

Exchange 2010/2013 Step-By-Step: Delete circulated Suspicious emails with Search-Mailbox

In this article, we will look at the steps to identify a spam or malicious email that has been circulated in an environment. When a user reports a suspicious email to the IT team, the first question an admin has to answer is whether that email has reached other mailboxes as well.

There are several ways a spam message can circulate in an environment:

  • From a single spam sender address to a single recipient.
  • From a single spam sender address to multiple recipients.
  • From multiple spam sender addresses to multiple recipients, with varying subject lines.

It is always better to search the whole organization to confirm whether the email has reached other users.

The easiest way to identify the spam emails is to run a search on the subject line, so that every affected mailbox is identified. Note that the last scenario above, with varying subject lines, needs one search per subject (or a broader query on the sender address); a single subject search will only find the variant that was reported.

Now we will look at the steps to perform this with the Search-Mailbox cmdlet.

First, add the account that is going to perform this task to the Discovery Management role group.

This is required in order to use the Search-Mailbox cmdlet: it needs the "Mailbox Search" role, which the Discovery Management role group holds. If the account is not a member of that group (or does not hold the role some other way), RBAC will not even expose the Search-Mailbox cmdlet in the shell.

Next, create a role group for the "Mailbox Import Export" role. This role is required to delete messages with the -DeleteContent switch later on (searching and copying results to the target mailbox works with the Mailbox Search role alone, but deletion does not).

Run the commands below to create the role group if it does not exist already. If an import/export role group already exists, just add the account that is going to perform this action to that role group.

To create: New-RoleGroup "Mailbox Import-Export Management" -Roles "Mailbox Import Export"

To add a user: Add-RoleGroupMember "Mailbox Import-Export Management" -Member Administrator

https://exchangequery.files.wordpress.com/2014/10/newsearch5.png?w=600&h=87

Even if only a single user reports a suspicious message, it is better to search the whole organization to make sure the email has not been circulated to others. Run the command below to search for the email across the organization. In our example, we are going to identify an infected email with the subject "Virus Infected". The -LogOnly switch means nothing is copied or deleted yet; the cmdlet only reports which mailboxes contain a match and writes a log to the target folder of the target mailbox. Note that the -SearchQuery value is a KQL phrase query, so it also matches subjects that merely contain the phrase (for example "RE: Virus Infected"); review the log before deleting anything.

Get-Mailbox -ResultSize Unlimited -IgnoreDefaultScope | Search-Mailbox -SearchQuery 'Subject:"virus infected"' -LogOnly -TargetMailbox administrator -TargetFolder filter -LogLevel Full

https://exchangequery.files.wordpress.com/2014/10/newsearch11.png?w=600&h=177

Once we run the command, the search starts as shown in the above screenshot. The search may take some time depending on the environment and the number of mailboxes.

Upon successful completion of the search, the log and the list of matching emails are available as a zip file attached to the log message in the target folder, as shown in the screenshot.

https://exchangequery.files.wordpress.com/2014/10/newsearch2.png?w=600&h=330


Now run the command below to search for the infected emails again and delete them throughout the organization. Because -TargetMailbox and -TargetFolder are still specified, a copy of each deleted message is placed in the target folder before it is removed from the source mailbox, so the evidence is preserved for investigation. This step is the one that requires the "Mailbox Import Export" role set up earlier:

Get-Mailbox -ResultSize Unlimited -IgnoreDefaultScope | Search-Mailbox -SearchQuery 'Subject:"virus infected"' -TargetMailbox administrator -TargetFolder filter -DeleteContent -LogLevel Full

https://exchangequery.files.wordpress.com/2014/10/newsearch4.png?w=600&h=120

Once it identifies the affected emails, it asks for confirmation before deleting them, as shown in the screenshot above. The -Force switch suppresses that prompt; only use it once the log-only run has been reviewed and the query is known to match nothing but the suspicious message.

Apart from the above, as an additional check, we can run message tracking on the subject across the whole organization to see exactly who the infected email was delivered to, and then confirm that all copies have been deleted.

Run the command below to perform message tracking by subject across the organization. In our case, we are using the subject "Virus Infected". Keep in mind that -MessageSubject is a substring match, that Get-MessageTrackingLog returns at most 1000 entries unless -ResultSize Unlimited is given, and that tracking logs are kept for 30 days by default, so add -Start/-End if the outbreak is older than the default window.

Get-ExchangeServer | Where-Object {$_.IsHubTransportServer -eq $true -or $_.IsMailboxServer -eq $true} | Get-MessageTrackingLog -MessageSubject "Virus Infected" -ResultSize Unlimited | Select-Object Timestamp,ServerHostname,ClientHostname,Source,EventId,Recipients | Sort-Object -Property Timestamp
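The whole procedure above (role check, log-only search, deletion, message-tracking verification) chained into one script, as an added example that is not code from the original post. It is meant to be run from the Exchange Management Shell on Exchange 2010/2013. The operator account, holding mailbox ("administrator"), holding folder ("filter"), subject ("Virus Infected") and the seven-day tracking window are assumed values, not given on the page. It goes one step further than the post by re-searching only the mailboxes that message tracking says received the email, so that any copy the clean-up missed shows up by name.

```powershell
# Added example, not code from the original post. Chains the post's four steps
# into one script for the Exchange Management Shell (Exchange 2010/2013).
# Assumed values (not given on the page): operator and holding mailbox are
# "administrator", holding folder is "filter", subject is "Virus Infected".

$Subject       = 'Virus Infected'
$Operator      = 'administrator'
$TargetMailbox = 'administrator'
$TargetFolder  = 'filter'
$LookbackDays  = 7

# --- 1. Role check ---------------------------------------------------------
# Search-Mailbox needs "Mailbox Search" (held by Discovery Management) to
# search and "Mailbox Import Export" to use -DeleteContent. -GetEffectiveUsers
# expands role-group membership, so indirect assignments count too.
foreach ($role in 'Mailbox Search', 'Mailbox Import Export') {
    $effective = Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers |
                 Where-Object { $_.EffectiveUserName -eq $Operator }
    if (-not $effective) {
        throw "'$Operator' does not hold the '$role' role; add it to the right role group first."
    }
}

# --- 2. Log-only search (nothing is changed yet) --------------------------
# KQL phrase query: matches subjects that contain the phrase, so a reply
# "RE: Virus Infected" is also a hit. Review the hit list before deleting.
# The holding mailbox is excluded from the sources so it is not searched into itself.
$query     = 'Subject:"{0}"' -f $Subject
$mailboxes = @(Get-Mailbox -ResultSize Unlimited -IgnoreDefaultScope |
               Where-Object { $_.Alias -ne $TargetMailbox })
$dryRun    = $mailboxes | Search-Mailbox -SearchQuery $query -LogOnly `
                 -TargetMailbox $TargetMailbox -TargetFolder $TargetFolder -LogLevel Full
$hits      = @($dryRun | Where-Object { $_.ResultItemsCount -gt 0 })

Write-Host ("{0} of {1} mailboxes contain '{2}'" -f $hits.Count, $mailboxes.Count, $Subject)
$hits | Select-Object Identity, ResultItemsCount, ResultItemsSize | Format-Table -AutoSize

# --- 3. Delete, but only from the mailboxes that had hits -----------------
# With -TargetMailbox a copy of each message lands in the target folder before
# it is removed, so the evidence survives. One explicit gate replaces the
# per-mailbox prompt that -DeleteContent would otherwise raise (-Force suppresses it).
if ($hits.Count -gt 0 -and (Read-Host 'Delete these items? (yes/no)') -eq 'yes') {
    $hits | ForEach-Object {
        Search-Mailbox -Identity $_.Identity -SearchQuery $query -DeleteContent -Force `
            -TargetMailbox $TargetMailbox -TargetFolder $TargetFolder -LogLevel Full
    }
}

# --- 4. Message tracking: who actually received it? ------------------------
# -MessageSubject is a substring match; the default ResultSize is 1000 and the
# logs are kept 30 days by default, so bound the window and lift the cap.
$delivered = Get-ExchangeServer |
    Where-Object { $_.IsHubTransportServer -or $_.IsMailboxServer } |
    Get-MessageTrackingLog -MessageSubject $Subject -EventId DELIVER `
        -Start (Get-Date).AddDays(-$LookbackDays) -ResultSize Unlimited
$recipients = @($delivered | ForEach-Object { $_.Recipients } | Sort-Object -Unique)

# Re-search only the delivered-to mailboxes. Addresses that are not local
# mailboxes (external, distribution groups) are skipped. Anything still found
# is a mailbox the clean-up missed.
$remaining = @($recipients |
    ForEach-Object { Get-Mailbox -Identity $_ -ErrorAction SilentlyContinue } |
    Where-Object { $_.Alias -ne $TargetMailbox } |
    Search-Mailbox -SearchQuery $query -LogOnly -TargetMailbox $TargetMailbox `
        -TargetFolder $TargetFolder -LogLevel Basic |
    Where-Object { $_.ResultItemsCount -gt 0 })

if ($remaining.Count -eq 0) {
    Write-Host ("Verified: none of the {0} delivered-to addresses still hold '{1}'." -f $recipients.Count, $Subject)
} else {
    Write-Warning 'Copies still present in:'
    $remaining | Select-Object Identity, ResultItemsCount | Format-Table -AutoSize
}
```

Step 3 deliberately pipes only the mailboxes with hits into the deletion rather than repeating the organization-wide Get-Mailbox pipe, which keeps the second pass short and limits the blast radius if the query turns out to be broader than intended. Step 4 is the part the post only describes in prose: the tracking log gives the authoritative recipient list, and re-running the log-only search against exactly those mailboxes turns "ensure all the emails have been deleted" into a check with a pass/fail result.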

https://exchangequery.files.wordpress.com/2014/10/newsearch6.png?w=600&h=221

The above method can be used to identify and delete any circulated spam email in the organization.