I'm a relatively new administrator for Microsoft 365 and faced a situation where a phishing email reached multiple inboxes. One user managed to identify and report it, but I only tracked it down through our filtering system. I'm looking for a way to automate the removal of these phishing emails so I don't have to call each affected user. Is there a feature in Microsoft 365 that allows me to efficiently find and delete these phishing emails?
5 Answers
Here are the methods I know for this issue: 1. Use automatic actions in Defender, but I wouldn't trust those too much with live inboxes. 2. You can run a KQL query in Defender's online interface (not the antivirus part). I had a template I used that looked something like this: Select from EmailEvents, EmailPostDeliveryActions where SenderFromDomain contains "domain.com" and EmailDirection == "Inbound" and DeliveryAction == "Delivered". It's quick but has a limit of 100 or 200 emails to act on, which can be frustrating. Just remember, you'll need an E3 or Defender 1 license for this.
Check out the guide on Microsoft’s site for Threat Explorer: https://learn.microsoft.com/microsoft-365/security/office-365-security/threat-explorer. You can also use Content Search in the Compliance Center by creating a search based on the sender and using PowerShell for deleting. If you have Plan 2, Threat Explorer is a much quicker way to find and delete those emails without needing PowerShell intervention.
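As an added example (not from this answer or from Microsoft's docs), here is the Content Search plus PowerShell purge route this answer describes, using the Security & Compliance cmdlets from the ExchangeOnlineManagement module. The search name, sender address and subject are placeholders; the account used needs the Compliance Search and Search And Purge roles.

```powershell
# Assumes the ExchangeOnlineManagement module is installed. All values are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # connects to the Security & Compliance PowerShell endpoint

$searchName = "Phish-Purge-<ticket-id>"   # placeholder search name
$sender     = "badactor@example.com"       # placeholder sender seen in the phish
$subject    = "Invoice overdue"            # placeholder subject line

# KQL keyword query on message properties; keep it narrow so only the phish matches
$query = "from:`"$sender`" AND subject:`"$subject`""

# 1. Create the search across all mailboxes and start it
New-ComplianceSearch -Name $searchName -ExchangeLocation All -ContentMatchQuery $query | Out-Null
Start-ComplianceSearch -Identity $searchName

# 2. Wait for it to finish, then review the hit count before deleting anything
do {
    Start-Sleep -Seconds 10
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -ne "Completed")
Write-Host "Items matched: $($search.Items)"
$search.SuccessResults   # per-mailbox counts; sanity-check that only the phish was hit

# 3. Purge. SoftDelete moves items to Recoverable Items (users can restore them);
#    HardDelete marks them for permanent removal. One purge action removes at most
#    10 items per mailbox, so re-run it for mailboxes that had more hits.
New-ComplianceSearchAction -SearchName $searchName -Purge -PurgeType SoftDelete -Confirm:$false

# 4. Check the purge action's status (its identity is "<search name>_Purge")
Get-ComplianceSearchAction -Identity "${searchName}_Purge"
```

Review the matched counts in step 2 before running step 3; the purge is scoped only by the query you wrote.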
You might want to try using the Email and Collaboration settings in Microsoft Defender. It sounds like a promising area to explore! That said, have you already attempted to search for solutions before posting? Sometimes a quick check can save a lot of time! 😊
Try the content search option for purging emails. You can even go hardcore and completely remove them if needed.
You can handle this directly from the Explorer screen in Exchange. It's pretty straightforward!

That query sounds really useful! Do you have to modify it for different domains, or does it work broadly?