It doesn't matter how good the security and design of your environment are, with all its complex spam filters, gateways and appliances: sooner or later you'll need to remove some sort of unwanted message from one or more mailboxes on your Exchange Server.
In a common incident response scenario like this, PowerShell is a very useful tool. This time the cmdlet is New-ComplianceSearch, which is available both on-premises in Exchange Server 2016 and in Exchange Online.
I found this cmdlet a few weeks ago while reading the Exchange 2016 documentation; it is also part of the Office 365 Security & Compliance Center, which I think, by the way, is one of the best features of Office 365 from a system administrator's perspective.
The simpler Search-Mailbox cmdlet is a good starting point from the Exchange Management Shell and is good enough in most common scenarios, where the results stay far below its limits (10,000 mailboxes / 10,000 search results). As the documentation puts it:
You can search a maximum of 10,000 mailboxes using the Search-Mailbox cmdlet. If you’re an Exchange Online organization and have more than 10,000 mailboxes, you can use the Compliance Search feature (or the corresponding New-ComplianceSearch cmdlet) to search an unlimited number of mailboxes. Then you can use the New-ComplianceSearchAction cmdlet to delete the messages returned by a compliance search. For more information, see Search for and delete email messages from your Office 365 organization.
Search-Mailbox was the only tool available on Exchange 2013 and Exchange Online, and it can still be used effectively; it is an interesting place to start if you haven't upgraded to Exchange 2016 yet.
The new compliance search pushes those limits and scope five times further (50,000 mailboxes and 50,000 results), has the same requirements, and its purge action is limited to 10 items per mailbox at a time, which is what you would expect from an incident response tool.
If you're curious how simple the cmdlet is to run, this is how it looks:
```powershell
# Create a search for our phishing email. New-ComplianceSearch only defines the search;
# Start-ComplianceSearch actually runs it, and the purge below needs its results.
# The KQL query is quoted as a whole so the phrase quotes reach the search engine intact.
New-ComplianceSearch -Name 'IR_CASE_001' -ExchangeLocation "HR Department" -ContentMatchQuery "from:'Nefarius Sender'"
Start-ComplianceSearch -Identity 'IR_CASE_001'
# Once Get-ComplianceSearch reports the search as Completed, move the matching messages
# to the Recoverable Items folder of each user's mailbox
New-ComplianceSearchAction -SearchName 'IR_CASE_001' -Purge -PurgeType SoftDelete
```
This article collects some useful tips and examples on how to use it.
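As a first example, here is the complete search, preview and purge workflow around the snippet above, written for this page (it is not code from the original post). The case name, sender, subject and date window are placeholders, and the role names in the comments (Mailbox Search, Search And Purge) are my assumption; check them against your own environment. It assumes an Exchange 2016 Management Shell or a Security & Compliance Center PowerShell session.

```powershell
# Added example, not code from the original post: the full search -> preview -> purge loop
# around New-ComplianceSearch. Case name, sender, subject and date are placeholders.
# Assumes an Exchange 2016 Management Shell or a Security & Compliance Center PowerShell
# session, and an account holding the Mailbox Search role (search) and the
# Search And Purge role (purge); those role names are an assumption, not from the post.

$CaseName = 'IR_CASE_002'

# KQL query. Pin the sender AND the subject AND a date window, so the purge does not
# sweep up legitimate older mail that merely shares a sender domain.
$Query = 'from:"invoice@example.invalid" AND subject:"Invoice overdue" AND received>=2016-06-01'

# Polls a compliance search (or, with -Action, a search action) until it finishes
# or the timeout hits. Both object types expose a Status property that ends at 'Completed'.
function Wait-ComplianceObject {
    param([string]$Identity, [switch]$Action, [int]$TimeoutSeconds = 600)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 5
        $obj = if ($Action) { Get-ComplianceSearchAction -Identity $Identity }
               else         { Get-ComplianceSearch       -Identity $Identity }
        if ((Get-Date) -gt $deadline) { throw "Timed out waiting for $Identity" }
    } until ($obj.Status -eq 'Completed')
    return $obj
}

# 1. Define the search. New-ComplianceSearch only creates it; nothing runs yet.
#    -ExchangeLocation All covers every mailbox; pass a mailbox or a distribution
#    group instead to narrow the scope.
New-ComplianceSearch -Name $CaseName -ExchangeLocation All -ContentMatchQuery $Query | Out-Null

# 2. Run it and wait. Check the hit count before touching anything.
Start-ComplianceSearch -Identity $CaseName
$search = Wait-ComplianceObject -Identity $CaseName
"Search '$CaseName': $($search.Items) item(s) matched"
$search.SuccessResults   # per-mailbox breakdown, one entry per location with hits

# 3. Preview the hits (sender, subject, recipient, date) to confirm the query is tight.
#    Actions are named <SearchName>_Preview and <SearchName>_Purge.
New-ComplianceSearchAction -SearchName $CaseName -Preview | Out-Null
(Wait-ComplianceObject -Identity "${CaseName}_Preview" -Action).Results
Remove-ComplianceSearchAction -Identity "${CaseName}_Preview" -Confirm:$false

# 4. Purge. One purge action removes at most 10 items per mailbox, so re-run the
#    search and purge again until nothing matches. SoftDelete moves messages to the
#    user's Recoverable Items folder (recoverable, and still available for forensics);
#    use -PurgeType HardDelete only when you are sure you want them gone.
while ($search.Items -gt 0) {
    New-ComplianceSearchAction -SearchName $CaseName -Purge -PurgeType SoftDelete -Confirm:$false | Out-Null
    Wait-ComplianceObject -Identity "${CaseName}_Purge" -Action | Out-Null
    # The previous purge action must be removed before one with the same name can be created.
    Remove-ComplianceSearchAction -Identity "${CaseName}_Purge" -Confirm:$false

    Start-ComplianceSearch -Identity $CaseName
    $search = Wait-ComplianceObject -Identity $CaseName
    "Remaining after purge pass: $($search.Items)"
}
```

The loop in step 4 exists because of the 10-items-per-mailbox limit mentioned above: a user who received the same phishing message twenty times needs two passes. Keep the preview output and the SuccessResults text with the case record before purging; once the messages are soft-deleted the search itself will report zero hits, and that output is your evidence of what was removed and from where.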