Using PowerShell to Remove Phishing Emails from User Mailboxes on an Exchange Server

You’ve all seen those phishing emails that occasionally get past your spam filters. You also know that no matter how many times you tell users not to open those suspicious emails or click on the links contained in them, users are ultimately gullible, so sometimes you have to take matters into your own hands and protect them from themselves.

Here’s an example of a recent phishing email that I’ve seen:


My question to a user who receives this email: “Did you recently purchase something from the Apple Web Store with an American Express card?” Most likely the answer is no, and most of them probably don’t even have an American Express card, so why would they click on the links contained in this email? You can also easily see that the URL contained in the email doesn’t go to the American Express website by hovering over it.

Disclaimer: All data and information provided on this site is for informational purposes only. Mike F Robbins makes no representations as to accuracy, completeness, currentness, suitability, or validity of any information on this site and will not be liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use. All information is provided on an as-is basis.

The examples shown in this blog article are being performed on an On-Premises Exchange 2010 server that is running PowerShell version 2.

Add the Exchange 2010 PSSnapin so the Exchange PowerShell cmdlets are available:


In this example, I’ll check to see if that particular email exists in John Doe’s mailbox:


You can check all the mailboxes in your organization just as easily, although consider the performance consequences of what you’re doing, especially if you have thousands of mailboxes or more, since it could take a considerable amount of time to complete:


In this example, I’ll delete that message from all mailboxes. It only existed in my mailbox and John Doe’s. Note: this does not look in the user’s PST files, only in their actual mailbox:


Blindly deleting those emails may not be the best approach, though: if what you’re matching on is incorrect, you could end up with undesirable results, to say the least. It could even end up being an RGE (résumé-generating event).

The better approach is to back up the emails using a one-liner similar to the following example and then delete them, so it’s a lot easier to recover them if needed:


It’s also possible to combine backing up the emails and deleting them in one step:


You may also want to consider backing up the emails you plan to delete to an offline PST file before deleting them because if you’re deleting from all mailboxes, the backups you’re placing in a mailbox may also be deleted.
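The steps above, gathered into one sequence as an added example (this is not the original post's code). The subject string, mailbox alias, folder name and UNC path are constructed placeholders, and the PST export assumes Exchange 2010 SP1 or later, where `New-MailboxExportRequest` is available.

```powershell
# Added example. All placeholder values below are constructed, not taken from the post.
# Loading the snap-in directly follows the article; a reader comment on this page notes
# that Microsoft does not support it and that it bypasses RBAC. The Exchange
# Management Shell is the alternative, and then this line is not needed.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction Stop

# Outer single quotes keep the inner double quotes of the query intact.
$Query        = 'Subject:"<exact phishing subject line>"'   # placeholder
$BackupMbx    = 'PhishBackup'                                # hypothetical backup mailbox alias
$BackupFolder = 'Removed-Phish'                              # hypothetical folder name
$PstPath      = '\\fileserver\exports\removed-phish.pst'     # hypothetical UNC path

# 1. Dry run against a single mailbox: reports the match count, changes nothing.
Get-Mailbox -Identity 'jdoe' | Search-Mailbox -SearchQuery $Query -EstimateResultOnly

# 2. Dry run across the organization (slow with thousands of mailboxes).
#    The backup mailbox is excluded so that later passes never touch the copies.
$Mailboxes = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.Alias -ne $BackupMbx }

$Hits = $Mailboxes |
    Search-Mailbox -SearchQuery $Query -EstimateResultOnly |
    Where-Object { $_.ResultItemsCount -gt 0 }

# Review this list before going further; an over-broad query shows up here.
$Hits | Format-Table Identity, ResultItemsCount, ResultItemsSize -AutoSize

# 3. Copy every match into the backup mailbox. Nothing is deleted in this pass.
$Mailboxes |
    Search-Mailbox -SearchQuery $Query -TargetMailbox $BackupMbx `
        -TargetFolder $BackupFolder -LogLevel Full

# 4. Take the backup offline as a PST so it survives any later organization-wide delete.
New-MailboxExportRequest -Mailbox $BackupMbx -FilePath $PstPath

# 5. Delete the matches. -DeleteContent is only visible to accounts that hold the
#    "Mailbox Import Export" management role, and it prompts for confirmation
#    because -Force is deliberately left off.
$Mailboxes | Search-Mailbox -SearchQuery $Query -DeleteContent
```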


A user at one of the customer locations that I support made the comment: “You’ve got more power than the NSA” when I used a similar PowerShell command to remove some phishing emails from their mailboxes. Their emails automagically came up missing 🙂



  1. Joe

    This is the best write up I have found on this subject. These commands are really useful and you have done an excellent job showing how to utilize them.

  2. Jim Rodgers

    Hello Mike,

    Thanks for all the scripting examples above – it’s very helpful. I’m running into a problem where the -deletecontent parameter “cannot be found” even though I’ve run the New-ManagementRoleAssignment command for -Role “Mailbox Import Export” for the admin user I’m logged in as. I’ve closed PowerShell and opened it back up.

    This command runs OK:

    Get-Mailbox -Identity “matthew” | Search-Mailbox -SearchQuery subject:”furniture”” -TargetMailbox “marisa” -TargetFolder “drafts”

    But for this command:

    Get-Mailbox -Identity “matthew” | Search-Mailbox -SearchQuery subject:”furniture” -DeleteContent

    I get an error message that:

    Search-Mailbox: A parameter cannot be found that matches parameter name ‘deletecontent’.
    At line :1 character …
    +get-mailbox …
    +Category Info

    I could send more description, but it’s the Search-Mailbox parameter missing message that’s most important, right?


  3. DTX

    @Jim – Have you tried this, looks like the single quotes are missing ->

    Get-Mailbox -Identity “matthew” | Search-Mailbox -SearchQuery ‘subject:”furniture”’ -DeleteContent

  4. Sameer Salve


    This is a nice article.
    Is it also possible to read only the unread emails from a particular mailbox and then trigger some action ? Can we do similar for office365 ?

  5. John

    Is it possible to simply move the message to the user’s deleted items folder? They don’t normally look at that folder anyway and you don’t have to worry about a backup. It certainly doesn’t fully protect you but judging by the size of some deleted items folders of our users, it’s a fairly safe solution.

  6. Dean

    Thank you Mike. Always appreciate your posts…

  7. Alvin

    Worked like a charm. Thanks for the comprehensive instructions.

  8. Allan

    Very good article… helping me get up to speed. Very clear and easy to read…

    The biggest issue for me and a lot of other people is to do Regular Expressions against all emails in the body section. I’m going in circles trying to find a way to search 1.2 TB of emails using specific regex information.

    I know it can be done in .PST. but yet to find any way against .EDB or inside exchange…


  9. Zaid

    I’m getting an invalid parameter on -DeleteContent

  10. Danny


    I want to delete an email from the entire organization using “subject of the email” AND the “Sender’s email address”.
    I am not sure of the OU as the mailboxes are hosted on Cloud (Office 365).

    Thanks for your help in advance.


  11. Peter Jurgens

    I know this is a fairly old post now but I just came across it today as you referenced it in a tweet.

    Since the task is still relevant I wanted to suggest possibly updating the blog as part of the method you use is actually not supported by Microsoft and not recommended.

    Specifically, importing exchange cmdlets via add-pssnapin. With exchange 2010 and 2013 this circumvents the application of RBAC with respect to what cmdlets and parameters are available to an administrator in an exchange environment (amongst other things). This could potentially cause irreversible damage to an exchange environment. (I know… Scary… Perhaps a bit over exaggerated… But it’s MS’s words, not mine… :))


    I certainly agree with your use of search-mailbox here though and I can say that it’s saved my butt on more than one occasion!!!

    My own preference at the moment is to install the exchange management tools locally, and I’ve created a simple function in my profile that, when run, basically does the same as the EMS shortcut you get with the management tools (pretty much copy and paste from the EMS shortcut arguments property). This allows me to connect to exchange from any open console session. Some benefits of having the tools installed locally as well is that the data does not go through the serialization and deserialization of a PSRemoting session and it preserves some extended object methods and properties like converting size values to KB/MB for example. Oddly I’ve never come across anyone else following my method…

    Anyway, great post and I must say I’ve been a fan of your contributions for years and I even remember you winning one of the first PowerShell scripting games events.

    Keep up the great work!

  12. Wayne Smith

    Bookmarked this page and refer to it often.

  13. Nabil IT

    Hi, I’m trying this command to delete mail test in order to execute for phishing mail,

    this command
    >Get-Mailbox -Identity “bck.rest01” | Search-Mailbox -SearchQuery ‘Subject:”TESTTEST”‘ -EstimateResultOnly
    show me
    TargetFolder :
    ResultItemsCount : 0
    ResultItemsSize : 0 B (0 bytes)
    and a mail user test. We can see on the subject TESTTEST? Please, how can I delete this mail, please?

    >Get-Mailbox -Identity “bck.rest01” | Search-Mailbox -SearchQuery ‘Subject:”TESTTEST”‘ -DeleteContent -FORCE NADA

  14. Brad

    All I get is this error. Wasted half a day on this PowerShell script; could have walked to the user’s desk and deleted it in 5 minutes.

    [PS] C:\Windows\system32>Get-Mailbox -identity user | Search-Mailbox -SearchQuery ‘test123*”‘ -deleteContent | Where-Object {$_.ResultItemsCount}
    The target mailbox or .pst file path is required.
    + CategoryInfo : InvalidArgument: (:) [], ArgumentException
    + FullyQualifiedErrorId : 78792EBB

  15. NABIL IT

    Hi, Team, Could you share please the exact command to delete subject mail from one mailbox on Exchange 2013,
    Tested but not work 🙁
    Get-Mailbox -Identity “bck.rest01” | Search-Mailbox -SearchQuery ‘Subject:”TESTTEST”‘ DeleteContent

    Get-Mailbox -Identity “bck.rest01” | Search-Mailbox -SearchQuery ‘TESTTEST’ -DeleteContent | Where-Object{$_.resultitemscount}
    For organisation
    Get-Mailbox -ResultSize unlimited | Search-Mailbox -SearchQuery ‘Subject:”Your query”‘ –DeleteContent


  16. Jorn

    Thanks for article. But if I will only move the item and not -deleteContent, will that be possible?
    I want to move the email only to a folder for all users called “SPAM” in outlook

  17. Jørn

    Do you have to deletecontent or can you move the items you search for and after to another folder for the users what have these emails with subject to another folder from the inbox?

