EXPEL BLOG

Explore Expel’s auto remediations: Remove malicious email


· 5 MIN READ · JAKE GODGART · AUG 26, 2025 · TAGS: AI & automation

TL;DR

 

No matter how good your secure email gateway is, something malicious will eventually slip through. It’s not a matter of if, but when. That one email—a slick credential harvester disguised as a password reset or a fake invoice carrying a malware loader—sits like a digital time bomb in a user’s inbox. The longer it sits there, the higher the chance someone clicks it, especially if it arrives after-hours or on a busy Monday morning.

This is the exact pain point the remove malicious email action is built to solve.

Think of it as a remote-controlled cleanup crew for your company’s inboxes. When we spot a malicious email that has already been delivered, we can reach in and pull it out of every single mailbox it landed in—that’s an immediate risk reduction. By removing the threat directly from the user’s line of sight, we slam the window of opportunity shut before they can click a bad link, open a weaponized attachment, or get tricked into wiring money to a fraudster. It turns a potential five-alarm fire into a non-event, and it does it fast.

 

How it works

Let’s walk through a scenario we’ve seen more times than we can count. An attacker, knowing your company uses a specific single-sign-on (SSO) provider, crafts a nearly perfect phishing email. It looks like an urgent security alert from your IT department, complete with company logos and branding, telling users they must click a link to update their security settings immediately or risk being locked out. The link looks legitimate, the sender address is spoofed to look convincing, and it bypasses your initial email filters because the page it links to is brand new: no reputation data or signature exists for it yet.

The email lands in the inboxes of a hundred employees. The clock is now ticking.

This is where Expel comes in. The response can be triggered in a few ways:

  • A savvy user reports it: An employee spots something phishy and uses the phishing report button in their email client. This is the best-case scenario. That report lands directly in our queue for analysis.
  • Post-delivery detection: One of your integrated security tools, like Proofpoint or Abnormal Security, re-scans the email hours later and flags a URL as malicious based on new intelligence.
  • Our own investigation: During an investigation into other suspicious activity, our analysts might uncover a phishing campaign and realize that related emails have already hit user inboxes.

Once we get the signal, our analysts—or our own automated analysis engine—jump on it. And we’re not just taking an alert at face value. We’re tearing the email apart to confirm it’s the real deal before we act.

 

When to expect Expel to use this action

This isn’t an action we use lightly, but it’s incredibly effective in the right situations. Based on the permissions you set, you can expect us to pull the trigger on removing an email when we see:

  • Confirmed phishing lures: These are the bread and butter of email threats. If we confirm an email is designed to steal credentials or trick users, we want it gone.
  • Malware delivery attempts: An email with an attachment that we’ve confirmed is a loader, infostealer, or trojan has no business sitting in an inbox. We’ll pull it before it can be executed.
  • Business email compromise (BEC) scams: When we identify a fraudulent email trying to get an employee to pay a fake invoice or buy gift cards, we remove it to prevent financial loss.
  • Internal threat spread: If an attacker compromises an internal account and starts phishing your other employees, removing those internal emails is a critical containment step to stop the bleeding.
  • Threat intel-driven removals: Sometimes a URL or attachment is benign on delivery but is weaponized later. When new intelligence flags a delivered message as hostile, we can go back and clean it up.

 

The remove malicious email auto remediation workflow

So, how does it all come together? Let’s use our fake IT security alert scenario and walk through the play-by-play.

1. Detection & identification

The process kicks off when a sharp-eyed employee in your accounting department notices the “urgent” email and thinks, “this feels off.” They use the integrated phishing reporting button in Outlook. This action forwards the email—with all its critical headers and metadata—straight into Expel Workbench™ for analysis. We now have our hands on the potential threat, identified by its unique message-id, sender, subject, and content.

Example: The reported email from “IT Security” with the subject “Urgent Action Required: Update Your Security Settings” is flagged and sent to our SOC.

2. Validation & context

This is where our analysts pop the hood. An automated alert is one thing, but we need to be certain before we start deleting things from user inboxes. The analyst works a checklist: Is the sender’s domain legitimate or a clever look-alike? Do the headers show signs of spoofing, such as failed SPF, DKIM, or DMARC results, or a Return-Path that doesn’t match the From address? What do threat intelligence feeds say about the sending IP and the URL in the email body? Then they detonate the link in a sandbox and see where it really goes. This validation step ensures we only act on genuinely malicious emails and avoid disrupting business by pulling a legitimate, albeit poorly written, email.

Example: Our analyst confirms the link leads to a credential harvesting site designed to clone your SSO portal. Threat intel confirms the domain was registered just hours ago. It’s 100% malicious.
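The header side of that checklist is mechanical enough to script. The snippet below is an added example, not Expel’s code or anything from Workbench: it parses a reported message, reads the receiving MX’s Authentication-Results header, compares the From domain with the envelope sender, and checks both the sender domain and every link host for look-alikes of the domains you own. The trusted domain (example.com), the confusable-character table, and both sample messages are constructed for the example; sandbox detonation and threat-intel lookups need network access and are left out.

```python
"""Header triage for a user-reported phishing email.

Added example, not Expel's code. It walks the "validation & context" checklist:
is the From domain ours or a look-alike, does the envelope sender match the
header sender, what did the receiving MX record for SPF/DKIM/DMARC, and do the
links point at a look-alike host. Both messages below are constructed.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the domains your organisation legitimately sends mail from.
TRUSTED_DOMAINS = {"example.com"}
# Assumption: a small table of digit-for-letter swaps seen in look-alike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
URL_RE = re.compile(r"https?://[^\s<>\"']+")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)


def normalize_domain(domain):
    """Collapse common confusable substitutions so examp1e.com compares equal to example.com."""
    d = domain.lower().rstrip(".").translate(CONFUSABLES)
    return d.replace("rn", "m").replace("vv", "w")


def lookalike_of(domain):
    """The trusted domain this hostname imitates, or None if it is trusted or unrelated."""
    d = domain.lower().rstrip(".")
    for trusted in TRUSTED_DOMAINS:
        if d == trusted or d.endswith("." + trusted):
            return None                                   # our own domain or a subdomain of it
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if normalize_domain(d) == normalize_domain(trusted) or brand in d:
            return trusted                                # examp1e.com, example.com.login-verify.net
    return None


def parse_auth_results(header_value):
    """Pull the spf/dkim/dmarc verdicts out of the receiving MX's Authentication-Results header."""
    return {k.lower(): v.lower() for k, v in AUTH_RE.findall(str(header_value or ""))}


def domain_of(address_header):
    return parseaddr(str(address_header or ""))[1].rpartition("@")[2].lower()


def triage(raw_message):
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    from_domain = domain_of(msg["From"])
    envelope_domain = domain_of(msg["Return-Path"])
    auth = parse_auth_results(msg["Authentication-Results"])
    findings = []

    target = lookalike_of(from_domain)
    if target:
        findings.append(f"From domain {from_domain} imitates {target}")
    if from_domain in TRUSTED_DOMAINS and auth.get("dmarc") != "pass":
        # Header claims our own domain but the MX could not authenticate it: a direct spoof.
        findings.append(f"From claims {from_domain} but dmarc={auth.get('dmarc', 'missing')}")
    if envelope_domain and envelope_domain != from_domain:
        # Weak signal on its own (bulk senders do this legitimately), so it only adds to the count.
        findings.append(f"Return-Path domain {envelope_domain} differs from From domain {from_domain}")

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if lookalike_of(host):
            findings.append(f"link host {host} imitates {lookalike_of(host)}")

    verdict = "likely-phish" if len(findings) >= 2 else "analyst-review" if findings else "no-header-indicators"
    return {"message_id": str(msg["Message-ID"]), "subject": str(msg["Subject"]),
            "from_domain": from_domain, "auth": auth, "findings": findings, "verdict": verdict}


# Constructed: the spoofed "IT Security" alert, as a phishing-report button would forward it.
REPORTED_RAW = b"""Received: from mail.login-verify.net ([203.0.113.10]) by mx.example.com with ESMTPS
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=login-verify.net; dkim=none; dmarc=none header.from=examp1e.com
Return-Path: <bounce@login-verify.net>
From: IT Security <it-security@examp1e.com>
To: all-staff@example.com
Subject: Urgent Action Required: Update Your Security Settings
Message-ID: <c0ffee@login-verify.net>
Content-Type: text/plain; charset=utf-8

Your account will be locked in 24 hours. Update now: https://example.com.login-verify.net/update
"""

# Constructed: a genuine notice from the real IT team, for contrast.
LEGIT_RAW = b"""Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Return-Path: <it-security@example.com>
From: IT Security <it-security@example.com>
To: all-staff@example.com
Subject: Scheduled VPN maintenance this Saturday
Message-ID: <7f3a@mail.example.com>
Content-Type: text/plain; charset=utf-8

The VPN will be down 02:00-04:00 UTC. Details: https://intranet.example.com/maintenance
"""

if __name__ == "__main__":
    for raw in (REPORTED_RAW, LEGIT_RAW):
        result = triage(raw)
        print(result["verdict"], result["findings"])
```

The verdict deliberately needs two independent indicators before it says phish: a Return-Path that differs from the From domain is normal for third-party bulk senders, and a brand name inside a hostname catches look-alikes like example.com.login-verify.net but would also catch an unrelated domain that happens to contain the word. Those are triage signals to hand the analyst, not a replacement for the sandbox and intel steps.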

3. Customer approval check

Before taking action, Workbench checks your settings to determine if remediation is automatically taken, or if the action is assigned to your team for manual completion.

Example: The analyst now confirms this is a high-confidence credential phishing attempt and triggers a remediation action. Based on your settings, Expel’s Workbench auto remediation will either automatically remove the email, or it will require action from your team to complete.

4. Execution

The Workbench platform sends a command via API to your email service (for Microsoft 365 that’s the Microsoft Graph API; for Google Workspace, the Gmail API). The command searches every mailbox for copies of the malicious message using its identifiers, such as the Message-ID, sender, and subject. Because the Message-ID is assigned by the sending system, it is matched alongside the sender and subject rather than trusted on its own. Each copy found is then removed, typically as a soft delete that moves the email out of the inbox into the user’s trash or Deleted Items folder, where it stays recoverable for a retention period, just in case.

Example: Workbench instructs Microsoft 365 to find all the copies of the malicious email and move them to each user’s ‘Deleted Items’ folder. Within minutes, the threat is gone from every inbox.

5. Confirmation & next steps

Workbench receives a confirmation from your email platform that the action was successful. This is logged for full transparency, so you can see exactly what we did, why, and when. But our job isn’t over. The immediate threat is contained, but now we need to assess the impact. We’ll immediately investigate to see if anyone clicked the link before we removed the email.

Example: The logs show three users clicked the link before the email was removed. This triggers a follow-up action. We notify your team, recommend immediate password resets and revocation of active sessions for those three users (a reset alone doesn’t invalidate a session the attacker has already established), and add the malicious URL to your web proxy blocklist to prevent any further access. The incident is contained, the impact is quantified, and the follow-up actions are already in motion.
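Steps 4 and 5 together, as an added example rather than Expel’s or Microsoft’s code. It issues two real Microsoft Graph calls per mailbox: a GET on /users/{upn}/messages filtered by internetMessageId to find copies, and a POST to /users/{upn}/messages/{id}/move with destinationId "deleteditems" for the soft delete. The HTTP client is passed in, so the run below works offline against a constructed three-mailbox tenant (fake_graph) and a constructed proxy log; a real run would pass a client that adds a bearer token and performs the requests. The tenant, the mailbox names, the log format, and the removal timestamp are all assumptions for the example.

```python
"""Pull every delivered copy of a confirmed-malicious email, then measure who clicked.

Added example (not Expel's or Microsoft's code). The Graph requests are real:
  GET  /users/{upn}/messages?$filter=internetMessageId eq '<id>'&$select=...
  POST /users/{upn}/messages/{graph id}/move  {"destinationId": "deleteditems"}
The HTTP client is injected so the constructed tenant below runs offline.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import parse_qs, quote, unquote, urlencode, urlparse

GRAPH = "https://graph.microsoft.com/v1.0"


@dataclass(frozen=True)
class Indicators:
    """What identifies the reported message. Message-ID is chosen by the *sender*, so it is
    never trusted alone: sender and subject are re-checked before any copy is moved."""
    internet_message_id: str
    sender: str
    subject: str


def find_copies(upn, ind, http):
    """One Graph GET per mailbox; returns only hits that also match sender and subject."""
    mid = ind.internet_message_id.replace("'", "''")        # OData single-quote escaping
    params = {"$filter": f"internetMessageId eq '{mid}'", "$select": "id,subject,from"}
    url = f"{GRAPH}/users/{quote(upn)}/messages?{urlencode(params, quote_via=quote)}"
    hits = []
    for m in http("GET", url).get("value", []):
        sender = m.get("from", {}).get("emailAddress", {}).get("address", "").lower()
        if sender == ind.sender.lower() and m.get("subject") == ind.subject:
            hits.append(m)
    return hits


def soft_delete(upn, graph_message_id, http):
    """Move the copy to Deleted Items instead of DELETE, so a wrong call is recoverable."""
    url = f"{GRAPH}/users/{quote(upn)}/messages/{graph_message_id}/move"
    return http("POST", url, {"destinationId": "deleteditems"})


def remove_everywhere(mailboxes, ind, http):
    """Returns {upn: copies moved}. Mailboxes with zero copies stay in the report so the
    audit trail shows they were searched."""
    report = {}
    for upn in mailboxes:
        copies = find_copies(upn, ind, http)
        for m in copies:
            soft_delete(upn, m["id"], http)
        report[upn] = len(copies)
    return report


def users_who_clicked(proxy_log, malicious_host, removed_at):
    """Step 5: who reached the phishing host (and was allowed through) before removal.
    Constructed log format: ISO time, user, URL, proxy action."""
    clicked = set()
    for line in proxy_log.strip().splitlines():
        ts, user, url, action = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        if urlparse(url).hostname == malicious_host and action == "ALLOW" and when <= removed_at:
            clicked.add(user)
    return sorted(clicked)


# ---- constructed tenant and logs for the offline run (assumptions, not real data) ----
PHISH = Indicators("<c0ffee@login-verify.net>", "it-security@examp1e.com",
                   "Urgent Action Required: Update Your Security Settings")


def _msg(gid, imid, sender, subject):
    return {"id": gid, "internetMessageId": imid, "subject": subject,
            "from": {"emailAddress": {"address": sender}}}


TENANT = {
    "alice@example.com": [_msg("AAMk1", PHISH.internet_message_id, PHISH.sender, PHISH.subject)],
    # bob also holds an unrelated message whose Message-ID collides: the sender check must skip it
    "bob@example.com": [_msg("AAMk2", PHISH.internet_message_id, PHISH.sender, PHISH.subject),
                        _msg("AAMk3", PHISH.internet_message_id, "payroll@example.com", "Q3 payroll")],
    # carol got the real IT team's mail with the same subject but another Message-ID: untouched
    "carol@example.com": [_msg("AAMk4", "<7f3a@mail.example.com>", "it-security@example.com", PHISH.subject)],
}
MOVES = []  # (upn, graph message id) recorded by the fake client


def fake_graph(method, url, body=None):
    """Stand-in for an authenticated Graph client, answering in Graph's response shape."""
    parts = urlparse(url)
    upn = unquote(parts.path.split("/users/")[1].split("/")[0])
    if method == "GET":
        wanted = parse_qs(parts.query)["$filter"][0].split("eq ", 1)[1].strip("'")
        return {"value": [m for m in TENANT[upn] if m["internetMessageId"] == wanted]}
    if method == "POST" and parts.path.endswith("/move") and body == {"destinationId": "deleteditems"}:
        gid = parts.path.split("/messages/")[1].split("/")[0]
        MOVES.append((upn, gid))
        return {"id": gid + "-moved", "parentFolderId": "deleteditems"}
    raise ValueError(f"unexpected call {method} {url}")


PROXY_LOG = """
2025-08-26T08:05:12Z alice@example.com https://example.com.login-verify.net/update ALLOW
2025-08-26T08:06:40Z dave@example.com https://intranet.example.com/maintenance ALLOW
2025-08-26T08:07:03Z bob@example.com https://example.com.login-verify.net/update?u=bob ALLOW
2025-08-26T08:31:55Z erin@example.com https://example.com.login-verify.net/update BLOCK
"""
REMOVED_AT = datetime(2025, 8, 26, 8, 20, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(remove_everywhere(TENANT, PHISH, fake_graph))
    print(users_who_clicked(PROXY_LOG, "example.com.login-verify.net", REMOVED_AT))
```

Two details carry the weight here. The filter finds messages by Message-ID, but the sender-and-subject re-check is what keeps bob’s unrelated payroll message (same Message-ID, different sender) in his inbox, and the move to deleteditems rather than a DELETE is what makes a mistaken removal recoverable. A per-mailbox loop like this is fine for a few hundred users; for a large tenant you would reach for Microsoft’s bulk tooling (a compliance search purge or a Defender for Office 365 soft-delete action) instead of iterating mailboxes one at a time.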

 

How to set it up

If you’re an Expel customer and you like the sound of this, getting it set up is straightforward. It mostly involves ensuring your email security integration is configured correctly in Workbench, and then defining the auto remediation rules you’re comfortable with. Reach out to your Expel account expert, and they can walk you through it.

Not an Expel customer yet, but tired of email-borne threats giving you heartburn? Let’s talk. We can show you how this kind of no-nonsense, practical automation can make a real difference for your team, using the security tools you already own.