Did your users receive a phishing or spam blast? You have to act quickly and stop users from reading those emails or clicking the links in them, to limit the damage they can do to your organization.
One way to address this situation is to run a content search in Office 365. The Office 365 content search crawls specific or all mailboxes and looks for messages matching your search parameters. Usually, the email’s subject line is a good starting point.
Stay tuned, and we’ll explore how to effectively search for and destroy those emails using the Office 365 content search.
Requirements
- Your Office 365 admin account must have the following permissions or roles:
- The Exchange Online Management v2 or v3 module is installed on your computer.
Step 1: Gather the Email Information
Before running a search, you must know the parameters of the search, and the best way to get those details is a copy of the email itself. For example, the below image shows an example of a phishing email.
According to the sample email, we can gather the following information.
- Email Date
- Email Subject
- Sender Address
- Recipient Addresses
In reality, you can use every part of an email to create a search parameter, including the message headers and body. But in most cases, the above pieces of information would be sufficient.
Step 2: Create an Office 365 Content Search
Now that you have the information from the email sample, it’s time to formulate and run the search query.
But first, let’s connect to the Security and Compliance PowerShell.
Connect-IPPSSession -UserPrincipalName <user principal name>
According to the email data, we can use the following Office 365 content search keyword examples.
- Subject: [IMPORTANT] You must change your online banking password now!
- Date: January 25, 2023
The cmdlet we’ll use to run the content search is New-ComplianceSearch. In this example, we’ll use three parameters to define the search.
- Name — This will be the name of the content search. It can be any name, but make sure it is identifiable.
- ExchangeLocation — This parameter accepts the identity of the Exchange mailboxes or groups to search. To cover every mailbox, we’ll specify All.
- ContentMatchQuery — This parameter is where you define the search query. The query follows the Keyword Query Language (KQL) syntax.
To put these all together, here’s the resulting command:
Note. The date format follows the MM/DD/YYYY notation.
New-ComplianceSearch `
    -Name phish001 `
    -ExchangeLocation All `
    -ContentMatchQuery 'subject:"[IMPORTANT] You must change your online banking password now!" AND sent:01/25/2023'
After running the above command, you’ll see a similar result showing the content search status. By default, the search does not run automatically.
To start the search, run this command.
Start-ComplianceSearch -Identity phish001
Next, monitor whether the Office 365 content search has finished running by running the command below. Depending on the number of mailboxes, the search operation could take anywhere from several minutes to hours.
Get-ComplianceSearch -Identity phish001
The result below shows that the Office 365 content search has been completed.
To get the number of items found, run this command.
Get-ComplianceSearch -Identity phish001 | Select-Object Items,Size
You can see how many emails matched the search query and the total size.
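The create, start and monitor steps above, wrapped into one function as an added example (this is not code from the original article). It assumes an existing Connect-IPPSSession session, uses the article’s sample name, subject and date, and the attempt limit is an arbitrary choice to avoid polling forever.

```powershell
# Added example, not from the original article: create, start and wait for an
# Office 365 content search, then return the item count and total size.
function Invoke-PhishContentSearch {
    param(
        [Parameter(Mandatory)] [string]   $Name,
        [Parameter(Mandatory)] [string]   $Subject,
        [Parameter(Mandatory)] [datetime] $SentOn,
        [int] $PollSeconds = 30,
        [int] $MaxAttempts = 120      # arbitrary cap: 120 x 30 s = 1 hour
    )

    # Build the KQL query. Quoting the subject makes it a phrase match, and the
    # slashes in the sent: date are escaped so every culture emits MM/DD/YYYY.
    $dateText = $SentOn.ToString('MM\/dd\/yyyy')
    $query    = 'subject:"{0}" AND sent:{1}' -f $Subject, $dateText

    # Reuse the search if it already exists, otherwise create it.
    $search = Get-ComplianceSearch -Identity $Name -ErrorAction SilentlyContinue
    if (-not $search) {
        $search = New-ComplianceSearch -Name $Name -ExchangeLocation All -ContentMatchQuery $query
    }

    # The search does not run on creation; start it and poll until Completed.
    Start-ComplianceSearch -Identity $Name
    $attempt = 0
    do {
        Start-Sleep -Seconds $PollSeconds
        $search = Get-ComplianceSearch -Identity $Name
        Write-Verbose ("{0}: {1}" -f $Name, $search.Status)
        $attempt++
    } until ($search.Status -eq 'Completed' -or $attempt -ge $MaxAttempts)

    if ($search.Status -ne 'Completed') {
        Write-Warning "$Name did not complete within $MaxAttempts attempts (status: $($search.Status))"
    }

    # Return just what you need to decide whether to preview and purge.
    [pscustomobject]@{
        Name  = $search.Name
        Query = $search.ContentMatchQuery
        Items = $search.Items
        Size  = $search.Size
    }
}

Invoke-PhishContentSearch -Name phish001 `
    -Subject '[IMPORTANT] You must change your online banking password now!' `
    -SentOn ([datetime]'2023-01-25') -Verbose
```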
Step 3: Preview the Office 365 Content Search Results
Note. This step is optional and can be skipped if you’re not interested in previewing the search results.
Before deleting the emails matching the search query, it is good practice to preview the results first. This way, you can be certain that the results are accurate and you’ll be deleting the correct messages.
To preview the result, we’ll create a new compliance search action to generate a preview.
New-ComplianceSearchAction -SearchName phish001 -Preview
The above command automatically assigns a name to the search action. The default is <searchname>_Preview.
Now, let’s see if the preview has been generated.
Get-ComplianceSearchAction -Identity phish001_Preview
According to the below screenshot, the preview is now completed.
So how do we see the results preview? We can run the same command as above but return only the Results property.
(Get-ComplianceSearchAction phish001_Preview).results
As you can see below, the output is hard to read. Unfortunately, there’s no built-in way to manipulate this preview format to make it more understandable.
What we can do is a quick and dirty workaround by doing some PowerShell string replace and split operations.
(Get-ComplianceSearchAction phish001_Preview).results `
    -replace '{', '' -replace '}', '' -replace '; ', ';' -split ',' |
    ForEach-Object { $_ -replace ';', "`n" }
And the preview is now better.
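A slightly more robust take on the same workaround, as an added example that is not part of the original article: instead of splitting the Results string into lines, it turns each {...} item into an object you can filter, sort or export. The sample string is constructed here to follow the "{Key: Value; Key: Value},{...}" layout the one-liner above relies on; real output carries more fields.

```powershell
# Added example, not from the original article: parse a preview action's
# Results string into PowerShell objects.
function ConvertFrom-PreviewResult {
    param([Parameter(Mandatory)] [string] $Results)

    # Match each {...} item as a whole, so a comma inside a subject line does
    # not split one item into two the way a plain -split ',' would.
    foreach ($m in [regex]::Matches($Results, '(?s)\{(.*?)\}')) {
        $row = [ordered]@{}
        # Fields are "Key: Value" pairs separated by "; ". Split on the first
        # ": " only, because values such as Received Time contain colons too.
        foreach ($field in ($m.Groups[1].Value -split '; ')) {
            $key, $value = $field -split ': ', 2
            if ($key) { $row[$key.Trim()] = $value }
        }
        [pscustomobject]$row
    }
}

# Constructed sample in the preview layout; not real search output.
$sample = '{Location: alice@contoso.example; Sender: alerts@bank-notice.example; ' +
          'Subject: [IMPORTANT] You must change your online banking password now!; ' +
          'Type: Email; Size: 48213; Received Time: 1/25/2023 9:14:02 AM},' +
          '{Location: bob@contoso.example; Sender: alerts@bank-notice.example; ' +
          'Subject: [IMPORTANT] You must change your online banking password now!; ' +
          'Type: Email; Size: 48197; Received Time: 1/25/2023 9:14:05 AM}'

$items = ConvertFrom-PreviewResult -Results $sample
$items | Format-Table Location, Sender, Subject, 'Received Time' -AutoSize

# Against a live search, feed the action's Results property instead:
# ConvertFrom-PreviewResult -Results (Get-ComplianceSearchAction phish001_Preview).Results
```

Like the one-liner, this assumes no field value contains "; "; a subject that does will still be cut short at that point.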
Step 4: Delete Messages from the Office 365 Content Search Results
Once you are satisfied with the Office 365 content search result, it’s time to issue an action to purge these emails.
To do that, we’ll create another compliance search action using the Purge and PurgeType parameters. The Purge parameter indicates that the action is to purge the messages.
The PurgeType parameter accepts two possible values:
- SoftDelete — The purged items remain recoverable by the users (they go to the Recoverable Items folder).
- HardDelete — The purged items will be marked for permanent removal. The actual removal happens during the next run of the Managed Folder Assistant.
Which purge type you choose is entirely your decision. In this example, let’s use SoftDelete to be on the safe side.
New-ComplianceSearchAction -SearchName phish001 -Purge -PurgeType SoftDelete
Then use Get-ComplianceSearchAction, as in the preview step, to monitor the purge action and confirm that the purge operation has completed.
Limitations of the Purge
Here are the documented limitations of purging items using the Office 365 content search.
- Only 10 items per mailbox can be purged at one time. If more than 10 items in a mailbox match the search, you must run multiple purge operations until all items are removed.
- A single content search purge operation can only remove items from 50,000 mailboxes simultaneously. If more than 50,000 mailboxes are affected, you will need to run multiple Office 365 content searches to cover them.
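An added example (not code from the original article) that works within the 10-items-per-mailbox limit: it counts matching items per mailbox from the preview action’s Results, derives how many purge rounds that needs, and runs them one after another. It assumes the default action names <searchname>_Preview and <searchname>_Purge, that a previous purge action must be removed before a new one of the same name is created, and an existing Connect-IPPSSession session.

```powershell
# Added example, not from the original article: size the purge to the
# documented limit of 10 items per mailbox per purge action.
function Invoke-PurgeRounds {
    param(
        [Parameter(Mandatory)] [string] $SearchName,
        [ValidateSet('SoftDelete', 'HardDelete')] [string] $PurgeType = 'SoftDelete',
        [int] $PollSeconds = 30
    )
    $perPurgeLimit = 10   # documented limit: 10 items per mailbox per purge

    # Each preview item carries "Location: <mailbox>"; count items per mailbox.
    $results = (Get-ComplianceSearchAction -Identity "${SearchName}_Preview").Results
    if (-not $results) { Write-Warning "No preview results for $SearchName"; return }
    $perBox   = [regex]::Matches($results, 'Location: ([^;]+);') |
                ForEach-Object { $_.Groups[1].Value } | Group-Object
    $maxItems = ($perBox | Measure-Object -Property Count -Maximum).Maximum
    # If the preview does not list every match, treat this as a minimum.
    $rounds   = [math]::Ceiling($maxItems / $perPurgeLimit)
    Write-Host "$(@($perBox).Count) mailbox(es), up to $maxItems item(s) each: $rounds purge round(s)"

    $actionName = "${SearchName}_Purge"
    for ($round = 1; $round -le $rounds; $round++) {
        # The purge action gets the same name every time, so clear the old one.
        if (Get-ComplianceSearchAction -Identity $actionName -ErrorAction SilentlyContinue) {
            Remove-ComplianceSearchAction -Identity $actionName -Confirm:$false
        }
        New-ComplianceSearchAction -SearchName $SearchName -Purge -PurgeType $PurgeType | Out-Null

        # Wait for this round to finish before starting the next.
        do {
            Start-Sleep -Seconds $PollSeconds
            $action = Get-ComplianceSearchAction -Identity $actionName
        } until ($action.Status -eq 'Completed')
        Write-Host "Round $round of ${rounds}: purge action completed"
    }
}

Invoke-PurgeRounds -SearchName phish001 -PurgeType SoftDelete
```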
Conclusion
Despite its limitations, the content search is an effective and quick way in Office 365 to remove email from all mailboxes. Just be careful when formulating the search query to ensure that you don’t delete the wrong emails, especially when doing a hard delete.
1 comment
Very helpful guide – is there a way to get exact matches on subject lines –
eg: I want to delete subject:”abcde” but not delete “abcdef” or “abcde123” – ideally without adding exclusions.