How to Delete a Phishing Email from Multiple Microsoft 365 Mailboxes Using Purview or PowerShell

Phishing incidents do not always come from unknown attackers. Sometimes, the most dangerous phishing emails come from trusted business partners whose accounts were compromised. In other cases, the phishing message comes from a completely unknown domain, and the correct response may include both deleting the message and blocking the sender or domain.

In this post, we will cover two common scenarios:

  1. A phishing email was sent from a compromised account belonging to a trusted partner company.
  2. A phishing email was sent from a random external domain that your company does not do business with.

We will also cover how to remove the message from user mailboxes using Microsoft 365 Purview or PowerShell, and when it makes sense to block the sender domain.


Scenario 1: Phishing Email from a Compromised Partner Account

Example Situation

Company A receives a phishing email that was sent to many users.

The email appears to come from Company B, a real business partner. However, after investigation, the IT team discovers that the email was sent from a compromised mailbox inside Company B.

Example:

From: [email protected]
Subject: Updated Invoice Payment Details
Attachment/Link: Suspicious payment link
Recipients: Multiple users in Company A

Because Company B is a legitimate partner, Company A should not immediately block the entire companyb.com domain. Blocking the domain may stop important business communication.

Instead, the correct response is usually:

  • Identify all users who received the phishing email. This can be done from Message Trace in Exchange Online.
  • Delete the phishing email from affected mailboxes.
  • Warn users not to open the message or click any link.
  • Notify Company B that one of their accounts may be compromised.
  • Monitor for more suspicious messages from the same account or similar subjects.

Scenario 2: Phishing Email from a Random External Domain

Example Situation

Company A receives a phishing email from a domain that has no business relationship with the company.

Example:

From: [email protected]
Subject: Urgent Password Verification Required
Recipients: Multiple users in Company A

In this case, after deleting the phishing email from the users’ mailboxes, the IT admin can also block the sender address or the entire domain.

The response would usually be:

  • Identify all users who received the phishing email. This can be done from Message Trace in Exchange Online.
  • Delete the phishing email from affected mailboxes.
  • Block the sender address or sender domain.
  • Submit the message to Microsoft as phishing if needed.
  • Review whether any user clicked the link or replied to the email.

Option 1: Delete the Email Using Microsoft 365 Defender / Purview Portal

This option is useful if you prefer using the GUI instead of PowerShell.

Using Microsoft Defender Threat Explorer

This method usually requires Microsoft Defender for Office 365 Plan 2.

  1. Go to the Microsoft Defender portal: https://security.microsoft.com
  2. Go to: Email & collaboration > Explorer
  3. Search for the suspicious message using details such as:
     • Sender address
     • Subject
     • Recipient
     • Date received
     • Internet Message ID
     • URL
     • Attachment name
  4. Open the message investigation results.
  5. Select the matching messages.
  6. Choose: Take action
  7. Select the remediation action, for example: Soft delete or Hard delete
  8. Submit the action.

Soft Delete vs Hard Delete

Option        What it does
Soft delete   Moves the message to the user’s Recoverable Items area. This is safer and usually recommended for first response.
Hard delete   Marks the message for permanent removal. This is more aggressive and should be used carefully.

For most phishing cleanup cases, I prefer starting with Soft delete unless the security team specifically requires hard deletion.


Option 2: Delete the Email Using PowerShell

PowerShell is very useful when you need to search and delete a phishing email across many mailboxes.

Step 1: Connect to Security & Compliance PowerShell

Run PowerShell as administrator, then connect:

Install-Module ExchangeOnlineManagement -Scope CurrentUser

Import-Module ExchangeOnlineManagement

Connect-IPPSSession -UserPrincipalName [email protected]

Replace [email protected] with your Microsoft 365 admin account.


Step 2: Create a Compliance Search

You need to build a search query that identifies only the phishing message.

Try to use multiple conditions to avoid deleting legitimate emails by mistake.

Example search based on sender, subject, and received date:

$SearchName = "Remove phishing email - CompanyB compromised account"

New-ComplianceSearch `
  -Name $SearchName `
  -ExchangeLocation All `
  -ContentMatchQuery '(From:"[email protected]") AND (Subject:"Updated Invoice Payment Details") AND (Received:06/06/2026)'

Then start the search:

Start-ComplianceSearch -Identity $SearchName

Check the search status:

Get-ComplianceSearch -Identity $SearchName | Format-List Name,Status,Items,Size

Wait until the status shows:

Completed

Step 3: Review the Search Result Before Deleting

Before deleting anything, verify that the search found the expected number of messages.

Get-ComplianceSearch -Identity $SearchName | Format-List

Look carefully at:

Items
Size
Status

If the result count is much higher than expected, do not purge yet. Adjust your query first.

For example, if the subject is too generic, add more conditions such as sender, date, or exact phrase from the message body.
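The review step above can be scripted so that the purge is never issued against an oversized result. The following is an added example, not code from the original post: it polls the search until it completes, lists the mailboxes that actually hold matches, and returns $false when the item count exceeds the recipient count you obtained from Message Trace. It assumes Connect-IPPSSession has already been run and that $SearchName refers to the search created in Step 2; the recipient count 42 is a constructed value.

```powershell
# Added example (not from the original post): poll the Compliance Search until it
# finishes, list the mailboxes that hold matches, and stop short of purging when the
# hit count exceeds the recipient count obtained from Message Trace.
# Assumes Connect-IPPSSession has already been run and $SearchName was created above.
function Wait-ComplianceSearchResult {
    param(
        [Parameter(Mandatory)] [string] $SearchName,
        [Parameter(Mandatory)] [int]    $ExpectedItems,   # recipient count from Message Trace
        [int] $TimeoutSeconds = 900
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 15
        $search = Get-ComplianceSearch -Identity $SearchName
        Write-Host ("{0}: {1}" -f $SearchName, $search.Status)
    } until ($search.Status -eq 'Completed' -or (Get-Date) -gt $deadline)

    if ($search.Status -ne 'Completed') {
        throw "Search '$SearchName' did not finish in $TimeoutSeconds seconds (status: $($search.Status))."
    }

    # SuccessResults is a single string holding one
    # "Location: <mailbox>, Item count: <n>, Total size: <bytes>" entry per mailbox searched.
    $hits = [regex]::Matches([string]$search.SuccessResults,
                             'Location: (?<mailbox>[^,]+), Item count: (?<count>\d+)') |
        Where-Object { [int]$_.Groups['count'].Value -gt 0 } |
        ForEach-Object {
            [pscustomobject]@{ Mailbox = $_.Groups['mailbox'].Value; Items = [int]$_.Groups['count'].Value }
        }
    $hits | Sort-Object Items -Descending | Format-Table -AutoSize

    if ($search.Items -gt $ExpectedItems) {
        Write-Warning "Search matched $($search.Items) items but Message Trace showed $ExpectedItems recipients; tighten the query before purging."
        return $false
    }
    Write-Host "Search matched $($search.Items) items in $(@($hits).Count) mailboxes." -ForegroundColor Green
    return $true
}

# Purge only when the sanity check passed; 42 is a constructed recipient count.
if (Wait-ComplianceSearchResult -SearchName $SearchName -ExpectedItems 42) {
    New-ComplianceSearchAction -SearchName $SearchName -Purge -PurgeType SoftDelete
}
```

A purge action removes at most 10 matching items per mailbox per run, so re-run the action for mailboxes that held more copies than that.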


Step 4: Soft Delete the Email

Soft delete is the safer option.

New-ComplianceSearchAction `
  -SearchName $SearchName `
  -Purge `
  -PurgeType SoftDelete

This removes the message from the user’s mailbox view and moves it into Recoverable Items.


Step 5: Hard Delete the Email

Only use hard delete when you are sure the search results are correct.

New-ComplianceSearchAction `
  -SearchName $SearchName `
  -Purge `
  -PurgeType HardDelete

Hard delete is more aggressive. If the mailbox is under hold or retention, the item may still be preserved according to compliance rules.


Example: Scenario 1 PowerShell Script — Partner Account Compromised

In this scenario, the sender belongs to a trusted company, so we delete the email but do not block the whole domain.

# Scenario 1:
# Phishing email came from a compromised account in a trusted partner company.
# Do NOT block the whole partner domain unless there is a clear business/security decision.

$AdminUPN = "[email protected]"
$SearchName = "Remove phishing - Compromised partner account"
$Sender = "[email protected]"
$Subject = "Updated Invoice Payment Details"
$ReceivedDate = "06/06/2026"

Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName $AdminUPN

$Query = "(From:`"$Sender`") AND (Subject:`"$Subject`") AND (Received:$ReceivedDate)"

New-ComplianceSearch `
  -Name $SearchName `
  -ExchangeLocation All `
  -ContentMatchQuery $Query

Start-ComplianceSearch -Identity $SearchName

Write-Host "Wait for the search to complete, then review the result:" -ForegroundColor Yellow
Get-ComplianceSearch -Identity $SearchName | Format-List Name,Status,Items,Size

Write-Host "If the result is correct, run the purge command manually:" -ForegroundColor Yellow
Write-Host "New-ComplianceSearchAction -SearchName `"$SearchName`" -Purge -PurgeType SoftDelete"

After confirming the results, run:

New-ComplianceSearchAction `
  -SearchName "Remove phishing - Compromised partner account" `
  -Purge `
  -PurgeType SoftDelete

Example: Scenario 2 PowerShell Script — Random Malicious Domain

In this scenario, the sender domain is not trusted and has no business relationship with the company. After deleting the message, we can block the sender or domain.

# Scenario 2:
# Phishing email came from a random external domain.
# Delete the message first, then block the sender/domain.

$AdminUPN = "[email protected]"
$SearchName = "Remove phishing - Random malicious domain"
$Sender = "[email protected]"
$SenderDomain = "random-attacker-domain.com"
$Subject = "Urgent Password Verification Required"
$ReceivedDate = "06/06/2026"

Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName $AdminUPN

$Query = "(From:`"$Sender`") AND (Subject:`"$Subject`") AND (Received:$ReceivedDate)"

New-ComplianceSearch `
  -Name $SearchName `
  -ExchangeLocation All `
  -ContentMatchQuery $Query

Start-ComplianceSearch -Identity $SearchName

Write-Host "Wait for the search to complete, then review the result:" -ForegroundColor Yellow
Get-ComplianceSearch -Identity $SearchName | Format-List Name,Status,Items,Size

Write-Host "If the result is correct, run this purge command manually:" -ForegroundColor Yellow
Write-Host "New-ComplianceSearchAction -SearchName `"$SearchName`" -Purge -PurgeType SoftDelete"

After confirming the search result, delete the email:

New-ComplianceSearchAction `
  -SearchName "Remove phishing - Random malicious domain" `
  -Purge `
  -PurgeType SoftDelete

Blocking the Random Sender or Domain

After deleting the email, connect to Exchange Online PowerShell:

Connect-ExchangeOnline -UserPrincipalName [email protected]

Block Only the Sender Address

Use this if you want to block only the exact sender address:

New-TenantAllowBlockListItems `
  -ListType Sender `
  -Block `
  -Entries "[email protected]" `
  -NoExpiration `
  -Notes "Blocked after phishing campaign on 06/06/2026"

Block the Entire Domain

Use this if the whole domain is clearly malicious and your company does not need to receive email from it:

New-TenantAllowBlockListItems `
  -ListType Sender `
  -Block `
  -Entries "random-attacker-domain.com" `
  -NoExpiration `
  -Notes "Blocked after phishing campaign on 06/06/2026"

View Current Blocked Senders and Domains

Get-TenantAllowBlockListItems -ListType Sender -Block

Remove a Block Later

If the domain was blocked by mistake or is no longer needed:

Remove-TenantAllowBlockListItems `
  -ListType Sender `
  -Entries "random-attacker-domain.com"

Important Notes Before Deleting Emails

1. Do Not Use a Very Broad Search Query

Avoid using only the subject if the subject is common.

Bad example:

Subject:"Invoice"

Better example:

(From:"[email protected]") AND (Subject:"Urgent Password Verification Required") AND (Received:06/06/2026)

The more specific the query is, the lower the chance of deleting legitimate messages.


2. Start with Soft Delete

Soft delete is safer because the message is moved to Recoverable Items. If something goes wrong, there is usually a better chance of recovery compared to hard delete.


3. Be Careful with Trusted Partner Domains

If the phishing email came from a compromised account in a real partner company, do not immediately block the whole partner domain.

Instead:

  • Delete the phishing email.
  • Inform the partner.
  • Temporarily block the specific compromised sender only if needed.
  • Monitor for more suspicious messages.

Blocking the entire partner domain may interrupt business communication.


4. Blocking a Domain Does Not Delete Existing Emails

Blocking a sender or domain helps with future emails. It does not remove messages that are already delivered.

That is why the correct order is usually:

  1. Search for the delivered phishing email.
  2. Delete the email from affected mailboxes.
  3. Block the sender/domain if appropriate.
  4. Investigate user clicks and sign-in activity.

Recommended Incident Response Checklist

After removing the phishing email, the IT team should also check the following:

  • Did any user click the link?
  • Did any user open the attachment?
  • Did any user reply to the attacker?
  • Did any user enter credentials into a fake login page?
  • Are there suspicious sign-ins in Entra ID?
  • Are there risky users or risky sign-ins?
  • Are there mailbox forwarding rules created by attackers?
  • Are there suspicious inbox rules?
  • Was the email reported to Microsoft?
  • Was the partner company notified if the sender was compromised?

Useful PowerShell Commands for Investigation

Search Mailboxes for Suspicious Inbox Rules

Connect-ExchangeOnline -UserPrincipalName [email protected]

Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Get-InboxRule -Mailbox $_.UserPrincipalName |
    Where-Object {
        $_.ForwardTo -or
        $_.RedirectTo -or
        $_.ForwardAsAttachmentTo
    } |
    Select-Object MailboxOwnerId,Name,Enabled,ForwardTo,RedirectTo,ForwardAsAttachmentTo
}

Check Mailbox Forwarding

Get-Mailbox -ResultSize Unlimited |
Select-Object DisplayName,UserPrincipalName,ForwardingAddress,ForwardingSmtpAddress,DeliverToMailboxAndForward |
Where-Object {
    $_.ForwardingAddress -or $_.ForwardingSmtpAddress
}

Check Recent Message Trace from the Sender

Get-MessageTrace `
  -SenderAddress "[email protected]" `
  -StartDate "06/06/2026 00:00" `
  -EndDate "06/06/2026 23:59" |
Select-Object Received,SenderAddress,RecipientAddress,Subject,Status
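Both scenarios start with identifying who received the message from Message Trace, and the inbox-rule check above walks every mailbox in the tenant. The following is an added example, not code from the original post: it pulls the recipient list for the phishing message from Message Trace and then reviews forwarding and inbox rules only for those recipients. It assumes Connect-ExchangeOnline has already been run; the sender address is a placeholder and the subject and date are taken from Scenario 2.

```powershell
# Added example (not from the original post): pull the actual recipient list of the
# phishing message from Message Trace, then review forwarding and inbox rules only for
# those mailboxes instead of every mailbox in the tenant.
# Assumes Connect-ExchangeOnline has already been run; the sender address is a placeholder.
function Get-PhishRecipient {
    param(
        [Parameter(Mandatory)] [string]   $SenderAddress,
        [Parameter(Mandatory)] [string]   $Subject,
        [Parameter(Mandatory)] [datetime] $Day
    )
    # Message Trace covers only the last 10 days; older incidents need a historical search.
    Get-MessageTrace -SenderAddress $SenderAddress -StartDate $Day -EndDate $Day.AddDays(1) -PageSize 5000 |
        Where-Object { $_.Subject -eq $Subject } |
        Group-Object RecipientAddress |
        ForEach-Object {
            [pscustomobject]@{
                Recipient = $_.Name
                Copies    = $_.Count
                Status    = (@($_.Group.Status) | Sort-Object -Unique) -join ','
            }
        }
}

function Find-SuspiciousRuleForRecipient {
    param([Parameter(Mandatory)] [string[]] $Recipient)
    foreach ($upn in $Recipient) {
        $mbx = Get-Mailbox -Identity $upn -ErrorAction SilentlyContinue
        if (-not $mbx) { continue }   # external address or group: no mailbox to inspect
        if ($mbx.ForwardingAddress -or $mbx.ForwardingSmtpAddress) {
            [pscustomobject]@{ Mailbox = $upn; Finding = 'Mailbox-level forwarding'
                               Detail = "$($mbx.ForwardingAddress) $($mbx.ForwardingSmtpAddress)".Trim() }
        }
        Get-InboxRule -Mailbox $upn | Where-Object {
            $_.ForwardTo -or $_.RedirectTo -or $_.ForwardAsAttachmentTo -or $_.DeleteMessage
        } | ForEach-Object {
            [pscustomobject]@{ Mailbox = $upn; Finding = "Inbox rule '$($_.Name)'"
                               Detail = (@($_.ForwardTo) + @($_.RedirectTo) + @($_.ForwardAsAttachmentTo)) -join ',' }
        }
    }
}

# Constructed values: replace the sender placeholder with the address from the incident.
$recipients = Get-PhishRecipient -SenderAddress "sender@random-attacker-domain.com" `
                                 -Subject "Urgent Password Verification Required" -Day "2026-06-06"
$recipients | Format-Table -AutoSize
Find-SuspiciousRuleForRecipient -Recipient $recipients.Recipient | Format-Table -AutoSize
```

Recipients whose Status is not Delivered (for example FilteredAsSpam or Quarantined) never saw the message in their Inbox, which helps prioritise the click and sign-in review.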

Summary

When a phishing email is delivered to many Microsoft 365 users, the IT admin should act quickly but carefully.

If the sender belongs to a trusted partner company, the best action is usually to delete the phishing message and notify the partner, not block the entire domain.

If the sender belongs to a random malicious domain, the admin can delete the message and then block the sender address or the whole domain using the Tenant Allow/Block List.

The safest cleanup process is:

  1. Identify the phishing message.
  2. Create a precise Compliance Search.
  3. Review the search result.
  4. Soft delete or hard delete the message.
  5. Block the sender/domain only when appropriate.
  6. Investigate whether any user interacted with the email.

This approach removes the immediate threat while avoiding unnecessary disruption to legitimate business communication.
