Data Spillage Playbook Part 1
Do you have a plan on how to permanently delete sensitive data accidentally delivered to your organization through email? If you do not, buckle up, read on and you are welcome!
How To Search and Purge Email Messages
The procedure in this document can only be used to delete items in Exchange Online mailboxes and public folders. It cannot be used to delete content from SharePoint or OneDrive for Business sites.
The Content Search feature can be used to search for and delete an email message from all mailboxes in the organization’s Microsoft 365 tenant. This can help find and remove potentially harmful or high-risk email, such as:
· Messages that contain dangerous attachments or viruses
· Phishing messages
· Messages that contain sensitive data (data spillage use-cases)
Note: Search and purge is a powerful feature that allows anyone who is assigned the necessary permissions to delete email messages from mailboxes in your organization. Limit this capability.
Requirements
1. To run a Content Search: You have to be a member of the eDiscovery Manager role group or be assigned the Compliance Search management role.
2. To delete messages, you have to be a member of the Organization Management role group or be assigned the Search and Purge management role.
3. Security & Compliance Center PowerShell is required to delete messages.
4. A maximum of 10 items per mailbox can be removed at one time.
5. The maximum number of mailboxes in a content search that you can use to delete items by doing a search and purge action is 50,000.
6. Email items in a review set in an Advanced eDiscovery case cannot be deleted by using the procedures in this article.
a. That is because items in a review set are stored in an Azure Storage location, and not in the live service. This means they will not be returned by a content search. To delete items in a review set, delete the Advanced eDiscovery case that contains the review set.
Step 1: Create a Content Search to find the Message(s) to Delete.
Create and run a Content Search to find messages that are to be removed from mailboxes in the organization. The search can be created by either using the Security & Compliance Center or by running the New-ComplianceSearch and Start-ComplianceSearch cmdlets.
Search Tips:
The goal is to narrow the search only to the messages that need to be deleted.
· If the email subject is known, use the email subject in the “Subject” property in the search query.
· If you know the exact date (or date range) of the message, include the Received property in the search query.
· If you know who sent the message, include the From property in the search query.
· Important - Preview the search results to verify that the search returned only the message (or messages) that you want to delete.
· Use the search estimate statistics (displayed in the details pane of the search in the Security & Compliance Center or by using the Get-ComplianceSearch cmdlet) to get a count of the total number of results.
Examples:
This query returns messages that were received by users between April 13, 2016 and April 14, 2016 and that contain the words "action" and "required" in the subject line.
(Received:4/13/2016..4/14/2016) AND (Subject:"Action required")
This query returns messages that were sent by chatsuwloginsset12345@outlook.com and that contain the exact phrase "Update your account information" in the subject line.
(From:chatsuwloginsset12345@outlook.com) AND (Subject:"Update your account information")
Here's an example of using a query to create and start a search by running the New-ComplianceSearch and Start-ComplianceSearch cmdlets to search all mailboxes in the organization:
$Search=New-ComplianceSearch -Name "Remove Phishing Message" -ExchangeLocation All -ContentMatchQuery '(Received:4/13/2016..4/14/2016) AND (Subject:"Action required")'
Start-ComplianceSearch -Identity $Search.Identity
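The following PowerShell script is an added example, not part of the original playbook, that carries the Step 1 tips through in code: it creates and starts the search, waits for it to complete, reads the estimate statistics and the per-mailbox breakdown that Get-ComplianceSearch returns, and runs a preview action so the hits can be inspected before anything is purged. It assumes an existing Connect-IPPSSession connection (Step 2); the search name, sender address, subject and dates are constructed placeholders.

```powershell
# Added example, not part of the original playbook. Assumes Connect-IPPSSession has
# already been run (Step 2). Search name, sender, subject and dates are constructed.
$SearchName = "Spillage-TICKET-0001"
$Query      = '(From:sender@example.com) AND (Subject:"Q3 payroll export") AND (Received:1/10/2024..1/11/2024)'

# Scope to every Exchange mailbox; the description records why the search exists.
$Search = New-ComplianceSearch -Name $SearchName -ExchangeLocation All `
            -ContentMatchQuery $Query -Description "Data spillage, ticket TICKET-0001"
Start-ComplianceSearch -Identity $Search.Identity

# Poll until the search completes (Status goes Starting -> InProgress -> Completed).
do {
    Start-Sleep -Seconds 15
    $Search = Get-ComplianceSearch -Identity $SearchName
} while ($Search.Status -ne "Completed")

# Estimate statistics: total hits, and how many are unindexed (a purge will skip those).
"{0} item(s) matched; {1} unindexed" -f $Search.Items, $Search.UnindexedItems

# Per-mailbox breakdown. SuccessResults is a text report with one line per location:
#   {Location: user@contoso.com, Item count: 3, Total size: 45678}
$PerMailbox = foreach ($Line in ($Search.SuccessResults -split '[\r\n]+')) {
    if ($Line -match 'Location: (?<Loc>[^,]+), Item count: (?<Num>\d+)' -and [int]$Matches.Num -gt 0) {
        [pscustomobject]@{ Mailbox = $Matches.Loc; Items = [int]$Matches.Num }
    }
}
$PerMailbox | Sort-Object Items -Descending | Format-Table -AutoSize

# Preview the hits (location, sender, subject, received time) so the query can be
# tightened if it caught unrelated mail. The action is named "<SearchName>_Preview".
New-ComplianceSearchAction -SearchName $SearchName -Preview | Out-Null
do {
    Start-Sleep -Seconds 10
    $Preview = Get-ComplianceSearchAction -Identity "${SearchName}_Preview"
} while ($Preview.Status -ne "Completed")
$Preview | Format-List Results
```

If the per-mailbox table or the preview shows anything other than the spilled message, tighten the query with Set-ComplianceSearch and re-run it before moving on; the purge in Step 3 acts on whatever the search returns.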
Step 2: Connect to Security & Compliance Center PowerShell
a. Connect to Security & Compliance Center PowerShell for your organization (replace <admin-upn> with the administrator's user principal name):
Connect-IPPSSession -UserPrincipalName <admin-upn> -ConnectionUri https://ps.compliance.protection.office365.us/powershell-liveid/
b. After you have connected to Security & Compliance Center PowerShell, run the New-ComplianceSearch and Start-ComplianceSearch cmdlets, using the parameters for the results you want. See example in step 1.
c. Use Get-ComplianceSearch to get a summary list of all compliance searches.
d. Use Get-ComplianceSearch -Identity "Case 1234" | Format-List to get the details of a specific search.
Step 3: Delete the Message
After you have created and refined a Content Search to return the message that you want to remove and are connected to Security & Compliance Center PowerShell, the final step is to run the New-ComplianceSearchAction cmdlet to delete the message.
You can soft- or hard-delete the message. A soft-deleted message is moved to a user's Recoverable Items folder and retained until the deleted item retention period expires. Hard-deleted messages are marked for permanent removal from the mailbox and will be permanently removed the next time the mailbox is processed by the Managed Folder Assistant (default is one day but may be run on-demand). If single item recovery is enabled for the mailbox (In Microsoft 365, single item recovery is enabled by default when a new mailbox is created), hard-deleted items will be permanently removed after the deleted item retention period expires. If a mailbox is placed on hold, deleted messages are preserved until the hold duration for the item expires or until the hold is removed from the mailbox.
In the following example, the command soft deletes the search results returned by a Content Search named "Remove Phishing Message":
New-ComplianceSearchAction -SearchName "Remove Phishing Message" -Purge -PurgeType SoftDelete
To hard-delete the items returned by the "Remove Phishing Message" content search, you would run this command:
New-ComplianceSearchAction -SearchName "Remove Phishing Message" -Purge -PurgeType HardDelete
To get the status of the delete job, run Get-ComplianceSearchAction.
Other Notes:
The New-ComplianceSearchAction -Purge command does not delete unindexed items.
To understand partially indexed items, see these URLs:
Step 4: Delete Items from the Recoverable Items Folder and Subfolders.
See reference [8] at the end of this document for details on this step.
Step 5: Disconnect from EXO V2
Run this command to disconnect from Exchange Online:
Disconnect-ExchangeOnline
Run this command to disconnect from Security & Compliance PowerShell:
Get-PSSession | Remove-PSSession
Step 6: Confirm that the Emails are Deleted.
Check each of the emails in scope that were deleted and confirm they no longer exist, both in the affected user mailbox(es) and in a re-run of the content search.
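Putting Step 3 and Step 6 together, the following PowerShell script is an added example, not the playbook's own code. It purges the hits of an existing content search in rounds, because each purge action removes at most 10 items per mailbox (Requirement 4), stops when a round purges nothing, and then re-runs the search so the final count serves as the Step 6 confirmation. It assumes an active Connect-IPPSSession connection (Step 2) and a search created and previewed as in Step 1; the search name is a constructed placeholder, and the Wait-ComplianceStatus and Invoke-PurgeRound helper functions are mine.

```powershell
# Added example, not part of the original playbook. Assumes Connect-IPPSSession has been
# run (Step 2) and that the search was created and previewed as in Step 1.
$SearchName = "Spillage-TICKET-0001"   # constructed placeholder
$PurgeType  = "SoftDelete"             # or "HardDelete"; see Step 3 on retention and holds
$MaxRounds  = 20                       # cap: each round removes at most 10 items per mailbox

function Wait-ComplianceStatus {
    # Re-fetches a search or action with the supplied script block until Status is Completed.
    # The initial sleep lets a just-issued Start/New call register before the first read.
    param([scriptblock]$Fetch, [int]$Seconds = 15)
    do {
        Start-Sleep -Seconds $Seconds
        $Object = & $Fetch
    } while ($Object.Status -ne "Completed")
    return $Object
}

function Invoke-PurgeRound {
    # Runs one purge action and returns how many items it removed. The action is always
    # named "<SearchName>_Purge", so the previous round's action is removed first.
    param([string]$Name, [string]$Type)
    if (Get-ComplianceSearchAction -Identity "${Name}_Purge" -ErrorAction SilentlyContinue) {
        Remove-ComplianceSearchAction -Identity "${Name}_Purge" -Confirm:$false
    }
    New-ComplianceSearchAction -SearchName $Name -Purge -PurgeType $Type -Confirm:$false | Out-Null
    $Action = Wait-ComplianceStatus { Get-ComplianceSearchAction -Identity "${Name}_Purge" }
    # Results is a text report; its first "Item count: N" is the total purged this round.
    # If the report has no count (for example, nothing left to purge) the round counts as 0.
    $Match = [regex]::Match([string]$Action.Results, 'Item count: (\d+)')
    if ($Match.Success) { return [int]$Match.Groups[1].Value } else { return 0 }
}

$Round = 0
do {
    $Round++
    $Purged = Invoke-PurgeRound -Name $SearchName -Type $PurgeType
    Write-Host ("Round {0}: {1} item(s) purged ({2})" -f $Round, $Purged, $PurgeType)
} while ($Purged -gt 0 -and $Round -lt $MaxRounds)

# Step 6 check: re-run the search so its count reflects the live mailboxes, then report.
Start-ComplianceSearch -Identity $SearchName
$Search = Wait-ComplianceStatus { Get-ComplianceSearch -Identity $SearchName }
if ($Search.Items -eq 0) {
    Write-Host ("Confirmed: no items matched after {0} round(s)." -f $Round)
} else {
    # Remaining hits may be unindexed items (see Other Notes), items preserved by a hold,
    # or deleted copies still sitting in Recoverable Items until Step 4 clears them.
    Write-Warning ("{0} item(s) still matched ({1} unindexed) after {2} round(s)." -f `
        $Search.Items, $Search.UnindexedItems, $Round)
}
```

For the mailbox-side half of Step 6, an Exchange Online session (Connect-ExchangeOnline) can show where a soft-deleted copy went with Get-RecoverableItems -Identity <mailbox> -SubjectContains "<subject>" -FilterItemType IPM.Note; that cmdlet belongs to Exchange Online, not to the Security & Compliance cmdlets used above, so run it before the Step 5 disconnect.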
Reference:
[2] https://docs.microsoft.com/en-us/microsoft-365/compliance/content-search?view=o365-worldwide (about content search beyond Exchange/emails)
[3] https://docs.microsoft.com/en-us/compliance/assurance/assurance-exchange-online-data-deletion (soft/hard delete)
[5] https://docs.microsoft.com/en-us/compliance/assurance/assurance-data-immutability
[6] https://docs.microsoft.com/en-us/compliance/assurance/assurance-data-destruction (data destruction)
[8] Clean up or delete items from the Recoverable Items folder in Exchange Online | Microsoft Docs