Emergency message purge and transport rule processing in Office 365 dedicated
In Microsoft Office 365 dedicated, a user may experience one of the following issues:
- Many problems occur with mail queuing or performance.
- An email message that includes incorrect or sensitive content is sent to multiple mailboxes.
The first issue may occur if many email messages or very large email messages are sent to multiple users. This may be related to a denial of service attack.
The second issue may occur if an employee or outside sender sends an email message that is considered inappropriate or that contains sensitive or confidential information.
To resolve these issues, Microsoft can take the following actions:
- Emergency transport rule
  - Removes instances of an email message from transport queues.
  - Keeps new instances of an email message from being delivered to users.
- Emergency message purge
  - Removes instances of an email message from mailboxes.
Scenario 1
A user reports that an email message that includes an attachment was incorrectly sent to a distribution group that has thousands of members. The attachment contains salary information for several hundred users. This issue occurred 30 minutes earlier, and the sender of the email message engaged his or her service desk to request that the email message be removed from the recipients' mailboxes.
Scenario 1: Resolution
To resolve the issue in this scenario, a MOSSUP-recognized authorized requester from your organization must contact Microsoft to request an emergency message purge. To do this, please use the Exchange Online topic and the Message Purge subtopic when you submit a support incident online to Microsoft Online Services Support, or contact Microsoft Online Services Support by telephone. In addition, please provide as much information about the email message as possible. The information should include the sender, the recipients, the subject, the day or time that the email message was sent, and the fact that the email message contains an attachment.
Scenario 2
Users report that they are receiving many copies of an email message from an external sender. Some users reply all and forward the email message. There are some reports of internal messages taking a long time to be received.
Scenario 2: Resolution
To resolve the issue in this scenario, a MOSSUP-recognized authorized requester from your organization must contact Microsoft to request an emergency message purge and an emergency transport rule. To do this, please use the Exchange Online topic and the Message Purge subtopic when you submit a support incident online to Microsoft Online Services Support, or contact Microsoft Online Services Support by telephone. In addition, please provide as much information about the email message as possible. The information should include the sender, the recipients, the subject, the day or time that the email message was sent, and the evidence that is available to indicate that other email messages are delayed. This lets us determine whether an emergency transport rule is necessary.
Scenario 3
An internal process generated many email messages, and all mail delivery is delayed.
Scenario 3: Resolution
To resolve the issue in this scenario, a MOSSUP-recognized authorized requester from your organization must contact Microsoft to request an emergency transport rule to delete these email messages. To do this, please use the Exchange Online topic and the Message Purge subtopic when you submit a support incident online to Microsoft Online Services Support, or contact Microsoft Online Services Support by telephone. In addition, please provide as much information about the email message as possible. The information should include the sender, the recipients, the subject, the day or time that the email message was sent, and the evidence that is available to indicate that other email messages are delayed.
Emergency transport rule
If it is necessary, an emergency transport rule will be created based on the characteristics that are provided, and corresponding email messages will be deleted.
Emergency message purge
The emergency message purge process removes email messages from a user's mailbox based on specific characteristics. These characteristics can include sender, day or time that the message was sent, subject line, and whether there is an attachment. The emergency message purge searches for email messages that match the criteria and then removes these email messages from the mailbox. The email messages in the Recoverable Items folder of the mailbox are also removed. However, the email message is not removed from the Purges folder. This means that the purged item can be recovered individually by an administrator. However, the purged item is not recoverable from Microsoft Outlook and cannot be recovered in a bulk process.
For more information about deleted-item retention and recovery, go to the following Microsoft TechNet website:
Limitations and risks
- Only messages that exist in the customer's managed email environment can be purged.
- Email messages that are sent outside the environment cannot be removed by Microsoft in this process. This includes public email services such as Hotmail and other private email servers.
- If you are using a language that contains double-byte characters (for example, Korean is a language that uses double-byte characters), MOSSUP cannot complete the purge request. However, the customer can perform the message purge by using Windows PowerShell cmdlets in self-service tools.
- Email messages that are saved to .pst files or to a local drive cannot be purged by Microsoft in this process.
- Depending on the number of mailboxes that must be searched, the time to complete this request can vary.
- Email messages are deleted based on their subject, and this process searches for a complete string of words in the subject line. For example, a purge run against the subject "Welcome to the company" will also delete email messages such as "Welcome to the company Bob" or "I felt welcome to the company." Preparation work has to be done before the actual purge to make sure that the correct email messages and recipients are targeted.
- Forward and Reply messages in an email thread cannot be specifically targeted. The message purge must be run against what is known as the normalized subject. The normalized subject is the original message subject but with all system prefixes (for example, "Fw:" or "Re:") removed.
- A date restriction may be specified. However, this is limited to messages that are sent on or after a given date. Currently, you cannot specify a time restriction.
- Any email message that is deleted from a mailbox that has Single Item Retention (SIR) disabled cannot be recovered by Microsoft. Because there is a risk that messages will be unintentionally deleted from mailboxes that have SIR disabled, these mailboxes can be either excluded from the purge (this is the default) or included with the understanding that data that is deleted from these mailboxes cannot be recovered.
- By design, messages from Proofpoint archives cannot be deleted. Therefore, requests for the deletion of these messages will not be processed.
General process narrative
Customers should be aware that they have to work closely with O365 Dedicated Support throughout the following process:
- A MOSSUP-recognized authorized requester must submit a support incident.
Note If you are unsure whether the requester is a member of the list of MOSSUP-recognized authorized requesters, contact your service delivery manager (SDM).
The support incident provides O365 Dedicated Support with the characteristics that are needed to identify the target email message. These include the sender, the subject line, and the date or time that the email message was sent. If a customer other than the MOSSUP-recognized authorized requester should work with O365 Dedicated Support, this should be specified in the support incident. If the customer knows from which recipients' mailboxes they want the email message purged, they should include a list of recipients in the support incident.
- If the case is a Severity A escalation, customers must call O365 Dedicated Support after they submit the support incident.
- The O365 Dedicated Support agent will work to obtain a complete list of the recipients if the customer did not provide this or if the customer is not sure of who should be included in the list of recipients. The agent will do this by searching the message-tracking logs for the message in question and exporting all recipients. This lets the purge process be run against as few mailboxes as possible. Message tracking expedites the process and avoids unexpected consequences. However, message-tracking logs are maintained for only ten days. If the email message was sent more than ten days earlier, the requester must provide a list of recipients.
Note An environment-wide purge can be run against all mailboxes. Depending on the number of mailboxes in the environment and the size of the mailboxes, this process can require up to several days. Such a purge should be done only in situations in which O365 Dedicated Support and the customer requester agree that this is the method of choice.
- The O365 Dedicated Support agent will engage the MOSSUP-recognized authorized requester (or the customer contact who is specified by the MOSSUP-recognized authorized requester) to confirm the recipient list before the agent goes to the next step.
- A pre-purge process is run against the recipient list or all mailboxes. During this process, a search is run against the mailboxes to identify the email message that fits the criteria of the target email message. O365 Dedicated Support will provide the requester with a spreadsheet that includes a list of the users and the number of messages that were found that meet the criteria of the target email message. However, there may be a strong business reason to skip this part of the process. If this is the case, skipping the pre-purge search process should be approved by the MOSSUP-recognized authorized requester.
Note If an authorized requester makes the request to skip the pre-purge process, the CMD must be reviewed by a Technical Lead (TL) before the execution.
Even if the pre-purge search process is skipped, a check should nevertheless be made to make sure that the SIR feature is enabled for all expected recipients and all mailboxes. If the SIR feature is not enabled, the support agent will provide the customer with a list of SIR disabled mailboxes for review. The customer may select to either exclude these mailboxes from the message purge (the default behavior) or include these mailboxes in the purge, with the understanding that the data that is purged from these mailboxes cannot be recovered.
For more information about the SIR feature, go to the following Microsoft TechNet website:
- When O365 Dedicated Support receives the approval, the purge will be run, and a spreadsheet that contains the recipients and the number of email messages that were found will be sent to the customer.
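The subject and date matching described under "Limitations and risks" and the pre-purge count described above can be rehearsed on a message export before a request is submitted. The following is an added example, not Microsoft's purge tooling: it models only the subject and date criteria, and the function names, the prefix set, and the sample messages are assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import date, datetime

# Assumption: prefix set. The page names only "Fw:" and "Re:" as examples.
_PREFIXES = re.compile(r"^\s*(?:(?:re|fwd|fw)\s*:\s*)+", re.IGNORECASE)

def normalized_subject(subject):
    """Subject with leading reply/forward prefixes removed."""
    return _PREFIXES.sub("", subject).strip()

def matches(subject, sent, phrase, on_or_after):
    """Phrase anywhere in the normalized subject, case-insensitive; date only, no time."""
    return (phrase.lower() in normalized_subject(subject).lower()
            and sent.date() >= on_or_after)

def pre_purge_report(messages, phrase, on_or_after,
                     sir_disabled=frozenset(), include_sir_disabled=False):
    """Return (hits per mailbox, skipped SIR-disabled mailboxes, subjects to review)."""
    counts, skipped, review = Counter(), set(), set()
    for mailbox, subject, sent in messages:
        if not matches(subject, sent, phrase, on_or_after):
            continue
        if mailbox in sir_disabled and not include_sir_disabled:
            skipped.add(mailbox)  # default: excluded, purged data would be unrecoverable
            continue
        counts[mailbox] += 1
        if normalized_subject(subject).lower() != phrase.lower():
            review.add(subject)  # matched, but is not the target subject itself
    return dict(counts), sorted(skipped), sorted(review)

# Constructed sample data (mailbox, subject, sent); not from a real environment.
MESSAGES = [
    ("alice", "Welcome to the company", datetime(2015, 3, 2, 14, 0)),
    ("alice", "Welcome to the company", datetime(2015, 2, 27, 9, 0)),   # before the date
    ("bob", "RE: Welcome to the company", datetime(2015, 3, 2, 14, 20)),
    ("bob", "I felt welcome to the company.", datetime(2015, 3, 2, 8, 5)),  # same day, earlier
    ("carol", "Welcome to the company Bob", datetime(2015, 3, 3, 10, 0)),
    ("dave", "Welcome to the company", datetime(2015, 3, 2, 14, 0)),   # SIR disabled
]

if __name__ == "__main__":
    counts, skipped, review = pre_purge_report(
        MESSAGES, "Welcome to the company", date(2015, 3, 2), sir_disabled={"dave"})
    print(counts, skipped, review, sep="\n")
```

The third return value lists subjects that would be purged even though they are not the target subject; in the sample it also catches a message sent earlier on the same day, because no time restriction can be applied.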
2811786 How to control data spillage in Office 365 dedicated and ITAR
Article ID: 2736413 - Last Review: 08/05/2015 07:18:00 - Revision: 16.0
Microsoft Business Productivity Online Dedicated, Microsoft Business Productivity Online Suite Federal