Generally, in Outlook, messages can be encrypted with either S/MIME encryption or Microsoft 365 Message Encryption (IRM).
In order to identify and filter messages encrypted with either of the above two methods, I analyzed the internet message headers and Microsoft Graph API values of those encrypted message samples and found no clue for considering a message to be encrypted/signed. But I found something in common in the Graph API response: each of these messages contains an attachment that is not attached by the sender in the email body.
Common cases found in mails encrypted/signed in different ways, based on analyzing sample mails:
MIME signed messages contain an attachment with name: "smime.p7m" & content type: "multipart/signed"
MIME encrypted messages contain an attachment with name: "smime.p7m" & content type: "application/pkcs7-mime"
IRM encrypted messages contain an attachment with name: "message.rpmsg" or "message_v2.rpmsg" & content type: "application/x-microsoft-rpmsg-message"
However, I feel this is insufficient for me to recognize an encrypted/signed mail, as it is completely based on assumptions from common cases found in some sample encrypted/signed mails and on this ten-year-old stack question, check-if-a-outlook-mail-msg-is-digitaly-signed-or-encrypted, which describes a similar case with an additional set of assumptions.
It would be helpful if one of you could guide me by suggesting any other valid approach to handle this or anything that I missed to try out or to proceed with the collected details.
Thanks in advance ;)
You will need to request the PR_MESSAGE_CLASS MAPI property (0x001A001F). It will be "IPM.Note.SMIME.MultipartSigned" for the signed messages or "IPM.NOTE.SMIME" for the encrypted messages (or just check if it ends in ".SMIME").
Use "expand=singleValueExtendedProperties($filter=id eq 'String 0x001A')" when retrieving the message in Graph.