365 Deleting malicious email using the admin console

We all get those forwarded emails that made it into Office 365 that hopefully an end user asks “is this legit” or “this looks fake”. Unfortunately, filtering can only do so much. This article will review how to quickly purge those emails a thread a time from your Office 365 exchange environment and thus your end users outlook. Preventing that user that doesn’t ask and always clicks first and asks later from doing harm.

IMPORTANT NOTE: If your query legitimate or not contains more than 10 emails per mailbox or more that 50,000 mailboxes this will not work as you may have intended. If you have more than 10 it may only delete the first 10 it finds per mailbox. If you run it over and over again it still won’t remove any more. This tool is ONLY for surgical removal of a single email blast.

First we need to create a content search:

Open Office365 using Microsoft Edge logon as an Administrator and Open “Security and Compliance” console:

image or image

Drill down to “Search and Investigations” and “Content search” as shown below:

image

Click on the + to add a new search, Name the search and specify locations to search and click “Next” as shown below:

image

Now put in your search keywords and or any conditions. CAUTION! If you put in something too short or vague and don’t qualify it with a condition, you may get more results than you intended. I used the path to the phishing link as my keyword, but I made an intentional mistake for your benefit.

image

Note: you can change the conditions as needed if you don’t get the results intended.

Once you click “Search” it will begin immediately searching your “indexed” database:

image

Note: Indexed means email and data it can scan and index. It may skip attachments or larger email threads.

To the right you will see the search results. As you can see below my search grabbed all the wrong data. To view what emails it found you can “preview search results”:

image

The reason the query grabbed too much is because I had https:// in front of my keyword search. Once I modified that to only “nathatransport.co.th” and reran the Search it found the following 2 items I intended it to find:

image

Reminder: If your query legitimate or not contains more than 10 emails per mailbox or more that 50,000 mailboxes this will not work! If you have more than 10 it may only delete the first 10 it finds. If you run it over and over again it still won’t remove any more. This tool is ONLY for surgical removal of a single email blast.

Clean using search results:

Now that you have your search results we can now run the Powershell commands to access those results and purge those emails.

First you need to connect to the 365 Exchange server with Powershell as an Administrator and run the following commands:

Create a Powershell script and call it 365SCC.ps1 copy in the following commands and run it, or run the following commands individually:

Set-ExecutionPolicy RemoteSigned


$UserCredential = Get-Credential


$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic –AllowRedirection

Import-PSSession $Session -AllowClobber -DisableNameChecking

$Host.UI.RawUI.WindowTitle = $UserCredential.UserName + " (Office 365 Security & Compliance Center)"

image

Now you run the deletion command separately:

New-ComplianceSearchAction -SearchName "Insert Name Here" -Purge -PurgeType SoftDelete

image

A few minutes later to Confirm the email “soft” deleted. I opened up my test mailbox and went to deleted items. The email will not show there since it was “Soft Deleted” so click on “Recover deleted items” as shown below:

image

Now you can see the email is in the Deleted Items recovery bin which it will remain for the standard Deleted Items Retention policy timeframe (typically 30 days) before full deletion.

image

Note: If you run the Query again, those email will still be listed as the query will still find them in deleted items recovery bin until hard deletion happens.

Congratulations you now know how to surgically clean malicious email from your Exchange 365 environment.

If you need scripts to purge more than 10 items per mailbox or 50,000 mailboxes that may become available in future releases of this tool from Microsoft.

Comments

Post a Comment

Popular posts from this blog

Office 365 Deployment Tool Office Download fails “Could not Install”

Image
Problem: you run the setup.exe /download download.xml and fails immediately with “Couldn’t install” You make sure all the settings are correct (see other blogs) and find nothing wrong Solution: Change drives and run it as an administrator again. For example above i am in the F:\OfficeDeploy directory which is the same directory I have the download.xml directing the download to. If i Change to the c: and run the same command again it works The Office Data folder was created and updated as shown below:
Read more

FRS to DFSR Post Cleanup “File Replication NtFrs Stopped”

Image
After successfully migrating from FRS to DFSR you get the File Replication NtFrs service is Stopped error on the local servers AD DS Services list. In the Event logs you may see Event id 13575 13577. You can confirm your migration completed by opening a cmd prompt as administrator and typing in: dfsrmig /getmigrationstate After your migration to DFSR is completed and you have given your servers ample time to propagate this service is no longer required. Since it is set to “Automatic”, as shown below” it shows in logs as a false positive error. Edit the File Replication Service and change it to “Disabled”, as shown below: Once it is listed as “Disabled” it will no longer show in the Console as an “error” Note : it may take some time to clear from the active view
Read more

Domain Migration SubinACL /Migratetodomain How To:

Caution : DO NOT run this on Domain Controller C:\ and only run on roaming profiles folders, or my docs shares day of migration to avoid ownership change issues. Confirm Domain trust is in place and users and groups have been migrated Test ping of olddomain.org from new domain Test ping of newdomain.org from olddomain Add newdomain.org domain controller host records to olddomain.org including reverse DNS records Confirm the user running the app is a domain admin in BOTH domains Download SubinACL here: http://www.microsoft.com/en-us/download/details.aspx?id=23510 /Migratetodomain- command will add the permissions of the new user to the old files and folders for example if jimbob@olddomain.org was migrated to the new domain jimbob@newdomain.org and you run the command below any file or folder in that path that has jimbob@olddomain.org will add Jimbob@newdomain.org with the exact same permissions. This is a safer way to migrate by keeping the old and new permissions intact while a
Read more