where-Object {$_.event -eq "Malware"}
        If ($Null -ne $MTEventMal) {
            Write-Host "Malware-Event: " -ForegroundColor Magenta
            Write-Host (" Action: " +$MTEventMal.action )
            Write-Host
        }
        
        #Send External / Extern senden
        $MTEventExternal = $MTDetail | Where-Object {$_.event -match "Extern"} 
        If ($Null -ne $MTEventExternal) 
        {
            Foreach ($SendExternal in $MTEventExternal)
            {
                Write-Host "Send External: " -ForegroundColor Magenta
                [xml]$xmlE =$MTEventExternal.Data
                #$xmlE.root.MEP
            
                $Items = $xmle.root.MEP.Count -1
                for ($i=0; $i -lt$Items; $i++)
                {
                    $Item = $xmle.root.MEP.Item($i)
                    #$Item = $xmle.root.MEP.Item(1)
                    $ItemProperty = ($item | Get-Member | Where-Object {$_.MemberType -eq "Property" -and $_.Name -ne "Name"} | Select-Object Name).Name
                    $ItemName = $Item.Name
                    $ItemValue = $Item.$ItemProperty
                    If ($ItemName -eq "CustomData")
                    {
                        $Blob = $ItemValue.Split(";")
                        foreach ($Line in $blob)
                        {
                            Write-Host " $Line"
                        }                        
                    } else {
                        Write-Host " $ItemName : $ItemValue"
                    }
                    
                }
            }
        }

        $MTEventSPM = $MTDetail | Where-Object {$_.event -eq "Spam"} | Select-Object -uniq
        # SPAM Detail
        If ($Null -ne $MTEventSPM) {
            Write-Host "SPAM-Event: " -ForegroundColor Magenta
            Write-Host (" Action: " +$MTEventSPM.action )
            Write-Host
            Write-Host "SPAM-Event Details:" -ForegroundColor Magenta
            Write-Host "Anti-spam message headers: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-message-headers" -ForegroundColor Cyan
            Write-Host "Spam confidence levels: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/spam-confidence-levels" -ForegroundColor Cyan
            [xml]$xmlS = $MTEventSPM.Data
            $RcptCount  = ($xmlS.root.MEP | Where-Object {$_.Name -eq "RcptCount"})
            $DI         = ($xmlS.root.MEP | Where-Object {$_.Name -eq "DI"})
            $SCL        = ($xmlS.root.MEP | Where-Object {$_.Name -eq "SCL"})
            $Score        = ($xmlS.root.MEP | Where-Object {$_.Name -eq "Score"})
            $SFV        = ($xmlS.root.MEP | Where-Object {$_.Name -eq "SFV"})
            $ClientIP   = ($xmlS.root.MEP | Where-Object {$_.Name -eq "CIP"})
            $Country    = ($xmlS.root.MEP | Where-Object {$_.Name -eq "Ctry"})
            $HeloString = ($xmlS.root.MEP | Where-Object {$_.Name -eq "H"})
            $ReturnPath = ($xmlS.root.MEP | Where-Object {$_.Name -eq "ReturnPath"})
            $Language   = ($xmlS.root.MEP | Where-Object {$_.Name -eq "Language"})
            Write-Host (" RecipientCount: " +$RcptCount.Integer)
            switch ($DI.String) {
                "SB" { $DI = "(SB) The sender of the message was blocked" }
                "SQ" { $DI = "(SQ) The message was quarantined" }
                "SD" { $DI = "(SD) The message was deleted" }
                "SJ" { $DI = "(SJ) The message was sent to the recipient's Junk Email folder" }
                "SN" { $DI = "(SN) The message was routed through the higher risk delivery pool" }
                "SO" { $DI = "(SO) The message was routed through the normal outbound delivery pool" }
            }
            Write-Host (" DI: " +$DI)
            # Color for SCL
            switch ($SCL.Integer) {
                -1 { $cSCL = "Green"; $Folder = "Inbox" }
                0 { $cSCL = "Green"; $Folder = "Inbox" }
                1 { $cSCL = "Green"; $Folder = "Inbox" }
                2 { $cSCL = "Green"; $Folder = "Inbox" }
                3 { $cSCL = "Green"; $Folder = "Inbox" }
                4 { $cSCL = "Green"; $Folder = "Inbox" }
                5 { $cSCL = "Yellow"; $Folder = "Junk-E-Mail" }
                6 { $cSCL = "Yellow"; $Folder = "Junk-E-Mail" }
                7 { $cSCL = "Red"; $Folder = "Quarantaine" }
                8 { $cSCL = "Red"; $Folder = "Quarantaine" }
                9 { $cSCL = "Red"; $Folder = "Quarantaine" }
            }
            Write-Host (" SpamConfidenceLevel (SCL): "+$SCL.Integer +" Deliver to: " +$Folder +")") -ForegroundColor $cSCL
            Write-Host (" SpamScoreLevel (Score): "+$Score.Integer )
            switch ($SFV.String) 
            {
                "BLK" { $SFV = "(BLK) Filtering was skipped and the message was blocked because it originated from a blocked sender" }
                "NSPM" { $SFV = "(NSPM) The message was marked as non-spam and was sent to the intended recipients" }
                "SFE" { $SFV = "(SFE) Filtering was skipped and the message was allowed because it was sent from an address in a user's Safe Senders list"}
                "SKA" { $SFV = "(SKA) The message skipped spam filtering and was delivered to the Inbox because the sender was in the allowed senders list or allowed domains list in an anti-spam policy"}
                "SKB" { $SFV = "(SKB) The message skipped spam filtering and was delivered to the Inbox because the sender was in the allowed senders list or allowed domains list in an anti-spam policy"}
                "SKI" { $SFV = "(SKI) Similar to SFV:SKN, the message skipped spam filtering for another reason (for example, an intra-organizational email within a tenant)"}
                "SKN" { $SFV = "(SKN) The message was marked as non-spam prior to being processed by spam filtering. For example, the message was marked as SCL -1 or Bypass spam filtering by a mail flow rule"}
                "SKQ" { $SFV = "(SKQ) The message was released from the quarantine and was sent to the intended recipients"}
                "SKS" { $SFV = "(SKS) The message was marked as spam prior to being processed by the content filter" }
                "SPM" { $SFV = "(SPM) The message was marked as spam by spam filtering" }
                            
            }

            Write-Host (" SpamFilterVerdikt (SFV): " +$SFV)
            #EOP relay pool will be in the 40.95.0.0/16 range
            #EOP
            #"40.92.0.0/15" --> 40.92.0.1 - 40.93.255.254
            #"40.107.0.0/16" --> 40.107.0.1 - 40.107.255.254
            #"52.100.0.0/14" --> 52.100.0.1 - 52.103.255.254
            #"104.47.0.0/17" --> 104.47.0.1 - 104.47.127.254
            If ($Null -ne $ClientIP.String -or $ClientIP.String -ne "")
            {
                $IP = [IPAddress] $($ClientIP.String)
                #$IP = [IPAddress] $("40.92.0.1")
                #Write-Host "DEBUG: IP $IP"

                #Check if IP is in EOP CIDR Range
                $EOPIPArray = Get-EOPIPs
                foreach ($CIDR in $EOPIPArray)
                {
                    If ((Test-IPv4InCIDRRange -TargetIP $IP -CIDRNetwork $CIDR) -eq $True)
                    {
                        Write-Host (" SenderClientIP (CIP): " +$ClientIP.String + " --> EOP Address") -ForegroundColor Green
                    }
                }
            }

            If ($ClientIP.String -like "40.95*")
            {
                Write-Host (" SenderClientIP (CIP): " +$ClientIP.String + " --> EOP Relay Pool") -ForegroundColor Yellow
            } else {
                Write-Host (" SenderClientIP (CIP): " +$ClientIP.String)
            }            
            Write-Host (" Country (CTRY): " +$Country.String)
            Write-Host (" HeloString (H): " +$HeloString.String)
            Write-Host (" ReturnPath: " +$ReturnPath.String)
            Write-Host (" Language: " +$Language.String)
            
            $ReverseDNSLookup = Resolve-DnsName $($ClientIP.String)
            If ($Null -ne $ReverseDNSLookup)
            {
                Write-Host (" ReverseLookup: " + $ReverseDNSLookup.NameHost)
            } else {
                Write-Host (" ReverseLookup: N/A") -ForegroundColor Yellow
            }
            Write-Host    

        } Else {
            Write-Host "SPAM-Event: " -ForegroundColor Magenta
            Write-Host (" INFO: This mail contains no 'Spam' event ") -ForegroundColor Cyan
            Write-Host
        }
    }
}

Process {
    #Set Window and Buffersize
    $pshost = get-host
    $pswindow = $pshost.ui.rawui
    $LanguageMode = $ExecutionContext.SessionState.LanguageMode
    If ($LanguageMode -eq "Fulllanguage"){
        if ($pswindow.WindowSize.Width -lt 220){
            $newsize = $pswindow.buffersize
            $newsize.height = 8000
            $newsize.width = 220
            $pswindow.buffersize = $newsize
            $newsize = $pswindow.windowsize
            $newsize.width = 180
            $newsize.height = 60
            $pswindow.windowsize = $newsize
        }
    }

    #Call Function to Connect to Exchange Online
    Connect-EXO

    #Check if Messagetrace is available
    Try {
        Get-Command Get-MessageTrace -ErrorAction Stop | Out-Null
    } catch { 
        Write-Host "No Permission for the Command: Get-MessageTrace. Stopping script."
        #exit
        Break
    }

    #Set Start- and Enddate for Messagetrace
    $Start = ((Get-Date).AddDays(-10))
    $End = Get-Date
    
    #Messagetrace depending on Parameters
    If ($SenderAddress -ne $Null)
    {
        If ($RecipientAddress -ne $Null)
        {
            $MT = Get-MessageTrace -StartDate (get-date).AddDays(-10) -EndDate (get-date) -SenderAddress $SenderAddress -RecipientAddress $RecipientAddress 
        } else {
            $MT = Get-MessageTrace -StartDate (get-date).AddDays(-10) -EndDate (get-date) -SenderAddress $SenderAddress 
        }
    } else {
        #SenderAddress = $Null / RecipientAddress populated
        $MT = Get-MessageTrace -StartDate (get-date).AddDays(-10) -EndDate (get-date) -RecipientAddress $RecipientAddress  
    }
    #$MT | Format-Table Received, SenderAddress, RecipientAddress, Subject, Status, MessageTraceID
    $MT | Select-Object Received, SenderAddress, RecipientAddress, @{label='Subject';expression={$_.Subject.Substring(0,20)}}, Status, MessageTraceID  | Format-Table

    If ($Null -eq $MT)
    {
        Write-Host "No Results in Message Trace found"
    } else {


        #Input MessageTraceID
        $readhost = Read-Host "MessageTraceID?"
        If ($readhost -eq "")
        {
            Write-Host "Not a MessageTraceID... Stopping Script"
        } else {
            #Write-Host "DEBUG: Readhost: $readhost"
            Foreach ($Line in $MT)
            {
                If ($readhost -eq $Line.MessageTraceId)
                {
                    
                    #Write-Host "DEBUG: MessageTraceID: $($Line.MessageTraceId)"
                    #Write-Host "DEBUG: Sender: $($Line.Senderaddress)"
                    #Write-Host "DEBUG: Recipient: $($Line.RecipientAddress)"
                    $MessageTraceId = $Line.MessageTraceId
                    $MTSenderAddress = $Line.Senderaddress
                    $MTRecipientAddress = $Line.RecipientAddress
                    $MTStatus = $Line.Status
                    $MTSubject = $Line.Subject
                    $MTReceived = $Line.Received
                    $MTMessageID = $Line.MessageID

                    #Infos from Message Trace
                    Write-Host
                    Write-Host "E-Mail Detail:" -ForegroundColor Magenta
                    Write-Host " Message ID: $MTMessageID"
                    Write-Host " Received: $MTReceived"
                    Write-Host " Sender: $MTSenderAddress"
                    Write-Host " Recipient: $MTRecipientAddress"
                    Write-Host " Subject: $MTSubject"
                    Write-Host " Status: $MTStatus"
                    Write-Host

                    #Check Recipient
                    $ExoRecipient = Get-Recipient -Identity $MTRecipientAddress
                    #$ExoRecipient
                    $RecipientTypeDetails = $ExoRecipient.RecipientTypeDetails

                    Write-Host "Recipient Details" -ForegroundColor Magenta
                    Write-Host " RecipientTypeDetails: $RecipientTypeDetails"
                    Write-Host

                    #Check for Transport Rules with "SCL -1"
                    #Get-TransportRule | Where-Object {$_.SetSCL -eq "-1"} | Format-List Name, From,*, SentTo*
                    $TransporRules = Get-TransportRule | Where-Object {$_.SetSCL -eq "-1"} | Select-Object Name, From*, SentTo*
                    Foreach ($TransportRule in $TransporRules)
                    {
                        Write-Host "Transport Rule with <SCL-1>" -ForegroundColor Magenta
                        Write-Host " Name: $($TransportRule.Name)"
                        Write-Host " FromMemberOf: $($TransportRule.FromMemberOf)"
                        Write-Host " FromScope: $($TransportRule.FromScope)"
                        Write-Host " FromAddressContainsWords: $($TransportRule.FromAddressContainsWords)"
                        Write-Host " FromAddressMatchesPatterns: $($TransportRule.FromAddressMatchesPatterns)"
                        Write-Host " SentTo: $($TransportRule.SentTo)"
                        Write-Host " SentToMemberOf: $($TransportRule.SentToMemberOf)"
                        Write-Host " SentToScope: $($TransportRule.SentToScope)"
                    }
                    Write-Host

                    #JunkMailConfiguration of Mailbox
                    $SenderDomain = ($SenderAddress.Split("@")[1])
                    If ($RecipientTypeDetails -like "*Mailbox")
                    {
                        $JMC = Get-MailboxJunkEmailConfiguration -Identity $MTRecipientAddress
                        If ($NULL -ne $JMC)
                        {
                            Write-Host "Recipient JunkMailConfiguration" -ForegroundColor Magenta
                            Write-Host " TrustedListsOnly: $($JMC.TrustedListsOnly)"
                            Write-Host " ContactsTrusted: $($JMC.ContactsTrusted)"
                            Write-Host

                            Write-Host "Check if $MTSenderAddress exists in MAILBOX ($MTRecipientAddress) Trusted-/BlockedSenders list: " -ForegroundColor Magenta        
                            If ($JMC.TrustedSendersAndDomains -contains $MTSenderAddress)
                            {
                                Write-Host " USER Junk-E-Mail Config: Found in 'TrustedSendersAndDomains'" -ForegroundColor Green
                            } Else {
                                Write-Host " USER Junk-E-Mail Config: Not found in 'TrustedSendersAndDomains'" -ForegroundColor White
                            }
                            
                            If ($JMC.BlockedSendersAndDomains -contains $MTSenderAddress)
                            {
                                Write-Host " USER Junk-E-Mail Config: Found in 'BlockedSendersAndDomains'" -ForegroundColor Red
                            } Else {
                                Write-Host " USER Junk-E-Mail Config: Not found in 'BlockedSendersAndDomains'" -ForegroundColor White
                            }
                            Write-Host
                            
                            Write-Host "Check if $SenderDomain exists in MAILBOX ($MTRecipientAddress) Trusted-/BlockedSenders list: " -ForegroundColor Magenta    
                            If ($JMC.TrustedSendersAndDomains -contains $SenderDomain)
                            {
                                Write-Host " USER Junk-E-Mail Config: Found in 'TrustedSendersAndDomains'" -ForegroundColor Green
                            } Else {
                                Write-Host " USER Junk-E-Mail Config: Not found in 'TrustedSendersAndDomains'" -ForegroundColor White
                            }
                            
                            If ($JMC.BlockedSendersAndDomains -contains $SenderDomain)
                            {
                                Write-Host " USER Junk-E-Mail Config: Found in 'BlockedSendersAndDomains'" -ForegroundColor Red
                            } Else {
                                Write-Host " USER Junk-E-Mail Config: Not found in 'BlockedSendersAndDomains'" -ForegroundColor White
                            }
                            Write-Host

                        }
                    }

                    #GLOBALConfig
                    Write-Host "Check if $MTSenderAddress exists in GLOBAL Trusted-/BlockedSender list: " -ForegroundColor Magenta
                    $GLOBALJunkConfig = Get-HostedContentFilterPolicy
                    #Allowed Senders
                    If ($GLOBALJunkConfig.AllowedSenders -match $MTSenderAddress)
                    {
                        Write-Host " GLOBAL EAC SpamFilter: Found in 'AllowedSenders'" -ForegroundColor Green
                    } Else {
                        Write-Host " GLOBAL EAC SpamFilter: Not found in 'AllowedSenders'" -ForegroundColor White
                    }

                    #Blocked Senders
                    If ($GLOBALJunkConfig.BlockedSenders -match $MTSenderAddress)
                    {
                        Write-Host " GLOBAL EAC SpamFilter: Found in 'BlockedSenders'" -ForegroundColor Red
                    } Else {
                        Write-Host " GLOBAL EAC SpamFilter: Not found in 'BlockedSenders'" -ForegroundColor White
                    }
                    Write-Host

                    Write-Host "Check if $SenderDomain exists in GLOBAL Allowed-/BlockedSenderDomain list: " -ForegroundColor Magenta
                    #Allowed Domains
                    If ($GLOBALJunkConfig.AllowedSenderDomains.Domain -contains $SenderDomain)
                    {
                        Write-Host " GLOBAL EAC SpamFilter: Found in 'AllowedSenderDomains'" -ForegroundColor Green
                    } Else {
                        Write-Host " GLOBAL EAC SpamFilter: Not found in 'AllowedSenderDomains'" -ForegroundColor White
                    }

                    #Allowed Senders
                    If ($GLOBALJunkConfig.BlockedSenderDomains.Domain -contains $SenderDomain)
                    {
                        Write-Host " GLOBAL EAC SpamFilter: Found in 'BlockedSenderDomains'" -ForegroundColor Red
                    } Else {
                        Write-Host " GLOBAL EAC SpamFilter: Not found in 'BlockedSenderDomains'" -ForegroundColor White
                    }
                    Write-Host

                    #Tenant Allow Block List (TABL) SENDER
                    Write-Host "Check Tenant Allow Block List - Sender (TABL): " -ForegroundColor Magenta
                    $TABLAllowUser = Get-TenantAllowBlockListItems -ListType Sender -Allow -Entry $MTSenderAddress
                    If ($Null -eq $TABLAllowUser)
                    {
                        Write-Host " Not Found in 'TenantAllowBlockList - Allow Addresses'" -ForegroundColor White
                    } else {
                        Write-Host " Found in 'TenantAllowBlockList - Allow Addresses'" -ForegroundColor White
                        Write-Host " Value: $($TABLAllowUser.Value)" -ForegroundColor Yellow
                        Write-Host " Action: $($TABLAllowUser.Action)" -ForegroundColor Yellow
                        Write-Host " SubmissionID: $($TABLAllowUser.SubmissionID)" -ForegroundColor Yellow
                        Write-Host " ListSubType: $($TABLAllowUser.ListSubType)" -ForegroundColor Yellow
                        Write-Host " SysManaged: $($TABLAllowUser.SysManaged)" -ForegroundColor Yellow
                        Write-Host " LastModifiedDateTime: $($TABLAllowUser.LastModifiedDateTime)" -ForegroundColor Yellow
                        Write-Host " ExpirationTime: $($TABLAllowUser.ExpirationDate)" -ForegroundColor Yellow
                    }
                    $TABLBlockUser = Get-TenantAllowBlockListItems -ListType Sender -Block -Entry $MTSenderAddress
                    If ($Null -eq $TABLBlockUser)
                    {
                        Write-Host " Not Found in 'TenantAllowBlockList - Block Addresses'" -ForegroundColor White
                    } else {
                        Write-Host " Found in 'TenantAllowBlockList - Block Addresses'" -ForegroundColor White
                        Write-Host " Value: $($TABLBlockUser.Value)" -ForegroundColor Yellow
                        Write-Host " Action: $($TABLBlockUser.Action)" -ForegroundColor Yellow
                        Write-Host " SubmissionID: $($TABLBlockUser.SubmissionID)" -ForegroundColor Yellow
                        Write-Host " ListSubType: $($TABLBlockUser.ListSubType)" -ForegroundColor Yellow
                        Write-Host " SysManaged: $($TABLBlockUser.SysManaged)" -ForegroundColor Yellow
                        Write-Host " LastModifiedDateTime: $($TABLBlockUser.LastModifiedDateTime)" -ForegroundColor Yellow
                        Write-Host " ExpirationTime: $($TABLBlockUser.ExpirationDate)" -ForegroundColor Yellow
                    }
                    $TABLAllowDomain =  Get-TenantAllowBlockListItems -ListType Sender -Allow -Entry $SenderDomain
                    If ($Null -eq $TABLAllowDomain)
                    {
                        Write-Host " Not Found in 'TenantAllowBlockList - Allow Domains'" -ForegroundColor White
                    } else {
                        Write-Host " Found in 'TenantAllowBlockList - Allow Domains'" -ForegroundColor White
                        Write-Host " Value: $($TABLAllowDomain.Value)" -ForegroundColor Yellow
                        Write-Host " Action: $($TABLAllowDomain.Action)" -ForegroundColor Yellow
                        Write-Host " SubmissionID: $($TABLAllowDomain.SubmissionID)" -ForegroundColor Yellow
                        Write-Host " ListSubType: $($TABLAllowDomain.ListSubType)" -ForegroundColor Yellow
                        Write-Host " SysManaged: $($TABLAllowDomain.SysManaged)" -ForegroundColor Yellow
                        Write-Host " LastModifiedDateTime: $($TABLAllowDomain.LastModifiedDateTime)" -ForegroundColor Yellow
                        Write-Host " ExpirationTime: $($TABLAllowDomain.ExpirationDate)" -ForegroundColor Yellow
                    }
                    $TABLBlockDomain = Get-TenantAllowBlockListItems -ListType Sender -Block -Entry $SenderDomain
                    If ($Null -eq $TABLBlockDomain)
                    {
                        Write-Host " Not Found in 'TenantAllowBlockList - Block Domains'" -ForegroundColor White
                    } else {
                        Write-Host " Found in 'TenantAllowBlockList - Block Domains'" -ForegroundColor White
                        Write-Host " Value: $($TABLBlockDomain.Value)" -ForegroundColor Yellow
                        Write-Host " Action: $($TABLBlockDomain.Action)" -ForegroundColor Yellow
                        Write-Host " SubmissionID: $($TABLBlockDomain.SubmissionID)" -ForegroundColor Yellow
                        Write-Host " ListSubType: $($TABLBlockDomain.ListSubType)" -ForegroundColor Yellow
                        Write-Host " SysManaged: $($TABLBlockDomain.SysManaged)" -ForegroundColor Yellow
                        Write-Host " LastModifiedDateTime: $($TABLBlockDomain.LastModifiedDateTime)" -ForegroundColor Yellow
                        Write-Host " ExpirationTime: $($TABLBlockDomain.ExpirationDate)" -ForegroundColor Yellow
                    }
                    Write-Host

                    #Tenant Allow Block List (TABL) SpoofedSenders
                    Write-Host "Check Tenant Allow Block List - SpoofedSenders (TABL): " -ForegroundColor Magenta
                    $TABLSpoof = Get-TenantAllowBlockListSpoofItems | Where-Object {$_.SpoofedUser -eq "$SenderDomain"}
                    If ($Null -eq $TABLSpoof)
                    {
                        Write-Host " Not Found in 'TenantAllowBlockList - SpoofedSenders'" -ForegroundColor White
                    } else {
                        Write-Host " Found in 'TenantAllowBlockList - SpoofedSenders'" -ForegroundColor White
                        Write-Host " $($TABLSpoof.SpoofedUser) > $($TABLSpoof.Action)" -ForegroundColor Yellow
                    }
                    Write-Host

                    #Spam Details
                    Get-SPAMinfo -RecipientAddress $MTRecipientAddress -SenderAddress $MTSenderAddress -MessageTraceId $MessageTraceId

                    #DNS Records
                    Write-Host "DNS Records of $SenderDomain" -ForegroundColor Magenta


                    #Test DNS over HTTP
                    $json = Invoke-RestMethod -URI "https://dns.google/resolve?name=google.com&type=NS"
                    If (($json | Get-Member -MemberType NoteProperty).count -lt 3)
                    {
                        Write-Host "This System does not Support DNS over HTTPS" -ForegroundColor Yellow
                    } else {

                        #NS
                        Write-Host "NS" -ForegroundColor Magenta
                        try {
                            $json = Invoke-RestMethod -URI "https://dns.google/resolve?name=$SenderDomain&type=NS"
                            [string]$NS = $json.Answer.data
                            $NS
                        } catch {
                            if($_.ErrorDetails.Message) {
                                Write-Host $_.ErrorDetails.Message
                            } else {
                                Write-Host $_
                            }
                        }

                        #MX
                        Write-Host "MX" -ForegroundColor Magenta
                        try {
                            $json = Invoke-RestMethod -URI "https://dns.google/resolve?name=$SenderDomain&type=MX"
                            [string]$MX = $json.Answer.data
                            $MX
                        } catch {
                            if($_.ErrorDetails.Message) {
                                Write-Host $_.ErrorDetails.Message
                            } else {
                                Write-Host $_
                            }
                        }

                        #SPF
                        Write-Host "SPF" -ForegroundColor Magenta
                        try {
                            $json = Invoke-RestMethod -URI "https://dns.google/resolve?name=$SenderDomain&type=TXT"
                            $TXT = $json.Answer.data
                            $TXT = $TXT | Where-Object {$_ -match "v=spf1"}
                            $SPF = $TXT
                            If ($Null -eq $SPF)
                            {
                                Write-Host "NO SPF Record found" -ForegroundColor Yellow
                            } else {
                                $SPF
                            }
                        } catch {
                            if($_.ErrorDetails.Message) {
                                Write-Host $_.ErrorDetails.Message
                            } else {
                                Write-Host $_
                            }
                        }

                        #DKIM
                        Write-Host "DKIM (Only checking for: selector1/selector2)" -ForegroundColor Magenta
                        try {
                            $json = Invoke-RestMethod -URI "https://dns.google/resolve?name=Selector1._domainkey.$SenderDomain&type=CNAME"
                            $DKIM1 = $json.Answer.data
                            $json = Invoke-RestMethod -URI "https://dns.google/resolve?name=Selector2._domainkey.$SenderDomain&type=CNAME"
                            $DKIM2 = $json.Answer.data
                            [string]$DKIM = "$DKIM1 $DKIM2"                    
                            If ($DKIM -eq " ")
                            {
                                Write-Host "NO DKIM Record found" -ForegroundColor Yellow
                            } else {
                                $DKIM
                            }
                        } catch {
                            if($_.ErrorDetails.Message) {
                                Write-Host $_.ErrorDetails.Message
                            } else {
                                Write-Host $_
                            }
                        }

                        #DMARC
                        Write-Host "DMARC" -ForegroundColor Magenta
                        try {
                            $json = Invoke-RestMethod -URI "https://dns.google/resolve?name=_dmarc.$SenderDomain&type=TXT"
                            $DMARC = $json.Answer.data
                            If ($Null -eq $DMARC)
                            {
                                Write-Host "NO DMARC Record found" -ForegroundColor Yellow
                            } else {
                                $DMARC
                            }
                        } catch {
                            if($_.ErrorDetails.Message) {
                                Write-Host $_.ErrorDetails.Message
                            } else {
                                Write-Host $_
                            }
                        }
                    }
                }
            }
        }
    }
}

End {
    #Disconnect from Exchange Online and
    #Disconnect-EXO
}
}