This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(313.6, 68%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESR%3C/text%3E%3C/svg%3E)
Hi Team,
I am trying to write a script, please excuse me for my mistakes on syntax just thinking a loud on my target to achieve.
As soon as we get a spam/Phishing email to organisation-> I would like to trace it-> create a new-compliance search with name Spam-Phishing-(Presentdaysdate) but exchange locations on only on receipients list-> start compliance search Spam-Phishing-(Presentdaysdate)-> New compliance search action with mycontent match query-> purge softdelete-> Export the message trace for my reference.
I am conveying my logic below, Please correct if any syntax is wrong in below one's or can suggest any simplify method.
You can also suggest if anything important I need to look at or take care of.
$Date1 = (Get-Date).AddDays(-2)
$Date2 = (Get-Date).AddDays(-0)
$Recipients=Get-MessageTrace -SenderAddress *@domain.com -StartDate $date1 -EndDate $date2 | select RecipientAddress
New-ComplianceSearch -Name "Spam-Phishing.$date2" -ExchangeLocation $Recipients -ContentMatchQuery 'sender:"*@domain.com"'
Start-ComplianceSearch
(Not sure how can I wait here untill the search completes)
New-ComplianceSearchAction -SearchName "Spam-Phishing.$date2" -Purge -PurgeType SoftDelete
Get-MessageTrace -SenderAddress *@domain.com -StartDate $date1 -EndDate $date2 | Export-csv $Date2.csv
Honestly, I don't see how this could really work well for the amount of SPAM and Phishing most orgs get.
If you don't have it licensed , https://learn.microsoft.com/en-us/office365/servicedescriptions/office-365-advanced-threat-protection-service-description, it might be worth considering and let it do all the work for you.
Having said that, your error is because the recipient column in that csv needs to be extracted from that csv.
Assuming your column in that csv for the mailbox is "RecipientAddress"
Something like :
$Recipients | % {New-ComplianceSearch -Name "Spam-Phishing.$date2" -ExchangeLocation $_.RecipientAddress -ContentMatchQuery 'sender:"*@keyman .com"' }
Note that using the sender as a query filter will probably include a lot of false positives.
Also, since multiple mailboxes will prob be passed in the -ExchangeLocation field, you will need split those out and put a comma between the mailbox names.
See https://social.technet.microsoft.com/Forums/office/en-US/556517cb-f135-4587-80f2-deba7d1d34c9/importcsv-with-a-column-that-needs-to-be-multivalued?forum=ITCG
Bottom Line:, In my opinion, the compliance search command is not a good incident response tool for phish and SPAM given the amount of messages that you will potentially be searching for and handling. I would look at the built-in ATP features.
Thank You Andy, Sorry for the delayed response.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 67%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
Please note that Get-MessageTrace is applied to Exchange Online, Exchange Online Protection
New-ComplianceSearch is applied to Office 365 Security & Compliance Center
You may need to export the recipients and re-import them to the compliance powershell.
In addition, add a variable like below
$Search = New-ComplianceSearch -Name "Spam-Phishing.$date2"
Start-ComplianceSearch $Search.identity
Explained my query more better, need help on including multiple email addresses in exchange search location
enter code here
I am not able to enter complete code here it says, 1000 characters exceeded
Hi @Sriman Rao
As rightly mentioned by AD-7937, you shouldn't be using eDiscovery in Exchange or Compliance center as a tool to purge real time incidents, issues reported to you.
Microsoft has a better tool, which does this work automatically for you and minimal user intervention.
Threat Explorer (and real-time detections)
Steps:
It usually completes everything in 30mins to 1hr for around 3k emails. However the report does take time to showup. (In Review). If you have more than 10000 matches, break the search by date or some filter to reduce it below that.
Once complete you can do a eDiscovery report to check the email's current location too to be doubly sure.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(230.39999999999998, 12%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
(Not sure how can I wait here untill the search completes)
how did i do it...
$Search = New-ComplianceSearch -Name "Content_Search" -ExchangeLocation all -ContentMatchQuery "sent>=$($StartTime) AND sent<=$($EndTime) AND sender:$($Sender) AND subject:$($Subject)"
Start-ComplianceSearch -Identity $Search.Identity
Write-Host
Write-Host Strart search from $Sender
While ($status.Status -ne "Completed")
{
$status = Get-ComplianceSearch -Identity Content_Search
Write-Host Status: $status.Status "Working on it..." -ForegroundColor Yellow
Start-sleep 60
}
if ($status.Status -eq "Completed")
{
Write-Host "Search Completed!" -ForegroundColor Green
$status
}
New-ComplianceSearchAction -SearchName "Content_Search" -Purge -PurgeType SoftDelete