Exchange & -DeleteContent

Administratively deleting content from an Exchange Mailbox

Our FOI/Privacy Officer was informed of an unauthorized disclosure of PII via email by one of our staff members. I was looped in to
a) quantify how many other people in our organization had that particular email in their mailbox, and
b) administratively remove it.

This is fairly straightforward with PowerShell. The hardest part is finding the right message(s) among hundreds of mailboxes containing thousands of messages each.

To start, I got the message details. When I’m not familiar with the information I’ll get back, I like to store the output in a variable before manipulating it. It saves time because I don’t need to requery the information (all Exchange mailboxes in this case). I then used the Search-Mailbox cmdlet to track it down:

> $results = get-mailbox | Search-Mailbox -SearchQuery "subject:Attention: John Doe AND from:customer@gmail.com AND received:07/28/2021"
> $results
>

Well, that’s not good. There were no results. This time, I’ll look for the specific attachment that contained the PII, then display any results that have a ResultItemsCount > 0 (that is, a message with the attachment was found):

> $results = get-mailbox | Search-Mailbox -SearchQuery "attachment:tax_07-10-2021-080049.pdf" -EstimateResultOnly
> $results | where {$_.resultitemscount -ne 0} | select identity,resultitemscount | ft -a

Identity                                   ResultItemsCount
--------                                   ----------------
company.com/Corporate Users/JDoe                3
company.com/Corporate Users/GWashington         2

Much better! 5 messages found across Exchange. Now, let’s purge them from JDoe’s mailbox, but leave them in GWashington’s mailbox. We need the -DeleteContent switch for that:

> "JDoe" | Search-Mailbox -SearchQuery "attachment:tax_07-10-2021-080049.pdf" -DeleteContent
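
A more guarded version of the same purge, as an added example (not the author's script): it saves the scope for the privacy officer, writes a log-only search report before anything is removed, then deletes and re-checks. The audit mailbox, folder name, CSV path, and the assumption that the last segment of Identity is the mailbox name are illustrative.

```powershell
# Added example. Placeholder values are assumptions, not from a real environment.
$query        = 'attachment:tax_07-10-2021-080049.pdf'  # query from the post
$keep         = @('GWashington')      # mailboxes that must retain the message
$auditMailbox = 'PrivacyAudit'        # hypothetical mailbox that receives search logs
$auditFolder  = 'PII-2021-07-28'      # hypothetical folder inside that mailbox

# 1. Scope: -EstimateResultOnly only counts matches, nothing is copied or deleted.
$hits = Get-Mailbox -ResultSize Unlimited |
    Search-Mailbox -SearchQuery $query -EstimateResultOnly |
    Where-Object { $_.ResultItemsCount -gt 0 }

# 2. Keep a record of who held the message before anything is removed.
$hits | Select-Object Identity, ResultItemsCount |
    Export-Csv -Path .\pii-scope.csv -NoTypeInformation

# 3. Exclude the mailboxes that are allowed to keep the message.
#    Assumes the last segment of Identity (e.g. ".../JDoe") names the mailbox.
$purge = $hits | Where-Object {
    $name = ($_.Identity.ToString() -split '/')[-1]
    $keep -notcontains $name
}

foreach ($m in $purge) {
    $id = $m.Identity.ToString()

    # 4. Log-only pass: writes a report of the matching items to the audit
    #    mailbox without copying the messages themselves.
    Search-Mailbox -Identity $id -SearchQuery $query `
        -TargetMailbox $auditMailbox -TargetFolder $auditFolder `
        -LogOnly -LogLevel Full

    # 5. Delete. Without -Force the cmdlet asks for confirmation per mailbox.
    #    -DeleteContent requires the Mailbox Import Export management role.
    Search-Mailbox -Identity $id -SearchQuery $query -DeleteContent

    # 6. Verify: the same query should now report zero items.
    $after = Search-Mailbox -Identity $id -SearchQuery $query -EstimateResultOnly
    if ($after.ResultItemsCount -ne 0) {
        Write-Warning "$id still has $($after.ResultItemsCount) matching item(s)"
    }
}
```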