Removing email from O365 Online

We ran into a bit of a problem yesterday. An employee clicked on a malicious .doc file. This in turn emailed the attachment to everyone it could from her account. For those interested, here are the VirusTotal results of that file.

To stem the bleeding, I wanted to remove that email from all the mailboxes before someone else clicked on it. You can do this via PowerShell; here are some notes on the process.

#Connect to 365 with Admin Credentials
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session

#Delegate Full Access to All Mailboxes
Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'UserMailbox')} | Add-MailboxPermission -User [email protected] -AccessRights FullAccess -InheritanceType all


# Get all messages from the sender between two dates (Message Trace)
Get-MessageTrace -SenderAddress [email protected] -StartDate "6/16/2015 15:45" -EndDate "6/16/2015 16:00" | Out-GridView

# In order to delete emails with the -DeleteContent switch, you must be assigned the Discovery Management role and Mailbox Import Export role.  By default, the Mailbox Import Export role isn’t assigned to any role group, so we’ll need to create a new group and assign our user.
#Query Discovery Management Members
Get-RoleGroupMember -Identity "Discovery Management"
#Assign Discovery Management Member
Add-RoleGroupMember -Identity "Discovery Management" -Member [email protected] tenant.onmicrosoft.com
#Create Mailbox Import Export Management Group
New-RoleGroup "Mailbox Import-Export Management" -Roles "Mailbox Import Export"
#Add User to Mailbox Import Export Management Group
Add-RoleGroupMember "Mailbox Import-Export Management" -Member [email protected]

# Search everyone's mailbox and remove the message; you'll be prompted for a folder and mailbox to send the logs to
Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery {Subject:"Confirmation of payment" AND Sent:"6/16/2015" AND From:"[email protected]"} -DeleteContent -LogLevel Full -SearchDumpster -LogOnly
Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery {Attachment:"payment_info_document.doc" AND Sent:"6/16/2015"} -DeleteContent -LogLevel Full -SearchDumpster
#Delete the message from a single user; you'll be prompted for a folder and mailbox to send the logs to
Search-Mailbox -Identity "Joe Bob" -SearchQuery {Attachment:"payment_info_document.doc" AND Sent:"6/16/2015"} -DeleteContent -LogLevel Full -SearchDumpster
#[email protected] = User’s mailbox you want to search
#SearchDumpster = Search recoverable items (Emails that were deleted from the Trash)
#*Note: If you only want to test the command and NOT copy anything, you can add the -LogOnly switch

#disconnect
Remove-PSSession $Session
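
The notes above grant FullAccess on every mailbox and two role group memberships but never take them back. The sequence below is an added example, not part of the original post: it previews the hits with `-EstimateResultOnly`, purges only the mailboxes that matched, then rolls back the elevated access. It assumes the imported session is still open (run it before `Remove-PSSession $Session`); `$Admin` is a placeholder address and `$Query`, `$Mailboxes` and `$Hits` are names chosen for this example.

```powershell
# Added example: preview, purge, then revoke the access granted for the cleanup.
# Assumes the Exchange Online session imported earlier is still open.
$Admin = 'admin@example.com'   # placeholder: the account that was given the extra rights
$Query = 'Attachment:"payment_info_document.doc" AND Sent:"6/16/2015"'
$Mailboxes = Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq 'UserMailbox'}

# 1. Preview: count matching items per mailbox; nothing is copied or deleted.
$Hits = $Mailboxes |
    Search-Mailbox -SearchQuery $Query -SearchDumpster -EstimateResultOnly |
    Where-Object { $_.ResultItemsCount -gt 0 }
$Hits | Sort-Object ResultItemsCount -Descending |
    Format-Table Identity, ResultItemsCount, ResultItemsSize -AutoSize

# 2. Purge only the mailboxes that matched, after one explicit confirmation.
$Total = ($Hits | Measure-Object -Property ResultItemsCount -Sum).Sum
$Count = @($Hits).Count
if ($Count -gt 0) {
    $Answer = Read-Host "Delete $Total item(s) from $Count mailbox(es)? [y/N]"
    if ($Answer -eq 'y') {
        foreach ($Hit in $Hits) {
            # -Force suppresses the per-mailbox prompt that -DeleteContent raises
            Search-Mailbox -Identity "$($Hit.Identity)" -SearchQuery $Query `
                -SearchDumpster -DeleteContent -Force
        }
    }
}

# 3. Roll back: remove FullAccess from every mailbox and leave both role groups.
$Mailboxes |
    Remove-MailboxPermission -User $Admin -AccessRights FullAccess `
        -InheritanceType All -Confirm:$false
Remove-RoleGroupMember -Identity 'Discovery Management' -Member $Admin -Confirm:$false
Remove-RoleGroupMember -Identity 'Mailbox Import-Export Management' -Member $Admin -Confirm:$false

# 4. Verify nothing was left behind: both queries should no longer list $Admin.
Get-RoleGroupMember -Identity 'Discovery Management'
Get-RoleGroupMember -Identity 'Mailbox Import-Export Management'
```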

http://sigkillit.com/2015/05/14/search-for-emails-in-a-365-users-mailbox/
https://messagingschool.wordpress.com/2012/01/17/error-the-property-keyword-isnt-supported-in-search-mailbox/

BBK
