Purging Malicious Emails via O 365 Security and Compliance


Hello Guys. When I purge malicious emails from user inboxes via Office 365 Security and Compliance, the users are still able to see them in their inbox. This is something that I am really grappling with.

Has someone come across this issue? Any help on how to successfully purge emails from user inboxes?


Thanks

Tatah

4 Replies

We aren't talking about quarantined messages, emails in the quarantine are yet to be delivered and will be deleted automatically after the time has elapsed, 30 days by default?

If you are deleting malicious emails you can use a Content Search with PowerShell if that's the process you are following:

"The final step is to run the New-ComplianceSearchAction cmdlet to delete the message. You can soft- or hard-delete the message. A soft-deleted message is moved to a user's Recoverable Items folder and retained until the deleted item retention period expires. Hard-deleted messages are marked for permanent removal from the mailbox and will be permanently removed the next time the mailbox is processed by the Managed Folder Assistant."

https://docs.microsoft.com/en-gb/microsoft-365/compliance/search-for-and-delete-messages-in-your-org...

https://www.geekshangout.com/office-365-deleting-email-mailboxes-using-content-search-feature/

It's easier with Office 365 E5 or ATP Plan 2 add-on, as this is in the interface without needing PowerShell - Find and delete suspicious email that was delivered.

What if I use the GUI to delete malicious messages? That is the method I use but it does not seem to work.

@Tatabime Without knowing more on exactly what process you are following (the previous links I posted show how this should work), I'd suggest opening a ticket with Office 365 support if it's not working the way you are expecting; that would be the next step I'd take.

@Tatabime first check if the mailbox hasn't reached its full mailbox size:

Get-MailboxFolderStatistics <useremailaddress> -FolderScope RecoverableItems | FL Name,FolderAndSubfolderSize,ItemsInFolderAndSubfolders

It can happen that the purged or recoverable has already reached 100GB even though you might notice that the inbox is lower. If that is the case you may need to recreate a new mailbox and depending if the mailbox is running from a hybrid or directly on the cloud.
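
The search-and-purge flow quoted in the first reply, followed by the Recoverable Items check from the last reply, as an added example that is not part of the original thread. The search name, query and mailbox address are constructed placeholders; the cmdlets come from the ExchangeOnlineManagement module.

```powershell
# Added example: names, query and mailbox below are constructed placeholders.
# The account needs a role group that includes the "Search And Purge" role.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession                       # Security & Compliance PowerShell

$searchName = 'Purge-Phish-Example'       # hypothetical search name
$query      = 'subject:"Invoice overdue" AND from:sender@example.com'

# 1. Find the delivered messages in all mailboxes.
New-ComplianceSearch -Name $searchName -ExchangeLocation All `
    -ContentMatchQuery $query | Out-Null
Start-ComplianceSearch -Identity $searchName

# Poll until the search completes (give up after about 10 minutes).
$tries = 0
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $searchName
    $tries++
} while ($search.Status -ne 'Completed' -and $tries -lt 40)

if ($search.Status -ne 'Completed') { throw "Search did not complete: $($search.Status)" }
Write-Host "Search matched $($search.Items) item(s)"
if ($search.Items -eq 0) { return }       # nothing to purge

# 2. Purge. SoftDelete moves items to Recoverable Items;
#    HardDelete marks them for permanent removal.
New-ComplianceSearchAction -SearchName $searchName -Purge `
    -PurgeType SoftDelete -Confirm:$false | Out-Null

# The purge action is named "<search name>_Purge"; wait for it and read the result.
$tries = 0
do {
    Start-Sleep -Seconds 15
    $action = Get-ComplianceSearchAction -Identity "${searchName}_Purge"
    $tries++
} while ($action.Status -ne 'Completed' -and $tries -lt 40)
$action | Format-List Name, Status, Results

# 3. A purge removes at most 10 items per mailbox per run, so re-run the
#    search and confirm the item count dropped before closing the incident.
Start-ComplianceSearch -Identity $searchName

# 4. Check Recoverable Items usage for an affected mailbox (Exchange Online session).
Connect-ExchangeOnline
Get-MailboxFolderStatistics -Identity 'user@example.com' -FolderScope RecoverableItems |
    Format-List Name, FolderAndSubfolderSize, ItemsInFolderAndSubfolders
```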