Purge an email that has been delivered to users’ mailboxes

The problem:

Recently a client was under a phishing email attack. To be more precise, an external sender using a single address (for example xxxx@hotmail.com) managed to send about 500 emails to our corporate users in just 5 hours. The emails landed late at night and we did not want users reading them in the morning, so we needed a solution urgently. For those wondering: yes, we do have anti-spam policies and filtering enabled, but because the email carried no link or attachment and only asked the user to reply, there was nothing for the filters to flag and it passed through them.

The solution:

We used a compliance (eDiscovery) search and soft deleted the email from the users’ mailboxes. Before you begin, make sure you are a Global admin or you have:

• the Compliance Search role (to search for those emails), assigned for example through the Compliance Administrator or eDiscovery Manager role group

• the Organization Management role group (to delete them); the underlying permission is the Search And Purge role, which that group holds

More info on how to assign those roles can be found here

1. Use PowerShell to connect to Security & Compliance PowerShell (the compliance search cmdlets live there, not in the regular Exchange Online session)

If you haven’t used the module before, install it once and then import it:

Install-Module ExchangeOnlineManagement

Import-Module ExchangeOnlineManagement

Secondly, connect with your admin account:

Connect-IPPSSession -UserPrincipalName <your admin UPN>

2. Then create a new compliance search that covers every user’s mailbox:

New-ComplianceSearch -Name "Remove Phishing" -ExchangeLocation all -ContentMatchQuery 'from:xxxxx@hotmail.com'

Next, start the search we created in the previous step:

Start-ComplianceSearch -Identity "Remove Phishing"

At this step we have to wait for a while (at least 10 minutes). To see the results just type

Get-ComplianceSearch -Identity "Remove Phishing" | Format-List

Wait until Status shows Completed, then check the Items count and the per-mailbox breakdown in SuccessResults before deleting anything. If the query is too broad (a sender address that also sends legitimate mail, for example), tighten it with a received date range or a subject before moving on, because the purge in the next step acts on whatever the search matched.

3. Soft delete the messages that have been found

Soft deleting means the messages are moved to the Recoverable Items folder of each mailbox (they disappear from the Inbox, but a user can still restore them with Recover Deleted Items until the deleted item retention period expires). If you want them gone for good, use -PurgeType HardDelete instead. To proceed with the soft delete:

New-ComplianceSearchAction -SearchName "Remove Phishing" -Purge -PurgeType SoftDelete

You will notice that, as a result, an action is created with the name “Remove Phishing_Purge”. Wait a few more minutes and run the following command to see whether the deletion has taken place:

Get-ComplianceSearchAction -Identity "Remove Phishing_Purge"

When Status shows Completed, check the Results field for the item count per mailbox: if it matches what the search reported, you have made it!

Keep in mind that a purge action removes at most 10 items per mailbox. If some users received more than 10 copies of the phishing email, you have to delete the existing “Remove Phishing_Purge” action and run the purge again until nothing is left.

On the other hand, if you are receiving an error, please go and check your O365 admin roles.
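The three steps above, put together as one script: this is an added example, not code from the original post. It assumes the ExchangeOnlineManagement module is already installed, that the account used has the roles listed at the top of the post, and that the admin UPN, the phishing sender and the start date are placeholders you replace with your own values. It adds what the manual steps leave to the operator: polling the search and the purge action until they complete, showing the per-mailbox hit counts, asking for confirmation before anything is deleted, and warning when a mailbox holds more than the 10 items a single purge action can remove.

```powershell
# Added example (not from the original post). Assumptions: module installed,
# Compliance Search + Search And Purge (Organization Management) roles held,
# and the three values below are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName "admin@contoso.onmicrosoft.com"   # placeholder UPN

$SearchName = "Remove Phishing"
$Sender     = "xxxxx@hotmail.com"   # the phishing sender address
$Since      = "2024-01-01"          # placeholder: first day of the attack, keeps the query narrow

# KQL query: mail from that sender, received on or after the attack started
$Query = "from:$Sender AND received>=$Since"

# Polls a status-returning scriptblock until it says Completed or the timeout passes.
function Wait-Completed {
    param([scriptblock]$GetStatus, [int]$TimeoutMinutes = 30)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 30
        $status = & $GetStatus
        Write-Host "  status: $status"
    } while ($status -ne "Completed" -and (Get-Date) -lt $deadline)
    if ($status -ne "Completed") { throw "Timed out, last status: $status" }
}

# Step 2: create the search across all mailboxes (reuse it if it already exists) and run it
if (-not (Get-ComplianceSearch -Identity $SearchName -ErrorAction SilentlyContinue)) {
    New-ComplianceSearch -Name $SearchName -ExchangeLocation All -ContentMatchQuery $Query | Out-Null
}
Start-ComplianceSearch -Identity $SearchName
Wait-Completed { (Get-ComplianceSearch -Identity $SearchName).Status }

$search = Get-ComplianceSearch -Identity $SearchName
Write-Host "Matched $($search.Items) item(s) in total"
Write-Host $search.SuccessResults          # per-mailbox breakdown: read it before deleting
if ($search.Items -eq 0) { Write-Host "Nothing to purge"; return }

# A purge action removes at most 10 items per mailbox, so flag mailboxes above that.
$perMailbox = [regex]::Matches($search.SuccessResults, 'Item count: (\d+)') |
    ForEach-Object { [int]$_.Groups[1].Value }
$maxPerMailbox = ($perMailbox | Measure-Object -Maximum).Maximum
if ($maxPerMailbox -gt 10) {
    Write-Warning "At least one mailbox has $maxPerMailbox hits; one purge removes only 10 per mailbox. Re-run the purge afterwards."
}

# Safety gate: the purge acts on everything the search matched.
$answer = Read-Host "Soft delete these items from all mailboxes? (type yes to continue)"
if ($answer -ne "yes") { throw "Aborted by operator" }

# Step 3: a previous "<name>_Purge" action blocks a new one, so remove it first
$ActionName = "${SearchName}_Purge"
if (Get-ComplianceSearchAction -Identity $ActionName -ErrorAction SilentlyContinue) {
    Remove-ComplianceSearchAction -Identity $ActionName -Confirm:$false
}
New-ComplianceSearchAction -SearchName $SearchName -Purge -PurgeType SoftDelete -Confirm:$false | Out-Null
Wait-Completed { (Get-ComplianceSearchAction -Identity $ActionName).Status }

# Results lists, per mailbox, how many items the purge removed
Write-Host (Get-ComplianceSearchAction -Identity $ActionName).Results
```

Run it from an elevated-privilege admin workstation, not a shared box: the session it opens can delete mail from every mailbox in the tenant. If the warning about more than 10 hits per mailbox appears, run the purge part (removal of the old action, New-ComplianceSearchAction, wait) again until the Results field reports no further items.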