SOLVED

Quarantine or block specific (pre-existing) emails?

%3CLINGO-SUB%20id%3D%22lingo-sub-23345%22%20slang%3D%22en-US%22%3EQuarantine%20or%20block%20specific%20(pre-existing)%20emails%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-23345%22%20slang%3D%22en-US%22%3E%3CP%3EForgive%20me%20if%20this%20is%20the%20wrong%20group.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOffice%20365%2FE3.%20Some%20of%20our%20users%20have%20been%20receiving%20a%20specific%20phishing%20email%20today%20in%20their%20regular%20inbox%20(from%20the%20same%20sender%2C%20same%20subject%20line%2C%20payload%2C%20attachments)%20that%20attempts%20to%20phish%20their%20Google%20Doc%20login%20details.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20there%20any%20way%20for%20me%20to%2C%20as%20a%20global%20admin%2C%20to%20search%20for%20and%20somehow%20%22quarantine%22%20(not%20sure%20if%20that's%20the%20right%20term)%20these%20specific%20existing%20mails%20across%20the%20tenant%2Forganization%3F%20I%20don't%20want%20users%20to%20continue%20to%20click%20on%20these%20emails%20as%20they%20encounter%20them%20in%20their%20inbox.%20Going%20forward%20I%20know%20I%20can%20somehow%20block%20them%2C%20but%20what%20to%20do%20about%20all%20the%20ones%20that%20have%20already%20been%20delivered%2Freceived%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%2C%3C%2FP%3E%3CP%3EBob%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-23345%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAdmin%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-23375%22%20slang%3D%22en-US%22%3ERe%3A%20Quarantine%20or%20block%20specific%20(pre-existing)%20emails%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-23375%22%20slang%3D%22en-US%22%3EThanks%2C%20Vasil!%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-23374%22%20slang%3D%22en-US%22%3ERe%3A%20Quarantine%20or%20block%20specific%20(pre-existing)%20emails%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-23374%22%20slang%3D%22en-US%22%3E%3CP%3EBest%20you%20can%20do%20is%20purge%20them%20via%20Search-Mailbox.%20Or%20simply%20report%20them%20(%3CA%20href%3D%22https%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fjj200769(v%3Dexchg.150).aspx%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Flibrary%2Fjj200769(v%3Dexchg.150).aspx%3C%2FA%3E)%20and%20let%20%3CA%20href%3D%22https%3A%2F%2Fsupport.office.com%2Fen-us%2Farticle%2FZero-hour-auto-purge-protection-against-spam-and-malware-96deb75f-64e8-4c10-b570-84c99c674e15%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3EZAP%20%3C%2FA%3Edo%20it's%20magic.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Regular Contributor

Forgive me if this is the wrong group.

 

Office 365/E3. Some of our users have been receiving a specific phishing email today in their regular inbox (from the same sender, same subject line, payload, attachments) that attempts to phish their Google Doc login details.

 

Is there any way for me to, as a global admin, to search for and somehow "quarantine" (not sure if that's the right term) these specific existing mails across the tenant/organization? I don't want users to continue to click on these emails as they encounter them in their inbox. Going forward I know I can somehow block them, but what to do about all the ones that have already been delivered/received?

 

Thanks,

Bob

2 Replies
Best Response
Solution

Best you can do is purge them via Search-Mailbox. Or simply report them (https://technet.microsoft.com/en-us/library/jj200769(v=exchg.150).aspx) and let ZAP do it's magic.

Thanks, Vasil!