Exchange Online Search and Purge with PowerShell and Threat Explorer

Andres Bohren
Hi All,

In this Article i'll show you how you can "Search and Purge" Emails in Exchange Online.

With Compliance Search you can search for Mails and purge (Soft- or HardDelete) them afterwards. That's usually the case for Phishing or Spam Incidents.
Your search can cover a maximum of 50’000 Mailboxes
A new Compliance Search will create an Alert by default.

First of all you need to have the correct Permissions https://security.microsoft.com/permissions
Select "Email & collaboration Roles"


I'have created a custom Role with the following Roles and assign this to Max Muster
  • Preview
  • Search And Purge
  • Compliance Search

Let's assume we search for this Mail


Max Muster can now connect with Security and Compliance part of the ExchangeOnlineManagement PowerShell Module

Connect-IPPSSession
Get-Module
Get-Command -Module <tmpxxxx.xxx>


Now he can start a Compliance Search with Keyword Query Language (KQL)
https://learn.microsoft.com/en-us/sharepoint/dev/general-development/keyword-query-language-kql-syntax-reference

New-ComplianceSearch -ContentMatchQuery <KQL Query>​

New-ComplianceSearch -Name "ComplianceSearchDemo" -Description "BOA: ComplianceSearchDemo" -ExchangeLocation All ​-ContentMatchQuery "(From:zainabyusuf128@gmail.com) AND (Subject:'Spende')"


A Compliance Search raises an Alert


Now you need to Start the Compliance Search

​Get-ComplianceSearch -Identity <Name>
Start-ComplianceSearch -Identity <Name>
​Get-ComplianceSearch -Identity <Name>


You can check if the ComplianceSearch has a status of "Completed" then look at the details

​Get-ComplianceSearch -Identity <Name>
​Get-ComplianceSearch -Identity <Name> | fl

You see how many Items are found and the Mailbox it was found on


The Content Search can be viewed or created in the Microsoft Purview Portal https://compliance.microsoft.com/contentsearchv2?viewid=search




If you have the "Preview" Role you can view Samples.
This is useful to check if you have matched the correct Emails and not Mails that should not be there.
Then you have to refine your search query.


Now we can define the Action for this Search

#Purge to Recoverable Items for the User​
New-ComplianceSearchAction -SearchName "ComplianceSearchDemo" -Purge -PurgeType SoftDelete​

Purge to Exchange Dumpster​
#New-ComplianceSearchAction -SearchName "ComplianceSearchDemo" -Purge -PurgeType HardDelete  


Get-ComplianceSearchAction ​


I can confirm, that i see this Mail in my "Recover Deleted Items" in Outlook


Sometimes it's more easy to create the Search in the Microsoft Purview Portal https://compliance.microsoft.com/contentsearchv2?viewid=search

You need to define a Name


Select the Location. You can select all Mailboxes or include or exclude specific Mailboxes


With the Conditions you can create your Search


This is the Search i've created


If you select "KQL Editor" then you see the KQL Query of the GUI you just created.
Over time you will understand the KQL Syntax and don't use the GUI anymore.


Summary


Search is created and submitted. A Search from the GUI is automatically started.



The Compliance Searches will stay there. You need to delete them in the GUI or with PowerShell

Remove-ComplianceSearch ​
Remove-ComplianceSearchAction

Search and Purge with Threat Explorer


Microsoft Defender for Office 365 security product overview

If you are Exchange Administrator and have the Emails & Collaboration Role
  • Search And Purge
  • Compliance Search
You will also be able to Search and Purge with Threat Explorer


Search in Threat Explorer

Select the Items you want to remove from the Result Table in the Bottom


Then select "Message actions" and "Soft delete"


Now you have to go through the Wizard


Select a severity. I think that this is a low severity





After a few Minutes you can see that in the Actioncenter



See de Details if you select one Action



Mail has been SoftDeleted - Remediation complete



Regards
Andres Bohren