Best approach to programmatically hard delete emails on Exchange Server

Jose Raeiro 0 Reputation points
2023-05-18T11:03:26.4166667+00:00

I have a script that is able to extract the following information from a phishing incident on Defender 365:

Sender - The original sender of the phishing email

Subject - The subject of the phishing email

internetMessageId - The Internet message identifier of the phishing email

What I would like to know is the best approach, using an API (or some other automated way), to hard delete all of these emails (from all users' inboxes) on an Exchange Server, using any of the information retrieved in the previous step.

Thank you in advance!


4 answers

Sort by: Most helpful
  1. Andy David - MVP 147.5K Reputation points MVP
    2023-05-18T11:10:47.5266667+00:00

  2. Jose Raeiro 0 Reputation points
    2023-05-18T11:38:33.4566667+00:00

    Hi Andy,

    Thanks for your informative response, it's truly valuable. I've investigated the roadmap you've shared, and I'm excited to see Graph getting this functionality. It seems it will provide a very programmatically friendly way to handle these kinds of tasks in the future. However, for the time being, it seems I'll have to resort to other means, and your suggestion about the SCC PowerShell module looks interesting.

    Speaking of the SCC PowerShell module, I had a few queries regarding its functionality. You mentioned that it could be used as an alternative for hard deleting emails on an Exchange Server. Considering the vast number of emails and mailboxes we might need to manage, especially during an incident like phishing, I'm wondering about a few things:

    1. Does the SCC PowerShell module provide an option to search across all mailboxes? Will it be possible to execute such a comprehensive search?
    2. When it comes to deleting emails, is there a cap or limit on the number of emails the SCC PowerShell module can hard delete? In case the phishing email was sent to a substantial number of mailboxes, we might end up with a situation where we must delete a large volume of emails.

    Also, is there a way to control or specify the deletion to make it a 'Hard Delete'? As you probably know, in phishing incidents it's crucial that we not only delete the email from the user's inbox but also ensure it's removed from the 'Deleted Items' folder to prevent any accidental clicks.

    I believe your expertise and guidance could provide more insight into how effectively the SCC PowerShell module can serve in such situations.

    Thank you once again for your time and assistance. I'm looking forward to your response.


  3. Jose Raeiro 0 Reputation points
    2023-05-18T13:07:12.82+00:00

    Hi Andy,

    Thanks once again for your insights. There's another question that came to my mind about the SCC PowerShell module, and I was hoping you could provide an answer.

    You've pointed out how this module can help with hard deleting phishing emails on Exchange Server. However, as our organization operates in a hybrid environment, we have both Office 365 and on-premises Exchange Server deployments.

    So, I wanted to ask: does the SCC PowerShell module also support on-premises Exchange Server? Can we use it to search and hard delete phishing emails in the same manner as we do in the cloud-based Exchange Server?


  4. Andy David - MVP 147.5K Reputation points MVP
    2023-05-18T18:16:08.2266667+00:00

    Hi, no it only works in Exchange Online.

    For on-prem, you would use:

    search-mailbox:

    https://learn.microsoft.com/en-us/powershell/module/exchange/search-mailbox?view=exchange-ps

    Also, here are the limits from that article.

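As an added example of the on-prem Search-Mailbox route Andy points to (this is not his code or Microsoft's), here is an Exchange Management Shell script that takes the sender and subject from the Defender incident, runs a log-only pass across all user mailboxes first, and only then purges with -DeleteContent while keeping a copy in the discovery mailbox for the incident record. The sender, subject, date window and discovery mailbox name are placeholders; the example keys on sender and subject plus a received-date window rather than on the Internet message ID.

```powershell
# Added example for the on-prem Search-Mailbox approach discussed in the thread.
# Run from the Exchange Management Shell. The account needs the Discovery Management
# role group plus the Mailbox Import Export role (required for -DeleteContent).
# All values below are placeholders standing in for the incident data from Defender.

$sender     = 'attacker@example.com'       # Sender from the incident (placeholder)
$subject    = 'Urgent: password expiry'    # Subject from the incident (placeholder)
$logMailbox = 'DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}'  # default discovery mailbox; adjust
$logFolder  = 'Phishing-Incident-' + (Get-Date -Format 'yyyyMMdd')

# Narrow the KQL query to sender, subject and a short received window so that a
# generic subject line does not sweep up unrelated mail.
$query = "from:`"$sender`" AND subject:`"$subject`" AND received>=2023-05-17 AND received<=2023-05-19"

# All user mailboxes in the on-prem org. The per-run limits in the linked article
# still apply; very large orgs should batch this list.
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

# Step 1: dry run. -LogOnly writes a report into the target mailbox and deletes nothing.
$mailboxes | Search-Mailbox -SearchQuery $query -TargetMailbox $logMailbox `
    -TargetFolder $logFolder -LogOnly -LogLevel Full

# Review the report in the discovery mailbox before going further.
Read-Host 'Check the log in the discovery mailbox, then press Enter to purge'

# Step 2: purge. With both -TargetMailbox and -DeleteContent, each hit is copied to the
# discovery mailbox and the original is removed from the user mailbox (it does not
# land in the user's Deleted Items), which is the "hard delete" asked about above.
$results = $mailboxes | Search-Mailbox -SearchQuery $query -TargetMailbox $logMailbox `
    -TargetFolder $logFolder -DeleteContent -Force

# Summarise which mailboxes actually held the message, for the incident record.
$results | Where-Object { $_.ResultItemsCount -gt 0 } |
    Select-Object Identity, ResultItemsCount, ResultItemsSize |
    Format-Table -AutoSize
```

Run the log-only step on a single known-affected mailbox first (replace `$mailboxes` with one `Get-Mailbox <user>`) to confirm the query matches only the phishing message before scaling it out.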
