Outlook

Microsoft Exchange limits the number of emails that can be simultaneously deleted from a single mailbox with one command to 10. While it’s possible to delete one email from thousands of mailboxes, the same command used to search for and delete messages across user accounts has a built-in limitation on how many emails it will delete at once.


New-ComplianceSearchAction is a cmdlet (a PowerShell script or operation) that an admin can run on Exchange and that can search through the subject line, body, and metadata fields for certain key terms.


The cmdlet is designed to respond to cyber security breaches (such as purging a phishing email), not to help businesses comply with the need to remediate data pursuant to a protective order.



The PowerShell script to delete emails will specify a named search:

New-ComplianceSearchAction -SearchName "Remove Phishing Message" -Purge -PurgeType SoftDelete


Not every Exchange admin can run this cmdlet. The admin needs to have Discovery Management rights.


The cmdlet transfers emails to the Deletions folder of a user account’s Recoverable Items. (When an Outlook user holds down the SHIFT key and presses DEL, the message is not gone forever - it goes to Recoverable Items.) On Exchange, users’ Outlook data is divided between Recoverable Items, Interpersonal Messaging (IPM - all of the data visible to the user), and non-IPM data (operational data). Recoverable Items contains additional folders:


Purges - items hard deleted when a litigation hold is in place. Emails sent here won’t be deleted until the period set for retention ends. Even then, they will only be deleted once the mailbox is processed by the Managed Folder Assistant, which can be set to run once every 1 to 7 days.

Audits - logs activity in the account.

DiscoveryHolds - items subject to an Office 365 litigation hold that are hard deleted.

Versions - this folder will retain multiple versions of Outlook items that have been modified.


Note that when it is rerun, the cmdlet will include messages in the Recoverable Items folder in the results, so the total count in the results will not change as successive searches are run.


Microsoft has posted a PowerShell script which can be used to delete multiple batches of 10 emails automatically:

. . . but it notes that this is not a supported script, and it cannot be run on multiple mailboxes.
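The following sketch is an added example, not Microsoft's script and not code from the original post. It shows the search-then-purge workflow for a single mailbox, planning the number of purge passes from the first search count because, as noted above, the count does not drop on later runs. The mailbox address, query, and the Wait-Until helper are constructed placeholders, and it assumes an already-connected compliance PowerShell session under an account with the rights described above.

```powershell
# Added example: soft-delete more than 10 matching items from ONE mailbox.
# Mailbox and query are constructed placeholders; adjust before any real use.
$SearchName = 'Remove Phishing Message'
$Mailbox    = 'user@example.com'
$Query      = 'subject:"Constructed phishing subject line"'
$BatchSize  = 10   # per-mailbox limit for a single purge action

# Hypothetical helper: poll a condition until it is true or a timeout expires.
function Wait-Until {
    param([scriptblock]$Test, [int]$TimeoutSec = 900)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    while (-not (& $Test)) {
        if ((Get-Date) -gt $deadline) { throw 'Timed out waiting for job.' }
        Start-Sleep -Seconds 15
    }
}

# 1. Create and start the named search, then wait for it to complete.
New-ComplianceSearch -Name $SearchName -ExchangeLocation $Mailbox `
    -ContentMatchQuery $Query | Out-Null
Start-ComplianceSearch -Identity $SearchName
Wait-Until { (Get-ComplianceSearch -Identity $SearchName).Status -eq 'Completed' }

# 2. Plan the passes from this first count only. Later counts still include
#    items already moved to Recoverable Items, so they cannot end the loop.
$items  = (Get-ComplianceSearch -Identity $SearchName).Items
$passes = [int][math]::Ceiling($items / $BatchSize)
Write-Host "$items matching item(s); planning $passes purge pass(es)."

# 3. Run one purge action per pass. The action is named "<SearchName>_Purge";
#    a finished action of that name is removed before the next pass
#    (assumption: a leftover action would block creating a new one).
$actionName = "${SearchName}_Purge"
for ($i = 1; $i -le $passes; $i++) {
    if (Get-ComplianceSearchAction -Identity $actionName -ErrorAction SilentlyContinue) {
        Remove-ComplianceSearchAction -Identity $actionName -Confirm:$false
    }
    New-ComplianceSearchAction -SearchName $SearchName -Purge `
        -PurgeType SoftDelete -Confirm:$false | Out-Null
    Wait-Until { (Get-ComplianceSearchAction -Identity $actionName).Status -eq 'Completed' }
    Write-Host "Pass $i of $passes completed."
}
```

Because the purge type is SoftDelete, the messages remain in Recoverable Items for the retention period and can be reviewed there after the run.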


Exchange will retain deleted items by default for up to 14 days, but this period can be increased to 30 days.

Running searches in Outlook is not necessarily a straightforward affair. You can use standard Boolean operators when running a search:


A search for: law firm will return any messages which include both terms.

A search for: law, firm will return any messages which include either term.

A search for: law OR firm will return any messages which include either term.

A search for: law AND firm will return any messages which include both terms.

A search for: “law firm” will return any messages which include this phrase.


See confirmation on this here. Note that when you run a search for “law, firm” in the standard Find tool accessed in the Inbox, it will be run as an ‘AND’ Boolean search, law AND firm, but a search for “law, firm” in Advanced Find acts as an ‘OR’ Boolean search, law OR firm.


Entering a search term in Outlook without an asterisk will run a wildcard search for the term (or string). So a search for: law will return messages which include the terms ‘lawful’, ‘lawyer’, etc.


If you search in the Find tool at the top right of the Inbox, Outlook will, with the default setting to search the current mailbox, search through the text of all attachments to email messages. However, the default setting in Outlook will limit the results to 250 messages. You can remove this limit, in Outlook 2019, by going to File . . . Options . . . Search, and unchecking the ‘Improve search speed by limiting the number of results shown’ box.



This only increases the search result limit to about 1000. [The limit appears to be 1050 – based on my tests, when a search is run for very common terms in a full Inbox such as “conflict check” or “district court”, only 1050 messages appear in the results. I can’t find confirmation of this on Microsoft's site.] It’s possible that a change to a registry key would remove the limit altogether. See: https://answers.microsoft.com/en-us/outlook_com/forum/all/critical-outlook-search-issue/36980334-1a74-4db8-b989-39ea12b693c8


In order to get complete search results, you need to switch the setting from ‘Current Mailbox’ to ‘All Outlook Items’.


[To be clear, if the ‘Improve search speed by limiting the number of results shown’ box is checked, it won’t matter if you have ‘All Outlook Items’ selected, the result limit will still be 250.]


After the search is run, you will still need to click the option to pull up more results at the bottom of the screen.



When searching in Outlook, there's also the option of using the Advanced Find tool. Click in the search box at the top right of the screen and a new ‘Search’ tab will appear. Select ‘Advanced Find’ from the Search tools menu.



Advanced Find does not have the same search results limitation. However, even if the search is set to be run in “subject field and message body”, or “frequently used text fields”, the search will not include the text of attachments to email messages. So far as I know, Advanced Find does not give you a way to search the text of attachments.


It would be possible to run a search in Advanced Find for references to a term or terms that occur in the email body or subject field, and then run a search using the standard Find tool which was only focused on the text of attachments. On the Search tab, from the + More menu, select ‘Attachment Contains’.



If the search term you’re looking for appears in the text of an attachment to no more than 1,000 messages, you should get everything you’re targeting by combining the results from Advanced Find and the standard search tool.




Also note that when running a search in the standard Find tool, it may take some time to complete even after you have clicked the option to show More results. Look for this notification at the bottom of the screen:






Here's a simple tip showing how you can color code your unread emails in Outlook to help organize your inbox.


You've probably noticed that you can categorize emails in a separate field which is accessed simply by selecting one or more emails and right clicking:


However, this will only add a colored block next to the date, author, subject, and other displayed email metadata fields.


To change the color of the entire row, go to View . . . View Settings:

Click on 'Conditional Formatting' . . .


. . . and then click 'Add' to create a new rule, and set a specific font and color for the rule.



. . . then click on 'Condition' and in the new dialog box on the 'More Choices' tab, click on 'Categories'.



Set and rename the category you want the Font color change to be assigned to.



The appearance of the messages in your Inbox will update each time they are categorized.





Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco.   He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.

If you have a question or comment about this blog, please make a submission using the form to the right. 

© 2015 by Sean O'Shea.