Is it possible for a user to delete emails without a trace in Microsoft 365? Can a user bypass Recoverable Items?

If nefarious employees want to cover their tracks, it might be tempting to delete incoming emails as soon as they’re received, or outgoing emails as soon as they’re sent. But will this actually work? Is it possible to bypass the Recoverable Items feature in Exchange Online?

TL;DR summary 

We ran some experiments to see if it’s possible to permanently delete emails without a trace. Here’s what we found: 

  1. Ordinary users cannot delete items “without a trace.” 
  2. Microsoft 365 in its default configuration is sufficient. You don’t need to turn on Journaling or use any of the Enterprise features like Legal Hold. 
  3. A good backup solution for Microsoft 365, like BackupAssist 365, can capture deleted emails when configured to back up the Recoverable Items folder. 

Why are people confused about this? 

It’s clear that if you run one of these kinds of solutions: 

  1. Journaling in Exchange Online 
  2. Legal Hold 

then every incoming and outgoing email to any mailbox will be captured. If you run a mail archiver on your mail gateway, then additionally, emails coming in and out of the domain will be captured there. 

However, what if you’re not running any of these kinds of solutions? Is there a grey area here? 

This article assumes you haven’t turned on those enterprise features, and you’re running Microsoft 365 (Office 365) in its default configuration. Is it still possible for your users to delete items without a trace? 

There is confusion about this topic because there are webpages that say this is possible. For instance, the article Securely Deleting Email published by Tufts University suggests that it’s possible to securely delete and purge emails from your account, such that “they can no longer be recovered.” It also gives instructions on how to purge your items from the Recoverable Items folder. 

This creates the impression that Recoverable Items can be bypassed. 

We ran through their process and gathered the results. 

Our experiments and the results 

We followed this process to examine whether the “securely deleting email” procedure can work: 

  1. Create a test email from an external domain. 
  2. Follow the instructions outlined in the Tufts University guide. 
  3. Configure BackupAssist 365 to back up the Recoverable Items folder. 
  4. Inspect the backup to see if the item, which should no longer exist, was captured in the backup. 

Step 1: a test email was sent from an external domain to an account called “bill.gates@rarenerds.com” 

Step 2: we logged in as bill.gates@rarenerds.com and followed the steps.

  1. Delete the email from the Inbox. It now ends up in the Deleted Items folder.
  2. Delete the email from Deleted Items. It now ends up in the Recoverable Items folder.
  3. Delete the email from Recoverable Items. It is now “permanently deleted.”

Step 3: configure BackupAssist 365 to back up the mailbox and then run the backup. 

You can download BackupAssist 365 and follow the instructions given to set up a backup of Microsoft 365. Here are our pointers: 

  1. Make sure you check the “Download recoverable items” checkbox when configuring the backup.
  2. Run the backup. You’ll get a backup report showing the result; here, 1 item was downloaded.
  3. The progress information shows that 1 item was downloaded from the Recoverable Items / Purges folder.

Step 4: inspect the PST file.  

If we open the backup PST file created by BackupAssist 365, we can see the purged item is correctly backed up. 

You can see clearly that the test email was eventually backed up and stored in the backup PST file, created by BackupAssist 365. 

There was no way for bill.gates@rarenerds.com to circumvent a good backup strategy! 

Out of scope: malicious action by the administrator 

We have not examined the case where there is malicious action by the administrator. This is out of scope, because of the complexities of what an administrator can do – such as deleting the entire tenant, deleting the backups, and so on. 

Conclusion 

As demonstrated by our experiment, following the Tufts University guide does not cause emails to vanish without a trace. An ordinary user cannot “securely delete email” and bypass company backup policies. 

Even Microsoft 365 in its default configuration will enable you to capture purged items via backup software such as BackupAssist 365. 

This will be very reassuring for business owners and corporate HR, who need to protect themselves from malicious employee action. 

However, if you do not perform backups of Microsoft 365, then items will eventually disappear. Recoverable Items only stay there up to the Deleted Item retention time, which is 14 days by default. So, for a permanent copy of these deleted and purged items, we recommend using a backup solution for Microsoft 365, such as BackupAssist 365. BackupAssist 365 will also retain backup data for users that have been deleted, making it ideal for keeping historic data. 
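
An administrator can check how long each mailbox keeps its purged items, and how many are waiting in Recoverable Items, with Exchange Online PowerShell. The script below is an added example, not part of the original article or of BackupAssist 365; the `$BackupIntervalDays` variable and its value of 7 are assumptions to replace with your own backup schedule.

```powershell
# Added example: report deleted item retention and Recoverable Items contents per mailbox.
# Requires the ExchangeOnlineManagement module and an Exchange administrator account.
Connect-ExchangeOnline

# Assumption: number of days between backup runs that include Recoverable Items.
$BackupIntervalDays = 7

$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    # Deleted item retention comes back as d.hh:mm:ss (14.00:00:00 by default).
    $retention = [TimeSpan]::Parse($mbx.RetainDeletedItemsFor.ToString())

    # Statistics for the hidden Recoverable Items folder tree of this mailbox.
    $folders   = Get-MailboxFolderStatistics -Identity $mbx.UserPrincipalName -FolderScope RecoverableItems
    $deletions = $folders | Where-Object Name -eq 'Deletions' | Select-Object -First 1
    $purges    = $folders | Where-Object Name -eq 'Purges'    | Select-Object -First 1

    [pscustomobject]@{
        Mailbox             = $mbx.UserPrincipalName
        RetentionDays       = $retention.TotalDays
        # Items removed from Deleted Items but not yet purged by the user.
        DeletionsItems      = [int]$deletions.ItemsInFolder
        # Items the user has "permanently deleted", as in step 2 of the experiment.
        PurgedItems         = [int]$purges.ItemsInFolder
        # True when a purged item could age out before the next backup run captures it.
        BackupTooInfrequent = ($BackupIntervalDays -ge $retention.TotalDays)
    }
}

# Mailboxes with the most purged items first.
$report | Sort-Object PurgedItems -Descending | Format-Table -AutoSize
```

A mailbox flagged `BackupTooInfrequent` needs a shorter backup interval or a longer deleted item retention period before its purged items can be relied on to reach a backup.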

If protecting your company from nefarious activities is a priority, then you can download a free 30 day trial of BackupAssist 365 and thwart such activities today! 
