Today we had a mass of emails sent to users that managed to bypass the spam filter – hooray!
In order to stop users from opening the (virus) attachment, we decided it would be prudent to remove the emails from their mailboxes.
In order to perform this search and delete, you need to be a member of the ‘Mailbox Import Export’ group within AD. This Exchange PowerShell command grants this right to you:
New-ManagementRoleAssignment -Role "Mailbox Import Export" -User "Administrator"
Once you have done this, close and reopen the Exchange Shell and enter the following:
Search-Mailbox -SearchQuery 'Subject:"searchforthisinsubject"' -DeleteContent -Identity "firstname.lastname@example.org"
This will perform a search of the ‘testuser’ mailbox and delete any emails with ‘searchforthisinsubject’ in the subject.
Note: there is no per-email confirmation – Microsoft has an article describing how to log the search results to a mailbox instead, but for this example I just wanted to remove the emails. http://technet.microsoft.com/en-us/library/ff459253(v=exchg.150).aspx
Once you’re sure you’ve got the right search query, modify the PowerShell line by adding ‘Get-Mailbox | ‘ at the start and removing ‘-Identity …’ from the end:
Get-Mailbox | Search-Mailbox -SearchQuery 'Subject:"searchforthisinsubject"' -DeleteContent
PowerShell will ask you per mailbox if you want to proceed, but it won’t actually delete any messages until you’ve said yes/no to each mailbox.
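Because there is no per-email confirmation, it helps to count the matches before deleting anything. The following is an added example, not part of the original post: it uses Search-Mailbox's -EstimateResultOnly switch for a dry run, then deletes only from mailboxes that had hits. The -ResultSize Unlimited argument and the $maxPerMailbox threshold are assumptions added here; the subject string is the article's placeholder.

```powershell
# Added example: run in the Exchange Management Shell with the
# "Mailbox Import Export" role already assigned (see above).
$query = 'Subject:"searchforthisinsubject"'   # placeholder subject from the article

# 1. Dry run: count matching items per mailbox. Nothing is copied or deleted.
$hits = Get-Mailbox -ResultSize Unlimited |
    Search-Mailbox -SearchQuery $query -EstimateResultOnly |
    Where-Object { $_.ResultItemsCount -gt 0 }

# 2. Review which mailboxes are affected and how many items each holds.
$hits | Sort-Object ResultItemsCount -Descending |
    Format-Table Identity, ResultItemsCount, ResultItemsSize -AutoSize

# 3. Sanity check: a spam run normally lands a few copies per mailbox.
#    A much larger count suggests the query also matches legitimate mail.
$maxPerMailbox = 5   # assumed threshold, adjust to the incident
$tooBroad = $hits | Where-Object { $_.ResultItemsCount -gt $maxPerMailbox }

if ($tooBroad) {
    Write-Warning "Query matches more than $maxPerMailbox items in some mailboxes; tighten it before deleting:"
    $tooBroad | Format-Table Identity, ResultItemsCount -AutoSize
}
elseif (-not $hits) {
    Write-Output "No mailbox contains a matching message."
}
else {
    # 4. Delete only from the mailboxes that had hits. -Force is deliberately
    #    omitted, so the per-mailbox confirmation prompt still appears.
    foreach ($hit in $hits) {
        Search-Mailbox -Identity $hit.Identity -SearchQuery $query -DeleteContent
    }
}
```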