Tuesday, October 20, 2020

O365 Spam Remover Script - now with a GUI and supports MFA (updated to use Content Search)

Problem: A spam campaign has hit your company and you want to remove the email from all inboxes in the tenant to help prevent people clicking bad links, freaking out, etc.

Solution: I've created a script as an update to the original script for this post. The newer ExchangeOnlineManagement powershell options appeared and the Search-Mailbox cmdlet has been deprecated...so, the new version creates a Content Search and also creates the appropriate purge actions to delete all email. This script will try to load a GUI for you with several options to control the senders, subject lines, and time frames the spam campaign was sent to make it much simpler on you to remove that phishing or spam campaign that made it through. If the GUI fails, it will fail back to an interactive cmd line script requesting the same info. As with any script you get from the internet, no warranty is expressed or implied for this script so test it and tweak to your environment. I have tried to make it use UTC and avoid hard-coding any regional settings but your mileage may vary.


Update 10/20/2020 - The code has been overhauled and updated for content searches! Update 6/17/2019 - Moved the code to GitHub for easier updating. DO NOT WORRY - my github does not look like some giant mess of folders with cryptic things...the powershell files are right there on the screen and you can click any of them to view them in their entirety.

Update on May 22, 2019 - I have added some support to attempt to auto-load the Exchange Online for Powershell module and use it as priority over basic authentication.


  1. I had to modify Line 188...

    $Senders = $Senders.keys -join ","
    $Senders = $SendersHash.keys -join ","

    The script wasn't getting my sender otherwise.

    1. Thank you for this - I updated both scripts on github to correct. Have an awesome day!