In Microsoft 365 organizations with mailboxes in Exchange Online or Microsoft Teams, or in standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes or Teams, quarantine holds potentially dangerous or unwanted messages that were detected by EOP and Defender for Office 365.
Admins can view, release, and delete all types of quarantined messages and files for all users.
Admins and also users (depending on the user reported settings for the organization) can report false positives to Microsoft from quarantine.
You view and manage quarantined messages in the Microsoft Defender portal or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).
Watch this short video to learn how to manage quarantined messages as an admin.
Take action on quarantined messages for all users: Membership in the Quarantine Administrator, Security Administrator, or Organization Management role groups.
Submit messages from quarantine to Microsoft: Membership in the Security Administrator role groups.
Use Block sender to add senders to your own Blocked Senders list: Admins see Block sender only if they filter the quarantine results by Recipient > Only me instead of the default value All users. Assigning any permission that gives admin access to quarantine (for example, Security Reader or Global Reader) gives access to Block sender in quarantine if the user filters the quarantine results by Recipient > Only me.
Read-only access to quarantined messages for all users: Membership in the Security Reader or Global Reader role groups.
Microsoft Entra permissions: Membership these roles gives users the required permissions and permissions for other features in Microsoft 365:
Take action on quarantined messages for all users: Membership in the Security Administrator or Global Administrator* roles.
Important
* Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
Submit messages from quarantine to Microsoft: Membership in the Security Administrator role.
Use Block sender to add senders to your own Blocked Senders list: Admins see Block sender only if they filter the quarantine results by Recipient > Only me instead of the default value All users. Assigning any permission that gives admin access to quarantine (for example, Security Reader or Global Reader) gives access to Block sender in quarantine if the user filters the quarantine results by Recipient > Only me.
Read-only access to quarantined messages for all users: Membership in the Global Reader or Security Reader roles.
Tip
The ability to manage quarantined messages using Exchange Online permissions ended in February 2023 per MC447339.
Guest admins from other organizations can't manage quarantined messages. The admin needs to be in the same organization as the recipients.
Quarantined messages and files are retained for a default period of time based on why they were quarantined. After the retention period expires, the messages are automatically deleted and aren't recoverable. For more information, see Quarantine retention.
For information about the order of precedence for user allows and blocks and organization allows and blocks, see User and tenant settings conflict.
By default, only the first 100 entries are shown until you scroll down to the bottom of the list, which loads more results.
On the Email tab, you can decrease the vertical spacing in the list by clicking
Change list spacing to compact or normal and then selecting
Compact list.
You can sort the entries by clicking on an available column header. Select
Customize columns to change the columns that are shown. The default values are marked with an asterisk (*):
Time received*
Subject*
Sender*
Quarantine reason* (see the possible values in the
Filter description.)
Release status* (see the possible values in the
Filter description.)
Policy type* (see the possible values in the
Filter description.)
Expires*
Recipient: The recipient email address always resolves to the primary email address, even if the message was sent to a proxy address.
Sender address override reason*: One of the following values:
None
Message sender is blocked by recipient settings
Message sender is blocked by administrator settings
Tip
If a sender is blocked and Don't show blocked senders is selected (default), messages from those senders are shown on the Quarantine page and are included in quarantine notifications when the Sender address override reason value is None. This behavior occurs because the messages were blocked due to reasons other than sender address overrides.
Released by*
Message ID
Policy name
Message size
Mail direction
Recipient tag
To filter the entries, select
Filter. The following filters are available in the Filters flyout that opens:
Message ID: The globally unique identifier of the message.
For example, you used message trace to look for a message, and you determine that the message was quarantined instead of delivered. Be sure to include the full message ID value, which might include angle brackets (<>). For example: <79239079-d95a-483a-aacf-e954f592a0f6@XYZPR00BM0200.contoso.com>.
Sender address
Recipient address
Subject
Time received: Select one of the following values:
Last 24 hours
Last 7 days (default)
Last 14 days
Last 30 days
Custom: Enter a Start time and End time (date).
Expires: Filter messages by when they expire from quarantine. Select one of the following values:
Today
Next 2 days
Next 7 days
Custom: Enter a Start time and End time (date).
Recipient tag: Currently, the only selectable user tag is Priority account.
Quarantine reason: Select one or more of the following values:
Transport rule (mail flow rule)
Bulk
Spam
Data loss prevention
Malware: Anti-malware policies in EOP or Safe Attachments policies in Defender for Office 365. The Policy Type value indicates which feature was used.
Admin action - File type block: Messages blocked as malware by the common attachments filter in anti-malware policies. For more information, see Anti-malware policies.
All users (this is default value, even if it doesn't appear selected)
Only me: Show only messages where whomever is signed in is a recipient. This value is required for administrators to see the Allow sender and Block sender actions.
Blocked sender: One of the following values:
Don't show blocked senders (default)
Show all senders
Tip
If a sender is blocked and Don't show blocked senders is selected, messages from those senders are shown on the Quarantine page and are included in quarantine notifications when the Sender address override reason value is None. This behavior occurs because the messages were blocked due to reasons other than sender address overrides.
Release status: Select one or more of the following values
Needs review
Approved
Denied
Release requested
Released
Policy type: Filter messages by what type of protection policy quarantined the message. Select one or more of the following values:
Anti-malware policy
Safe Attachments policy
Anti-phishing policy
Anti-spam policy
Transport rule (mail flow rule)
Data loss prevention rule
The Policy type and Quarantine reason values are interrelated. For example, Bulk is always associated with an Anti-spam policy, never with an Anti-malware policy.
When you're finished on the Filters flyout, select Apply. To clear the filters, select
Clear filters.
Tip
Filters are cached. The filters from the last sessions are selected by default the next time you open the Quarantine page. This behavior helps with triage operations.
Use the
Search box and a corresponding value to find specific messages. Wildcards aren't supported. You can search by the following values:
Sender email address
Subject. Use the entire subject of the message. The search isn't case-sensitive.
After you've entered the search criteria, press Enter to filter the results.
Note
The Search box searches for quarantined items in the current view (which is limited to 100 items), not all quarantined items. To search all quarantined items, use
Filter and the resulting Filters flyout.
After you find a specific quarantined message, select the message to view details about it and to take action on it (for example, view, release, download, or delete the message).
Tip
On mobile devices, the previously described controls are available under
More.
To see details about other quarantined messages without leaving the details flyout, use
Previous item and Next item at the top of the flyout.
Quarantine details section:
Received: The date/time when the message was received.
Expires: The date/time when the message is automatically and permanently deleted from quarantine.
Subject
Quarantine reason: Shows if a message has been identified as Spam, Bulk, Phish, matched a mail flow rule (Transport rule), or was identified as containing Malware.
Policy type
Policy name
Recipient count
Recipients: If the message contains many recipients, you can use Preview message or View message header to see the complete list of recipients.
Recipient email addresses always resolve to the primary email address, even if the message was sent to a proxy address.
Not yet released to, Released to, and/or Released by: Depending on the state of the message, one or more of the following values might be available:
Not yet released to: Email addresses of recipients that the message hasn't been released to.
Released to: Email addresses of recipients that the message has been released to.
Released by: The admin that released the message using the format: <email address of admin who released the message> released for <recipient>. For example, admin@contoso.onmicrosoft.com released to laura@contoso.onmicrosoft.com. If the end user releases the message, it shows the end user's SMTP address. If the release is carried out by the system, it says, "System released". If the release is not carried by an admin, an end user, or the system, it defaults to "Admin."
The rest of the details flyout contains the Delivery details, Email details, URLs, and Attachments sections that are part of the Email summary panel. For more information, see The Email summary panel.
To take action on the message, see the next section.
Tip
To see details about other quarantined messages without leaving the details flyout, use
Previous item and Next item at the top of the flyout.
On the Email tab, select the quarantined email message by using either of the following methods:
Select the message from the list by selecting the check box next to the first column. The available actions are no longer grayed out.
Select the message from the list by clicking anywhere in the row other than the check box. The available actions are in the details flyout that opens.
Using either method to select the message, many actions are available under
More or More options.
After you select the quarantined message, the available actions are described in the following subsections.
Tip
On mobile devices, the action experience is slightly different:
When you select the message by selecting the check box, all actions are under
More:
When you select the message by clicking anywhere in the row other than the check box, description text isn't available on some of the action icons in the details flyout. But, the actions and their order is the same as on a PC:
Release quarantined email
This action isn't available for email messages that have already been released (the Release status value is Released).
If you don't release or remove a message, it's automatically deleted from quarantine after the date shown in the Expires column.
You can't release a message to the same recipient more than once.
When you select individual original recipients to receive the released message, you can select only recipients who haven't already received the released message.
Members of the Security Administrators role group can see and use the Submit the message to Microsoft to improve detection and Allow email with similar attributes options.
Users can report false positives to Microsoft from quarantine, depending on the value of the Reporting from quarantine setting in user reported settings.
Tip
Third party anti-virus solutions, security services, and outbound connectors can cause the following issues for messages that are released from quarantine:
The message is quarantined after being released.
Content is removed from the released message before it reaches the recipient's Inbox.
The released message never arrives in the recipient's Inbox.
Verify that you aren't using third party filtering before you open a support ticket about these issues.
Inbox rules (created by users in Outlook or by admins by using the *-InboxRule cmdlets in Exchange Online PowerShell) can move or delete messages from the Inbox.
Admins can use message trace to determine if a released message was delivered to the recipient's Inbox.
Selecting Move or delete > Inbox on quarantined messages in
Take action from other Defender for Office 365 features (for example, Explorer (Threat Explorer) or the Email entity page) also allows you to release messages from quarantine. For more information, see Threat hunting: The Take action wizard.
After you select the message, use either of the following methods to release it:
On the Email tab: Select
Release.
In the details flyout of the selected message: Select
Release email.
In the Release email to recipient inboxes flyout that opens, configure the following options:
Select one of the following values:
Release to all recipients
Release to one or more of the original recipients of the email: Enter the recipients in the Recipients box that appears.
Send a copy of this message to another recipient: If you select this option, select one or more recipients by clicking in the Recipients box that appears.
Submit the message to Microsoft to improve detection: If you select this option, the erroneously quarantined message is reported to Microsoft as a false positive. Depending on the results of their analysis, the service-wide spam filter rules might be adjusted to allow the message through.
Selecting this option reveals the following options:
Allow this message: If you select this option, allow entries are added to the Tenant Allow/Block List for the sender and any related URLs or attachments in the message. The following options also appear:
Remove entry after: The default value is 30 days, but you can also select 1 day, 7 days, or a Specific date that's less than 30 days.
Allow entry note: Enter an optional note that contains additional information.
When you're finished on the Release email to recipient inboxes flyout, select Release message.
Back on the Email tab, the Release status value of the message is Released.
Approve or deny release requests from users for quarantined email
Users can request the release of email messages if the quarantine policy used Allow recipients to request a message to be released from quarantine (PermissionToRequestRelease permission) instead of Allow recipients to release a message from quarantine (PermissionToRelease permission) when the message was quarantined. For more information, see Create quarantine policies in the Microsoft Defender portal.
After a recipient requests the release of the email message, the Release status value changes to Release requested, and an admin can approve or deny the request.
Tip
One alert to release the message might be created for multiple release requests for that message. Use the quarantine link in the Details section of the alert message to take action on the release request from users in the organization for the past 7 days.
If you don't release or remove a message, it's automatically deleted from quarantine after the date shown in the Expires column.
After you select the message, use either of the following methods to approve or deny the release request:
On the Email tab: Select
Approve release or
Deny.
In the details flyout of the selected message: Select
More and then select Approve release or
Deny release.
If you select Approve release, an Approve release flyout opens where you can review information about the message. To approve the request, select Approve release. A Release approved flyout opens where you can select the link to learn more about releasing messages. Select Done when you're finished on the Release approved flyout. Back on the Email tab, the Release status value of the message changes to Approved.
If you select Deny, a Deny release flyout opens where you can review information about the message. To deny the request, select Deny release. A Release denied flyout opens where you can select the link to learn more about releasing messages. Select Done when you're finished on the Release denied flyout. Back on the Email tab, the Release status value of the message changes to Denied.
Tip
You can deny release for all recipients only. You can't deny release for specific recipients.
Delete email from quarantine
When you delete an email message from quarantine, the message is removed and isn't sent to the original recipients.
If you don't release or remove a message, it's automatically deleted from quarantine after the date shown in the Expires column.
After you select the message, use either of the following methods to remove it:
On the Email tab: Select
Delete from quarantine.
In the details flyout of the selected message: Select
More options >
Delete from quarantine.
In the Delete (n) messages from quarantine flyout that opens, use one of the following methods to delete the message:
Select Permanently delete the message from quarantine and then select Delete: The message is permanently deleted and isn't recoverable.
Select Delete only: The message is deleted, but is potentially recoverable.
After you select Delete on the Delete (n) messages from quarantine flyout, you return to the Email tab where the message is no longer listed.
Preview email from quarantine
After you select the message, use either of the following methods to preview it:
On the Email tab: Select
Preview message.
In the details flyout of the selected message: Select
More options >
Preview message.
In the flyout that opens, choose one of the following tabs:
Source: Shows the HTML version of the message body with all links disabled.
Plain text: Shows the message body in plain text.
View email message headers
After you select the message, use either of the following methods to view the message headers:
On the Email tab: Select
More >
View message headers.
In the details flyout of the selected message: Select
More options >
View message headers.
In the Message header flyout that opens, the message header (all header fields) is shown.
Use
Copy message header to copy the message header to the clipboard.
Select the Microsoft Message Header Analyzer link to analyze the header fields and values in depth. Paste the message header into the Insert the message header you would like to analyze section (CTRL+V or right-click and choose Paste), and then select Analyze headers.
Report email to Microsoft for review from quarantine
After you select the message, use either of the following methods to report the message to Microsoft for analysis:
On the Email tab: Select
More >
Submit for review.
In the details flyout of the selected message: Select
More options >
Submit for review.
In the Submit to Microsoft for analysis flyout that opens, configure the following options:
Add the network message ID or upload the email file: Select one of the following options:
Add the email network message ID: This value is selected by default, with the corresponding value in the box.
Upload the email file (.msg or eml): After you select this option, select the
Browse files button that appears to find and select the .msg or .eml message file to submit.
Choose a recipient who had an issue: Select one (preferred) or more original recipients of the message to analyze the policies that were applied to them.
Select a reason for submitting to Microsoft: Choose one of the following options:
I've confirmed it's clean (default): Select this option if you're sure that the message is clean, and then select Next. Then the following settings are available:
Allow this email: If you select this option, allow entries are added to the Tenant Allow/Block List for the sender and any related URLs or attachments in the message. The following options also appear:
Remove entry after: The default value is 30 days, but you can also select 1 day, 7 days, or a Specific date that's less than 30 days.
Allow entry note: Enter an optional note that contains additional information.
It appears clean: Select this option if you're unsure and you want a verdict from Microsoft.
When you're finished on the Submit to Microsoft for analysis flyout, select Submit.
Tip
Users can report false positives to Microsoft from quarantine, depending on the value of the Reporting from quarantine setting in user reported settings.
Allow email senders from quarantine
Tip
The Allow sender action is available to admins only if they filter the quarantine results by Recipient > Only me instead of the default value All users.
If the sender is already in the recipient's safelist collection, Allow sender isn't available.
The Allow sender action adds the sender of the selected email message to the Safe Senders list in the mailbox of whomever is signed in. Typically, this action is for end-users if it's available to them by quarantine policies. For more information about users allowing senders, see Add recipients of my email messages to the Safe Senders List.
After you select the message, use either of the following methods to add the message sender to the Safe Senders list in your own mailbox:
On the Email tab: Select
More >
Allow sender.
In the details flyout of the selected message: Select
More options >
Allow sender.
The flyout that opens indicates when the sender was successfully added to your Safe Senders list. Select Done.
Block email senders from quarantine
Tip
The Block sender action is available to admins only if they filter the quarantine results by Recipient > Only me instead of the default value All users.
The Block sender action adds the sender of the selected email message to the Blocked Senders list in the mailbox of whomever is signed in. Typically, this action is for end-users if it's available to them by quarantine policies. For more information about users blocking senders, see Block a mail sender
After you select the message, use either of the following methods to add the message sender to the Blocked Senders list in your own mailbox:
On the Email tab: Select
More >
Block sender.
In the details flyout of the selected message: Select
More options >
Block sender.
In the Block sender flyout that opens, review the information about the sender, and then select Block.
Tip
The organization can still receive mail from the blocked sender. Messages from the sender are delivered to user Junk Email folders or to quarantine depending on the policy precedence as described in User allows and blocks. To delete messages from the sender upon arrival, use mail flow rules (also known as transport rules) to Block the message.
Remove senders from user Blocked Senders lists from quarantine
The Remove sender from user block list is available only if the sender of the quarantined message is already in the recipient's Block Senders list.
Admins can remove senders from the Block Senders list of their own mailboxes (if quarantine is filtered by Recipient > Only me) or from the mailboxes of other users (if quarantine is filtered by Recipient > All users).
After you select the message, use either of the following methods to remove the sender from the user's Block Senders list:
On the Email tab: Select
More >
Remove sender from user block list.
In the details flyout of the selected message: Select
More options >
Remove sender from user block list.
The flyout that opens indicates when the sender was successfully removed from the recipient's Blocked Senders list. Select Done.
Share email from quarantine
You can send a copy of the quarantined email message, including potentially harmful content, to the specified recipients.
After you select the message, use either of the following methods to send a copy of it to others:
On the Email tab: Select
More >
Share email.
In the details flyout of the selected message: Select
More options >
Share email.
In the Share email with other users flyout that opens, select one or more recipients to receive a copy of the message. When you're finished, select Share.
Download email from quarantine
After you select the email message, use either of the following methods to download it:
On the Email tab: Select
More >
Download messages.
In the details flyout of the selected message: Select
More options >
Download message.
In the Download file flyout that opens, enter the following information:
Reason for downloading file: Enter descriptive text.
Create password and Confirm password: Enter a password that's required to open the downloaded message file.
When you're finished on the Download file flyout, select Download.
When the download is ready, a Save As dialog opens for you to view or change the downloaded filename and location. By default, The .eml message file is saved in a compressed file named Quarantined Messages.zip in your Downloads folder. If the .zip file already exists, a number is appended to the filename (for example, Quarantined Messages(1).zip).
Accept or change the downloaded file details, and then select Save.
Back on the Download file flyout, select Done.
Actions for quarantined email messages in Defender for Office 365
In organizations with Microsoft Defender for Office 365 (add-on licenses or included in subscriptions like Microsoft 365 E5 or Microsoft 365 Business Premium), the following actions are also available in the details flyout of a selected message:
Take actions: This action starts the same Action wizard that's available on the Email entity page. For more information, see Actions on the Email entity page.
Take action on multiple quarantined email messages
When you select up to 100 quarantined messages on the Email tab by selecting the check boxes next to the first column, the following bulk actions are available on the Email tab (depending on the Release status values of the messages that you selected):
The only available options to select for bulk actions are Send a copy of this message to other recipients in your organization and Send the message to Microsoft to improve detection (false positive).
The only available options to select for bulk actions are Allow emails with similar attributes and the related Remove allow entry after and Allow entry note options.
By default, many security policy verdicts allow users to delete their quarantined messages (messages where they're a recipient). For more information, see the table at Manage quarantined messages and files as a user.
Admins can search the audit log to find events for messages that were deleted from quarantine by using the following procedures:
On the Audit page, verify that the New Search tab is selected, and then configure the following settings:
Date and time range (UTC)
Activities - friendly names: Click in the box, start typing "quarantine" in the
Search box that appears, and then select Deleted Quarantine message from the results.
Users: If you know who deleted the message from quarantine, you can further filter the results by user.
When you're finished entering the search criteria, select Search to generate the search.
For complete instructions for audit log searches, see Audit New Search.
Use the Microsoft Defender portal to manage quarantined files in Defender for Office 365
Note
The procedures for quarantined files in this section are available only to Microsoft Defender for Office 365 Plan 1 or Plan 2 subscribers.
Files quarantined in SharePoint or OneDrive are removed from quarantine after 30 days, but the blocked files remain in SharePoint or OneDrive in the blocked state.
On the Files tab, you can decrease the vertical spacing in the list by clicking
Change list spacing to compact or normal and then selecting
Compact list.
You can sort the entries by clicking on an available column header. Select
Customize columns to change the columns that are shown. The default values are marked with an asterisk (*):
User*
Location*: The value is SharePoint or OneDrive.
Attachment filename*
File URL*
File Size
Release status*
Expires*
Detected by
Modified by time
To filter the entries, select
Filter. The following filters are available in the Filters flyout that opens:
Time received:
Last 24 hours
Last 7 days
Last 14 days
Last 30 days (default)
Custom: Enter a Start time and End time (date).
Expires:
Custom (default): Enter a Start time and End time (date).
Today
Next 2 days
Next 7 days
Quarantine reason: The only available value is Malware.
Policy type: The only available value is Unknown.
When you're finished in the Filters flyout, select Apply. To clear the filters, select
Clear filters.
Use the
Search box and a corresponding value to find specific files by filename. Wildcards aren't supported.
After you've entered the search criteria, press Enter to filter the results.
After you find a specific quarantined file, select the file to view details about it and to take action on it (for example, view, release, download, or delete the file).
On the Files tab, select the quarantined file by clicking anywhere in the row other than the check box.
In the details flyout that opens, the following information is available:
File details section:
File Name
File URL: URL that defines the location of the file (for example, in SharePoint Online).
Malicious content detected on The date/time the file was quarantined.
Expires: The date when the file will be deleted from quarantine.
Detected by
Released?
Malware Name
Document ID: A unique identifier for the document.
File Size
Organization Your organization's unique ID.
Last modified
Last modified By: The user who last modified the file.
Secure Hash Algorithm 256-bit (SHA-256) value: You can use this hash value to identify the file in other reputation stores or in other locations in your environment.
To take action on the file, see the next section.
Tip
To see details about other quarantined files without leaving the details flyout, use
Previous item and Next item at the top of the flyout.
On the Files tab, select the quarantined file by clicking anywhere in the row other than the check box.
After you select the quarantined file, the available actions in the file details flyout that opens are described in the following subsections.
Release quarantined files from quarantine
This action isn't available for files that have already been released (the Released status value is Released).
If you don't release or delete the file from quarantine, the file is removed from quarantine after the default quarantine retention period expires (as shown in the Expires column), but the blocked file remains in SharePoint or OneDrive in the blocked state.
After you select the file, select
Release file in the file details flyout that opens.
In the Release files and report them to Microsoft flyout that opens, view the file details in the Release the following files section, and then select Release.
Tip
Currently, you can't report quarantined files to Microsoft as you release them.
In the Files have been released flyout that opens, select Done.
Back on the file details flyout, select Close.
Back on the Files tab, the Release status value of the file is Released.
Download quarantined files from quarantine
After you select the file, select
Download file in the details flyout that opens.
In the Download file flyout that opens, enter the following information:
Reason for downloading file: Enter descriptive text.
Create password and Confirm password: Enter a password that's required to open the downloaded file.
When you're finished on the Download file flyout, select Download.
When the download is ready, a Save As dialog opens for you to view or change the downloaded filename and location. By default, The file is saved in a compressed file named Quarantined Messages.zip in your Downloads folder. If the .zip file already exists, a number is appended to the filename (for example, Quarantined Messages(1).zip).
Accept or change the downloaded file details, and then select Save.
Back on the Download file flyout, select Done.
Delete quarantined files from quarantine
If you don't release or delete the file from quarantine, the file is removed from quarantine after the default quarantine retention period expires (as shown in the Expires column), but the blocked file remains in SharePoint or OneDrive in the blocked state.
After you select the file, select
More >
Delete from quarantine in the details flyout that opens.
Select Continue in the warning dialog that opens.
Back on the Files tab, the file is no longer listed.
Take action on multiple quarantined files
When you select multiple quarantined files on the Files tab by selecting the check boxes next to the first column (up to 100 files), a Bulk actions dropdown list appears where you can take the following actions:
Quarantine in Microsoft Teams is available only in organizations with Microsoft Defender for Office 365 Plan 2 (add-on licenses or included in subscriptions like Microsoft 365 E5).
When a potentially malicious chat message is detected in Microsoft Teams, zero-hour auto purge (ZAP) removes the message and quarantines it. Admins can view and manage these quarantined Teams messages. The message is quarantined for 30 days. After that the Teams message is permanently removed.
On the Teams messages tab, you can decrease the vertical spacing in the list by clicking
Change list spacing to compact or normal and then selecting
Compact list.
You can sort the entries by clicking on an available column header. Select
Customize columns to change the columns that are shown. The default values are marked with an asterisk (*):
Teams message text: Contains the subject for the Teams message.*
Time received: The time the message was received by the recipient.*
Release status: Shows whether the message is already reviewed and released or needs review. *
Participants: The total number of users who received the message.*
Sender: The person who sent the message that was quarantined.*
Quarantine reason: Available options are "High confidence phish" and "Malware".*
Policy type: The organization policy responsible for the quarantined message.*
Expires: Indicates the time after which the message is removed from quarantine. By default, this value is 30 days.*
Recipient address: Email address of the recipients.*
Message ID: Includes the chat message ID.
To filter the entries, select
Filter. The following filters are available in the Filters flyout that opens:
Message ID
Sender address
Recipient address
Subject
Time received:
Last 24 hours
Last 7 days
Last 14 days
Last 30 days (default)
Custom: Enter a Start time and End time (date).
Expires:
Custom (default): Enter a Start time and End time (date).
Today
Next 2 days
Next 7 days
Quarantine reason: Available values are Malware and High confidence phishing.
Recipient: Select All users or Only me.
Review status: Select Needs review and Released.
When you're finished in the Filters flyout, select Apply. To clear the filters, select
Clear filters.
Use the
Search box and a corresponding value to find specific Teams messages. Wildcards aren't supported.
After you find a specific quarantined Teams message, select the message to view details about it and to take action on it (for example, view, release, download, or delete the message).
View quarantined Teams message details
On the Teams messages tab of the Quarantine page, select the quarantined message by clicking anywhere in the row other than the check box next to the first column.
The following message information is available at the top of the details flyout:
The title of the flyout is the subject or the first 100 characters of the Teams message.
On the Teams messages tab, select the quarantined message by using either of the following methods:
Select the message from the list by selecting the check box next to the first column. The available actions are no longer grayed out.
Select the message from the list by clicking anywhere in the row other than the check box. The available actions are in the details flyout that opens.
Using either method to select the message, some actions are available under
More.
After you select the quarantined message, the available actions are described in the following subsections.
Release quarantined Teams messages
This action isn't available for Teams messages that have already been released (the Release status value is Released).
If you don't release or remove a message, it's automatically deleted from quarantine after the date shown in the Expires column.
After you select the message, use either of the following methods to release it:
On the Teams messages tab: Select
Release.
In the details flyout of the selected message: Select
Release.
In the Release to all chat participants flyout that opens, decide whether to select Submit the message to Microsoft to improve detection (false positive), and then select Release.
Delete Teams messages from quarantine
If you don't release or remove a Teams message, it's automatically deleted from quarantine after the date shown in the Expires column.
After you select the Teams message, use either of the following methods to remove it:
On the Teams messages tab: Select
Delete messages.
In the details flyout of the selected message: Select
More options >
Delete from quarantine.
In the warning dialog that opens, read the information and then select Continue.
Back on the Teams messages tab, the message is no longer listed.
Preview Teams messages from quarantine
After you select the Teams message, use either of the following methods to preview it:
On the Teams messages tab: Select
Preview message.
In the details flyout of the selected message: Select
Preview message.
In the flyout that opens, choose one of the following tabs:
Source: Shows the HTML version of the message body with all links disabled.
Plain text: Shows the message body in plain text.
Report Teams messages to Microsoft for review from quarantine
After you select the message, use either of the following methods to report the message to Microsoft for analysis:
On the Teams messages tab: Select
More >
Submit for review.
In the details flyout of the selected message: Select
More options >
Submit for review.
When you select Submit message, the message is sent to Microsoft for analysis. You receive an Item submitted dialog where you select OK.
Download Teams messages from quarantine
After you select the Teams message, use either of the following methods to download it:
On the Teams messages tab: Select
More >
Download messages.
In the details flyout of the selected message: Select
More options >
Download message.
In the Download messages flyout that opens, enter the following information:
Reason for downloading file: Enter descriptive text.
Create password and Confirm password: Enter a password that's required to open the downloaded message file.
When you're finished on the Download file flyout, select Download.
By default, The .html message file is saved in a compressed file named Quarantined Messages.zip in your Downloads folder. If the .zip file already exists, a number is appended to the filename (for example, Quarantined Messages(1).zip).
Back on the Download messages flyout, select Done.
Take action on multiple quarantined Teams messages
When you select multiple quarantined messages on the Teams messages tab by selecting the check boxes next to the first column, the following bulk actions are available on the Teams messages tab:
Approve or deny release requests from users for quarantined Teams messages
When a user requests the release of a quarantined Teams message, the Release status value changes to Release requested, and an admin can approve or deny the request.
This module examines how Microsoft Defender for Office 365 extends EOP protection through various tools, including Safe Attachments, Safe Links, spoofed intelligence, spam filtering policies, and the Tenant Allow/Block List.