- What’s New in Exchange 2013 – “It’s impossible to summarize everything that’s new in Exchange 2013 into one hour and a half, yet this session will provide you with a good understanding of what’s new in the latest version of Exchange. We will be talking about many things including the new architecture, high availability and new features. A must for everyone who hasn’t been able to get up to speed yet!”
- Exchange 2013 ABC’s: Architecture, Best Practices and Client Access – “This session is packed with all there is to know to get started with Exchange 2013! See how the architecture evolved and learn how to deploy Exchange 2013 in coexistence with legacy version based on real-life experience and examples.”
It seems like I do a search and destroy to find and delete phishing attempts before they are opened–and possibly believed–by the end users at least once a month. We all see random phishing attempts using the names of banks and social media giants all the time. Most anti-spam software catches those easily. Unfortunately, if you have more than a few thousand users, you are probably big enough for someone to try crafting more targeted attacks against your organization. Although most of these targeted phishing attacks are of the same spectacularly inept quality as the more run-of-the-mill variety, some of them are very clever. (Not that it matters all that much. Despite years of training and at least a 7th grade education, some email users still fall for “Please do click on link to verfyi your account informations.” Sigh.) A few of these attempts are bound to sneak past your multi-layered anti-spam filters no matter what you do, and it’s important to yank them from the end users’ mailboxes as quickly as possible before someone gives away their username and password.
Here’s the cmdlet I run to search and destroy phishing attacks that get past all our other filters:
Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery "Subject:'Company E-Mail Upgrade' and From:'firstname.lastname@example.org'" -TargetMailbox "jay.test" -TargetFolder "Phishing-DeletedMessages" -LogLevel Full -DeleteContent
This cmdlet searches all mailboxes on the system for messages that meet the SearchQuery value and then moves them to the target mailbox, deleting them from the source mailbox. It’s critical that you get the SearchQuery value right. If you aren’t very careful, you could delete a lot of email that you shouldn’t. Here are some common values you can include in your SearchQuery:
- Subject: The message subject. Enclose in single quotes.
- From: The sender. Enclose in single quotes.
- To: A recipient in the To field. Enclose in single quotes.
- Cc: A recipient in the Cc field. Enclose in single quotes.
- Sent: The date the message was sent. Do not enclose in single quotes.
- Attachment: The name of an attachment. Enclose in single quotes.
You can combine these values in different ways using logical operators. Here are a couple more examples of strings I’ve used for the SearchQuery value:
- "Subject:'Company upgrade' and To:'email@example.com'" – Searches for any messages with email@example.com in the To field and “Company upgrade” in the Subject field.
- "Subject:'Reset your password' and (From:'email@example.com' or From:'firstname.lastname@example.org')" – Searches for any messages with a subject of “Reset your password” from either email@example.com or firstname.lastname@example.org.
Be very careful with the subject, recipient, and sender values. If you search for all messages with a subject of “Company” you will also get all messages with the subject “Company picnic” and “Company meeting – mandatory!” The SearchQuery assumes there is a wildcard at the end of the text strings. You might want to test your search against a single mailbox before running it against the entire system.
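One way to follow that advice, as an added example rather than the author's own script: it stages the search with Search-Mailbox's -EstimateResultOnly and -LogOnly switches before anything is deleted. The pilot mailbox name and the per-mailbox ceiling are assumptions; the query, target mailbox and folder are the ones from the command above.

```powershell
# Added example: stage the search before any -DeleteContent run.
$query     = "Subject:'Company E-Mail Upgrade' and From:'firstname.lastname@example.org'"
$pilot     = 'pilot.user'                # assumed: one mailbox known to hold the message
$target    = 'jay.test'                  # review mailbox from the command above
$folder    = 'Phishing-DeletedMessages'
$maxPerBox = 5                           # assumed ceiling for hits in any one mailbox

# Stage 1: count matches in the pilot mailbox only. Nothing is copied or deleted.
$pilotHit = Search-Mailbox -Identity $pilot -SearchQuery $query -EstimateResultOnly
if ($pilotHit.ResultItemsCount -eq 0) {
    throw "No match in $pilot. Check the query, or wait for content indexing to catch up."
}

# Stage 2: estimate across every mailbox and keep only the ones with hits.
$hits = @(Get-Mailbox -ResultSize Unlimited |
    Search-Mailbox -SearchQuery $query -EstimateResultOnly |
    Where-Object { $_.ResultItemsCount -gt 0 })
$hits | Sort-Object ResultItemsCount -Descending |
    Format-Table Identity, ResultItemsCount, ResultItemsSize -AutoSize

# The trailing wildcard can sweep in legitimate mail; stop if any mailbox
# holds more matches than one phishing run should produce.
$tooMany = @($hits | Where-Object { $_.ResultItemsCount -gt $maxPerBox })
if ($tooMany.Count -gt 0) {
    throw "$($tooMany.Count) mailboxes exceed $maxPerBox matches. Tighten the query."
}

# Stage 3: write a log of the matches to the review mailbox, still without deleting.
$hits | ForEach-Object { Get-Mailbox -Identity $_.Identity } |
    Search-Mailbox -SearchQuery $query -TargetMailbox $target -TargetFolder $folder `
        -LogOnly -LogLevel Full

# Pause so the log in the target folder can be read before anything is removed.
Read-Host "Review the log in '$folder' of $target, then press Enter to delete" | Out-Null

# Stage 4: run the delete against the same mailboxes.
# -Force is omitted so the confirmation prompt stays on.
$hits | ForEach-Object { Get-Mailbox -Identity $_.Identity } |
    Search-Mailbox -SearchQuery $query -TargetMailbox $target -TargetFolder $folder `
        -LogLevel Full -DeleteContent
```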
Tip: You can also use this cmdlet to remove a mass, derogatory email sent by a disgruntled, soon-to-be ex-employee.
And yet another caution: If your mailbox servers haven’t completed indexing all instances of the message you want to find and delete, guess what? It won’t find and delete them. In a small Exchange organization, that’s not a big deal. If you have thousands or tens of thousands of mailboxes, it might take some time.
You could probably do all of this using the Discovery features of the ECP, but I find the PowerShell interface to be much easier to understand and faster to use.
Earlier this week I had a Lync 2010 customer who couldn’t log in. He wasn’t getting any error messages; Lync just continued trying to connect to the server without erroring or timing out. This fixed it:
- Deleted these two folders:
- Opened Credential Manager and deleted any credentials that referred to OC or SIP in connection with the Lync domain name.
I could have enabled Lync logging to diagnose exactly what was going on before taking out the hammer, but sometimes you just have to give it a good whack and move on.