Emails sent by External Users are being Quarantined by EOP

Parsian02 20 Reputation points
2025-04-30T08:31:24.4133333+00:00

Hello,

We have recently observed a significant increase in legitimate emails being quarantined by Microsoft 365 Defender (EOP) for both Exchange Online and on-premises users. These emails are being flagged by the anti-spam policies, and this behavior started occurring suddenly across multiple clients.

Based on discussions in several community forums, it appears that this may be related to a recent change or update on Microsoft's end, as many users are experiencing similar issues. This suggests a potential shift in Microsoft's spam filtering algorithms or policy enforcement.

We would appreciate it if you could:

- Confirm whether any recent changes have been made by Microsoft to EOP or Defender policies.
- Provide any official articles, advisories, or announcements regarding this behavior.
- Recommend the appropriate resolution or configuration changes to mitigate these false positives without compromising security.

Thank you for your support.

Microsoft Security | Microsoft Defender | Microsoft Defender for Cloud

1 answer

  1. Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator
    2025-05-02T18:51:01.3966667+00:00

    Hi @Parsian02
    Yes, there is a significant increase in legitimate emails being quarantined by Microsoft 365 Defender (EOP) for both Exchange Online and on-premises users. These emails are being flagged by the anti-spam policies.

    The ability to view quarantined messages is controlled by the quarantine policy that applies to the reason why the message was quarantined (which might be the default quarantine policy as described in Recommended settings for EOP and Microsoft Defender for Office 365 security).

    Microsoft Defender for Office 365 helps deal with important legitimate business emails that are mistakenly blocked as threats (False Positives). Defender for Office 365 can help admins understand why legitimate emails are being blocked, how to resolve the situation quickly, and prevent similar situations from happening in the future.

    For handling legitimate emails that are in the quarantine folder of end users:

    1. An end user receives an email digest about quarantined messages as per the settings enabled by security admins.
    2. End users can preview the messages in quarantine, block the sender, release the messages, submit those messages to Microsoft for analysis, and request release of those emails from admins.

    Follow the document for more information: https://learn.microsoft.com/en-us/defender-office-365/step-by-step-guides/how-to-handle-false-positives-in-microsoft-defender-for-office-365?source=recommendations

    Hope this helps. Do let us know if you have any further queries.
    If this answers your query, do click `Accept Answer` and `Yes`.
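
The end-user steps in the answer above have an admin-side counterpart in Exchange Online PowerShell. The following is an added example, not part of the original thread or Microsoft's guide: it lists messages quarantined by anti-spam policies, groups them by sender domain and policy to show where the false positives cluster, and previews a release with a false-positive report. It assumes a connected `Connect-ExchangeOnline` session with quarantine permissions; the 7-day window and the domain `partner.example` are placeholders.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and an
# existing session (Connect-ExchangeOnline) with rights to manage quarantine.

# Assumption: look back 7 days; set this to when the false positives began.
$start = (Get-Date).AddDays(-7)
$end   = Get-Date

# Page through every unreleased message quarantined with a spam verdict.
$messages = @()
$page = 1
do {
    $batch = @(Get-QuarantineMessage -QuarantineTypes Spam `
                   -ReleaseStatus NotReleased `
                   -StartReceivedDate $start -EndReceivedDate $end `
                   -PageSize 1000 -Page $page)
    $messages += $batch
    $page++
} while ($batch.Count -eq 1000)

# Where do the quarantined messages cluster? Top 20 sender domain / policy pairs.
$messages |
    Group-Object -Property { ($_.SenderAddress -split '@')[-1] }, PolicyName |
    Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name

# Review the messages from one domain you have confirmed is legitimate.
$domain = 'partner.example'   # hypothetical placeholder
$candidates = $messages | Where-Object { $_.SenderAddress -like "*@$domain" }
$candidates | Select-Object ReceivedTime, SenderAddress, Subject, PolicyName

# Preview releasing them to all recipients and reporting them to Microsoft
# as false positives. -WhatIf shows what would happen without doing it.
foreach ($m in $candidates) {
    Release-QuarantineMessage -Identity $m.Identity `
        -ReleaseToAll -ReportFalsePositive -WhatIf
}
```

Remove `-WhatIf` only after checking the subjects and senders in the review step, since a release delivers the message to every original recipient.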

