Use 3rd party APIs to Audit Your Environment - Part One: Email Reputation Audit
Not all applications are created equal. Hardly any can match the robustness of the PowerShell cmdlets available for Microsoft 365 services. However, you can still leverage the power of the back end of your 3rd party applications by using APIs.
When getting familiar with an application that you already have in your environment, or one you might be looking to add, consider the API library for that application. In my experience, most modern business applications have an API library. If they don't, they should.
APIs are built for application-to-application communication, but that doesn't mean you can't use them to your advantage as an admin. Let's talk about some ideas for using APIs to improve the automation in your environment.
Admins are auditors, and if you're not automating those audits, then you're doing it wrong. Some of the common tasks I've automated using APIs (available on my GitHub) are:
1. User Data Dump Security Report (HaveIBeenPwned)
2. Check domain registrars and DNS (WhoIs)
3. Check domain reputation (WhoIs)
4. Check email reputation (EmailRep)
In this article, I'm going to walk you through how to create the Check Email Reputation audit, using the EmailRep tool created by Sublime Security.
This audit will check the online presence of a list of email addresses, score their reputation from RISKY to HIGH, and then send an emailed report with a table of the findings.
1. Create the email list
Let's start with our email list. I'm using a static list for demonstration purposes, but a good way to pull your list might be using the O365 Quarantine Center. Here's the email list we'll be using for this article: (beware, these are LIVE examples, proceed with caution)
And here's the code snippet for getting the list from the O365 Quarantine Center:
2. Build and send the request in Postman
As in my previous articles, I like to test my requests in Postman before moving over to PowerShell. You don't have to, but it gives you a good idea of the response schema before you start writing code.
Since we needed an API key at the beginning of the article, you've probably already guessed at some of the content of the header. Here's how it should look in Postman:
Since this is a GET, there is no body to this request. Here's what the response looks like if I use one of the emails from my list:
We can also add a query to have emailrep.io give us a nice summary of the findings (note the change in the URL):
3. Put it together in PowerShell
Now that we have our list, have built our header, and have confirmed our request works, let's put it all together in PowerShell. For this, we'll put all of the request details for each email address in a PSCustomObject.
Now, if we run $Table, we get an organized list of our request objects:
What should we do with this now? Let's email it to our sysadmins!
4. Send it in an email
Emailed audits are easy and actionable, so let's email this to our sysadmins. First, let's use our CSS from the last article.
Next, let's build the body of the email. We're going to keep this one very simple, but you can use the skills from the last article to add anything else you might want:
Last step is to send it!
You can find the whole script, and others, on my GitHub!
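The request, table and email-body steps above, condensed into one added example that is not the author's script. The function names, `$EmailList`, the `EMAILREP_KEY` environment variable and the JSON field names are assumptions; check the fields against the response you see in Postman.

```powershell
# Added example, not the author's script. Get-EmailRep, ConvertTo-AuditRow,
# $EmailList and the EMAILREP_KEY environment variable are assumed names.
# JSON field names are assumed from EmailRep's response; confirm in Postman.

function Get-EmailRep {
    param(
        [Parameter(Mandatory)][string]$Address,
        [string]$ApiKey = $env:EMAILREP_KEY   # keep the key out of the script file
    )
    # Quarantine senders are attacker-chosen strings, so escape before building the URL.
    $uri = 'https://emailrep.io/{0}?summary=true' -f [uri]::EscapeDataString($Address)
    try {
        Invoke-RestMethod -Method Get -Uri $uri -Headers @{ Key = $ApiKey } -UserAgent 'email-rep-audit'
    }
    catch {
        # Keep failed lookups (bad key, rate limit, network) visible in the report.
        [pscustomobject]@{ email = $Address; reputation = 'lookup failed'; summary = $_.Exception.Message }
    }
}

function ConvertTo-AuditRow {
    param([Parameter(Mandatory, ValueFromPipeline)]$Response)
    process {
        [pscustomobject]@{
            Email       = $Response.email
            Reputation  = $Response.reputation
            Suspicious  = $Response.suspicious
            References  = $Response.references
            Blacklisted = $Response.details.blacklisted
            Spoofable   = $Response.details.spoofable
            Summary     = $Response.summary
        }
    }
}

# Constructed sample response (not real data) so the table step runs without a key.
$sample = @'
{"email":"user@example.com","reputation":"high","suspicious":false,"references":3,
 "details":{"blacklisted":false,"spoofable":true},"summary":"constructed sample"}
'@ | ConvertFrom-Json

$Table = @($sample | ConvertTo-AuditRow)
# Live run: $Table = $EmailList | ForEach-Object { Get-EmailRep $_ | ConvertTo-AuditRow }

$Body = $Table | ConvertTo-Html -Fragment | Out-String   # HTML table for the email body
$Table | Format-Table -AutoSize
```

Because a failed lookup becomes a row rather than being dropped, a revoked key or a rate limit shows up in the emailed report instead of silently shrinking it.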