Friday, April 1, 2016

Finding and removing emails from exchange mailboxes

In this case security office has sent notification, that potentially malicious email that bypassed antimalware protection has to be removed from user's mailboxes. In order to find out who has received the specified email (the sender of the malicious email was provided in the escalation information from the security office), in case of multirole exchange servers, I've checked the message tracking logs using following syntax:

Get-ExchangeServer | Get-MessageTrackingLog -start (Get-date).AddDays(-1) -End (Get-date)  -ResultSize unlimited -eventid deliver -Sender "malicioussender@domain.some"

Fortunately, the number of users that have received the specified email message were few. Knowing the affected users, removing the email message from their mailbox can be done using Search-Mailbox cmdlet. For running the Search-Mailbox cmdlet, the user running this cmdlet must be a member of Discovery Management role group.
For example, to search the affected mailbox for the message with sender "malicioussender@domain.some" and send the results log to some auditor's mailbox (messages are not removed from the affected mailbox):

Search-Mailbox -Identity "user@affected.maibox" -SearchQuery 'From: "malicioussender@domain.some"' -TargetMailbox "auditor@mailbox.domain" -TargetFolder "SearchUsersLogs" -LogOnly -LogLevel Full

In order to delete the message from the affected mailbox, Search-Mailbox has DeleteContent parameter. For using the DeleteContent parameter, user running the search-mailbox cmdlet, also has to have the Mailbox Import Export management role assigned.
For assigning Mailbox Import Export Role to a Role Group, please follow the TechNet article .

Now, it's time to remove the messages from affected mailbox, and copy them auditor's mailbox:

Search-Mailbox -Identity "user@affected.maibox" -SearchQuery 'From: "malicioussender@domain.some"' -TargetMailbox "auditor@mailbox.domain" -TargetFolder "SearchUsersLogs" -DeleteContent

Messages were successfully deleted from affected mailbox, and copied to a auditor's mailbox.