Disclaimer: I do not accept responsibility for any issues arising from scripts being run without adequate understanding. It is the user's responsibility to review and assess any code before execution.

Hard Deleted Messages from Explorer, but the Sender Still Has Them - What's Going On?

If you've ever used Email Explorer in Microsoft's Defender security portal to hard delete compromised or malicious messages, you might have noticed something puzzling: even after selecting messages that clearly show both sender and recipient, and even after the remediation reports "success," the messages remain in the sender's mailbox. Is this a bug? Did it actually work?

The short answer: Yes, it worked - but not the way you might expect.

The Problem: Explorer Only Deletes from Recipients

When I first encountered this issue, I searched for messages from a specific sender in Email Explorer. The results showed me all the messages between that sender and various recipients. I selected these messages and chose "Hard Delete." The portal reported success, and sure enough, the messages vanished from the recipient inbox.

But here's the catch: they were still sitting in the sender's Sent Items folder.

At first, I thought the remediation had failed. The portal showed both sender and recipient in the message list. I naturally assumed "hard delete" meant removing the message from everywhere. But that's not how Explorer works, and this isn't clearly documented anywhere obvious.

Visual of the "mediated actions"

This is the report from Defender, where you can clearly see the wrong label of "Suspicious" (it was not), but then you can see the 9 messages, and the report says "9 successful", which would lead you to believe that the mails have been removed from the sender's and recipients' mailboxes:


However, if you look at this in Explorer, you can also see these messages have been deleted under "all messages", so all is done, messages deleted? Nope, read on...


This, however, is not true for the sender, because here are some of those messages that have not been moved to "Deleted Items" and are still in "Sent Items":


Why Explorer Behaves This Way

Email Explorer is designed primarily for threat remediation - its main job is removing malicious or phishing emails that have been delivered to recipients. The typical scenario is:

  • A compromised account sends phishing emails
  • Security team needs to remove these dangerous messages from recipient inboxes
  • The sender's copy is less urgent from a threat perspective

When you search by sender and run remediation actions, Explorer:

  • Finds messages sent BY that sender
  • Applies actions only to WHERE those messages were delivered (recipient mailboxes)
  • Leaves the sender's Sent Items untouched

This makes sense for threat hunting, but it's confusing when you're trying to completely purge messages from your environment, especially during a security incident where the sender's account might also be compromised.

The Solution: Using Content Search in Purview

To delete messages from both sender AND recipient mailboxes, you need to use Content Search in Microsoft Purview (formerly the Compliance Center) instead. Here's how:

Step-by-Step Process:

  1. Navigate to Content Search

    • Open the Microsoft Purview compliance portal
    • Go to Solutions > Content search
    • Click "New search"
  2. Configure the Search - This is the Critical Part

    • Name your search something descriptive
    • Under "Locations," choose "Specific locations"
    • Select "Exchange mailboxes"
    • Add BOTH the sender's and recipient's email addresses
    • Add your search criteria (keywords, date range, subject, etc.)
  3. Run and Review

    • Start the search and wait for completion
    • Review the results to confirm messages are found in both mailboxes
    • The results will show you exactly which mailboxes contain the messages
  4. Delete from All Mailboxes

    • Click "Action" > "Purge"
    • Select "Hard delete"
    • This removes the messages from ALL mailboxes included in your search scope

Using PowerShell for More Control

If you prefer PowerShell or need to automate this process, here's how I accomplish the same thing:

# First, connect to Security & Compliance PowerShell
Install-Module -Name ExchangeOnlineManagement  # If not already installed
Connect-IPPSSession

# Create a search targeting both mailboxes (sender AND recipient)
New-ComplianceSearch -Name "PurgeBothMailboxes" `
  -ExchangeLocation "receiver@bear.local","sender@bear.local" `
  -ContentMatchQuery "sent>=2025-11-15 AND sent<=2025-11-15"

# Start the search (it runs asynchronously)
Start-ComplianceSearch -Identity "PurgeBothMailboxes"

# Wait for the search to finish before acting on it; a purge created
# against a search that is still running acts on incomplete results
do {
  Start-Sleep -Seconds 10
  $search = Get-ComplianceSearch -Identity "PurgeBothMailboxes"
} while ($search.Status -ne "Completed")

# Check the results
$search | Format-List Status,Items,Size

# Hard delete from both mailboxes
# Note: a single purge action removes at most 10 items per mailbox,
# so re-run the search and purge again if more than that matched
New-ComplianceSearchAction -SearchName "PurgeBothMailboxes" `
  -Purge -PurgeType HardDelete -Confirm:$false

# Monitor the deletion status
Get-ComplianceSearchAction -Identity "PurgeBothMailboxes_Purge"

For more specific targeting, you can refine the ContentMatchQuery:

# Specific sender and recipient (from: is the sender, to: is the recipient)
-ContentMatchQuery "(from:sender@bear.local) AND (to:receiver@bear.local)"

# Subject line and date (KQL phrases use double quotes, so wrap the query in single quotes)
-ContentMatchQuery '(subject:"Urgent Invoice") AND (sent:2025-11-15)'
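The step that is missing from the portal workflow above is a check that the purge actually reached every mailbox in scope. The function below is an added example, not code from the original post: it re-runs the same compliance search after the purge and reports the items still matching per mailbox. It assumes an existing Connect-IPPSSession session, the "PurgeBothMailboxes" search created above, and that the search object's SuccessResults text lists each location as "Location: <mailbox>, Item count: <n>, ...".

```powershell
# Added example (not from the original post): re-run a compliance search
# after purging and report what is still left in each mailbox.
function Get-RemainingItemsPerMailbox {
    param(
        [Parameter(Mandatory)] [string] $SearchName,
        [int] $PollSeconds = 10
    )

    # Re-run the search so the counts reflect the post-purge state
    Start-ComplianceSearch -Identity $SearchName
    do {
        Start-Sleep -Seconds $PollSeconds
        $search = Get-ComplianceSearch -Identity $SearchName
    } while ($search.Status -ne "Completed")

    # Assumption: SuccessResults is a text blob with one
    # "Location: <mailbox>, Item count: <n>, Total size: <bytes>" entry
    # per mailbox; parse those entries into objects
    $pattern = 'Location:\s*(?<Mailbox>[^,;\s]+)[,;]\s*Item count:\s*(?<Count>\d+)'
    foreach ($m in [regex]::Matches($search.SuccessResults, $pattern)) {
        [pscustomobject]@{
            Mailbox   = $m.Groups['Mailbox'].Value
            Remaining = [int] $m.Groups['Count'].Value
        }
    }
}

# Usage: flag any mailbox in the search scope that still holds matches.
# A non-zero count usually means more than the 10-item-per-run purge limit
# matched (purge again) or a mailbox was left out of -ExchangeLocation.
Get-RemainingItemsPerMailbox -SearchName "PurgeBothMailboxes" |
    Where-Object Remaining -gt 0 |
    ForEach-Object { Write-Warning "$($_.Mailbox) still has $($_.Remaining) matching item(s)" }
```

Where litigation hold applies, the hard-deleted copies sit in Recoverable Items\Purges and remain searchable, so a non-zero count on a held mailbox is expected rather than a failed purge.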

What About Litigation Hold?

If litigation hold is enabled (which it often is for compliance reasons), "hard delete" doesn't actually remove messages permanently. Instead, it moves them to the Purges subfolder within Recoverable Items. This folder is:

  • Invisible to users
  • Retained for compliance
  • Still searchable by administrators
  • Only cleared when retention expires or litigation hold is removed

This is by design and ensures you maintain compliance while still removing messages from user visibility.

When to Use Each Tool

Use Email Explorer when:

  • You need to quickly remove phishing/malware from recipient inboxes
  • You're focused on threat remediation
  • Speed is more important than comprehensive removal

Use Content Search in Purview when:

  • You need to remove messages from several specific mailboxes
  • You want to purge from both senders and recipients
  • You need more granular control over the scope
  • You're doing data spillage cleanup

Understanding this distinction has saved me hours of confusion and helped me respond more effectively to security incidents. The tools work as designed - they're just designed for different purposes, and Microsoft could definitely make this clearer in their documentation.

Final Note on Safety

The fact that remediation reports "success" when it hasn't touched the sender's mailbox could be dangerous if you're not aware of this behavior. During a security incident, you might think you've fully contained a threat when compromising messages still exist in the sender's mailbox. Always verify your remediation scope and use the right tool for your specific needs.

Remember: Email Explorer is for cleaning up delivered threats. Content Search is for comprehensive message purging across specified mailboxes. Choose accordingly.
