In this case security office has sent notification, that potentially malicious email that bypassed antimalware protection has to be removed from user's mailboxes. In order to find out who has received the specified email (the sender of the malicious email was provided in the escalation information from the security office), in case of multirole exchange servers, I've checked the message tracking logs using following syntax:
Fortunately, the number of users that have received the specified email message were few. Knowing the affected users, removing the email message from their mailbox can be done using Search-Mailbox cmdlet. For running the Search-Mailbox cmdlet, the user running this cmdlet must be a member of Discovery Management role group.
For example, to search the affected mailbox for the message with sender "malicioussender@domain.some" and send the results log to some auditor's mailbox (messages are not removed from the affected mailbox):
In order to delete the message from the affected mailbox, Search-Mailbox has DeleteContent parameter. For using the DeleteContent parameter, user running the search-mailbox cmdlet, also has to have the Mailbox Import Export management role assigned.
For assigning Mailbox Import Export Role to a Role Group, please follow the TechNet article https://technet.microsoft.com/en-us/library/ee633452(v=exchg.141).aspx .
Now, it's time to remove the messages from affected mailbox, and copy them auditor's mailbox:
Messages were successfully deleted from affected mailbox, and copied to a auditor's mailbox.
Get-ExchangeServer | Get-MessageTrackingLog -start (Get-date).AddDays(-1) -End (Get-date) -ResultSize unlimited -eventid deliver -Sender "malicioussender@domain.some"
Fortunately, the number of users that have received the specified email message were few. Knowing the affected users, removing the email message from their mailbox can be done using Search-Mailbox cmdlet. For running the Search-Mailbox cmdlet, the user running this cmdlet must be a member of Discovery Management role group.
For example, to search the affected mailbox for the message with sender "malicioussender@domain.some" and send the results log to some auditor's mailbox (messages are not removed from the affected mailbox):
Search-Mailbox -Identity "user@affected.maibox" -SearchQuery 'From: "malicioussender@domain.some"' -TargetMailbox "auditor@mailbox.domain" -TargetFolder "SearchUsersLogs" -LogOnly -LogLevel Full
In order to delete the message from the affected mailbox, Search-Mailbox has DeleteContent parameter. For using the DeleteContent parameter, user running the search-mailbox cmdlet, also has to have the Mailbox Import Export management role assigned.
For assigning Mailbox Import Export Role to a Role Group, please follow the TechNet article https://technet.microsoft.com/en-us/library/ee633452(v=exchg.141).aspx .
Now, it's time to remove the messages from affected mailbox, and copy them auditor's mailbox:
Search-Mailbox -Identity "user@affected.maibox" -SearchQuery 'From: "malicioussender@domain.some"' -TargetMailbox "auditor@mailbox.domain" -TargetFolder "SearchUsersLogs" -DeleteContent
Messages were successfully deleted from affected mailbox, and copied to a auditor's mailbox.