O365 Get Mail Query Fault

Background:
My organization has a process that goes out to various mailboxes and extracts attached files from them based on various properties such as sender, subject, body, and has attachments. We have an API set up using Azure that allows us to connect to them, and everything has been working well up until a security update a few days ago. After said update, the body of external emails now contain a message stating it is from an external sender with a button to report it as suspicious. From what I can tell, this button probably does some sort of API post, but the URL must contain an escape character or something that is causing the reading of email bodies to get messed up.

This is the query I am using:
“(contains(body/content,‘Please see backup attached.’) and (hasAttachments eq true))”

Here is an example of the JSON email body returned by the API without the security message:
Body=“Please see backup attached. This rebate will be processed as usual, either as an A/P deduction or your payment. We greatly appreciate your prompt review and notification of concerns. All disputes and/or requests for information can be forwarded to my email address within 60 days of rebate period.”

This is an example of the json email body after the security update:
Body=@"Please see backup attached. Employee Name Specialist,
Senior Product FoodCompany,
Inc. Work: xxx-xxx-xxxx ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍
***********BannerStart
This Message Is From an External Sender
This message came from outside your organization.
https://us-phishalarm-ewt.proofpoint.com****************************$
Report Suspicious

***************BannerEnd

Please see backup attached.

Employee Name
Specialist,
Senior Product
Food Company,
Inc.
Work: xxx-xxx-xxxx

"
Issue:
The body filter no longer works. I think it may be due to the “@” symbol being added to the body results before the string. I assume it is being added to make it a verbatim string probably because of an escape character now present in the body. If you look at the new query results it says Body=@“String…” Even if I try to pass an empty string into the body filter it does not work.

Question:
Any experts out there know a way around this or a possible solution?

We are having this exact same problem. I do not believe it’s a UiPath issue, I think something changed on the Office 365 end.

Do you have any info on the security update? Could it be that it was actually a ProofPoint update?

I don’t have any further information on ProofPoint, but I’m going to try to escalate it tomorrow to get our Azure team and security team involved.

We run extraction on about 30 mailboxes, for some reason not all of the mailboxes have the security message about it coming from an external source even though they are coming from sources outside of our domain. Those without the message work fine when filtering based on what the body contains. I had not considered it, but is very possible it is an that ties back to ProofPoint and that some domains are marked as trusted.

Ours have always had the “external email” warning. I suspect there was an update to the 360 environment that has somehow broken body/content filters. If we take that part of the filter out, it works fine. It’s only emails since this past weekend that it won’t find. The body/content filter still finds older emails.

Suddenly this morning our automation is able to find the emails again. Anything change on your end?

We pulled security in and they said they didn’t make any updates. Went to get some more examples an hour ago and noticed while testing that it was working again. Do you think it was something on the Azure side?

It’s my usual suspicion that Microsoft broke something in an update and then quietly fixed it in a subsequent update.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.