Handling Hacked Accounts and Purging Emails in M365

Overview

Block Unwanted Emails

Objective: Prevent sending or receiving emails from specific external email addresses or domains.

Action: Navigate to the Tenant Allow/Block List in the Microsoft Security Center. Configure the settings to block specific email addresses or domains. For direct access, use this link: Tenant Allow/Block List.
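The same block can be applied from PowerShell, which is useful when several senders or domains turn up during an incident and you want the entries, their notes and a verification step recorded in one script. The following is an added example, not code from the original page; it assumes the ExchangeOnlineManagement module is installed and the account holds a role that can edit the Tenant Allow/Block List, and every address and domain in it is a constructed placeholder.

```powershell
# Added example (not from the original page): block senders and domains in the
# Tenant Allow/Block List from PowerShell instead of the Security Center UI.
# Assumes the ExchangeOnlineManagement module is installed. All addresses and
# domains below are constructed placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # Launches a Modern Authentication window

$blockedSenders = @('payroll-update@mail-example.invalid')
$blockedDomains = @('login-example.invalid')

# ListType Sender accepts both full addresses and bare domains.
# -NoExpiration keeps the entries until removed; -Notes records why the block
# exists so the next analyst can trace it back to the incident.
New-TenantAllowBlockListItems -ListType Sender -Block -Entries $blockedSenders `
    -NoExpiration -Notes 'INC-PLACEHOLDER: phishing sender, blocked during triage'
New-TenantAllowBlockListItems -ListType Sender -Block -Entries $blockedDomains `
    -NoExpiration -Notes 'INC-PLACEHOLDER: phishing domain, blocked during triage'

# Verify the entries actually landed before relying on them
Get-TenantAllowBlockListItems -ListType Sender -Block |
    Where-Object { $_.Value -in ($blockedSenders + $blockedDomains) } |
    Select-Object Value, Action, ExpirationDate, Notes

Disconnect-ExchangeOnline -Confirm:$false
```

Keeping the verification query in the script matters: a typo in an entry fails silently from the analyst's point of view, and the read-back is what proves the block is in place.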

Review Past Week of Sign-In History

Objective: Review sign-in history to identify any unusual user activity.

Action: Access the Azure portal's sign-in history section. Specify the user of interest and examine their sign-in locations and activities. Access the portal here: Azure Sign-In History.
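Reading a week of sign-ins in the portal blade works for one user, but pulling the same data into a table makes unusual countries and brute-force patterns easier to spot. The following is an added example, not code from the original page; it uses Microsoft Graph PowerShell rather than the portal, assumes the Microsoft.Graph.Reports module is installed and that the account can consent to the AuditLog.Read.All and Directory.Read.All scopes, and the user principal name is a constructed placeholder.

```powershell
# Added example (not from the original page): pull the last 7 days of sign-ins
# for one user with Microsoft Graph PowerShell, as an alternative to the Azure
# portal blade. Assumes Microsoft.Graph.Reports is installed and the caller can
# consent to the scopes below. The UPN is a constructed placeholder.
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

$upn   = 'user@contoso.com'
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')

# Graph OData filter: datetimes are unquoted, strings are single-quoted
$filter  = "userPrincipalName eq '$upn' and createdDateTime ge $since"
$signIns = Get-MgAuditLogSignIn -Filter $filter -All

# One row per sign-in with the fields that matter during account triage
$rows = $signIns | ForEach-Object {
    [pscustomobject]@{
        Time      = $_.CreatedDateTime
        IP        = $_.IpAddress
        Country   = $_.Location.CountryOrRegion
        City      = $_.Location.City
        App       = $_.AppDisplayName
        ClientApp = $_.ClientAppUsed
        Result    = if ($_.Status.ErrorCode -eq 0) { 'Success' } else { "Fail($($_.Status.ErrorCode))" }
    }
}
$rows | Sort-Object Time | Format-Table -AutoSize

# Summaries that make anomalies stand out: sign-in countries, and source IPs
# with repeated failures (five or more in the window)
$rows | Group-Object Country | Select-Object Name, Count | Sort-Object Count -Descending
$rows | Where-Object Result -ne 'Success' | Group-Object IP |
    Where-Object Count -ge 5 | Select-Object Name, Count

Disconnect-MgGraph
```

Legacy client protocols show up in the ClientApp column; a successful sign-in from an unfamiliar country through a legacy client is the combination most worth a closer look.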

Define Content Search Criteria

Objective: Search and identify specific emails that need to be removed from your organization.

Action: Utilize the Content Search feature in the Microsoft Compliance center. Define your search criteria to target specific emails. Access Content Search here: Content Search in Compliance Center.

Connect to Exchange Online Management

Preparation: The following steps require PowerShell. Ensure you launch powershell_ise with administrative privileges.

Action: Establish a connection to Exchange Online Management using an elevated PowerShell session.

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned # If not already set.
Install-Module -Name ExchangeOnlineManagement # If not installed.
Import-Module ExchangeOnlineManagement # This is a necessary step.
Connect-IPPSSession # Launches a Modern Authentication Window.

Purge Unwanted Content

Confirmation: Ensure that your content search in the Compliance Center is valid. If the search name isn't visible, it might still be processing.

Get-ComplianceSearch | Sort-Object JobEndTime # Retrieve and sort all compliance searches by job end time.
# or
Get-ComplianceSearch -Identity "05297487" | Select-Object * # Retrieve all stats of only one content search that you know the name of.

Action: Execute a "hard delete" on the identified content based on your search.

New-ComplianceSearchAction -SearchName "name_of_content_search" -Purge -PurgeType HardDelete # Perform a hard delete of the search results.

Status Check: Monitor the progress of the hard delete operation. The names of purge actions are typically appended with _Purge.

Get-ComplianceSearchAction -Identity "name_of_content_search_Purge" | Format-List # Check the status of the purge operation.

Disconnect: End your session with Exchange Online Management.

Disconnect-ExchangeOnline # Disconnect from Exchange Online Management.
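The search definition, the validity check and the purge above are separate manual steps; run end to end they form one script that creates the search, waits for it to complete, shows the per-mailbox hit count before anything is deleted, and then polls the purge action. The following is an added example, not code from the original page. It assumes Connect-IPPSSession has already run and the account holds the Search And Purge role; the search name, sender and subject are constructed placeholders. The re-run loop reflects the documented cap of 10 items removed per mailbox per purge action; removing the previous purge action before creating the next one is the usual practitioner approach and is an assumption here, not a documented API contract.

```powershell
# Added example (not from the original page): create the content search from
# PowerShell, wait for it to finish, review what it matched, then hard-delete
# and poll the purge action. Assumes Connect-IPPSSession has already run.
# Search name, sender and subject are constructed placeholders.
$searchName = "IR-phish-$(Get-Date -Format 'yyyyMMdd-HHmm')"
$query = '(From:"payroll-update@mail-example.invalid") AND (Subject:"Updated payroll")'

New-ComplianceSearch -Name $searchName -ExchangeLocation All -ContentMatchQuery $query | Out-Null
Start-ComplianceSearch -Identity $searchName

# The search is asynchronous; poll until the estimate completes
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $searchName
    Write-Host "Search status: $($search.Status)"
} until ($search.Status -eq 'Completed')

Write-Host "Matched $($search.Items) item(s), $($search.Size) bytes"
if ($search.Items -eq 0) { return }

# Review the per-mailbox breakdown BEFORE purging; SuccessResults is a
# newline-separated string of "Location: ...; Item count: N" entries
$search.SuccessResults -split "`r?`n" | Where-Object { $_ -notmatch 'Item count: 0' }

# Hard delete. A purge action removes at most 10 items per mailbox per run
# (documented limit), so repeat until a round reports nothing purged.
# Assumption: the previous "<search>_Purge" action must be removed before a
# new one with the same name can be created.
$maxRounds  = 5
$actionName = "${searchName}_Purge"
for ($round = 1; $round -le $maxRounds; $round++) {
    if (Get-ComplianceSearchAction -Identity $actionName -ErrorAction SilentlyContinue) {
        Remove-ComplianceSearchAction -Identity $actionName -Confirm:$false
    }
    New-ComplianceSearchAction -SearchName $searchName -Purge -PurgeType HardDelete -Confirm:$false | Out-Null

    do {
        Start-Sleep -Seconds 15
        $action = Get-ComplianceSearchAction -Identity $actionName
        Write-Host "Round ${round}: purge status $($action.Status)"
    } until ($action.Status -eq 'Completed')

    # Results starts with the aggregate "Item count: N" for the whole action,
    # followed by the per-location details; take the first match
    $m = [regex]::Match("$($action.Results)", 'Item count: (\d+)')
    $purged = if ($m.Success) { [int]$m.Groups[1].Value } else { 0 }
    Write-Host "Round ${round}: purged $purged item(s)"
    if ($purged -eq 0) { break }
}
```

The breakdown printed before the purge is the control point: if the query is too broad (a common subject line, a sender that also sends legitimate mail) it shows up there as unexpected mailboxes or counts, and the script can be stopped before any deletion happens.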

Check Inbox Rules

Objective: Review and analyze inbox rules for each user to detect any unusual or unauthorized rules.

Action: Run the following PowerShell script to extract inbox rules for a list of specified user email addresses.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline # Launches a Modern Authentication Window.

# Define an array of user email addresses
$userEmails = @(
    'example-one@contoso.com',
    'example-two@contoso.com',
    'example-three@contoso.com'
)

# Iterate through each user and retrieve their inbox rules
foreach ($userEmail in $userEmails) {
    Write-Host ("Getting inbox rules for: " + $userEmail)
    # Attempt to fetch inbox rules for each user
    try {
        $inboxRules = Get-InboxRule -Mailbox $userEmail
        if ($inboxRules) {
            Write-Host ("Inbox rules for " + $userEmail + ":")
            $inboxRules | Format-List *  # Display all properties of the inbox rules
        } else {
            Write-Host ("No inbox rules found for " + $userEmail + ".")
        }
    } catch {
        Write-Host ("Error retrieving inbox rules for " + $userEmail + ": " + $_.Exception.Message)
    }
}
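Dumping every property of every rule leaves the analyst to read them by hand. The following added example, which is not code from the original page, goes one step further and flags the rule patterns typical of a compromised mailbox: forwarding or redirection to an external domain, silent deletion, moving mail into folders the user rarely opens, and rules with empty or punctuation-only names. It also checks mailbox-level forwarding, which Get-InboxRule does not report. It assumes Connect-ExchangeOnline has already run; the internal domain, the mailboxes and the folder list are constructed placeholders.

```powershell
# Added example (not from the original page): triage inbox rules and mailbox
# forwarding for suspicious patterns rather than printing every property.
# Assumes Connect-ExchangeOnline has already run. Internal domain, mailbox
# addresses and the hiding-folder list are constructed placeholders.
$internalDomains = @('contoso.com')
$userEmails      = @('example-one@contoso.com', 'example-two@contoso.com')
$hidingFolders   = 'RSS|Archive|Junk|Deleted Items|Conversation History'

# Extract SMTP addresses from recipient strings such as "Name [SMTP:a@b.com]"
# and return only those outside the internal domains
function Get-ExternalTargets([object[]]$recipients) {
    foreach ($r in $recipients) {
        if (-not "$r") { continue }
        $addr   = if ("$r" -match '([\w.+-]+@[\w.-]+\.\w+)') { $matches[1] } else { "$r" }
        $domain = ($addr -split '@')[-1]
        if ($internalDomains -notcontains $domain) { $addr }
    }
}

$findings = foreach ($userEmail in $userEmails) {
    try {
        foreach ($rule in Get-InboxRule -Mailbox $userEmail) {
            $reasons = @()
            $targets = Get-ExternalTargets (@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo))
            if ($targets)                                       { $reasons += "forwards externally to $($targets -join ',')" }
            if ($rule.DeleteMessage)                            { $reasons += 'deletes messages' }
            if ("$($rule.MoveToFolder)" -match $hidingFolders)  { $reasons += "moves to $($rule.MoveToFolder)" }
            if ($rule.Name -match '^\W*$')                      { $reasons += 'empty or punctuation-only name' }
            # MarkAsRead on its own is benign; it only matters combined with the above
            if ($rule.MarkAsRead -and $reasons)                 { $reasons += 'and marks as read' }
            if ($reasons) {
                [pscustomobject]@{
                    Mailbox = $userEmail; Rule = $rule.Name; Enabled = $rule.Enabled
                    Reasons = $reasons -join '; '
                }
            }
        }
        # Mailbox-level forwarding is set on the mailbox, not as an inbox rule
        $mbx = Get-Mailbox -Identity $userEmail
        if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
            [pscustomobject]@{
                Mailbox = $userEmail; Rule = '<mailbox forwarding>'; Enabled = $true
                Reasons = "ForwardingSmtpAddress=$($mbx.ForwardingSmtpAddress) " +
                          "ForwardingAddress=$($mbx.ForwardingAddress) " +
                          "DeliverToMailboxAndForward=$($mbx.DeliverToMailboxAndForward)"
            }
        }
    } catch {
        Write-Warning "Could not review $userEmail : $($_.Exception.Message)"
    }
}

$findings | Format-Table -AutoSize
```

A disabled rule is still worth listing: attackers sometimes leave a rule in place and re-enable it later, so the Enabled column is shown rather than used as a filter.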