By BRITECITY | 17+ years experience
Published February 13, 2026
Expertise: Microsoft 365 Security, Email Threat Response, Cybersecurity
Complete guide to scanning Microsoft 365 mailboxes for malicious email. Covers Defender Threat Explorer, Content Search, eDiscovery, PowerShell commands, and MSP multi-tenant workflows.
To scan Microsoft 365 mailboxes for malicious email, use Threat Explorer in Microsoft Defender for Office 365 Plan 2 to search by sender, subject, URL, or attachment hash and remediate directly. If you do not have Defender P2, use Content Search in the Purview Compliance Portal with PowerShell purge commands. Both methods let you scope the blast radius and remove threats across all affected mailboxes.
When a phishing email lands in your organization, every minute counts. The faster you identify affected mailboxes and remove the threat, the lower your risk of credential theft, data exfiltration, or ransomware deployment. This guide covers every method available in Microsoft 365 for scanning, finding, and removing malicious email, from built-in Defender tools to PowerShell automation and MSP-scale multi-tenant workflows.
Microsoft 365 includes several built-in tools for scanning mailboxes. The right tool depends on your licensing level and the scale of the investigation.
Defender for Office 365 Plan 2 is the most powerful native tool for email threat investigation and remediation. It is included in Microsoft 365 E5, or available as an add-on for E3 and Business Premium plans.
Threat Explorer lets you search across all mailboxes by sender address, subject line, URL, attachment hash, delivery action, and date range. Once you identify the malicious messages, you can remediate directly from the same interface. Options include soft delete, hard delete, and move to junk. Real-Time Detections provides the same search capabilities on a narrower time window for Plan 1 customers.
Automated Investigation and Response (AIR) triggers automatically when certain alerts fire, or you can launch it manually from Threat Explorer. It investigates the threat, identifies all affected users, and recommends or executes remediation actions. For organizations that receive high volumes of phishing, AIR dramatically reduces the manual burden on security teams.
Threat Trackers are saved queries that let you monitor for specific indicators of compromise (IOCs) on an ongoing basis. If you are tracking a campaign that targets your industry, you can create a tracker for the sender domain or subject pattern and get notified when new matches arrive.
If your organization does not have Defender for Office 365 Plan 2, Content Search in the Microsoft Purview Compliance Portal is your primary tool. It is included in most Microsoft 365 plans, including Business Basic, Business Standard, E1, and E3.
Messages found by a Content Search are removed with New-ComplianceSearchAction -Purge via PowerShell (see below). Content Search supports KQL (Keyword Query Language) for complex queries. You can search across mailboxes, SharePoint, OneDrive, and Teams. For email-specific investigations, filter by kind:email and use properties like from:, subject:, and received:.
PowerShell gives you granular control over mailbox searches and is essential for automating repetitive threat hunting tasks. Here are the key commands every M365 administrator should know.
```powershell
# Requires an Exchange Online session and the Mailbox Search role (Discovery Management role group).
Get-Mailbox -ResultSize Unlimited | Search-Mailbox `
    -SearchQuery "from:malicious@domain.com" `
    -TargetMailbox "DiscoveryMailbox" `
    -TargetFolder "Investigation"
```
Searches all mailboxes for messages from a specific sender and copies them to a discovery mailbox for review. Replace the sender address with your IOC.
```powershell
# Message trace covers the last 10 days; older deliveries need a historical search.
Get-MessageTrace `
    -SenderAddress "malicious@domain.com" `
    -StartDate (Get-Date).AddDays(-10) `
    -EndDate (Get-Date)
```
Traces message delivery over the last 10 days. Shows recipient, status, date, and subject. Useful for quickly scoping how many users received a specific message.
```powershell
# These cmdlets run in Security & Compliance PowerShell (Connect-IPPSSession),
# not in a plain Exchange Online session.
# Create the compliance search
New-ComplianceSearch -Name "PhishRemoval" `
    -ExchangeLocation All `
    -ContentMatchQuery 'from:malicious@domain.com AND subject:"Invoice"'
# Start the search
Start-ComplianceSearch -Identity "PhishRemoval"
# After the search completes (check Status with Get-ComplianceSearch), purge (soft delete)
New-ComplianceSearchAction -SearchName "PhishRemoval" `
    -Purge -PurgeType SoftDelete
```
Creates a compliance search, runs it, then purges matching messages. Use SoftDelete to move to Recoverable Items, or HardDelete for permanent removal.
Important: The Search-Mailbox cmdlet is being deprecated. Microsoft recommends using Content Search with New-ComplianceSearchAction -Purge for new workflows. However, Search-Mailbox remains useful for quick ad-hoc investigations where you need to copy messages to a discovery mailbox.
When you discover a malicious email has reached your users, follow this structured workflow to contain the threat quickly and thoroughly.
Collect the sender address, subject line, URLs in the message body, and attachment names or file hashes. The more IOCs you have, the more precise your search will be. Check the email headers for the true sending IP and domain.
Use Threat Explorer or Content Search to find every instance of the malicious message across all mailboxes. Determine how many users received it, how many opened it, and whether anyone clicked links or downloaded attachments.
Purge or soft-delete the malicious messages from every mailbox where they were delivered. In Threat Explorer, select all results and choose your remediation action. With Content Search, use the PowerShell purge command.
Add the sender address, domain, or URL to your Tenant Allow/Block List in the Microsoft 365 Defender portal. This prevents the same IOC from reaching users again. For URLs, also add them to your Safe Links block list.
Check whether anyone clicked links (URL trace in Threat Explorer) or opened attachments. If users interacted with the threat, initiate password resets, check for mail forwarding rules, and review sign-in logs for suspicious activity.
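The five steps above as one PowerShell run, added here as an example (it is not code from the original article or from BRITECITY's own tooling). It assumes the ExchangeOnlineManagement module, an account holding the Exchange administrator and eDiscovery Manager roles, and placeholder IOC values standing in for the ones you collected in step 1.

```powershell
# Added example: end-to-end IOC sweep for a single tenant. All IOC values are placeholders.
$Sender  = 'malicious@domain.com'      # placeholder IOC from step 1
$Subject = 'Invoice'                   # placeholder IOC from step 1
$BadUrl  = 'example.invalid/login'     # placeholder IOC from step 1
$Search  = "IOC-Sweep-$(Get-Date -Format 'yyyyMMdd-HHmm')"

# Step 2: scope the blast radius. Message trace needs an Exchange Online session.
Connect-ExchangeOnline -ShowBanner:$false
$trace = Get-MessageTrace -SenderAddress $Sender `
    -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date)
$recipients = @($trace | Where-Object Status -eq 'Delivered' |
    Select-Object -ExpandProperty RecipientAddress -Unique)
Write-Host "Delivered to $($recipients.Count) mailbox(es)"

# Step 3: purge with a compliance search. These cmdlets live in the
# Security & Compliance endpoint, so a second session is required.
Connect-IPPSSession
New-ComplianceSearch -Name $Search -ExchangeLocation All `
    -ContentMatchQuery "from:$Sender AND subject:`"$Subject`"" | Out-Null
Start-ComplianceSearch -Identity $Search
do { Start-Sleep -Seconds 15 } until ((Get-ComplianceSearch -Identity $Search).Status -eq 'Completed')
Write-Host "Search matched $((Get-ComplianceSearch -Identity $Search).Items) item(s)"
# SoftDelete keeps copies in Recoverable Items. A purge action removes at most
# 10 items per mailbox per run, so re-run the search and purge for large deliveries.
New-ComplianceSearchAction -SearchName $Search -Purge -PurgeType SoftDelete -Confirm:$false

# Step 4: block the IOCs so the next wave is stopped before delivery.
New-TenantAllowBlockListItems -ListType Sender -Block -Entries $Sender -NoExpiration -Notes $Search
New-TenantAllowBlockListItems -ListType Url    -Block -Entries $BadUrl -NoExpiration -Notes $Search

# Step 5: look for persistence in every mailbox that received the message.
# Click tracking stays in Threat Explorer; forwarding and delete rules are checkable here.
foreach ($user in $recipients) {
    $rules = Get-InboxRule -Mailbox $user | Where-Object {
        $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage }
    if ($rules) { Write-Warning "$user has suspicious inbox rule(s): $($rules.Name -join ', ')" }
}
```

Password resets and session revocation for users flagged in step 5 are deliberately left to your identity tooling, since they should follow your incident process rather than run unattended.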
Not every Microsoft 365 plan includes the same scanning tools. Here is a quick reference for matching your license to the best available method.
| Tool | Required License | Best For |
|---|---|---|
| Threat Explorer | Defender for Office 365 P2 / M365 E5 | Full investigation and remediation with click tracking |
| Real-Time Detections | Defender for Office 365 P1 | Quick threat visibility with limited remediation |
| Content Search | Most M365 plans (E1, E3, Business) | Searching and purging when Defender P2 is not available |
| Message Trace | All Exchange Online plans | Quick delivery status check (last 10 days) |
| AIR | Defender for Office 365 P2 / M365 E5 | Automated investigation for high-volume environments |
For managed service providers (MSPs) managing multiple Microsoft 365 tenants, the single-tenant tools above need to be scaled across every client environment. There are several approaches to achieve cross-tenant visibility.
Microsoft 365 Lighthouse provides a multi-tenant management portal for MSPs with GDAP access. It aggregates security alerts and incidents across all client tenants into a single view. While it does not replace Threat Explorer for deep investigation, it helps you identify which tenants are affected by a campaign quickly.
Tools like Hornetsecurity, Avanan (Check Point), and SaaS Alerts provide cross-tenant email security monitoring from a single dashboard. These platforms can detect threats that bypass Microsoft's native filters and provide unified reporting across your entire client base.
For MSPs that want full control, the Microsoft Graph API provides programmatic access to email data across tenants. The /security/alerts and /messages endpoints let you build automated IOC sweep workflows that search every client tenant for a specific threat indicator and report results in minutes rather than hours.
The most mature MSP security operations automate the IOC sweep process entirely. When a new threat indicator is identified, an automated workflow can search every managed tenant simultaneously and generate a consolidated report. Here is the typical architecture:
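The cross-tenant sweep described above, as an added example (not code from the original article or from any BRITECITY or partner tool), written in PowerShell against the Graph /messages endpoint. It assumes a multi-tenant app registration with the Mail.Read application permission consented in every customer tenant, its client secret in the SWEEP_SECRET environment variable, and placeholder tenant names and sender IOC.

```powershell
# Added example: read-only IOC sweep across managed tenants via Microsoft Graph.
$ClientId = '00000000-0000-0000-0000-000000000000'                    # placeholder app (client) ID
$Tenants  = @('contoso.onmicrosoft.com', 'fabrikam.onmicrosoft.com')  # placeholder tenants
$Sender   = 'malicious@domain.com'                                    # placeholder IOC

function Get-GraphToken([string]$Tenant) {
    # Client-credentials flow: one app token per tenant, scoped to Graph application permissions.
    $body = @{ client_id = $ClientId; client_secret = $env:SWEEP_SECRET
               scope = 'https://graph.microsoft.com/.default'; grant_type = 'client_credentials' }
    (Invoke-RestMethod -Method Post -Body $body `
        -Uri "https://login.microsoftonline.com/$Tenant/oauth2/v2.0/token").access_token
}

function Invoke-GraphPaged([string]$Uri, [hashtable]$Headers) {
    # Follow @odata.nextLink so large tenants are not truncated at one page.
    while ($Uri) {
        $page = Invoke-RestMethod -Headers $Headers -Uri $Uri
        $page.value
        $Uri = $page.'@odata.nextLink'
    }
}

$report = foreach ($tenant in $Tenants) {
    $headers = @{ Authorization = "Bearer $(Get-GraphToken $tenant)" }
    # Only mailbox-enabled users: 'mail' is null for unlicensed accounts.
    $users = Invoke-GraphPaged -Headers $headers -Uri `
        'https://graph.microsoft.com/v1.0/users?$select=id,userPrincipalName,mail&$top=999'
    foreach ($u in ($users | Where-Object mail)) {
        # $filter on the sender address is an exact match; widen it for domain-level IOCs.
        $filter = [uri]::EscapeDataString("from/emailAddress/address eq '$Sender'")
        $uri = "https://graph.microsoft.com/v1.0/users/$($u.id)/messages?`$filter=$filter&`$select=id,subject,receivedDateTime"
        try { $hits = @(Invoke-GraphPaged -Headers $headers -Uri $uri) }
        catch { Write-Warning "$tenant/$($u.userPrincipalName): $($_.Exception.Message)"; continue }
        foreach ($m in $hits) {
            [pscustomobject]@{ Tenant = $tenant; Mailbox = $u.userPrincipalName
                               Subject = $m.subject; Received = $m.receivedDateTime; MessageId = $m.id }
        }
    }
}
$report | Sort-Object Tenant, Mailbox |
    Export-Csv -NoTypeInformation -Path "ioc-sweep-$(Get-Date -Format yyyyMMdd).csv"
"Hits: $(@($report).Count) across $($Tenants.Count) tenant(s)"
```

The sweep only reports; removal still runs per tenant with the Content Search purge shown earlier, so the consolidated CSV tells you which tenants need that step.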
Even experienced administrators make mistakes during email threat investigations. Here are the most common pitfalls and how to avoid them.
When a user reports a phishing email, always search the entire organization. The same message was likely delivered to dozens or hundreds of mailboxes.
Deleting the message is not enough. If you do not add the sender or URL to your block list, follow-up messages from the same campaign will land in inboxes again.
Removing the email is step one. If users already clicked a link or opened an attachment, you need to investigate further, including password resets and session revocation.
Attackers vary subject lines across campaigns. Search by sender address, sending domain, URL patterns, and attachment hashes in addition to subject lines.
As a Microsoft Solutions Partner for cybersecurity, BRITECITY provides proactive email threat monitoring and rapid incident response for Microsoft 365 environments. Our security operations team monitors for threats around the clock and can execute the full investigation-to-remediation workflow in minutes, not hours.
Whether you manage your own Microsoft 365 environment or need a partner to handle email security for you, the tools and workflows in this guide give you the foundation for effective email threat response. For organizations that want expert support, BRITECITY's managed IT services include comprehensive email security as part of every plan.
Call us at 949-243-7440 or book a free consultation to discuss your Microsoft 365 security posture.
Answers
Use Threat Explorer in Microsoft Defender for Office 365 Plan 2 to search by sender, subject, URL, or attachment hash across all mailboxes. If you do not have Defender P2, use Content Search in the Purview Compliance Portal. Both tools let you scope affected mailboxes and remediate directly.
Yes. In Threat Explorer, select the messages and choose soft delete, hard delete, or move to junk. With Content Search, run the search and then execute New-ComplianceSearchAction -Purge via PowerShell. Both methods remove the message from all affected mailboxes simultaneously.
Use Get-MessageTrace to check delivery status for a sender over the last 10 days. Use Search-Mailbox to copy matching messages to a discovery mailbox. For bulk purging, use New-ComplianceSearch with New-ComplianceSearchAction -Purge to remove messages across all mailboxes.
Threat Explorer is part of Defender for Office 365 Plan 2 and provides rich investigation features including click tracking, URL analysis, and direct remediation. Content Search is available in most M365 plans and supports searching and purging email but lacks the advanced threat intelligence features.
MSPs use Microsoft 365 Lighthouse for cross-tenant alert visibility, third-party platforms like Hornetsecurity or Avanan for unified monitoring, and the Microsoft Graph API to automate IOC sweeps across all client tenants programmatically.
After purging the email, add the sender, domain, or URL to the Tenant Allow/Block List. Then investigate whether any users clicked links or opened attachments. If interaction occurred, reset passwords, revoke sessions, and check for mail forwarding rules.
No. Content Search in the Purview Compliance Portal is available in most M365 plans and supports searching and purging email via PowerShell. However, Defender for Office 365 Plan 2 provides significantly better investigation tools, automated response, and click tracking.