Alternative method to Search-Mailbox match on HTML to DeleteContent

%3CLINGO-SUB%20id%3D%22lingo-sub-324959%22%20slang%3D%22en-US%22%3EAlternative%20method%20to%20Search-Mailbox%20match%20on%20HTML%20to%20DeleteContent%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-324959%22%20slang%3D%22en-US%22%3E%3CDIV%3EWe're%20a%20school%20using%20Exchange%20Online%20and%20have%20had%20several%20users%20click%20on%20a%20link%20in%20a%20phishing%20email%20with%20a%20compromised%20link.%26nbsp%3B%20Their%20accounts%20each%20started%20sending%20lots%20of%20messages%2C%20and%20thankfully%20most%20(all%20but%201)%20accounts%20were%20flagged%20in%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20title%3D%22https%3A%2F%2Fprotection.office.com%2F%3Frfr%3DAdminCenter%23%2Frestrictedusers%22%20href%3D%22https%3A%2F%2Fprotection.office.com%2F%3Frfr%3DAdminCenter%23%2Frestrictedusers%22%20target%3D%22_blank%22%20rel%3D%22noreferrer%20noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3ESecurity%20%26amp%3B%20Compliance%20Restricted%20Users%3C%2FA%3E%2C%26nbsp%3Bwhich%20stopped%20the%20attack.%26nbsp%3B%20Now%20my%20job%20is%20to%20(a)%20clear%20out%20those%20messages%20and%20(b)%20create%20a%20spam%20detection%20rule.%26nbsp%3B%3C%2FDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3EA%20quick%20exchange-online-powershell%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-gb%2Fexchange%2Fsecurity-and-compliance%2Fin-place-ediscovery%2Fmessage-properties-and-search-operators%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3ESearch-Mailbox%3C%2FA%3E%20doesn't%20seem%20to%20let%20me%20identify%20html%20code%20in%20the%20dodgy%20sent%20emails.%26nbsp%3B%20Each%20sent%20email%20has%20unique%20subject%20and%20body%20text%2C%20but%20common%20html%20wrappers%20(think%20styled%20color%2C%20font%2C%20etc.)%20around%20the%20body%20text.%26nbsp%3B%20Can%20anyone%20help%20identify%20a%20way%20to%20clear%20out%20my%20messages%20based%20on%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20title%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fdotnet%2Fapi%2Fmicrosoft.exchange.webservices.data.bodytype%3Fredirectedfrom%3DMSDN%26amp%3Bview%3Dexchange-ews-api%22%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fdotnet%2Fapi%2Fmicrosoft.exchange.webservices.data.bodytype%3Fredirectedfrom%3DMSDN%26amp%3Bview%3Dexchange-ews-api%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehtml%20bodytype%3C%2FA%3E%3F%26nbsp%3B%20I'm%20hoping%20the%20same%20match%20method%20will%20help%20me%20create%20an%20Exchange%20mail%20flow%20rule%20to%20quarantine%20any%20future%20inbound%20messages.%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-324959%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EExchange%20Online%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Highlighted
Occasional Contributor
We're a school using Exchange Online and have had several users click on a link in a phishing email with a compromised link.  Their accounts each started sending lots of messages, and thankfully most (all but 1) accounts were flagged in Security & Compliance Restricted Users, which stopped the attack.  Now my job is to (a) clear out those messages and (b) create a spam detection rule. 
 
A quick exchange-online-powershell Search-Mailbox doesn't seem to let me identify html code in the dodgy sent emails.  Each sent email has unique subject and body text, but common html wrappers (think styled color, font, etc.) around the body text.  Can anyone help identify a way to clear out my messages based on html bodytype?  I'm hoping the same match method will help me create an Exchange mail flow rule to quarantine any future inbound messages.
0 Replies