network technician/administrator/manager blog
Find and Delete O365 Email

Quick post on how to find and delete an email using Office 365 Security & Compliance.

Scenario: You have been tasked with finding a suspicious email that has been sent to N users and removing it from their inboxes.

First off, head to https://protection.office.com/threatexplorer

On the left-hand side, open “Threat Management”, then click on “Explorer”.

From the threat management explorer view you will see, by default, the Malware detections across your environment. We need to change this to view all email, which is done by clicking the “View” drop-down along the top.


As you can see, we have a few options. Selecting one of the other options will show you all the email items that have been automatically or manually categorised as either Malware, Phishing, part of a campaign… What we wish to do is select “All email” so we are sure we have found them all.

We now have many options to help us find the email(s) in question, and the options are stackable, so we

So, let's take the above email as being the one we are hunting down. If we get a forwarded copy or physically get to see the email, then we have lots to go on to help the search.

An easy one to search on would be the subject, so let's go ahead and input that:

Message Center Major Change Update Notification

Scroll down and you can see who received the email, whether it was successfully delivered and, if so, what action was taken or where the email was put.

So, we can see 30 emails were sent that match our search criteria. Next we get to choose what action to take on those emails. Select all or some of the emails, then click the “Actions” drop-down.

There are many options to pick from, some self-explanatory ones like delete and move to junk. The Track & notify options are part of the Office 365 auto investigation AI; if you receive an email and it's not picked up right away, you can manually start an investigation and it will add the emails to the queue to be passed through the O365 threat management process. However, for this demo we just want to delete from the user(s) inbox.

Two options: A soft-deleted message is moved to a user’s Recoverable Items folder and retained until the deleted item retention period expires. Hard-deleted messages are marked for permanent removal from the mailbox and will be permanently removed the next time the mailbox is processed by the Managed Folder Assistant. I would recommend, if the email has been sent in error or already found to be malicious in some nature, just selecting Hard delete so you are sure it's been removed and is not recoverable.

Next we have to complete the audit trail so that, if any questions are asked later on, we have a record of who/why/when the email(s) were removed without the users' knowledge.

Set the Severity of the ticket. I’m not aware there is any more urgency applied, i.e. High severity is queued higher than, say, a low job, so I have always applied it on the basis of the urgency of the ticket sent in, i.e. if it's a phishing email, set to High, as anyone clicking the email before its deletion may act on the content, as opposed to a wrongful email sent out, which would be medium/low (depending on the content).

You will get an opportunity to review your settings before clicking Start.
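
The same find-by-subject and soft/hard delete choice can also be scripted with the Security & Compliance PowerShell content search cmdlets. This is an added example, not part of the original post; the search name is an assumed value, and it assumes the ExchangeOnlineManagement module is installed and the account holds the "Search And Purge" role.

```powershell
# Added example (not from the original post).
# Assumes: ExchangeOnlineManagement module installed, account has "Search And Purge" role.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

# Assumed value: the search name is arbitrary. The subject is the one searched for above.
$searchName = 'Purge-MessageCenter-Notification'
$subject    = 'Message Center Major Change Update Notification'

# Create a content search across all mailboxes, matching on the subject line.
New-ComplianceSearch -Name $searchName `
    -ExchangeLocation All `
    -ContentMatchQuery "subject:`"$subject`"" | Out-Null
Start-ComplianceSearch -Identity $searchName

# Poll until the search has finished before trusting the hit count.
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -ne 'Completed')

# Review how many items matched before removing anything.
"{0} item(s) matched search '{1}'" -f $search.Items, $searchName

if ($search.Items -gt 0) {
    # SoftDelete moves items to Recoverable Items until retention expires.
    # HardDelete marks them for permanent removal.
    # The cmdlet asks for confirmation before it purges.
    New-ComplianceSearchAction -SearchName $searchName -Purge -PurgeType HardDelete

    # The purge action is named "<search name>_Purge"; keep its output
    # with the ticket as part of the audit trail.
    Get-ComplianceSearchAction -Identity "${searchName}_Purge" |
        Format-List Name, Status, Results
}
```

A purge action removes at most 10 matching items per mailbox per run, so re-run the search and purge if a mailbox holds more copies than that.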