Question
Monday, October 17, 2016 2:04 PM
I manage several thousand Office 365 mailboxes and need to remove hundreds of instances of a recently received phishing email. I think I need to create a mailbox content search in the O365 UI, and then use PowerShell to do the actual cleanup, but I'm not sure how to do either. Does anyone have detailed steps for removing a phishing email from a large number of O365 mailboxes?
All replies (3)
Monday, October 17, 2016 8:33 PM ✅Answered
I believe I have found my answer:
1. First, I need to create a search in https://protection.office.com -> Search & investigation -> Content Search
2. I then use PowerShell to connect to protection.office.com:
# Get login credentials
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session -AllowClobber -DisableNameChecking
$Host.UI.RawUI.WindowTitle = $UserCredential.UserName + " (Office 365 Security & Compliance Center)"
3. Third, delete the message with this PoSh command:
New-ComplianceSearchAction -SearchName "Remove Phishing Message" -Purge -PurgeType SoftDelete
This is documented here: https://support.office.com/en-us/article/Search-for-and-delete-email-messages-in-your-Office-365-organization-3526fd06-b45f-445b-aed4-5ebd37b3762a
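The three steps in the answer above can also be run end to end from PowerShell, with the content search created by cmdlet instead of in the UI and the hit count reviewed before anything is purged. This is an added example, not part of the original answer; the subject, sender and date in the query are constructed placeholders, and it assumes the session from step 2 is already imported.

```powershell
# Assumes the Security & Compliance Center session from step 2 is already imported.
# The query values are constructed placeholders; replace them with the real message's details.
$SearchName = 'Remove Phishing Message'
$Query = 'subject:"Invoice overdue" AND from:billing@example.invalid AND received>=2016-10-14'

# Step 1 without the UI: define the content search across all mailboxes and start it.
New-ComplianceSearch -Name $SearchName -ExchangeLocation All -ContentMatchQuery $Query | Out-Null
Start-ComplianceSearch -Identity $SearchName

# Wait for the search to finish before acting on it.
do {
    Start-Sleep -Seconds 15
    $Search = Get-ComplianceSearch -Identity $SearchName
} while ($Search.Status -ne 'Completed')

# Review the hit count first: a query that is too broad will purge legitimate mail.
Write-Host "$($Search.Items) item(s) matched query: $Query"
if ($Search.Items -eq 0) {
    Write-Warning 'No matches; nothing to purge.'
    return
}

# Step 3: soft-delete the matches. -Confirm:$false is deliberately omitted so the cmdlet prompts.
# A purge removes at most 10 matching items per mailbox, so rerun it if a mailbox holds more.
New-ComplianceSearchAction -SearchName $SearchName -Purge -PurgeType SoftDelete

# The purge runs as its own action named "<search name>_Purge"; poll it for the outcome.
do {
    Start-Sleep -Seconds 15
    $Action = Get-ComplianceSearchAction -Identity "${SearchName}_Purge"
} while ($Action.Status -ne 'Completed')
$Action | Format-List Name, Status, Results
```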
Wednesday, July 5, 2017 11:53 AM
Hello Bane,
The above process removes the spam emails and keeps the email available for end users to recover from the Recoverable Items folder. Do we have any option to remove those emails from the Recoverable Items folder as well, with the same process, by tweaking any PowerShell commands?
Regards
VB
Wednesday, September 25, 2019 3:26 PM
For anyone with E5 or an ATP subscription, you can also do this in the GUI:
Find and delete suspicious email that was delivered
Mike Crowley
My Blog | MikeCrowley.US
Baseline Technologies | Baseline.Consulting
“Being ignorant is not so much a shame, as being unwilling to learn”
-Ben Franklin