Using Content Search to Delete Phishing/Spam Emails from Your Organization
As an admin, you can use the Content search located under Security & Compliance to search for and delete email messages from selected or all mailboxes in your organization. This is particularly useful to remove high-risk emails such as:
- Messages that contain sensitive data
- Messages that were sent in error
- Messages that contain malware or viruses
- Phishing messages
To start the process, we begin with creating a content search:
- Log into your Office 365 protection center – https://protection.office.com
- Click on Search & investigation, then select Content search
- From Content search click on the “New” Icon
- Enter a name for this search job
- Select either specific mailboxes or “all mailboxes”
- Select “Search all sites”, public folders are an option depending on your search criteria
- Click Next
- Enter keywords to search for, or leave blank to search for all content
- Add Conditions – In my example I am looking for a subject (ex. Microsoft account unusual sign-in activity)
- Click Search
The search will start and results will be displayed in the right pane.
When the search has completed, you can preview the results and export them to your computer as a report.
Now that you have generated a search, you can move on to deleting the content you searched for.
To do this we will need to connect to the Security & Compliance Center using remote PowerShell.
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session -AllowClobber -DisableNameChecking
$Host.UI.RawUI.WindowTitle = $UserCredential.UserName + " (Office 365 Security & Compliance Center)"
Once successfully authenticated and connected to the compliance center, you can create a new action to delete the items found in the previous search.
This is done using the following example:
New-ComplianceSearchAction -SearchName "Phishing" -Purge -PurgeType SoftDelete
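
A guarded version of the purge step, as an added example that is not part of the original post: it checks that the search has finished and that the hit count is plausible before deleting, then waits for the purge action to finish. It assumes the Security & Compliance Center session above is already imported; the function name `Invoke-GuardedPurge` and the `$MaxItems` ceiling are hypothetical.

```powershell
# Added example (not the author's code). Assumes the remote session is already imported.
function Invoke-GuardedPurge {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $SearchName,
        [int] $MaxItems    = 500,   # hypothetical ceiling: refuse to purge above this count
        [int] $PollSeconds = 15,
        [int] $MaxPolls    = 40
    )

    # 1. The search must have finished, otherwise the item count is incomplete.
    $search = Get-ComplianceSearch -Identity $SearchName -ErrorAction Stop
    if ($search.Status -ne 'Completed') {
        throw "Search '$SearchName' is '$($search.Status)'; wait for it to complete."
    }

    # 2. An overly broad query (for example, blank keywords) would match legitimate mail.
    if ($search.Items -eq 0) {
        Write-Warning "Search '$SearchName' matched no items; nothing to purge."
        return
    }
    if ($search.Items -gt $MaxItems) {
        throw "Search matched $($search.Items) items (limit $MaxItems). Tighten the query."
    }

    # 3. Prompt the operator with the real hit count before deleting anything.
    $target = "$($search.Items) items matched by '$SearchName'"
    if (-not $PSCmdlet.ShouldProcess($target, 'SoftDelete purge')) { return }

    # SoftDelete moves items to Recoverable Items, so a mistake can still be undone.
    # A single purge action removes at most 10 matching items per mailbox.
    New-ComplianceSearchAction -SearchName $SearchName -Purge -PurgeType SoftDelete `
        -Confirm:$false -ErrorAction Stop | Out-Null

    # 4. The action is named "<SearchName>_Purge"; poll it until done or timed out.
    $actionName = "${SearchName}_Purge"
    for ($i = 0; $i -lt $MaxPolls; $i++) {
        Start-Sleep -Seconds $PollSeconds
        $action = Get-ComplianceSearchAction -Identity $actionName
        if ($action.Status -eq 'Completed') { break }
    }
    if ($action.Status -ne 'Completed') {
        Write-Warning "Purge '$actionName' still '$($action.Status)' after polling."
    }
    return $action   # inspect .Status and .Results for the outcome
}

# Usage with the search created above:
# Invoke-GuardedPurge -SearchName "Phishing" -MaxItems 200
```

Because of the 10-items-per-mailbox limit, re-run the search afterwards and confirm the hit count has dropped to zero before closing the incident.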