I recently had a need to delete a phishing email that had slipped through my emailing filter solution. Manually deleting the email from hundreds of mailboxes wouldn’t have been fun or quick so I can came up the below solution.
The Office 365 Content Search feature can be used to search Exchange, Skype and SharePoint amongst other things. In my case I wanted to search and delete all exchange email delivered after a certain date with a specific keyword in the subject.
Step 1: Creating the Content Search Rule
- Head over to https://protection.office.com
- Expand Search & Investigation => Content Search and click the plus icon to create a “New Search” rule
Search Query Section – Where we define what email(s) we want to delete
- In the “Search query” section click the “Add conditions” button (you may have to scroll down)
- Add the condition(s) relevant to what you are searching for. In my case emails which contain the string “DocuSign” in the subject that were received after a certain date.
Locations Section – We only want to search Exchange
- Under the Location section select “Specific Locations” and click the “Modify” button
- Only enable the Exchange section.
- Click Save in the Modify Locations section
Finishing the Rule
- Click “Save & Run” on the New search section
- Give the rule a name and a description if desired and click Save
- At this point the search will run. It is very important you take a good look to confirm only the email(s) you want to delete are returned.
Step 2: Deleting the matched emails via PowerShell
1. Connecting to the Security and Compliance Center
$UserCredential = Get-Credential $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection Import-PSSession $Session
2. Deleting the emails matching the Content Search rule
New-ComplianceSearchAction -SearchName "RuleName" -Purge -PurgeType SoftDelete
Step 3: Checking the Status
Using the below command you can get a summary of the status of the action;
Or you can get a detailed output for the action using the below;
Get-ComplianceSearchAction -Identity "RuleName_Purge" | Format-List
- 28/08/2018 – If you get the message ““Purge does not support the SharePoint or OneDrive workload.” when running the PowerShell it is because you location in section 1 is set to more than just Exchange. Thanks Chris!
- 28/08/2018 – If you run the search again and still see the email(s) present, don’t worry this is expected. The PowerShell moves the email(s) into the Deleted Items folder (in recoverable items). Thanks Briangig!