Using PowerShell to Remove Phishing Emails from User Mailboxes on an Exchange Server

You’ve all seen those phishing emails that occasionally get past your spam filters. You also know that no matter how many times you tell users not to open those suspicious emails and click on the links contained in them, users are ultimately gullible, so sometimes you have to take matters into your own hands and protect them from themselves.

Here’s an example of a recent phishing email that I’ve seen:

[Screenshot: removing-email1]

My question to a user who receives this email: “Did you recently purchase something from the Apple Web Store with an American Express card?” Most likely the answer is no, and most of them probably don’t even have an American Express card, so why would they click on the links contained in this email? You can also easily see that the URL contained in the email doesn’t go to the American Express website by hovering over it.


The examples shown in this blog article are being performed on an on-premises Exchange 2010 server that is running PowerShell version 2.

Add the Exchange 2010 PSSnapin so the Exchange PowerShell cmdlets are available:

[Screenshot: removing-email11]

In this example, I’ll check to see if that particular email exists in John Doe’s mailbox:

[Screenshot: removing-email2]

You can check all the mailboxes in your organization just as easily, although consider the performance consequences of what you’re doing, especially if you have thousands of mailboxes or more, since it could take a considerable amount of time to complete:

[Screenshot: removing-email3]

In this example, I’ll delete that message from all mailboxes. It only existed in my mailbox and John Doe’s. Note: this does not look in the users’ PST files, only in their actual mailboxes:

[Screenshot: removing-email4]

Blindly deleting those emails may not be the best approach though, since if what you’re matching on is incorrect, you could end up with undesirable results, to say the least. It could even end up being an RGE (resume-generating event).

The better approach is to back up the emails using a one-liner similar to the following example and then delete them, so it’s a lot easier to recover them if needed:

[Screenshot: removing-email5]

It’s also possible to combine backing up the emails and deleting them in one step:

[Screenshot: removing-email6]

You may also want to consider backing up the emails you plan to delete to an offline PST file before deleting them, because if you’re deleting from all mailboxes, the backups you’re placing in a mailbox may also be deleted.

[Screenshot: removing-email7]
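Since the commands in the screenshots above are not reproduced as text, here is an added example of the whole workflow in one script (my own code, not the post’s screenshots or Mike’s). The mailbox names, the quarantine mailbox, the subject, the sender address and the UNC path are assumed placeholders, and the sender filter goes one step beyond the post’s subject-only match:

```powershell
# Added example: the search / back up / delete workflow in one script.
# Mailbox names, quarantine mailbox, subject, sender and UNC path are
# placeholders; adjust them for your organisation.

# Make the Exchange 2010 cmdlets available in this PowerShell 2.0 session.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010

# -SearchQuery is a KQL string. Single-quote the whole thing so the double
# quotes around the phrase reach Exchange intact. Adding 'from:' narrows the
# match to the spoofed sender so a legitimate message with a similar subject
# is not caught by the delete in step 3.
$query = 'subject:"Your American Express Statement" AND from:"billing@example.invalid"'

# 1. Check one mailbox. -EstimateResultOnly just counts; nothing is copied.
#    Running Search-Mailbox at all requires the Mailbox Search role
#    (Discovery Management role group).
Get-Mailbox -Identity 'John Doe' |
    Search-Mailbox -SearchQuery $query -EstimateResultOnly

# 2. Check every mailbox and list only those that contain the message.
#    Expect this to take a long time with thousands of mailboxes.
Get-Mailbox -ResultSize Unlimited |
    Search-Mailbox -SearchQuery $query -EstimateResultOnly |
    Where-Object { $_.ResultItemsCount -gt 0 } |
    Select-Object Identity, ResultItemsCount

# 3. Copy each hit into a quarantine mailbox (Search-Mailbox creates one
#    subfolder per source mailbox under -TargetFolder) and delete it from the
#    source in the same call. -LogLevel Full leaves a log of what was removed
#    in the target folder. The quarantine mailbox is excluded from the input
#    so this run cannot delete the copies it is creating.
#    -DeleteContent is only offered once the account holds the
#    "Mailbox Import Export" role AND a new PowerShell session has been opened.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.Alias -ne 'PhishQuarantine' } |
    Search-Mailbox -SearchQuery $query -TargetMailbox 'PhishQuarantine' `
        -TargetFolder 'AmEx-phish' -LogLevel Full -DeleteContent

# 4. Export the quarantine mailbox to an offline PST so the backup survives
#    later cleanup runs. -FilePath must be a UNC path that the
#    Exchange Trusted Subsystem group can write to.
New-MailboxExportRequest -Mailbox 'PhishQuarantine' `
    -FilePath '\\exch01\PSTExports\AmEx-phish.pst'
Get-MailboxExportRequest | Get-MailboxExportRequestStatistics
```

Run steps 1 and 2 first and read the counts before running step 3; an over-broad query is exactly the RGE the post warns about.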

A user at one of the customer locations that I support made the comment: “You’ve got more power than the NSA” when I used a similar PowerShell command to remove some phishing emails from their mailboxes. Their emails automagically came up missing 🙂


11 Comments

  1. Joe

    This is the best write up I have found on this subject. These commands are really useful and you have done an excellent job showing how to utilize them.

  2. Jim Rodgers

    Hello Mike,

    Thanks for all the scripting examples above – it’s very helpful. I’m running into a problem where the -deletecontent parameter “cannot be found” even though I’ve run the New-ManagementRoleAssignment command for -Role “Mailbox Import Export” for the admin user I’m logged in as. I’ve closed PowerShell and opened it back up.

    This command runs OK:

    Get-Mailbox -Identity "matthew" | Search-Mailbox -SearchQuery subject:"furniture" -TargetMailbox "marisa" -TargetFolder "drafts"

    But for this command:

    Get-Mailbox -Identity "matthew" | Search-Mailbox -SearchQuery subject:"furniture" -DeleteContent

    I get an error message that:

    Search-Mailbox: A parameter cannot be found that matches parameter name 'deletecontent'.
    At line :1 character …
    +get-mailbox …
    +Category Info
    +FullyQualifiedErrorID

    I could send more description, but it’s the Search-Mailbox parameter missing message that’s most important, right?

    Jim

  3. DTX

    @Jim – Have you tried this? It looks like the single quotes are missing ->

    Get-Mailbox -Identity "matthew" | Search-Mailbox -SearchQuery 'subject:"furniture"' -DeleteContent

  4. Sameer Salve

    Hi,

    This is a nice article.
    Is it also possible to read only the unread emails from a particular mailbox and then trigger some action? Can we do similar for Office 365?

  5. John

    Is it possible to simply move the message to the user’s deleted items folder? They don’t normally look at that folder anyway and you don’t have to worry about a backup. It certainly doesn’t fully protect you but judging by the size of some deleted items folders of our users, it’s a fairly safe solution.

  6. Dean

    Thank you Mike. Always appreciate your posts…

  7. Alvin

    Worked like a charm. Thanks for the comprehensive instructions.

  8. Allan

    Very good article… helping me get up to speed. Very clear and easy to read…

    The biggest issue for me and a lot of other people is doing regular expressions against all emails in the body section. I’m going in circles trying to find a way to search 1.2 TB of emails using specific regex information.

    I know it can be done in .PST, but I have yet to find any way against .EDB or inside Exchange…

    Peace

  9. Zaid

    I’m getting an invalid parameter on -DeleteContent

  10. Danny

    Hi,

    I want to delete an email from the entire organization using “subject of the email” AND the “Sender’s email address”.
    I am not sure of the OU as the mailboxes are hosted on Cloud (Office 365).

    Thanks for your help in advance.

    Regards,
    Danny.

