Remove A Phishing Email From Exchange Online
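function Remove-PhishingEmail
{
    <#
    .SYNOPSIS
    Finds a message by sender and subject in every Exchange Online mailbox and purges the matches.

    .DESCRIPTION
    Prompts for a compliance-search name, a sender address and a subject line, creates and runs a
    compliance search across all mailboxes, shows the hit count, and - after the operator confirms -
    runs a SoftDelete purge action and waits for it to complete.

    .NOTES
    "A maximum of 10 items per mailbox can be removed at one time"
    REF: https://docs.microsoft.com/en-us/microsoft-365/compliance/search-for-and-delete-messages-in-your-organization?view=o365-worldwide

    "Hard-deleted messages are marked for permanent removal from the mailbox and will be permanently
    removed the next time the mailbox is processed by the Managed Folder Assistant"
    REF: https://docs.microsoft.com/en-us/microsoft-365/compliance/search-for-and-delete-messages-in-your-organization?view=o365-worldwide

    "The goal is to process mailboxes at least once weekly. Experience is that MFA usually performs
    better than this and that you can expect to have mailboxes processed twice a week"
    REF: https://office365itpros.com/2018/12/10/reporting-the-managed-folder-assistant/
    #>

    <# # TESTING
    $SearchName = "Phishing Email Removal2"
    $From = 'bob@bob.com'
    $Subject = 'RE: Quote 2022'
    #>

    $SearchName = (Read-Host "Search Name to be Created?").Trim()
    $From       = (Read-Host "Sender Address?").Trim()
    $Subject    = (Read-Host "Subject Line?").Trim()

    # The purge runs against ALL mailboxes, so the query must match exactly what the operator meant.
    # An empty field, or a character that closes the quoted phrase or the parenthesised clause,
    # would change the shape of the query and could widen what gets deleted.
    if ([string]::IsNullOrWhiteSpace($SearchName)) {
        throw "A search name is required."
    }
    if ([string]::IsNullOrWhiteSpace($From) -or $From -match '[\s"()]') {
        throw "Sender address is empty or contains whitespace, quotes or parentheses."
    }
    if ([string]::IsNullOrWhiteSpace($Subject) -or $Subject.Contains('"')) {
        throw "Subject is empty or contains a double quote."
    }

    # The single quotes in the documentation example are PowerShell string delimiters, not part of
    # the query, so they are not embedded in the value passed to -ContentMatchQuery.
    $Query = '(From:{0}) AND (Subject:"{1}")' -f $From, $Subject

    Import-Module ExchangeOnlineManagement
    Connect-ExchangeOnline

    $UPN = CMD /c WHOAMI /UPN  # Allows SSO
    if ($UPN) {
        Connect-IPPSSession -UserPrincipalName $UPN
    }
    else {
        # WHOAMI /UPN returned nothing; let the cmdlet prompt for the account instead.
        Connect-IPPSSession
    }

    # Stop here if the search cannot be created (for example a name that already exists),
    # otherwise the later steps would run against an empty $Search.
    $Search = New-ComplianceSearch -Name $SearchName -ExchangeLocation All -ContentMatchQuery $Query -ErrorAction Stop
    Start-ComplianceSearch -Identity $Search.Name

    # Poll until the search reports Completed.
    # NOTE(review): this does not end if the search never reaches "Completed"; interrupt manually.
    do
    {
        Start-Sleep -Seconds 10
        $SearchState = Get-ComplianceSearch -Identity $Search.Name
        $SearchState | Format-Table -AutoSize
    }
    until ($SearchState.Status -eq "Completed")

    # Show the operator what is about to be removed before anything is deleted.
    if ($SearchState.Items -eq 0) {
        Write-Warning "Search '$($Search.Name)' found no items; nothing to purge."
        return
    }
    $Answer = Read-Host "Purge $($SearchState.Items) item(s) matching $Query ? Type YES to continue"
    if ($Answer -cne 'YES') {
        Write-Warning "Purge cancelled; compliance search '$($Search.Name)' was kept for review."
        return
    }

    # SOFT DELETE: messages go to Recoverable Items and stay recoverable until retention expires.
    # For permanent removal use -PurgeType HardDelete instead.
    $Action = New-ComplianceSearchAction -SearchName $SearchName -Purge -PurgeType SoftDelete -Force -ErrorAction Stop

    # Poll the action that was just created by its own name, rather than a wildcard on the search
    # name, so that actions belonging to similarly named searches cannot satisfy the wait.
    do
    {
        Start-Sleep -Seconds 10
        $ActionState = Get-ComplianceSearchAction -Identity $Action.Name
        $ActionState
    }
    until ($ActionState.Status -eq "Completed")
}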