This is a quick blogged guide for administrators who need to delete an email from their organization for one reason or another. In my case this was due to an outbreak of a CryptoLocker-like ransomware called Cerber.
The Task: Find the emails and delete them from the system to prevent further incidents from popping up. Every new infection makes more work for us, because we always have to re-image the machine (and physically replace it in some cases), not to mention the user downtime.
First we want to be able to locate and identify the emails targeted for deletion. In my case we received the payload from this address: [email protected] (first I just want to say: .ru, it's Russian!). We should never open emails like this, but users will still go for it. There are several ways to find where the emails went, find out who read them, and so on, and this is what we will do, going off this sender address.
Options for Searching: Exchange PowerShell OR the Exchange eDiscovery GUI
I'll use both normally. In many cases, if the search involves gathering emails, it is easiest for me to just run an eDiscovery search and shoot the results over into a PST file. In the case of deletions, though, we want to use PowerShell, since it is the only way I know of as of now to delete emails from the system and from user mailboxes in bulk.
-So log into your Exchange server as the Exchange Admin, or verify you have the proper rights to run search commands (ref: https://technet.microsoft.com/en-us/library/dd298059(v=exchg.160).aspx),
then open the Exchange Management Shell. We can now use the following command to search for our items with the matching sender address.
Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery "From:[email protected]" -TargetMailbox adminuser -TargetFolder "SearchAndDeleteLog" -LogOnly -LogLevel Full
-This command first grabs all mailboxes within the organization, then pipes them to our search cmdlet using the "|" symbol. In our search operation we call "Search-Mailbox -SearchQuery", and in that query we use the "From:" property to find our matching address. The command then follows up with a "target" mailbox and folder to receive a report of the results. In my case I'm sending it to my adminuser's mailbox, under the "SearchAndDeleteLog" folder I created for it. Because of -LogOnly, nothing is copied or deleted yet; only the log is written.
Here is a guide to other parameters I might use when running the search. We can use things like the Subject line or dates and get fairly specific. Keep in mind the query uses KQL (Keyword Query Language), which is the same syntax used in eDiscovery. Use this guide to get an idea of what search properties you can use in the -SearchQuery: https://technet.microsoft.com/en-us/library/ms.o365.cc.searchquerylearnmore.aspx#emailproperties
Once you are happy with the results, you can move on to deleting them with the following command:
Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery "From:[email protected].ru" -DeleteContent
This command will basically gather the results and delete them from the mailboxes. You will be asked to confirm the deletion for each mailbox, one at a time.
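To tie the two commands together into something safer to run during an incident, here is an added example script (it is not from the original post) for the Exchange Management Shell. It does the search in two phases: first an estimate-only pass that reports which mailboxes actually received the message, which is also your list of users to check for infection, then a log copy into the admin mailbox, and only then the delete, restricted to the mailboxes that had hits. The sender address, the date, the admin mailbox and the folder name are placeholders you would replace. Note that -DeleteContent requires the "Mailbox Import Export" management role in addition to the Discovery Management role group, and the Received>= date syntax follows the KQL property guide linked above (date format depends on your server locale, so treat it as an assumption to verify).

```powershell
# Added example (not the original post's code): two-phase search, log, then purge
# of a malicious message across all mailboxes in an Exchange organization.
# Placeholders: sender address, first-seen date, admin mailbox and log folder.
# Requires Discovery Management plus the "Mailbox Import Export" role for -DeleteContent.

$Sender    = 'attacker@example.ru'   # placeholder for the malicious sender address
$NotBefore = '03/01/2016'            # placeholder first-seen date (locale-dependent format)
$AdminBox  = 'adminuser'             # mailbox that receives the evidence copy / log
$LogFolder = 'SearchAndDeleteLog'    # folder in the admin mailbox for the log
$Query     = "From:`"$Sender`" AND Received>=$NotBefore"

# Phase 1: estimate only. Search-Mailbox emits one result object per mailbox,
# so filtering on ResultItemsCount tells us exactly who received the message
# without copying or deleting anything.
$hits = Get-Mailbox -ResultSize Unlimited |
    Search-Mailbox -SearchQuery $Query -EstimateResultOnly |
    Where-Object { $_.ResultItemsCount -gt 0 }

if (-not $hits) {
    Write-Host "No messages matched '$Query'."
    return
}

# Affected mailboxes: this list doubles as the set of workstations to check.
$hits | Select-Object Identity, ResultItemsCount, ResultItemsSize | Format-Table -AutoSize

# Keep an evidence copy of the matches in the admin mailbox before deleting.
# -LogLevel Full attaches a CSV listing every matched item.
$hits | ForEach-Object {
    Search-Mailbox -Identity $_.Identity -SearchQuery $Query `
        -TargetMailbox $AdminBox -TargetFolder $LogFolder -LogOnly -LogLevel Full
}

# Phase 2: delete, but only from mailboxes that actually had hits.
# -Force suppresses the per-mailbox prompt; drop it to approve each mailbox by hand.
$answer = Read-Host "Delete matches from $($hits.Count) mailbox(es)? Type YES to continue"
if ($answer -eq 'YES') {
    $hits | ForEach-Object {
        Search-Mailbox -Identity $_.Identity -SearchQuery $Query -DeleteContent -Force
    }
}
```

Running the estimate pass first means the same query string is used for the report and for the delete, so what you reviewed is exactly what gets removed; if the estimate comes back with far more hits than expected, tighten the query (Subject:, a narrower date range) before going anywhere near -DeleteContent.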
I advise running a backup of anything before deleting it, but since this is a virus-laden email, we wash our hands of it.