Office365 Message Purge

by Vince

We are seeing a ton of email account compromises that originate from known sources. In other words, a vendor, a customer, or an acquaintance gets compromised. Frequently, the attacker will reply to an existing email thread between the known source and you and add an attachment or a link. In the latter scenario, the link typically leads to a fake credentials page. This type of attack is so common that we're seeing it several times per week. It will only get worse.

With the credentials attack, two-factor authentication (2fa) will typically stop this in its tracks.  You can steal credentials all day long but bypassing 2fa is a much bigger challenge.  And honestly, it's not worth it to the attacker unless the victim has been specifically targeted -- typically not the case.

Convincing some clients to use 2fa is similar to herding cats.  It boils down to the fact that they don't perceive a threat, they feel like a username and password have worked thus far and it should continue to work.  Until it doesn't. 

We had such an incident yesterday. The attacker compromised an email account for our client, began mass-mailing everyone in and out of the organization, covered their tracks with an Outlook rule, and what followed was the clean-up process. Fortunately, in Office365, we can take advantage of built-in functionality that allows us to perform a clean-up across the entire mail system.

As an example, I send an email like what you see below:



Before we can effectively go through this process, we need to grant permissions to our administrator user account:


We choose the Permissions option and we select the eDiscovery Manager:



Choose Edit on eDiscovery Manager:



We can Choose eDiscovery Administrator:



We add a user and when we're finished, we see our account listed:



And finally, when we're finished:



Under Security & Compliance, we choose Search and then Content search:



We then choose Guided search:



Provide a name for our search, make this somewhat unique (this will make sense later):



We need to enable the locations.  This first option is all that's required for what we're trying to accomplish:



We want to add a condition:



You could obviously fine tune this but generically, if we have an easily identifiable subject, that is all we need:



For our target emails, we enter the subject line from the email at the top of this post:



When we choose finish, the search begins:



The reason we set the eDiscovery permission at the start is that, without it, this screen renders blurred. With the permission set, we can view the messages:



We see two instances because one is in sent and the other is in the inbox.

From the admin console, we have the ability to remove these messages but I seem to recall this not working all that great sometimes.  I'm showing it here for reference but I'm going to use PowerShell to remove the messages which seems to work consistently and faster.



Again, if we were going that route and selected Delete, we're brought to this screen:



I would also point out that when you perform this search, the administrator account receives a notification, which serves as a sanity check -- at least that's what I think. You won't want just anyone searching for messages.



Alright, moving on to the PowerShell option.  Here are all of the commands, screenshots and explanation to follow:

$UserCredential = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

Import-PSSession $Session

Get-ComplianceSearchAction

New-ComplianceSearchAction -SearchName "Delete Malicious Email" -Purge -PurgeType SoftDelete

The first command captures the Office365 credentials:



We enter the admin creds:



This next option shows us the search we created:



Finally, we're deleting the messages. Obviously, this is MY search; you need to change the SearchName to match YOUR search. The SoftDelete option removes the messages from their existing location and they will NOT appear in the Deleted Items folder. However, the messages can still be retrieved, I believe for 90 days, which is the recovery window for messages deleted from the Deleted Items folder.



While the purge is in progress, I believe the status is "Starting". How long it takes to finish depends on a number of factors, but in a small business with a large amount of email, we're talking minutes at most.
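As an added example (my own script, not part of the original post), here is the whole workflow from the PowerShell session above scripted end to end: create the content search from PowerShell instead of the guided search, wait for it, sanity-check the hit count before purging, then run the SoftDelete purge and poll its status. It assumes Import-PSSession $Session has already been run by an account holding the eDiscovery Administrator role; the search name, subject line and hit-count ceiling are placeholders you replace.

```powershell
# Added example, not from the original post. Assumes the Security & Compliance
# session from the commands above is already imported into this shell.
$SearchName  = "Delete Malicious Email"          # placeholder: make it unique per incident
$Subject     = "REPLACE WITH THE SUBJECT LINE"   # placeholder: subject of the malicious message
$MaxExpected = 200                               # placeholder: more hits than this means the query is too broad

# KQL query matching on subject only, the same condition the guided search used.
$Query = 'subject:"' + $Subject.Replace('"', '\"') + '"'

# Create the search across all Exchange mailboxes and start it.
New-ComplianceSearch -Name $SearchName -ExchangeLocation All -ContentMatchQuery $Query | Out-Null
Start-ComplianceSearch -Identity $SearchName

# Poll until the search completes (Status goes Starting -> InProgress -> Completed).
do {
    Start-Sleep -Seconds 10
    $Search = Get-ComplianceSearch -Identity $SearchName
} while ($Search.Status -ne "Completed")
Write-Host ("Search '{0}' matched {1} item(s)" -f $SearchName, $Search.Items)

# Sanity checks before destroying anything: no hits means the subject is wrong,
# too many hits means the subject is generic enough to catch legitimate mail.
if ($Search.Items -eq 0) {
    Write-Warning "No matches. Verify the subject line before purging."
    return
}
if ($Search.Items -gt $MaxExpected) {
    Write-Warning "More matches than expected. Review the search results in the portal before purging."
    return
}

# SoftDelete removes the messages from their folders but keeps them recoverable.
New-ComplianceSearchAction -SearchName $SearchName -Purge -PurgeType SoftDelete -Confirm:$false | Out-Null

# The purge action is named "<SearchName>_Purge"; poll it the same way.
do {
    Start-Sleep -Seconds 10
    $Action = Get-ComplianceSearchAction -Identity "${SearchName}_Purge"
} while ($Action.Status -ne "Completed")
Write-Host "Purge status: $($Action.Status)"
```

A purge action removes at most 10 matching items per mailbox per run, so if a mailbox received more copies than that, check the search again after the action completes and repeat the purge.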