Monday, April 17, 2023

Purging a Phish on all mailboxes Exchange Online (Microsoft 365)

 ﷽

 

Imagine you’re the IT administrator for a mid-sized company. It’s a busy Monday morning and your "Urgent" inbox starts blowing up. 

The Scenario: The "Phish" bait.

A sophisticated phishing email has bypassed your initial security filters. It looks exactly like a legitimate HR memo about "Updated 2023 Benefits", but it contains a malicious link designed to steal employee credentials. By the time you have been alerted, the email has already landed in the inboxes of 1000 employees.

The Fix: Taking Decisive Action


You can't manually log into 1000 mailboxes to delete the messages. Instead, you use the compliance search cmdlets in Security & Compliance PowerShell (New-ComplianceSearch to find the messages, New-ComplianceSearchAction to purge them) to automate the cleanup. Here is the breakdown:

1. Connect to Security & Compliance PowerShell:

Connect-IPPSSession -UserPrincipalName admin@yourdomain -EnableSearchOnlySession

2. Create a Compliance Search with a specific Subject:

New-ComplianceSearch -Name "Delete-Updated 2023 Benefits" -ExchangeLocation All -ContentMatchQuery 'subject:"Updated 2023 Benefits"'

'subject:"Updated 2023 Benefits"' : This is the KQL query that tells the search exactly which "pile" of messages you are targeting, here every message whose subject contains that phrase. A subject-only match also catches legitimate replies and forwards with the same subject, so in practice narrow it further with the sender (from:) and the date (received>=) before you purge anything.

3. Run the Search :

Start-ComplianceSearch -Identity "Delete-Updated 2023 Benefits" 

4. Check the Search Progress :

Get-ComplianceSearch -Identity "Delete-Updated 2023 Benefits" 


Name                 RunBy                JobEndTime           Status
----                 -----                ----------           ------
Delete-Updated 2023 Benefits Rizky Marunda Dinata 4/17/2023 8:08:37 AM Completed 

5. Delete E-Mail from all mailboxes :

New-ComplianceSearchAction -SearchName "Delete-Updated 2023 Benefits" -Purge -PurgeType HardDelete

-Purge: This is the "active" part of the command. Without it, a compliance search is just a list of matches; this switch creates an action that actually removes the matched items from every mailbox the search covered. Running it requires the Search And Purge role (held by the Organization Management role group by default), and one purge action removes at most 10 matching items per mailbox, so re-run the action for any mailbox that reported more.
-PurgeType :
SoftDelete moves the emails to the Recoverable Items folder of each mailbox, where a user can still get them back with "Recover deleted items" in Outlook.
HardDelete removes the email from the mailbox so it is no longer visible or recoverable by the user (if the mailbox is on hold, a copy is retained in Recoverable Items for compliance, out of the user's reach). For a credential-phishing lure this is the right choice: the message is gone before a single click can happen.
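The five steps above as one re-runnable script. This is an added example, not the post's original commands: it narrows the query with a sender and a date (both placeholders I assume here), polls the search and the purge action until they finish instead of checking by hand, and shows the per-mailbox hit counts before anything is deleted so you can catch a too-broad query or a mailbox that exceeds the 10-items-per-action purge limit. The admin account and the sender address are assumptions; replace them with your own.

```powershell
# Added example, not the post's original commands. Placeholders (assumptions):
# the admin UPN, the spoofed sender address and the received date.
$AdminUpn   = "admin@yourdomain"
$SearchName = "Delete-Updated 2023 Benefits"

# Narrow beyond the subject so real "RE: Updated 2023 Benefits" replies from HR
# are not swept up. Sender and date are constructed for this example.
$Query = '(subject:"Updated 2023 Benefits") AND (from:hr-notice@example.net) AND (received>=2023-04-17)'

Connect-IPPSSession -UserPrincipalName $AdminUpn

# Step 2: create the search, or reuse it if an earlier run already created it.
if (-not (Get-ComplianceSearch -Identity $SearchName -ErrorAction SilentlyContinue)) {
    New-ComplianceSearch -Name $SearchName -ExchangeLocation All -ContentMatchQuery $Query | Out-Null
}

# Step 3 and 4: start the search and poll until Status reaches Completed.
Start-ComplianceSearch -Identity $SearchName
do {
    Start-Sleep -Seconds 10
    $search = Get-ComplianceSearch -Identity $SearchName
    Write-Host ("Search status: {0}" -f $search.Status)
} until ($search.Status -eq "Completed")

Write-Host ("Matched {0} item(s) across the tenant" -f $search.Items)
if ($search.Items -eq 0) {
    Write-Warning "Nothing matched. Check the query before going further."
    return
}

# Review gate: SuccessResults lists every mailbox with a hit and its item count.
# Mailboxes over 10 hits need a second purge action, because one action removes
# at most 10 items per mailbox.
$perMailbox = $search.SuccessResults -split '[\r\n]+' | Where-Object { $_ -match 'Item count:\s*(\d+)' -and [int]$Matches[1] -gt 0 }
$perMailbox | ForEach-Object { Write-Host $_ }
$over10 = $perMailbox | Where-Object { $_ -match 'Item count:\s*(\d+)' -and [int]$Matches[1] -gt 10 }
if ($over10) { Write-Warning ("{0} mailbox(es) have more than 10 hits; re-run the purge for them." -f @($over10).Count) }

# Explicit confirmation before a tenant-wide hard delete.
if ((Read-Host "Type PURGE to hard-delete these items from all mailboxes") -ne "PURGE") { return }

# Step 5: purge, then poll the action (identity is "<SearchName>_Purge") to completion.
New-ComplianceSearchAction -SearchName $SearchName -Purge -PurgeType HardDelete -Confirm:$false | Out-Null
do {
    Start-Sleep -Seconds 10
    $purge = Get-ComplianceSearchAction -Identity "${SearchName}_Purge"
    Write-Host ("Purge status: {0}" -f $purge.Status)
} until ($purge.Status -eq "Completed")

# Results reports, per mailbox, how many items were actually purged.
$purge.Results
```

Keep the search and the purge action around until the incident is closed; their Results strings are the record of which mailboxes held the lure and when it was removed. Remove-ComplianceSearch and Remove-ComplianceSearchAction clean them up afterwards, and a fresh purge action can only be created for a search once the previous one has been removed.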

The Outcome

Within minutes of running that command, the phishing threat is purged. Even if an employee saw the notification on their mobile phone, by the time they open Outlook the "Updated 2023 Benefits" email has vanished. Alhamdulillah, you've successfully prevented a potential data breach with a handful of PowerShell commands.

Barakallahu fiikum

Wa Jazakumullahu khair.
 
 
