Managing Quarantined Email Messages in Microsoft 365 (Office 365)

Exchange Online Protection (EOP) provides spam and malware email filtering for Microsoft 365 (formerly Office 365) tenant user mailboxes. EOP filters are a built-in tool for protecting user mailboxes from spam, malicious emails (phishing scams), and attachments containing viruses and trojans. EOP anti-malware policies allow you to automatically detect potentially dangerous or unwanted messages and place them in quarantine.

When Exchange Online Protection flags an incoming message as unsafe, the user receives a notification in their mailbox that messages have been placed in quarantine. The user can release legitimate emails that were flagged as dangerous directly from this notification.

The quarantine notification reports that a dangerous message has been detected and quarantined. From it, the user can perform one of three actions:

  • Review message — the email will be displayed in plain text or HTML code with a message header;
  • Release email from quarantine to Inbox – use this option if EOP filters mistakenly flagged the message as dangerous. The email is then removed from quarantine and placed in the Inbox folder of your mailbox;
  • Block sender (prevents you from receiving such emails in the future).

The Microsoft 365 user also has the option to do nothing. In this case, the email stays in quarantine for 30 days (by default), after which EOP policies delete it automatically.

A Microsoft 365 administrator can manage quarantined email messages from the Quarantine Portal. The Quarantine Portal is available from the Microsoft 365 Security center.

Go to Review > Quarantine

Note. There is no way to completely disable the quarantine feature in Exchange Online.

You will see a list of quarantined messages that are classified by EOP:

  • Malware;
  • Phishing;
  • High Confidence Phishing;
  • Spam;
  • Bulk Email.

Click on any message to get more details. In this example, the message says “Quarantined due to Anti-spam policy”. The administrator can also perform one of the following actions:

  • Release email;
  • Share email;
  • Preview message;
  • View message headers;
  • Delete from quarantine;
  • Block sender;
  • Submit only.

If you click the ‘Release email’ button, the item will be delivered to the target user’s Inbox.

Various filters are available in the quarantine console to help you find specific messages by:

  • Message ID;
  • Sender SMTP address;
  • Recipient address;
  • Subject;
  • Time received.

If you have several emails that you would like to release from quarantine, you can select multiple emails in the list at once and click the Release button.

You can configure an anti-spam policy through the Microsoft 365 Defender Portal. Go to Policies & rules > Threat policies > Anti-spam policies. By default, two quarantine policies are available here:

  • DefaultFullAccessPolicy;
  • AdminOnlyAccessPolicy.

You can also manage quarantined messages using PowerShell. To do this, you must have the Exchange Online EXO V2 module installed on your computer. Let’s look at some examples of cmdlets for managing quarantined emails.

List messages in quarantine:

Get-QuarantineMessage -PageSize 1000 -Page 1

Note. Only 1000 messages per page are displayed by default.

List messages that are released from the quarantine:

Get-QuarantineMessage -PageSize 1000 -Page 1 | Where-Object { $_.ReleaseStatus -eq "RELEASED" }

Find unreleased quarantine messages from a specific domain or email address:

Get-QuarantineMessage -SenderAddress "*@contoso.com" -pagesize 1000 | where {$_.ReleaseStatus -eq "NOTRELEASED"}

Release the messages from the quarantine:

Get-QuarantineMessage -PageSize 1000 -Page 1 -Type TransportRule -SenderAddress "info@contoso.com" | Where-Object { $_.ReleaseStatus -eq "NOTRELEASED" } | Release-QuarantineMessage -ReleaseToAll
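
Each call above reads a single page, so a sender with more than one page of quarantined mail is only partly covered. The following added example (not from the original article) pages through all results, saves a review list, and dry-runs the release with -WhatIf. It assumes an existing Connect-ExchangeOnline session; the function name Get-AllQuarantineMessage, the CSV path, and the restriction to the Spam and Bulk types are choices made for this illustration.

```powershell
# Added example, not the article's code. Assumes Connect-ExchangeOnline has already been run.
# Get-AllQuarantineMessage is a hypothetical helper name.
function Get-AllQuarantineMessage {
    param(
        [Parameter(Mandatory)]
        [string]$SenderAddress,

        # Only low-severity verdicts by default, so malware and phishing
        # verdicts stay quarantined for individual review.
        [string[]]$Type = @('Spam', 'Bulk'),

        [ValidateRange(1, 1000)]
        [int]$PageSize = 1000
    )

    foreach ($t in $Type) {
        $page = 1
        do {
            # @() forces an array so .Count is reliable for 0 or 1 results.
            $batch = @(Get-QuarantineMessage -SenderAddress $SenderAddress `
                    -Type $t -PageSize $PageSize -Page $page)
            $batch          # emit this page to the pipeline
            $page++
        } while ($batch.Count -eq $PageSize)   # a full page means more may follow
    }
}

# Collect every unreleased message from the sender across all pages.
$pending = @(Get-AllQuarantineMessage -SenderAddress 'info@contoso.com' |
        Where-Object { $_.ReleaseStatus -eq 'NOTRELEASED' })

# Keep a record of what is about to be released (the path is an example value).
$pending |
    Select-Object ReceivedTime, SenderAddress, RecipientAddress, Subject, Type, Identity |
    Export-Csv -Path .\quarantine-release-review.csv -NoTypeInformation

# Dry run: shows what would be released without delivering anything.
# Remove -WhatIf once the CSV has been reviewed.
$pending | Release-QuarantineMessage -ReleaseToAll -WhatIf
```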