Delete Phishing emails using powershell script

Hi,

We have this script to delete phising emails from our organisation, however we also these requirements:

1)      We need to add into the search-mailbox after -searchquery an additional requirement for date or time, as we only want to search for emails since a certain date. We use this script to delete phishing attack emails, so we know when they started, so need to be able to search for all emails since a date and delete them if the subject matches. So the most recent example, would be all emails containing subject “RE: NOTICE: MC Support UPGRADE.” however only emails received after 01/03/2018. I assume we can just do -searchquery “Subject:’Content of Subject’ AND ReceivedDate:>01/03/2018” or something like that?
2)      We need to be able to search for subjects with special characters in. –searchquery “Subject:’RE: NOTICE: MC Support UPGRADE.’ Will currently give an error as it won’t like the : in the subject.
3)      We need to be able to search for the above criteria, but also potentially include only emails from certain email addresses. One of the phishing emails was “RE: Attention (Staff Migration)” which could be very close to something we actually send to users. The phishing email only came from a certain email though, so if we add an extra criteria for sender, that would help us focus the search.


Please can someone show me how to achieve this?

also I would appreciate if you any other suggestions for improvement.


$mbs = Get-Mailbox -ResultSize unlimited -Filter {(ExchangeUserAccountControl -ne 'AccountDisabled')}

$count=0

foreach ($mb in $mbs) {

search-mailbox  -identity $mb –searchquery “Subject:’Intense Action Required!’” -deletecontent -force
search-mailbox  -identity $mb –searchquery 'Subject:"*RE: Attention (Staff Migration)*"' -deletecontent -force


$count = $count+1
echo "Processed $count mailboxes so far"

}

Open in new window


thank you in advance,
Kelly
Kelly GarciaSenior Systems AdministratorAsked:
Who is Participating?
 
timgreen7077Exchange EngineerCommented:
The below should satisfy your entire search criteria including special characters like ':'  and you can add or remove what you don't need

Search-Mailbox username -SearchQuery {subject:'"RE:" "NOTICE:" MC Support UPGRADE' AND From:"sender@domain.com" AND received:>01/3/2018} -DeleteContent -Confirm:$false -Force
1
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.