How do i use Office 365 content search to remove unwanted email

Knowledge BaseCategory: QuestionsHow do i use Office 365 content search to remove unwanted email
0 Vote Up Vote Down
Andrey Staff asked 6 years ago

How do i remove phishing emails using office 365 portal and powershell?

Question Tags:
1 Answers
0 Vote Up Vote Down
Andrey Staff answered 6 years ago

                 Using Content Search to delete phishing/spam Emails from Organization

As an admin you can use the Content search located under Security & Compliance to search for and delete email message from select or all mailbox in your organization.  This is particularly useful to remove high-risk emails such as:

  • Message that contains sensitive data
  • Messages that were sent in error
  • Message that contain malware or viruses
  • Phishing message

To start the process, we begin with creating a content search:

  1. Log into your Office 365 protection center – https://protection.office.com
  2. Click on Search & investigation, then select Content search
  3. From Content search click on the “New” Icon
  4. Enter a name for this search job
  5. Select either specific mailboxes or “all mailboxes”
  6. Select “Search all sites”, public folders are an option depending on your search criteria
  7. Click Next
  8. Enter in keywords to search of leave blank to search for all content
  9. Add Conditions – In my example I am looking for a subject (ex. Microsoft account unusual sign-in activity)

  10. Click Search

The search will start and results will be displayed in the right pane.

When completed you a preview the results and export to computer as a report.

Now the you have generated a search you can move to deleting the content you had searched for.
To do this we will need to connect to the Security & Compliance Center using remote PowerShell.
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session -AllowClobber -DisableNameChecking
$Host.UI.RawUI.WindowTitle = $UserCredential.UserName + ” (Office 365 Security & Compliance Center)”

Once successful authenticated, and connected to the compliance center you can creation a new action to delete the items found in our previous search.
This is done by using the following example:
New-ComplianceSearchAction -SearchName “Phishing” -Purge -PurgeType SoftDelete

(c) 2018 aJax Technologies, Inc. All rights reserved.