GAM: Phishing Email IR

GAM is a powerful tool but with great power comes great responsibility. Some commands can cause irreversible changes if used incorrectly, so always test and proceed with caution.

GAM Documentation and Installation Instructions: https://github.com/GAM-team/GAM/wiki

GAM Commands

Query User Inbox for a Specific Message

You can locate a specific email by Message-ID or by Subject line.


gam user <user email> show messages query "rfc822msgid:<message ID>"

Or:


gam user <user email> messages query "subject:<Email Subject>"

Delete a Single Email

To delete an email (after exporting for safety), use:


gam user <user email> export messages query "rfc822msgid:<message ID>" targetfolder <folder path>

Delete a Single Email From Multiple Accounts

If you need to remove a message across many accounts, use a CSV list of users.

By Message-ID:


gam csv "users.txt" gam user "~<file header name>" delete messages query "rfc822msgid:<message id>" doit

Or by Subject line:


gam csv "users.txt" gam user "~<file header name>" delete messages query "subject:<subject line>" doit

Export Email for Analysis

If you need to capture a message before deletion:


gam user <user email> export messages query "rfc822msgid:<message ID>" targetfolder <folder path>

Final Thoughts

These commands are extremely helpful when cleaning up mailboxes or transferring files, but mistakes can result in permanent data loss. Always:

Test with non-critical accounts first
Double-check IDs, subjects, and emails
Consider exporting data before deletion

Greenbush K12 Tech Blog

Search This Blog