This Office 365 delete phishing procedure will show you how to delete a phishing email from all user mailboxes in the organization. You have to be very careful with the procedure, as this can cause some serious damage.
1. Create a search query in the Security and Compliance Center. You need the Compliance Administrator role to perform these functions; even if you are a global admin, you still need to be a member of this role.
- You can add the role under Permissions
- Once you have the Compliance role, go to Search -> Content Search
2. The content search opens in a new window. Here you will see any previously saved searches. I usually reuse the same saved search and modify the query.
- Click on New search to create a new query
- Add the conditions like a sender or a subject and save and run the query
- Make sure the query returns the correct result
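3. Once the query is created and saved, connect to the Security and Compliance Center in PowerShell using the commands below:

```powershell
# Allow local scripts and signed remote scripts to run
Set-ExecutionPolicy RemoteSigned
# Prompt for the admin account credentials
$UserCredential = Get-Credential
# Open a remote session to the Security and Compliance Center endpoint
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
# Import the compliance cmdlets into the current session
Import-PSSession $Session -DisableNameChecking
```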
4. The last step is to delete the message
- Run the following command:

```powershell
# Soft-delete every item matched by the saved search "RemovePhishing"
New-ComplianceSearchAction -SearchName "RemovePhishing" -Purge -PurgeType SoftDelete
```
- You must confirm the deletion
As a result, you will see the email disappear from your mailbox, and from everyone else's in the organization, within a couple of seconds. This Office 365 delete phishing procedure can be reused multiple times. All you have to do is change the query within the saved search and re-run the same commands in PowerShell.
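Because a wrong query purges legitimate mail, the following added example (not from the original post or from Microsoft) wraps step 4 in guard checks: it re-runs the saved search, shows the query and item count, refuses to purge if the result looks wrong, and then waits for the purge action to finish. It assumes a connected Security and Compliance PowerShell session (step 3, or `Connect-IPPSSession` from the ExchangeOnlineManagement module); `$MaxExpectedItems` and the 15-minute timeout are hypothetical values to adjust.

```powershell
# Added example: guard checks around the purge. Assumes a connected session.
$SearchName       = 'RemovePhishing'            # saved search name used on this page
$MaxExpectedItems = 500                         # hypothetical ceiling for this campaign
$Deadline         = (Get-Date).AddMinutes(15)   # hypothetical polling timeout

# Re-run the saved search so the results reflect the current query.
Start-ComplianceSearch -Identity $SearchName
do {
    if ((Get-Date) -gt $Deadline) { throw "Timed out waiting for search '$SearchName'." }
    Start-Sleep -Seconds 10
    $search = Get-ComplianceSearch -Identity $SearchName -ErrorAction Stop
} while ($search.Status -ne 'Completed')

# Show exactly what is about to be purged before any prompt appears.
$search | Format-List Name, ContentMatchQuery, Items, Size | Out-Host

if ([string]::IsNullOrWhiteSpace($search.ContentMatchQuery)) {
    throw "Search '$SearchName' has no query conditions. Aborting."
}
if ($search.Items -eq 0) {
    throw "Search '$SearchName' returned no items. Nothing to purge."
}
if ($search.Items -gt $MaxExpectedItems) {
    throw "Search '$SearchName' matched $($search.Items) items (limit $MaxExpectedItems). Review the query."
}

# Soft delete; the confirmation prompt is left enabled on purpose.
$action = New-ComplianceSearchAction -SearchName $SearchName -Purge -PurgeType SoftDelete
if (-not $action) { throw 'Purge was not started (confirmation declined or command failed).' }

# Poll the purge action until it completes, then print its result summary.
do {
    if ((Get-Date) -gt $Deadline) { throw "Timed out waiting for action '$($action.Name)'." }
    Start-Sleep -Seconds 10
    $action = Get-ComplianceSearchAction -Identity $action.Name -ErrorAction Stop
} while ($action.Status -ne 'Completed')
$action | Format-List Name, Status, Results
```

`SoftDelete` moves the items to the Recoverable Items folder, so a mistaken purge can still be recovered until the deleted item retention period expires.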
The official guide from Microsoft can be found here