Search and Destroy functionality for emails in Microsoft Exchange 2019
If your account does not have sufficient rights in Active Directory to read the Exchange configuration objects, you can manually enter your Exchange servers in this variable.
$global:ExchangeServers = @(
"server1.domain.local",
"server2.domain.local",
"server3.domain.local"
)
Set your email server to use for email reports with the following global variable.
$global:SmtpServer = $null
Set the email address to send emails from here.
$global:MailFrom = "[email protected]"
Enable or disable Exchange server autodiscovery from Active Directory with the below variable. $true enables it, $false disables it.
$global:UseAutoDiscovery = $true
Enable or disable the use of inherited credentials. If this is set to $true, the module will use the credentials provided by the Windows session rather than prompting for credentials. This is useful for automation tasks that can't supply credentials, or in environments where the user account used to log into Windows has rights to manage Exchange.
$global:InheritCredentials = $false
To import the module manually, you must first set your execution policy to Bypass. The command below does so only for the PowerShell session you are running in (process scope), so the machine-wide policy is unchanged. Note that Bypass also disables script-signature checks for that session, so only import the module from a path you control.
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force
The following can be used as a shortcut or in Windows Terminal to import the module for you automatically:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoLogo -NoExit -Command "& {Import-Module C:\PathTo\EmailSearchAndDestroy.psm1}"
CSV File Sample Format (Standard Search)
MessageID
<[email protected]>
<[email protected]>
<[email protected]>
...
To perform a standard search, which resolves the messages to purge from the Exchange message tracking logs, you need a CSV file containing a column named MessageID (no spaces). A standard search ignores every column other than MessageID. With the prepared CSV, perform the following steps:
- Create the workspace and perform the preview search. NOTE: The CSV file must contain a column named exactly MessageID.
> New-SDSearchRequest -TicketNumber <TicketNumber> -Requester [email protected] -CsvFilePath "C:\Folder\file.csv"
- Check the discovery mailbox in Outlook to verify the search preview matches what you want to purge. !!! WARNING !!! Purge is a destructive operation that cannot be undone. You will be held responsible for the results.
- Execute the search and destroy, which purges the matching messages and cleans up the search environment.
> Execute-SDPurgeRequest -TicketNumber <TicketNumber> -CsvFilePath "C:\Folder\file.csv"
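The standard search expects you to already hold the MessageIDs. The script below is an added example, not code from the EmailSearchAndDestroy module: it collects the MessageIDs of a campaign from the message tracking logs on every transport server, writes them to a CSV with the exact MessageID header, and runs only the preview step. It assumes an Exchange Management Shell session on Exchange 2019 with the module imported; the ticket number, subject, requester address and output path are placeholders.

```powershell
# Added example (not part of the EmailSearchAndDestroy module): build the MessageID CSV for a
# standard search from the Exchange message tracking logs, then run the preview search.
# Assumes an Exchange Management Shell session on Exchange 2019 and that the module is imported.
# Ticket number, subject, addresses and output path below are placeholders.

$TicketNumber = "INC0012345"
$Subject      = "Arabian prince looking for heir"     # subject of the campaign to remove (substring match)
$Start        = (Get-Date).AddDays(-7)                # tracking logs are kept only for a limited time
$CsvPath      = Join-Path $env:TEMP "$TicketNumber-messageids.csv"

# Query every transport server: a message is logged only on the servers it passed through.
# Use the module's manual server list when it is set, otherwise enumerate the transport services.
$Servers = if ($global:ExchangeServers) { $global:ExchangeServers } else { (Get-TransportService).Name }

$Ids = foreach ($Server in $Servers) {
    Get-MessageTrackingLog -Server $Server -Start $Start -MessageSubject $Subject -ResultSize Unlimited |
        Select-Object -ExpandProperty MessageId
}

# The same message produces several log events (RECEIVE, DELIVER, ...) and may appear on
# several servers, so deduplicate. The tracking log records the ID with angle brackets,
# matching the CSV sample above; add them if a value lacks them.
$Rows = $Ids | Sort-Object -Unique | ForEach-Object {
    [pscustomobject]@{ MessageID = if ($_ -match '^<.+>$') { $_ } else { "<$_>" } }
}

if (-not $Rows) {
    throw "No messages with that subject in the tracking logs since $Start; use the -Fuzzy search instead."
}

# The column header must be exactly MessageID; Export-Csv takes it from the property name.
$Rows | Export-Csv -Path $CsvPath -NoTypeInformation
Write-Host "Wrote $(@($Rows).Count) MessageIDs to $CsvPath"

# Preview only. Review the discovery mailbox before running Execute-SDPurgeRequest.
New-SDSearchRequest -TicketNumber $TicketNumber -Requester "analyst@example.com" -CsvFilePath $CsvPath
```

-MessageSubject matches a substring, so a short subject can pull in unrelated mail; check the preview in the discovery mailbox before the purge step, exactly as the procedure above requires.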
CSV File Sample Format (Fuzzy Search)
MessageID,Sender,Recipient,Subject
<[email protected]>,[email protected],[email protected],Arabian prince looking for heir
<[email protected]>,[email protected],[email protected],Pu$$y p1cs f0r y0u
<[email protected]>,[email protected],[email protected],I love you
...
Sometimes the message tracking logs don't contain the emails you're looking for anymore, such as if the logs have rotated or been cleared manually. In this situation, you can use the fuzzy search option to directly specify search and destroy criteria from your CSV file. The CSV file must contain a MessageID, a Sender, a Recipient, and a Subject column and those columns must be named exactly as written. No column may contain multiple values. For example, if a message went to 3 recipients, you must list each recipient in a separate row.
- Create the workspace and perform the preview search.
> New-SDSearchRequest -TicketNumber <TicketNumber> -Requester [email protected] -CsvFilePath "C:\Folder\file.csv" -Fuzzy
- Check the discovery mailbox in Outlook to verify the search preview matches what you want to purge. !!! WARNING !!! Purge is a destructive operation that cannot be undone.
- Execute the search and destroy, which purges the matching messages and cleans up the search environment.
> Execute-SDPurgeRequest -TicketNumber <TicketNumber> -CsvFilePath "C:\Folder\file.csv" -Fuzzy
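Hand-built fuzzy CSVs are where mistakes creep in: a mis-cased header or two recipients in one cell. The function below is an added example, not part of the module: it enforces the column rules stated above (exact names MessageID, Sender, Recipient, Subject; one value per cell), expands a recipient cell such as "bob@example.com;carol@example.com" into one row per recipient, drops any extra columns, and then runs the preview search. The function name, the sample rows and the ticket number are placeholders.

```powershell
# Added example (not part of the EmailSearchAndDestroy module): check and normalise a
# hand-built CSV before a -Fuzzy search. The column rules are taken from the README;
# the function name and the sample rows are placeholders.

function ConvertTo-SDFuzzyCsv {
    param(
        [Parameter(Mandatory)] [string] $InputPath,
        [Parameter(Mandatory)] [string] $OutputPath
    )
    $Required = 'MessageID', 'Sender', 'Recipient', 'Subject'
    $Rows = @(Import-Csv -Path $InputPath)
    if ($Rows.Count -eq 0) { throw "No data rows in $InputPath" }

    # Header names must match exactly, so compare case-sensitively
    $Have    = @($Rows[0].PSObject.Properties.Name)
    $Missing = @($Required | Where-Object { $Have -cnotcontains $_ })
    if ($Missing.Count) { throw "Missing or mis-cased column(s): $($Missing -join ', ')" }

    $Out = foreach ($Row in $Rows) {
        # MessageID and Sender are single-valued; a list separator there is an error, not something to split
        foreach ($Col in 'MessageID', 'Sender') {
            if ($Row.$Col -match '[;,]') { throw "Row '$($Row.MessageID)': column $Col must hold one value" }
        }
        if ($Row.MessageID -notmatch '^<.+@.+>$') {
            Write-Warning "MessageID '$($Row.MessageID)' is not in the <id@host> form shown in the sample"
        }
        # One output row per recipient, keeping only the four required columns
        foreach ($Rcpt in ($Row.Recipient -split '[;,]' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
            [pscustomobject]@{
                MessageID = $Row.MessageID.Trim()
                Sender    = $Row.Sender.Trim()
                Recipient = $Rcpt
                Subject   = $Row.Subject
            }
        }
    }
    $Out = @($Out | Sort-Object MessageID, Recipient -Unique)
    $Out | Export-Csv -Path $OutputPath -NoTypeInformation
    return $Out.Count
}

# Constructed sample input: the second row names two recipients in one cell and is split into two rows
$Sample = @'
MessageID,Sender,Recipient,Subject
<a1@mail.example.net>,spam@example.net,alice@example.com,Invoice attached
<b2@mail.example.net>,spam@example.net,bob@example.com;carol@example.com,Invoice attached
'@
$RawCsv   = Join-Path $env:TEMP 'fuzzy-raw.csv'
$CleanCsv = Join-Path $env:TEMP 'fuzzy-clean.csv'
Set-Content -Path $RawCsv -Value $Sample

$Count = ConvertTo-SDFuzzyCsv -InputPath $RawCsv -OutputPath $CleanCsv
Write-Host "$Count search rows written to $CleanCsv"

# Preview first; run Execute-SDPurgeRequest ... -Fuzzy only after checking the discovery mailbox
New-SDSearchRequest -TicketNumber INC0012345 -Requester analyst@example.com -CsvFilePath $CleanCsv -Fuzzy
```

Splitting is deliberately limited to the Recipient column: a separator inside MessageID or Sender almost always means a pasted-together cell, and silently splitting it would widen the purge.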
If you need to purge a specific email and don't wish to supply a CSV input, you can perform a fuzzy search with the following commands.
- Create the workspace.
> $NewWorkspace = New-SDWorkspace -TicketNumber <TicketNumber>
- Assign permissions to the workspace so you can review the results.
> $NewWorkspace | Add-MailboxPermission -User <[email protected]> -AccessRights FullAccess
- Perform the preview search. NOTE: If the subject contains any apostrophes ('), you must escape them (`'), otherwise they will cause unreliable behavior.
> New-SDSearch -TicketNumber <TicketNumber> -Fuzzy -FuzzySender <[email protected]> -FuzzyRecipient <[email protected]> -FuzzySubject '<Subject>'
- After you review the results, perform the purge with the following command.
> New-SDSearch -TicketNumber <TicketNumber> -Fuzzy -FuzzySender <[email protected]> -FuzzyRecipient <[email protected]> -FuzzySubject '<Subject>' -Delete
- Remove the workspace.
> Remove-SDWorkspace -TicketNumber <TicketNumber>
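The five manual steps above are easy to run out of order, and a forgotten apostrophe escape or a workspace left behind after a failed search are the usual mistakes. The function below is an added example, not part of the module: it wraps the steps so the subject is escaped automatically, the preview always runs before the purge, the purge only happens after an explicit confirmation (or is shown without running under -WhatIf), and the workspace is removed even when a step fails. The module cmdlets it calls (New-SDWorkspace, New-SDSearch, Remove-SDWorkspace) are those documented above; the function name and parameters are placeholders.

```powershell
# Added example (not part of the EmailSearchAndDestroy module): the manual fuzzy
# search-and-destroy steps as one guarded function. Cmdlet names are taken from the README;
# the function name and its parameters are placeholders.

function Invoke-SDManualFuzzyPurge {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $TicketNumber,
        [Parameter(Mandatory)] [string] $Reviewer,        # mailbox user who will review the preview
        [Parameter(Mandatory)] [string] $FuzzySender,
        [Parameter(Mandatory)] [string] $FuzzyRecipient,
        [Parameter(Mandatory)] [string] $FuzzySubject
    )
    # Escape apostrophes as the README requires (backtick before each '), without doubling up
    # ones the caller already escaped. In a double-quoted string `` yields a literal backtick.
    $Escaped = $FuzzySubject -replace "(?<!``)'", "``'"

    $Workspace = New-SDWorkspace -TicketNumber $TicketNumber
    try {
        $Workspace | Add-MailboxPermission -User $Reviewer -AccessRights FullAccess

        # Preview: populates the discovery mailbox, deletes nothing
        New-SDSearch -TicketNumber $TicketNumber -Fuzzy -FuzzySender $FuzzySender `
            -FuzzyRecipient $FuzzyRecipient -FuzzySubject $Escaped
        Write-Host "Review the preview in the discovery mailbox for ticket $TicketNumber before answering the prompt."

        # Purge only on explicit confirmation; ConfirmImpact High makes ShouldProcess prompt by default
        if ($PSCmdlet.ShouldProcess("messages matching '$FuzzySubject' from $FuzzySender", 'Purge (cannot be undone)')) {
            New-SDSearch -TicketNumber $TicketNumber -Fuzzy -FuzzySender $FuzzySender `
                -FuzzyRecipient $FuzzyRecipient -FuzzySubject $Escaped -Delete
        }
    }
    finally {
        # Always tear the workspace down, whether the purge ran, was declined, or a step failed
        Remove-SDWorkspace -TicketNumber $TicketNumber
    }
}

# Usage (placeholder values). The subject contains an apostrophe, which the function escapes itself.
Invoke-SDManualFuzzyPurge -TicketNumber INC0012345 -Reviewer analyst@example.com `
    -FuzzySender spam@example.net -FuzzyRecipient alice@example.com -FuzzySubject "You've won"
```

Run it once with -WhatIf to see the purge call that would be made without executing it; the preview search and the workspace cleanup still run in that mode.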