If you are managing an enterprise, you will undoubtedly encounter malicious emails targeting your end users. Ideally, you could delete these messages from within your end users’ mailboxes. Normally, this is a premium feature, but if you have configured your G-Suite environment to use PSGSuite, it can be accomplished with some pretty basic scripting.
Run an Email Log Search from within the GUI, validate your results, and generate/download the .CSV file. This script will ingest the message information from that file and permanently delete all of the emails from end users’ mailboxes, even if they are in spam or trash. There is no hope of recovering emails deleted in this manner, so an abundance of caution is warranted.
How does it work? The G-Suite GUI provides a message’s RFC 822-format message ID, but to remove the message from mailboxes we need the GUID that Google assigns to each unique message. This script uses the RFC 822-format message ID to look up Google’s message GUID, then removes the message from the end user’s mailbox.
Here is the link to the script on my GitHub: https://github.com/p8nflnt/Cloud-Toolbox/blob/main/PSG-SearchAndDestroy.ps1
<#
.SYNOPSIS
ingest the auto-generated .CSV file from a G-Suite Email Log Search
& permanently delete those specified emails from end users' mailboxes
.NOTES
Name: PSG-SearchAndDestroy
Author: Payton Flint
Version: 1.0
DateCreated: 2024-Apr
.LINK
https://github.com/p8nflnt/Cloud-Toolbox/blob/main/PSG-SearchAndDestroy.ps1
Cloud – Search and Destroy Malicious Emails From End Users’ G-Suite Mailboxes
#>
# import message events from .CSV file
$messageEvents = Import-Csv "<FILEPATH>"

# get messages where event status is 'INSERTED'
$messageEvents = $messageEvents | Where-Object {$_."Event Status" -eq 'INSERTED'}

# add Rfc822MsgId property to each object
$messageEvents | ForEach-Object {
    # initialize variable and modify Id to remove < > characters
    $rfc822MsgId = $null
    $rfc822MsgId = ($_."Message ID".Replace('<', '').Replace('>', ''))
    # add Rfc822MsgId property to object containing the modified Id
    $_ | Add-Member -Name 'Rfc822MsgId' -Type NoteProperty -Value $rfc822MsgId -Force
}

# get each message's Google id
$messageEvents | ForEach-Object {
    # initialize variable
    $message = $null
    # get additional message information
    $message = Get-GSGmailMessageList -User $_."Recipient address" -Rfc822MsgId $_.Rfc822MsgId -IncludeSpamTrash
    # add message's Google id to messageEvent object
    $_ | Add-Member -Name 'Id' -Type NoteProperty -Value $message.Id -Force
}

# permanently delete target messages by id (if present)
$messageEvents | ForEach-Object {
    # if messageEvent's id property is present...
    # ($null goes on the left so the test is a true null check even if Id holds several values)
    if ($null -ne $_.Id) {
        # permanently delete target message by id
        Remove-GSGmailMessage -User $_."Recipient address" -Id $_.Id -Method Delete
    }
}
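Because the deletion cannot be undone, the "validate your results" step can also be enforced in code before anything is removed. The following is an added example, not part of the author's script: it builds a de-duplicated deletion plan from the CSV and keeps only rows whose message ID the analyst has explicitly confirmed. The function name `Get-DeletionPlan`, its parameters, and the sample rows are hypothetical and constructed for illustration; only the three column names come from the script above.

```powershell
# Constructed sample rows (not real log data), limited to the columns the script reads.
$sampleCsv = @'
"Message ID","Recipient address","Event Status"
"<abc123@mail.example.test>","alice@corp.example","INSERTED"
"<abc123@mail.example.test>","Alice@corp.example","INSERTED"
"<abc123@mail.example.test>","bob@corp.example","INSERTED"
"<abc123@mail.example.test>","carol@corp.example","REJECTED"
"","dave@corp.example","INSERTED"
"<weekly-digest@news.example.test>","erin@corp.example","INSERTED"
'@

function Get-DeletionPlan {
    param(
        [Parameter(Mandatory)] [object[]] $MessageEvents,
        # RFC 822 message IDs (without < >) that the analyst has confirmed as malicious
        [Parameter(Mandatory)] [string[]] $ExpectedMessageId,
        # hypothetical safety limit: refuse to build an unexpectedly large plan
        [int] $MaxTargets = 500
    )
    # keep delivered rows that actually carry a message ID and a recipient
    $rows = $MessageEvents | Where-Object {
        $_.'Event Status' -eq 'INSERTED' -and $_.'Message ID' -and $_.'Recipient address'
    } | ForEach-Object {
        [pscustomobject]@{
            Recipient   = $_.'Recipient address'.Trim().ToLower()
            Rfc822MsgId = $_.'Message ID'.Trim().Trim('<', '>')
        }
    } | Sort-Object Recipient, Rfc822MsgId -Unique   # one lookup per mailbox and message

    # allowlist: anything the log search swept up that was not confirmed is skipped, loudly
    $skipped = @($rows | Where-Object { $_.Rfc822MsgId -notin $ExpectedMessageId })
    foreach ($row in $skipped) {
        Write-Warning "Skipping unconfirmed message $($row.Rfc822MsgId) for $($row.Recipient)"
    }
    $plan = @($rows | Where-Object { $_.Rfc822MsgId -in $ExpectedMessageId })
    if ($plan.Count -gt $MaxTargets) {
        throw "Plan has $($plan.Count) targets, above the limit of $MaxTargets. Re-check the search."
    }
    $plan
}

# Review this table before running the lookup and delete stages against the same rows.
$plan = Get-DeletionPlan -MessageEvents ($sampleCsv | ConvertFrom-Csv) -ExpectedMessageId 'abc123@mail.example.test'
$plan | Format-Table -AutoSize
```

Swapping `ConvertFrom-Csv` for `Import-Csv "<FILEPATH>"` runs the same check against the real export, and saving the resulting plan (for example with `Export-Csv`) leaves a record of what was targeted.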