How to search and destroy the spam emails delivered to users

By | November 16, 2019
  1. Create a Content Search to find the message(s) to delete
    1. Sign into O365 Security and Compliance Portal using your admin account.
    1. Create and refine a Content Search to identify the message(s) that require deleting.
      1. E.g. search by date range, subject, from etc by using Add Conditions
      1. Locations; All Locations or Specific Locations for a range of users, depending upon the incident.
    1. Click Save & Run.
    1. Save the search with a simply name and description for use in the next step.
    1. Only the message(s) that require removing should be displayed in the search results.
  • Delete the message(s)
    • Connect to Office 365 Security & Compliance Centre PowerShell using multi-factor authentication.
    • Run Connect-IPPSSession -UserPrincipalName x@x.com , where ‘x@x.com’ is your admin account.
    • Complete MFA authentication.
    • Using the Content Search created in #1 above, run the following command in PowerShell, where ‘Test ’ is the name of your Search.

New-ComplianceSearchAction -SearchName “Test ” -Purge -PurgeType SoftDelete

  • Upon prompt, enter A to confirm Yes for All.
    • Confirmation will be returned, whereby the message(s) will be removed from the user’s inbox.
  • Close PowerShell.

Before you begin

  • To create and run a Content Search, you have to be a member of the eDiscovery Manager role group or be assigned the Compliance Search management role. To delete messages, you have to be a member of the Organization Management role group or be assigned the Search And Purge management role.
  • You must use Security & Compliance Centre PowerShell to delete messages.
  • A maximum of 10 items per mailbox can be removed at one time. Because the capability to search for and remove messages is intended to be an incident-response tool, this limit helps ensure that messages are quickly removed from mailboxes. This feature isn’t intended to clean up user mailboxes. To delete more than 10 items, you can use the Search-Mailbox -Delete Content command in Exchange Online PowerShell.
  • The maximum number of mailboxes in a Content Search that you can delete items in by doing a search and purge action is 50,000. If the Content Search has more than 50,000 source mailboxes, the purge action (that you create in Step 3) will fail.
  • The procedure in this article can only be used to delete items in Exchange Online mailboxes and public folders. You can’t use it to delete content from SharePoint or OneDrive for Business sites.

Tips for finding messages to remove

The goal of the search query is to narrow the results of the search to only the message or messages that you want to remove.

  • If you know the exact text or phrase used in the subject line of the message, use the Subject property in the search query.
  • If you know that exact date (or date range) of the message, include the Received property in the search query.
  • If you know who sent the message, include the From property in the search query.
  • Preview the search results to verify that the search returned only the message (or messages) that you want to delete.

What happens after you delete a message?

A message that is deleted by using the New-ComplianceSearchAction -Purge -PurgeType SoftDelete command is moved to the Deletions folder in the user’s Recoverable Items folder. It isn’t immediately purged from Office 365. The user can recover messages in the Deleted Items folder for the duration based on the deleted item retention period configured for the mailbox. After this retention period expires (or if user purges the message before it expires), the message is moved to the Purges folder and can no longer be accessed by the user.

Once in the Purges folder, the message is again retained for the duration based on the deleted item retention period configured for the mailbox if single items recovery is enabled for the mailbox. (In Office 365, single item recovery is enabled by default when a new mailbox is created). After the deleted item retention period expires, the message is marked for permanent deletion and will be purged from Office 365 the next time that the mailbox is processed by the Managed Folder assistant.

Leave a Reply

Your email address will not be published. Required fields are marked *