Search for and delete phishing emails on an Exchange server

Deleting phishing emails can help reduce exposure to a specific attack across an organization. You can manage phishing emails on an Exchange Server by searching for them, confirming the results, and deleting them.

Before you begin

Role required: sn_si.basic

You can determine how many users were targeted by a phishing attack by running an Exchange Server search from the associated security incident record.

Supported software:
  • Microsoft® Exchange Server 2010

About this task

Workflows use this feature to run a query against an Exchange Server. The search identifies all emails belonging to a phishing attack and returns either the total number of matching emails or the details of each matching email.

Procedure

  1. Navigate to Security Incident > Show Open Incidents.
  2. Choose a security incident.
  3. Choose Exchange Search from the Related List.
    (Figure: Exchange Search related link)
  4. Click New or Edit.
  5. Fill in the fields, as appropriate.
    Table 1. Create Exchange email search group
    Field                Description
    Name                 Name of the search query.
    Description          Describe what the search query is looking for.
    Query result         Governs which results are returned and which workflows are triggered by the buttons on the form. Choices are:
                         Return count: returns the total number of phishing emails discovered on the Exchange Server.
                         Return details: returns details of each phishing email discovered on the Exchange Server, such as the date received, read status, recipient, and message ID.
    Query from criteria  A preview of the query that runs on the Exchange Server, generated from all active search criteria records associated with this search.
  6. Click Submit.
    The Exchange Search Criteria Related List appears.
    (Figure: Exchange Search Criteria related list)
  7. Click New.
  8. Fill in or edit the fields, as appropriate.
    Table 2. Create Exchange Search Criteria
    Field            Description
    Operator         AND or OR. Defines how this criterion is combined with the others when the search runs on the Exchange Server.
    Search Field     Field to search in the Exchange Server. Choices are:
                     Subject: string. Matches emails whose subject line contains the text.
                     From: full email address, for example jane.doe@abc.com. Cannot be used with Recipient in the same query.
                     Recipient: full email address, for example john.doe@abc.com. Matches the address in the To, Cc, or Bcc field. Cannot be used with From in the same query.
                     Body: string. Matches emails whose body contains the text.
                     Cc: full email address, for example jane.doe@abc.com.
                     Bcc: full email address, for example john.doe@abc.com.
                     Attachment: string. Matches emails that have an attachment whose file name contains the text, or whose contents contain the text. Only plain-text attachments are searched by content.
                     Retention Policy: string.
    Search Text      The text to search for. Single quotation marks, double quotation marks, and colons are not supported.
    Exchange Search  Reference to the Exchange search group that the criteria applies to.
    Order            The order in which the search criteria are assembled into the query.
  9. Click Submit.
  10. Once a search criteria record exists, the Delete from Exchange and Query Exchange buttons appear on the Exchange Search form and in the form header context menu. Clicking either button triggers the workflow associated with it. Run Query Exchange first and check the count or details before you click Delete from Exchange.
    Note: When Query result is set to Return count:
      • Delete from Exchange triggers the Security Incident Response - Search and Delete Threat Emails workflow.
      • Query Exchange triggers the Security Incident Response - Return Total Emails Found in Exchange workflow.
    Note: When Query result is set to Return details:
      • Delete from Exchange triggers the Security Incident Response - Get Threat Email Details and Delete workflow.
      • Query Exchange triggers the Security Incident Response - Return Email Details from Exchange workflow.

    In either deletion case, you are asked to confirm your action. The default is No. Choose Yes, then click Submit.
    (Figure: Deletion confirmation example)
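The page does not describe what the workflows do on the Exchange side. The following is an added example, not ServiceNow's or Microsoft's code, showing how the same four steps (build the query from ordered criteria, return a count, return details, delete) look when typed into the Exchange 2010 Management Shell with Search-Mailbox. It assumes the workflows rely on Search-Mailbox (an assumption, not stated on this page), the criteria values are constructed for illustration, the Search Field to Exchange property mapping is assumed, and DiscoverySearchMailbox is a placeholder for your own discovery mailbox name.

```powershell
# Added example (not ServiceNow's or Microsoft's code). Exchange 2010 counterpart of the
# Query Exchange / Delete from Exchange buttons, using the Exchange Management Shell
# cmdlet Search-Mailbox. The form-field-to-property mapping is an assumption.
# Permissions: Mailbox Search role to search; Mailbox Import Export role as well for -DeleteContent.

# Constructed criteria in the shape of the Exchange Search Criteria records
# (Order, Operator joining this row to the previous ones, Search Field, Search Text).
$criteria = @(
    (New-Object PSObject -Property @{ Order = 100; Operator = 'AND'; Field = 'Subject';    Text = 'Invoice overdue' }),
    (New-Object PSObject -Property @{ Order = 200; Operator = 'AND'; Field = 'From';       Text = 'billing@abc-invoices.example' }),
    (New-Object PSObject -Property @{ Order = 300; Operator = 'OR';  Field = 'Attachment'; Text = 'invoice_2847.htm' })
)

# Search Field -> Exchange search (AQS) property. Assumed mapping; Recipient covers To, Cc and Bcc.
$fieldMap = @{
    'Subject'    = 'subject'
    'From'       = 'from'
    'Recipient'  = 'recipients'
    'Body'       = 'body'
    'Cc'         = 'cc'
    'Bcc'        = 'bcc'
    'Attachment' = 'attachment'
}

function New-PhishingSearchQuery {
    param([Parameter(Mandatory = $true)] [object[]] $Criteria)

    # Rules from the form: From and Recipient are mutually exclusive, and the search text
    # may not contain single quotes, double quotes or colons (they would alter the query).
    $fields = $Criteria | ForEach-Object { $_.Field }
    if (($fields -contains 'From') -and ($fields -contains 'Recipient')) {
        throw 'From and Recipient cannot be used in the same query.'
    }
    $parts = @()
    foreach ($c in ($Criteria | Sort-Object Order)) {
        if ($c.Text -match '[''":]') { throw "Unsupported character in search text: $($c.Text)" }
        if (-not $fieldMap.ContainsKey($c.Field)) { throw "Unknown search field: $($c.Field)" }
        $clause = '{0}:"{1}"' -f $fieldMap[$c.Field], $c.Text
        if ($parts.Count -eq 0) { $parts += $clause } else { $parts += ($c.Operator + ' ' + $clause) }
    }
    # The form offers no grouping, so mixed AND/OR is emitted as written; read the preview carefully.
    return ($parts -join ' ')
}

$query = New-PhishingSearchQuery -Criteria $criteria
Write-Host "Query from criteria: $query"

$mailboxes = Get-Mailbox -ResultSize Unlimited
$discovery = 'DiscoverySearchMailbox'   # placeholder: the name of your discovery mailbox

# Return count: -EstimateResultOnly reports per-mailbox hit counts; nothing is copied or removed.
$estimate = $mailboxes | Search-Mailbox -SearchQuery $query -EstimateResultOnly
$hit      = @($estimate | Where-Object { $_.ResultItemsCount -gt 0 })
$total    = ($estimate | Measure-Object -Property ResultItemsCount -Sum).Sum
Write-Host ("Targeted mailboxes: {0}; matching messages: {1}" -f $hit.Count, $total)

# Return details: -LogOnly writes only a log (CSV of the matching messages) into a folder of
# the discovery mailbox, so analysts review evidence there instead of opening users' mailboxes.
# Drop -LogOnly to copy the messages themselves into that folder as well.
$mailboxes | Search-Mailbox -SearchQuery $query -TargetMailbox $discovery `
    -TargetFolder ('SIR-' + (Get-Date -Format 'yyyyMMdd')) -LogOnly -LogLevel Full

# Delete from Exchange: removes the matches from users' mailboxes. Gate it on a non-zero
# estimate and an explicit confirmation that defaults to No, like the form's dialog.
$answer = Read-Host "Delete $total matching messages from $($hit.Count) mailboxes? [yes/No]"
if ($total -gt 0 -and $answer -eq 'yes') {
    $mailboxes | Search-Mailbox -SearchQuery $query -DeleteContent -Force
}
```

The estimate and log steps are deliberately separated from the delete step: they need only the Mailbox Search role, while -DeleteContent additionally requires Mailbox Import Export, so the account that runs the count does not have to be able to purge mail. Whether purged items remain recoverable afterwards depends on the mailbox's single item recovery and hold settings, so confirm the count before answering yes.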