Wednesday, 14 October 2015

Exchange 2010, 2013, 2016 - Delete virus email from mailboxes using Search-Mailbox

Occasionally, but hopefully not too often, a virus will bypass your spam filters and end up in end users' mailboxes. In this post, I'll demonstrate how to delete the email from users' mailboxes with one quick and easy command that you can keep on hand.

A classic spam email with a zip attachment is below:





First, ensure you have the correct permissions:


  1. Log into the Exchange Admin Center using an account that is a member of the Organization Management AD Group
  2. Click on Permissions
  3. Double click on Discovery Management and add your user account as a member
  4. Open a new Exchange Management Shell



To delete the email from all users' mailboxes:

Run the below command on a single line:

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery 'from:"sales@sales.com" AND subject:"invoice"' -DeleteContent -Force





The report above shows that one email was deleted from the Administrator mailbox (ResultItemsCount: 1).

To delete an email from all mailboxes and copy the email to the Spam mailbox:


Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery 'from:"sales@sales.com" AND subject:"invoice"' -TargetMailbox Spam -TargetFolder DeletedMessages -DeleteContent

To delete an email according to the attachment file name:


Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery 'attachment:"document_826321_pdf.zip"' -DeleteContent
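
A preview-then-delete version of the commands above, as an added example that is not part of the original post: it counts matches per mailbox with -EstimateResultOnly, asks for confirmation, then copies and deletes only in the mailboxes that matched. The query, the Spam mailbox and the DeletedMessages folder come from the post; the variable names and the CSV file name are assumptions.

```powershell
# Added example: preview the match set before running the destructive pass.
# Run in the Exchange Management Shell with the permissions set up above.

# KQL query built from the sender and subject used in this post.
$query = 'from:"sales@sales.com" AND subject:"invoice"'

# Pass 1: count matches per mailbox. -EstimateResultOnly changes nothing.
$hits = Get-Mailbox -ResultSize Unlimited |
    Search-Mailbox -SearchQuery $query -EstimateResultOnly |
    Where-Object { $_.ResultItemsCount -gt 0 }

if (-not $hits) {
    Write-Host "No mailbox contains a message matching: $query"
    return
}

# Show what would be removed so an over-broad query is caught here.
$hits | Sort-Object ResultItemsCount -Descending |
    Format-Table Identity, ResultItemsCount, ResultItemsSize -AutoSize

$total = ($hits | Measure-Object ResultItemsCount -Sum).Sum
$count = @($hits).Count
$answer = Read-Host "Delete $total item(s) from $count mailbox(es)? Type YES to continue"
if ($answer -cne 'YES') {
    Write-Host 'Aborted; nothing was deleted.'
    return
}

# Pass 2: copy to the Spam mailbox and delete, only in mailboxes that matched.
$results = foreach ($hit in $hits) {
    Search-Mailbox -Identity "$($hit.Identity)" -SearchQuery $query `
        -TargetMailbox Spam -TargetFolder DeletedMessages -DeleteContent -Force
}

# Keep a record of the clean-up for the incident notes (file name is hypothetical).
$results | Select-Object Identity, Success, ResultItemsCount |
    Export-Csv -Path .\search-mailbox-cleanup.csv -NoTypeInformation
```

If the preview table lists far more mailboxes or items than expected, tighten the query before answering YES.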

