Search and Delete Email Messages in Microsoft 365
Every Microsoft 365 organization faces a surge in receiving phishing emails, malicious attachments, emails from suspicious senders, etc. As technology grows rapidly, intruders easily make Microsoft 365 users fall for their attacks using tricky methods. So, it is essential for admins to search for email messages in the Microsoft 365 organization. It helps them to identify spam & phishing emails, messages with sensitive content, and dangerous attachments, and delete them to enhance the Microsoft 365 security.
Let’s dive deep into how to find out high-risk mailbox contents and delete them efficiently.
As an admin, you need to periodically monitor malicious emails and delete them from all Office 365 mailboxes to avoid unwanted miseries. You can use the Content search feature to find email messages and delete them. Explore the prerequisites and how to search for and delete content using PowerShell below.
Before you begin, you should verify that you have the below-required permission to do the actions.
- To create and run a Content search, you must be assigned the eDiscovery Manager role or the Compliance Search role in the Microsoft Purview compliance portal.
- To delete messages in Microsoft 365, you must be a member of the Organization Management role group or Search And Purge role in the compliance portal.
Before creating a search, you must connect to Security & Compliance PowerShell.
- To create and run a Content search to find the email messages, you can use the New-ComplianceSearch and Start-ComplianceSearch cmdlets as given below.
New-ComplianceSearch –Name <search name> -ExchangeLocation <mailbox UPN> -ContentMatchQuery ‘<Query>’
You can provide a name for the search and replace <mailbox UPN> with the respective mailbox address or distribution group name. You can give your required KQL queries by replacing <Query>.
- To start the compliance searches that are stopped, completed, or not yet started, you can use the below cmdlet.
Start-ComplianceSearch –Identity “<Name_of_the_Content_Search>”
You can provide the respective name of the content search in the ‘Identity’ parameter.
- To view the search details like job status, end time, and who run the search, execute the below cmdlet.
Get-ComplianceSearch –Identity “<Name_of_the_Content_Search>”
You will see an output like below.
You can also do a content search using the Microsoft Purview portal, by navigating to Microsoft Purview–>Content search under Solutions.
You may have many requirements for deleting email messages in your Microsoft 365 organization like deleting spam, phishing emails, messages received from specific senders, emails with sensitive content, etc. Let’s explore the various cases covered in this blog that fulfill all your requirements efficiently.
- Delete Specific Emails from All Exchange Mailboxes
- Delete Specific Emails from Specific Exchange Mailboxes
- Delete Emails with Dangerous Attachments from Specific Exchange Mailboxes
- Delete Phishing Messages from Specific Exchange Mailboxes
- Delete Messages Contains Sensitive Data from Specific Exchange Mailboxes
- Purge Email Messages Received from Specific Senders in Microsoft 365
- Purge Emails from Mailboxes Received on Specific Time Period
Imagine you want to search and delete email messages received with the subject ‘Project X’. To soft delete email messages from all Exchange mailboxes received with the above subject, you can run the below cmdlet.
$Search=New-ComplianceSearch –Name “Remove Specific Emails” -ExchangeLocation All –ContentMatchQuery ‘(Subject: “Project X”)’ Start-ComplianceSearch –Identity $Search.Identity New-ComplianceSearchAction –SearchName “Remove Specific Emails” -Purge –PurgeType SoftDelete
If you want to hard delete the email messages, you can replace SoftDelete with HardDelete in the ‘PurgeType’ parameter.
Note: If messages are hard deleted, they will be moved to the purges folder and can’t be accessed by the user. It will be retained until the retention period. If messages are soft deleted, they will be moved to the Deletions folder in the user’s Recoverable Items folder. The user can recover these messages if required.
Consider you want to delete email messages with the same conditions provided in Case 1 but only from specific mailboxes. To do this, you can run the below cmdlet.
$Search=New-ComplianceSearch –Name “Remove Specific Emails” -ExchangeLocation <mailbox UPN> –ContentMatchQuery ‘(Subject: “Project X”)’ Start-ComplianceSearch –Identity $Search.Identity
You can replace the mailbox UPN with the respective mailbox address or distribution list name.
New-ComplianceSearchAction –SearchName “Remove Specific Emails” -Purge –PurgeType SoftDelete
Note: If you want to include multiple mailboxes in ExchangeLocation parameter, you can simply list them with separation by a comma.
For example, if you want to include mailboxes X, Y, and Z for the above search, modify the ExchangeLocation parameter like below.
$Search=New-ComplianceSearch –Name “Remove Specific Emails” -ExchangeLocation [email protected],[email protected],[email protected] –ContentMatchQuery ‘(Subject: “Project X”)’
You can give the respective mailbox addresses and domain name accordingly.
If you want to delete emails with malicious attachments in Exchange mailboxes, run the cmdlet below with the attachment name.
$Search=New-ComplianceSearch –Name “Remove Malicious Attachments” -ExchangeLocation <mailbox UPN> –ContentMatchQuery ‘(attachmentNames: “annualreport.doc”)’ Start-ComplianceSearch –Identity $Search.Identity New-ComplianceSearchAction –SearchName “Remove Malicious Attachments” -Purge –PurgeType SoftDelete
Most of the phishing scams come with an attractive email subject like Action required, Final call, etc., for which users instantly fall without a second thought. To delete such messages, use the below cmdlet.
Let’s say you want to delete email messages with the subjects Action required and Final call.
$Search=New-ComplianceSearch –Name “Remove Phishing Messages” -ExchangeLocation <mailbox UPN> –ContentMatchQuery ‘(Subject: “Action required” “Final call”)’ Start-ComplianceSearch –Identity $Search.Identity New-ComplianceSearchAction –SearchName “Remove Phishing Messages” -Purge –PurgeType SoftDelete
Usually, organizations won’t prefer to send sensitive content like PAN, SSN, credit card numbers, etc., over email. To find and delete messages with sensitive contents in Exchange Online, use the below cmdlet.
$Search=New-ComplianceSearch –Name “Remove Messages with Sensitive Data” -ExchangeLocation <mailbox UPN> –ContentMatchQuery ‘(WORDS (PAN, SSN))’ Start-ComplianceSearch –Identity $Search.Identity New-ComplianceSearchAction –SearchName “Remove Messages with Sensitive Data” -Purge –PurgeType SoftDelete
The cmdlet will search for emails containing the words PAN or SSN and delete them effectively.
Tip: If users accidentally send sensitive information internally, they can utilize the message recall feature in new Outlook to delete it from the recipient mailboxes.
Admins often want to delete spam emails from specific mailboxes as most of the spam senders are well-known to them. To search and delete messages from specific senders, run the below cmdlet.
$Search=New-ComplianceSearch –Name “Remove Messages from Specific Senders” -ExchangeLocation <mailbox UPN> –ContentMatchQuery ‘(From: “[email protected]”)’ Start-ComplianceSearch –Identity $Search.Identity New-ComplianceSearchAction –SearchName “Remove Messages from Specific Senders” -Purge –PurgeType SoftDelete
Emails received from ‘[email protected]’ to the specified mailboxes are searched and deleted by the above cmdlets.
To retrieve and delete emails received on a specific period, you can run the below cmdlets.
$Search=New-ComplianceSearch –Name “Remove Messages Received in a Specific Period” -ExchangeLocation <mailbox UPN> –ContentMatchQuery ‘(Received:01/10/2024..01/31/2024)’ Start-ComplianceSearch –Identity $Search.Identity New-ComplianceSearchAction –SearchName “Remove Messages Received in a Specific Period” -Purge –PurgeType SoftDelete
After executing the cmdlets, you will receive a confirmation popup as shown below. Click on ‘Yes to All’ option for deleting messages.
- The search and purge process explained above doesn’t delete chat messages or other content from Microsoft Teams though the content search returns items from it.
- A maximum of 10 items per mailbox can be deleted at once.
- A maximum of 50,000 mailboxes can be included to search for and purge items. Searching more than that in a single search will result in search failure.
- This process is intended to delete items only in Exchange Online mailboxes and public folders. It is not intended to delete content from SharePoint or OneDrive for Business sites.
- If the content is placed on hold, after it is moved to the purges folder, it will be retained until the hold duration, or the hold is completely removed.
- Email items in a review set in an eDiscovery (Premium) case can’t be deleted by using this procedure. As they are stored in Azure Storage location, they won’t be returned by the content search.
I hope this blog provides detailed steps on searching and deleting email messages from Exchange mailboxes effectively. Drop your queries if any. Happy securing!
