Office 365 has protections against phishing and virus emails in Outlook, but sometimes malicious messages slip past security measures. If this happens, it’s possible to use the Security and Compliance Center and PowerShell to remove these harmful phishing and virus messages from inboxes.
Start by going to the Office 365 Security & Compliance Center in a web browser. Under the Search & Investigation section, run a Content Search. Give this search a descriptive name, as you will need to refer to it later. For this example, let’s call it “Virus message.”
Use the search filters to whittle down your results to find the message, or messages, that you need to remove. Filter by date ranges, exact phrases, and/or subject-only searches to find the exact messages you need. Once you have a search that contains the message(s) you want to remove, it’s time to open PowerShell. Be sure to run this session as an administrator.
Make sure that PowerShell is configured to run scripts. If it is not, use the command Set-ExecutionPolicy RemoteSigned to enable running scripts on your computer.
Now use the command $UserCredential = Get-Credential, and then enter your account email and password to log in. Next, run this command: $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection. Finally, run Import-PSSession $Session to initiate your session with the Security & Compliance Center.
Note that these steps will not work if you use multi-factor authentication. Microsoft has a guide to connect using MFA. Once you complete this process, you can continue with the compliance action.
Once you connect to the Security & Compliance Center through PowerShell, run the command New-ComplianceSearchAction -SearchName "Virus message" -Purge -PurgeType SoftDelete. This will pull up the search you defined with the name “Virus message.” The command will move the message to users’ Recoverable Items folder. Microsoft’s PowerShell documentation covers additional commands that work with the New-ComplianceSearchAction command if additional steps are required for managing user messages while you are in this session.
Once you finish, run the command Remove-PSSession $Session to ensure that you free up your remote PowerShell session slot without waiting for it to expire.
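The steps above can be combined into one guarded script. This is an added example, not code from the original article: it checks that the “Virus message” search has completed and matched a plausible number of items before purging, then polls the purge action and always releases the session. The $MaxItems ceiling and the polling interval are assumptions to adjust for your tenant.

```powershell
# Added example: guarded purge of the Content Search built in the portal.
$SearchName = 'Virus message'   # search name used in this article
$MaxItems   = 500               # assumed safety ceiling; adjust to your tenant

$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ `
    -Credential $UserCredential -Authentication Basic -AllowRedirection
try {
    Import-PSSession $Session -DisableNameChecking | Out-Null

    # Confirm the search finished and matched a plausible number of items.
    $search = Get-ComplianceSearch -Identity $SearchName -ErrorAction Stop
    if ($search.Status -ne 'Completed') {
        throw "Search '$SearchName' is '$($search.Status)'; wait for it to complete."
    }
    if ($search.Items -eq 0) { throw "Search '$SearchName' matched no items." }
    if ($search.Items -gt $MaxItems) {
        throw "Search matched $($search.Items) items (> $MaxItems); narrow the filters."
    }
    Write-Host "Purging $($search.Items) item(s) matched by '$SearchName'."

    # Soft delete: messages move to each user's Recoverable Items folder.
    New-ComplianceSearchAction -SearchName $SearchName -Purge -PurgeType SoftDelete `
        -Confirm:$false | Out-Null

    # The purge action is named "<search name>_Purge"; poll it for up to ~5 minutes.
    for ($i = 0; $i -lt 20; $i++) {
        Start-Sleep -Seconds 15
        $action = Get-ComplianceSearchAction -Identity "${SearchName}_Purge"
        Write-Host "Purge status: $($action.Status)"
        if ($action.Status -eq 'Completed') { break }
    }
    $action | Format-List Name, Status, Results
}
finally {
    # Always release the remote session slot, even if a check above threw.
    if ($Session) { Remove-PSSession $Session }
}
```

If the item count check fails, refine the filters in the Content Search and rerun it before attempting the purge again.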
You are now finished, but make sure that users stay alert to emails that might be phishing attempts or carry viruses. Built-in security measures will always be a step behind the latest work of phishers and virus creators.
Have more questions about Office 365? Let’s chat. Sikich is an award-winning Microsoft Office 365 partner. We’ve helped hundreds of others and we can help you too.