Email Security Analysis: A PowerShell Approach to Identifying MFA-Enabled Domains


This PowerShell script is designed to enhance email security by identifying MFA-enabled domains. We’re all too aware that email remains a popular vector for cyberattacks. Recognizing this, it’s important to know if the organizations we’re communicating with have taken steps to secure their accounts through MFA. This script automates that process by analyzing your email inbox and providing a comprehensive report on the MFA capabilities of your correspondents.

The script interfaces with Microsoft Outlook using the Outlook COM Object to access your mailbox. It asks you how far back you want to analyze your emails (e.g., last 7 days, 30 days, etc.), then proceeds to analyze emails from your specified folder and its subfolders, looking for unique sender domains.

The script then matches these domains against JSON data fetched from “https://api.2fa.directory” to determine if the sender’s domain supports MFA. A match means the directory lists the service behind that domain as offering MFA; it does not show that a particular sender has turned it on. As a final result, the script generates an HTML report providing details about each sender domain, whether it supports MFA, and additional details such as the sender’s email address, documentation link for MFA (if available), two-factor authentication (TFA) methods, and more. You can also include or exclude domains that do not support MFA.
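An added example, not part of the original script: one way to do the lookup described above is to index the directory once and then walk each sender domain up through its parent domains, so a match only ever lands on a label boundary. The function names and the sample directory entries are constructed for illustration; only the [name, details] layout and the domain, additional-domains and tfa fields are taken from the script.

```powershell
# Constructed sample in the shape the script reads from all.json: [name, details] pairs
$sampleJson = @'
[
  ["Example Mail", {"domain": "example.com", "additional-domains": ["example.net"], "tfa": ["totp", "u2f"]}],
  ["Sample Bank",  {"domain": "bank.example.org", "tfa": ["sms"]}]
]
'@
$sampleSites = $sampleJson | ConvertFrom-Json

# Hypothetical helper: map every primary and additional domain to its details object
function New-MfaDomainIndex($sites) {
    $index = @{}
    foreach ($pair in $sites) {
        $details = $pair[1]
        foreach ($d in @($details.domain) + @($details.'additional-domains')) {
            if ($d) { $index[$d.ToLowerInvariant()] = $details }
        }
    }
    return $index
}

# Hypothetical helper: resolve a sender address to a directory entry, or return nothing
function Find-MfaDirectoryEntry($index, [string]$senderAddress) {
    # Exchange legacy addresses (/O=EXCHANGELABS/...) carry no "@", so there is no domain to look up
    if ($senderAddress -notmatch '@') { return }
    $labels = ($senderAddress -split '@')[-1].Trim().ToLowerInvariant().TrimEnd('.') -split '\.'
    # Try the full domain first, then each parent domain, stopping before the bare TLD
    for ($i = 0; $i -lt $labels.Count - 1; $i++) {
        $candidate = $labels[$i..($labels.Count - 1)] -join '.'
        if ($index.ContainsKey($candidate)) {
            return [pscustomobject]@{
                Sender  = $senderAddress
                Matched = $candidate
                Tfa     = $index[$candidate].tfa -join ', '
            }
        }
    }
}

# Constructed sender addresses: a subdomain, an additional domain, a look-alike, and a legacy Exchange address
$index = New-MfaDomainIndex $sampleSites
$senders = 'billing@mail.example.com', 'alerts@login.example.net', 'user@notexample.com',
           '/O=EXCHANGELABS/OU=EXCHANGE ADMINISTRATIVE GROUP/CN=RECIPIENTS/CN=USER'
$senders | ForEach-Object { Find-MfaDirectoryEntry $index $_ } | Format-Table -AutoSize
```

Only the first two addresses resolve; the look-alike domain and the legacy Exchange address produce no row.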

Using this script, you’re taking a proactive approach to email security, identifying possible vulnerabilities and staying informed about the security measures of the organizations you communicate with. This could be particularly useful for IT administrators or cybersecurity professionals who need to assess the security posture of their email interactions. With its user-friendly HTML report, you can quickly visualize and comprehend the MFA support status of your correspondents, making this script a valuable addition to your cybersecurity toolkit.


The Code

# Create Outlook COM Object
$outlook = New-Object -ComObject Outlook.Application
$namespace = $outlook.GetNameSpace("MAPI")

# Choose the folder you want to check in your mailbox
$rootFolder = $namespace.PickFolder()

# Prompt the user for the number of days to check
$daysToCheck = Read-Host "Enter the number of days to check back on emails"
$showUnsupported = Read-Host "Show domains that do not support MFA? (yes/no)"


# Create a date object for the specified number of days ago
$startDate = (Get-Date).AddDays(-[int]$daysToCheck)

# Create hashtable for tracking processed domains
$processedDomains = @{}
$matchedDomain = $null

# Get the directory of the current script
$scriptPath = Split-Path -Parent $PSCommandPath

# Fetch JSON data of 2FA enabled/disabled websites
$siteData = Invoke-RestMethod -Uri "https://api.2fa.directory/v3/all.json"

# Initialize HTML output with a modern CSS styling
$script:htmlOutput = @"
<html>
<head>
    <style>
        body {
            font-family: Arial, sans-serif;
        }
        table {
            border-collapse: collapse;
            width: 100%;
            margin-top: 20px;
        }
        th, td {
            border: 1px solid #dddddd;
            text-align: left;
            padding: 8px;
        }
        th {
            background-color: #4CAF50;
            color: white;
        }
        tr:nth-child(even) {
            background-color: #f2f2f2;
        }
        .mfaEnabled {
            background-color: #8bc34a;
        }
        .mfaDisabled {
            background-color: #ff4444;
        }
    </style>
</head>
<body>
    <h1>Sender Domains</h1>
    <table>
        <tr>
            <th>Matched Domain</th>
            <th>Supports MFA?</th>
            <th>EMail Address</th>
            <th>Documentation</th>
            <th>TFA Methods</th>
            <th>Custom Software</th>
            <th>Custom Hardware</th>
            <th>Recovery URL</th>
            <th>Additional Domains</th>
            <th>Keywords</th>
            <th>Notes</th>
        </tr>
"@

# Recursive function to process emails in a folder and its subfolders
function ProcessFolder($folder) {
    # Get all email items
    $emails = $folder.Items | Where-Object { $_.ReceivedTime -ge $startDate }

    # Calculate the total number of emails for the progress bar
    $totalEmails = $emails.Count

    # Initialize progress bar
    $i = 0

    # Loop over each email
    foreach ($email in $emails) {
        # Increment progress bar
        $i++
        Write-Progress -Activity "Processing Emails in $($folder.Name)" -Status "$i out of $totalEmails Emails Processed" -PercentComplete (($i / $totalEmails) * 100)
        ProcessEmail $email
    }

    # Recurse into subfolders
    foreach ($subfolder in $folder.Folders) {
        ProcessFolder $subfolder
    }
}

# Function to process each email
function ProcessEmail($email) {
    try {
        # Extract the domain from the sender's email address (the text after the last "@")
        $senderDomain = ($email.SenderEmailAddress -split "@")[-1]

        # Skip processing if the domain matches the specified pattern
        if ($senderDomain -like "*EXCHANGELABS*") {
            return
        }

        # Add domain to hashtable and directly write to HTML output if it's not already there
        if (!$processedDomains.ContainsKey($senderDomain)) {
            $processedDomains[$senderDomain] = $true

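            # Determine if domain supports MFA; each directory entry is a [name, details] pair
            # Default to the sender's own domain so unmatched rows still show which domain was checked
            $matchedDomain = $senderDomain
            $siteInfo = $siteData | Where-Object {
                $entry = $_[1]
                if ($senderDomain -like "*.$($entry.domain)" -or $senderDomain -eq $entry.domain) {
                    $matchedDomain = $entry.domain
                    return $true
                }
                # $_ is rebound inside the nested filter, so capture the matching additional domain explicitly
                $extra = $entry.'additional-domains' |
                    Where-Object { $senderDomain -like "*.$_" -or $senderDomain -eq $_ } |
                    Select-Object -First 1
                if ($extra) {
                    $matchedDomain = $extra
                    return $true
                }
                return $false
            } | Select-Object -First 1   # stop at the first match so $siteInfo is a single [name, details] pair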

            # Sender addresses and directory fields are untrusted text, so HTML-encode them before they go into the report
            $encode = { param($text) [System.Net.WebUtility]::HtmlEncode([string]$text) }
            $SenderEmailAddress = & $encode ($email.SenderEmailAddress)
            $linkDomain = & $encode $matchedDomain

            if ($siteInfo) {
                $mfaSupport = "Yes"
                $mfaClass = "mfaEnabled"
                $documentationLink = "<a href='$(& $encode ($siteInfo[1].documentation))' target='_blank'>Documentation</a>"
                $tfaMethods = & $encode ($siteInfo[1].tfa -join ', ')
                $customSoftware = & $encode ($siteInfo[1].'custom-software' -join ', ')
                $customHardware = & $encode ($siteInfo[1].'custom-hardware' -join ', ')
                $recoveryURL = & $encode ($siteInfo[1].recovery)
                $additionalDomains = & $encode ($siteInfo[1].'additional-domains' -join ', ')
                $keywords = & $encode ($siteInfo[1].keywords -join ', ')
                $notes = & $encode ($siteInfo[1].notes)
            } else {
                $mfaSupport = "No"
                $mfaClass = "mfaDisabled"
                $documentationLink = ""
                $tfaMethods = ""
                $customSoftware = ""
                $customHardware = ""
                $recoveryURL = ""
                $additionalDomains = ""
                $keywords = ""
                $notes = ""
            }
            if (($mfaSupport -eq "Yes") -or ($showUnsupported -eq "yes" -and $mfaSupport -eq "No")) {
                $script:htmlOutput += @"
<tr>
    <td><a href="http://$linkDomain">$linkDomain</a></td>
    <td class='$mfaClass'>$mfaSupport</td>
    <td>$SenderEmailAddress</td>
    <td>$documentationLink</td>
    <td>$tfaMethods</td>
    <td>$customSoftware</td>
    <td>$customHardware</td>
    <td><a href="$recoveryURL">$recoveryURL</a></td>
    <td>$additionalDomains</td>
    <td>$keywords</td>
    <td>$notes</td>
</tr>
"@
            }
        }
    } catch {
        #Write-Host "Error processing email: $($email.Subject) - $_" -ForegroundColor Red
    }
}

# Process the root folder and all its subfolders
ProcessFolder $rootFolder

# Close HTML tags
$script:htmlOutput += "</table></body></html>"

# Write HTML output to file
$script:htmlOutput | Out-File -FilePath "$scriptPath\Find_MFA_Domains.html"

# Report completion
Write-Host "Completed processing all emails within the last $daysToCheck days. Sender domains have been exported to $scriptPath\Find_MFA_Domains.html" -ForegroundColor Cyan
