[GH-ISSUE #186] Feature Request: Remove Malicious Emails from Inboxes/Folders within/across Tenant(s) #107

Closed
opened 2026-03-02 12:03:56 +03:00 by kerem · 8 comments

Originally created by @scubes13 on GitHub (Nov 4, 2021).
Original GitHub issue: https://github.com/KelvinTegelaar/CIPP/issues/186

Is your feature request related to a problem? Please describe.
When a phishing attack targets multiple users at one or more clients, it is often difficult to quickly get rid of the offending emails that were sent to tens or hundreds of users. These emails are just sitting in Inboxes and/or other folders.

Describe the solution you'd like
It would be great to be able to identify an offending email (not sure how to suggest this would look in CIPP) and have the system look for an identical email across tenants that could then be placed into Quarantines, deleted or some other action (whatever is the best practice/suggestion of you all).

kerem 2026-03-02 12:03:56 +03:00

@freezscholte commented on GitHub (Nov 4, 2021):

@scubes13 you probably mean the use of content search right -> https://compliance.microsoft.com/contentsearchv2?viewid=search

In that case this would be a useful feature; however, this would be used with great caution! I think from the CIPP portal you only want to allow the -Purge and -SoftDelete commands regarding deleting emails; that way you could always recover within a certain point of time if something went the way it wasn't supposed to.

Some MS docs:
https://docs.microsoft.com/en-us/microsoft-365/compliance/search-for-and-delete-messages-in-your-organization?view=o365-worldwide


@KelvinTegelaar commented on GitHub (Nov 4, 2021):

Risk vs reward is a great point here @freezscholte. We'll discuss this one in the discord before assigning it to a build.


@KelvinTegelaar commented on GitHub (Nov 4, 2021):

Trying to find common ground: what if CIPP finds that e-mail, displays the result, and gives you the PowerShell script that will delete it for all tenants? I'm a little worried about all the implications around mass deletes.


@freezscholte commented on GitHub (Nov 5, 2021):

Good point @KelvinTegelaar, maybe you could restrict the function only to the admin role for example and also only allow for example the

```powershell
New-ComplianceSearchAction -SearchName "Remove Phishing Message" -Purge -PurgeType SoftDelete
```

So no -PurgeType HardDelete !! 🗡️ And if you still want an extra confirmation maybe you could send out a mail (or Teams webhook message) to the requestor with a PIN code in it. The PIN code would be needed to complete the delete action.

But I think it would be wise to let some more eyes have a look on this one before deciding to implement or not.


@PsychoData commented on GitHub (Nov 5, 2021):

One thing that I would do with these personally is save an export of them before I purge them, so that if we wanted to review them for security reasons (or manual restore in an emergency) then you could.
so my process in one tenant was

  • search
  • preview
  • export results content
  • purge HardDelete
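The search / preview / export / purge sequence from the comment above, combined with the SoftDelete-only rule and confirmation step proposed earlier in the thread, as an added PowerShell example. This is not CIPP's own code and is not code from any participant in this thread; it uses the documented Security & Compliance PowerShell cmdlets (New-ComplianceSearch, Start-ComplianceSearch, New-ComplianceSearchAction, Get-ComplianceSearchAction). The parameter names, the search-name format, the narrow sender-plus-subject query and the typed-name confirmation (standing in for the PIN idea) are this example's own assumptions.

```powershell
# Added example (not CIPP's code): remove one phishing message from every mailbox
# in a tenant with a recoverable soft delete, in the order search -> preview ->
# export -> purge. Requires the ExchangeOnlineManagement module and a compliance
# role that includes both eDiscovery search and "Search And Purge".
param(
    [Parameter(Mandatory)] [string] $SenderAddress,   # From: address of the phish (assumed caller input)
    [Parameter(Mandatory)] [string] $Subject,         # exact subject line of the phish (assumed caller input)
    [string] $DelegatedOrganization,                  # optional partner-delegated tenant; omit for your own tenant
    [switch] $Purge                                   # without this switch the script only searches, previews and exports
)

Import-Module ExchangeOnlineManagement
if ($DelegatedOrganization) {
    Connect-IPPSSession -DelegatedOrganization $DelegatedOrganization
} else {
    Connect-IPPSSession
}

# Poll a compliance search action until the service reports it finished.
function Wait-ComplianceSearchAction {
    param([string] $Identity)
    do {
        Start-Sleep -Seconds 10
        $action = Get-ComplianceSearchAction -Identity $Identity
    } while ($action.Status -ne 'Completed')
    return $action
}

# Timestamped name so repeated runs never collide and the audit log stays readable.
$searchName = 'PhishRemoval-{0:yyyyMMdd-HHmmss}' -f (Get-Date)

# KQL query: sender AND subject. Keep it this narrow; a broad query is how a
# mass delete hits legitimate mail.
$query = "from:$SenderAddress AND subject:`"$Subject`""

# 1. Search all Exchange mailboxes in the tenant and wait for completion.
New-ComplianceSearch -Name $searchName -ExchangeLocation All -ContentMatchQuery $query | Out-Null
Start-ComplianceSearch -Identity $searchName
do {
    Start-Sleep -Seconds 10
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -ne 'Completed')
Write-Host "Search '$searchName' matched $($search.Items) item(s)."
if ($search.Items -eq 0) { return }

# 2. Preview: shows which mailboxes and messages would be affected before anything is touched.
New-ComplianceSearchAction -SearchName $searchName -Preview | Out-Null
$preview = Wait-ComplianceSearchAction -Identity "${searchName}_Preview"
$preview.Results

# 3. Export: prepares a copy of the matched messages for later review or manual
#    restore. The export itself is downloaded from the compliance portal.
New-ComplianceSearchAction -SearchName $searchName -Export | Out-Null
Wait-ComplianceSearchAction -Identity "${searchName}_Export" | Out-Null

# 4. Purge, soft delete only (recoverable from Recoverable Items), and only after
#    an explicit -Purge switch plus a typed confirmation of the search name.
if (-not $Purge) {
    Write-Host "Preview and export done. Re-run with -Purge to soft delete the matched messages."
    return
}
$typed = Read-Host "Type the search name ($searchName) to confirm a SOFT delete in all matched mailboxes"
if ($typed -ne $searchName) {
    Write-Warning 'Confirmation did not match; no messages were removed.'
    return
}
New-ComplianceSearchAction -SearchName $searchName -Purge -PurgeType SoftDelete -Confirm:$false | Out-Null
$purgeResult = Wait-ComplianceSearchAction -Identity "${searchName}_Purge"
$purgeResult.Results
```

Two caveats a practitioner should keep in mind when running something like this: a purge action removes at most 10 matching items per mailbox per run, so a mailbox that received the message many times needs the search re-run and purged again; and HardDelete is deliberately not offered here, matching the thread's consensus that anything done in bulk from a portal must stay recoverable.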

@scubes13 commented on GitHub (Nov 5, 2021):

After a brief review of the Purge options, I could not find any method mentioned by MS regarding pushing the offending emails into Quarantine. In theory, if we could push to Quarantine, we could also have a Best Practice enabled that would only allow an admin to view/release/etc those emails from Quarantine in a tenant. By doing so, the emails wouldn't actually be hard or soft deleted.

Assuming that Quarantine is not an option (and I'm just not missing it), then I too would vote for the soft-delete.

I do like the idea of a PIN/secondary approval step for the process....


@PsychoData commented on GitHub (Nov 5, 2021):

I think the only way to force the emails into quarantine would be to get MS to ZAP them or use Threat Explorer (or rather underlying APIs) to move them to quarantine.... it ... might be possible?
I don't think that that would fall under ComplianceAction then though - that would probably be through Defender APIs


@KelvinTegelaar commented on GitHub (Nov 15, 2021):

For now, we're marking this as something we won't pick up; there's a bit too much dependency on the Exchange modules, which slow down usage of the app considerably, combined with the risk/reward aspect. I am considering this for a later version.
