Search Exchange Online for a missing calendar

“Someone deleted our shared calendar!” #

Welp, here I go..

yikes

Once in a blue moon, we would get a panicked email about an important shared calendar mysteriously going MIA. What would end up happening is during some cleanup, an end user would inadvertently delete the entire shared calendar, then going about their business, causing a panic to other users. We need to somehow find this missing calendar, however before we do we first need a brief overview of the structure of an Exchange Mailbox.

Exchange Mailbox Dissection #

To find a missing calendar (or any calendar really), we need to know the structure of a mailbox using, PowerShell.

Connect to your Exchange Online environment and type in the following cmdlet:

Get-MailboxFolderStatistics -Identity Taylor.Swift@sleepysysadmin.com | gm 

There are a couple important properties here:

2019-05-14_10-24-13.png

To see all of the folders in your mailbox, type the following and notice the folder path of Calendar and Deleted Items:

Get-MailboxFolderStatistics -Identity Taylor.Swift@SleepySysAdmin.com | Select-Object FolderPath

2019-05-14_10-31-08.png

In Exchange, mailbox calendars are treated like folders! Therefore, if someone deleted a calendar it should be under their Deleted Items as a subfolder. So long as someone can remember the name of it (if no one can, they didn’t deserve the shared calendar), you should be able to find it.

The hunt is on! #

Ready up

Assuming your shared calendar is on a shared mailbox, and the user that need access to the shared calendar have access to the shared mailbox (too much sharing), we can proceed as the following. Using the power of, well, PowerShell, we’ll grab all of the users that have access to that shared mailbox, and loop them through Get-MailboxFolderStatistics:

$Member = Get-MailboxPermission -Identity SharedMailbox@sleepysysadmin.com | Select-Object User, IsInherited | Where-Object {$_.IsInherited -eq $False -and $_.User -ne "NT AUTHORITY\SELF"}

$Member | foreach { 

    Get-MailboxFolderStatistics $_.User | where {$_.FolderPath -like '/deleted items/*'} | Select-Object identity, name | ft -Wrap | Out-File $env:USERPROFILE\Desktop\CalendarSearch.txt -Append 

}

What that’ll do is go through each user’s deleted items that has access to a shared mailbox, and output it to a text file on your desktop (edit the path to whatever you would like).

It’s quick, it’s dirty, but when you’re under the gun, would you rather be right or would you rather be done?

Cheers

Cheers <3

 
1
Kudos
 
1
Kudos

Now read this

Blue Teaming - Defending Against Responder.py

Oh no, we at it again! # Isn’t it just nice that when you plug in your PC to the network, it can start discovering your local printers, shares and even other workstations? Yea, your red team thinks so, too. During a pentest engagement,... Continue →