SecurityBreach

From Piszczynski


Email Security breach

For any compromised account or security breach, do the following:

  • disable the account in local AD, and in Azure AD if the setup is hybrid
  • identify the affected device or server and remove it from any network it is attached to
  • start AV scans with the tools available

Then check through the logs to find where the account has logged in and any other servers that could be affected.

Follow this guide: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide

O365 Mail security

If a malicious email has been sent and you need to remove it from some or all mailboxes in O365 Exchange, you can use the compliance tool.

The compliance tool uses the Exchange Online PowerShell module.

Connect to the compliance tool with the following cmdlet; it connects in the same way as Exchange Online:

  • Connect-IPPSSession -UserPrincipalName <username@domain.com>

Then create a compliance search to identify the emails you need, e.g.:

  • New-ComplianceSearch -Name "<name for search>" -ContentMatchQuery "<words to match in email>" -ExchangeLocation All

The Exchange location can instead be specified as the domain, a security group or a specific mailbox; there are several options.

You will then need to start the compliance search:

  • Start-ComplianceSearch -Identity "<name of compliance search>"

You can check the progress (the Status field) with:

  • Get-ComplianceSearch

To see the details of the search you can use the following (output to file for easier reading):

  • Get-ComplianceSearch -Identity "<compliance search name>" | Format-List | Out-File C:\temp\searchresults.txt

To complete the deletion of the emails use the following command (the purge is irreversible, so review the search results and item count first; a purge action removes at most 10 items per mailbox, so repeat it for larger runs):

  • New-ComplianceSearchAction -SearchName "<search name>" -Purge -PurgeType HardDelete
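As an added example that is not part of the original page, the whole procedure above scripted end to end in PowerShell: it polls the search until it completes, writes the result record to file, and stops for an explicit confirmation before the hard-delete purge. The UPN, search name, KQL query and output path are placeholder assumptions.

```powershell
# Added example (not from the original page): runs the page's compliance-search
# procedure end to end with a poll loop and an explicit item-count check before
# the irreversible purge. UPN, search name, query and report path are placeholders.
param(
    [string]$Upn        = 'admin@example.com',          # placeholder admin account
    [string]$SearchName = 'IR-phish-placeholder',       # placeholder search name
    # Placeholder KQL query; compliance search accepts from:/subject: properties
    [string]$Query      = 'from:"sender@example.com" AND subject:"Urgent invoice"',
    [string]$ReportPath = 'C:\temp\searchresults.txt'
)

# Same connection the page uses (needs the Exchange Online PowerShell module)
Connect-IPPSSession -UserPrincipalName $Upn

# Create and start the search across all mailboxes
New-ComplianceSearch -Name $SearchName -ExchangeLocation All -ContentMatchQuery $Query | Out-Null
Start-ComplianceSearch -Identity $SearchName

# Poll until the search finishes instead of re-running Get-ComplianceSearch by hand;
# give up after 40 polls (10 minutes) so a stuck search cannot loop forever
$attempt = 0
do {
    Start-Sleep -Seconds 15
    $attempt++
    $search = Get-ComplianceSearch -Identity $SearchName
    Write-Host ("Status: {0}  Items so far: {1}" -f $search.Status, $search.Items)
} while ($search.Status -ne 'Completed' -and $attempt -lt 40)

# Keep the full result record for the incident file, as the page suggests
$search | Format-List | Out-File -FilePath $ReportPath

# Sanity check before purging: zero matches (or far more than the phishing run
# you expect) usually means the query is wrong, not that you are done
if ($search.Status -ne 'Completed' -or $search.Items -eq 0) {
    Write-Warning "Search did not complete or matched no items; check the query before purging."
    return
}
Write-Host ("Search matched {0} items. Review {1}, then confirm the purge." -f $search.Items, $ReportPath)
$answer = Read-Host "Type PURGE to hard-delete these messages"
if ($answer -ne 'PURGE') { return }

# Purge, then track the resulting action (it is named '<search name>_Purge').
# A purge removes at most 10 items per mailbox per action, so large runs need repeating.
New-ComplianceSearchAction -SearchName $SearchName -Purge -PurgeType HardDelete -Confirm:$false
Get-ComplianceSearchAction -Identity "${SearchName}_Purge" | Format-List Name, Status, Results
```

Re-run the final two cmdlets until the action's Results report no further items removed, keeping each report for the incident record.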