Tip
Did you know you can try the features in Microsoft Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms on Try Microsoft Defender for Office 365.
Applies to
- Exchange Online Protection
- Microsoft Defender for Office 365 Plan 1 and Plan 2
- Microsoft Defender XDR
This article provides frequently asked questions and answers about quarantined email messages for Microsoft 365 organizations with mailboxes in Exchange Online, or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes.
Note
In Microsoft 365 operated by 21Vianet, quarantine isn't currently available in the Microsoft Defender portal. Quarantine is available only in the classic Exchange admin center (classic EAC).
For questions and answers about anti-spam protection, see Anti-spam protection FAQ.
For questions and answers about anti-malware protection, see Anti-malware protection FAQ.
For questions and answers about anti-spoofing protection, see Anti-spoofing protection FAQ.
By default, only admins can manage messages that were quarantined for malware. For more information, see Manage quarantined messages and files as an admin.
But, admins can create and apply quarantine policies to anti-malware policies that define more capabilities for users. For more information, see Create quarantine policies.
Users can't release their own messages that were quarantined as malware by anti-malware policies, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to request the release of their quarantined malware or high confidence phishing messages.
By default, messages that are classified as spam or bulk are delivered and moved to the Junk Email folder by the following anti-spam policies:
- The default anti-spam policy.
- Custom anti-spam policies.
- The Standard preset security policy.
Admins can configure the default anti-spam or custom policies to quarantine spam or bulk email messages instead. For more information, see Configure anti-spam policies in EOP.
The Strict preset security policy quarantines messages that are classified as spam or bulk.
For more information, see the following articles:
A user must have a valid account to access their own messages in quarantine. Standalone EOP requires that users are represented as mail users in EOP (manually created or created via directory synchronization). For more information about managing users in standalone EOP environments, see Manage mail users in standalone EOP.
Quarantine policies determine whether users can access their quarantined messages, and what they're allowed to do to them. For more information, see Anatomy of a quarantine policy.
If the quarantine policy requires users to request the release of messages or requires admins to release messages, an admin must approve the release request or release the message before the message is available to users.
You can't customize quarantine policies in preset security policies.
Quarantine policies define whether users can access quarantined messages based on why the message was quarantined.
For the default access to quarantined messages, see the table in Find and release quarantined messages as a user in EOP
Users can't release their own messages that were quarantined as malware by anti-malware or Safe Attachments policies, or as high confidence phishing by anti-spam policies, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to request the release of their quarantined malware or high confidence phishing messages.
The default quarantine policy named AdminOnlyAccessPolicy prevents any user interaction with their quarantined messages. By default, this quarantine policy is used for messages that were quarantined as malware or high confidence phishing. In custom policies or the default policy for protection features that support quarantining messages, admins can specify the AdminOnlyAccessPolicy as the quarantine policy to use.
You can't prevent end users from seeing or accessing the Quarantine page at https://security.microsoft.com/quarantine.
The Quarantine reason column that's available on the Email tab of the Quarantine page in the Defender portal at https://security.microsoft.com/quarantine?viewid=Email. Common reasons are Transport rule, Bulk, Spam, Malware, Phishing, High confidence phishing, or Admin action - File type block. For more information, see View quarantined email.
Before you open a support ticket about this, see Find who deleted a quarantined message.
Quarantined messages also expire and are eventually removed from quarantine, depending on why the message was quarantined. For more information, see Quarantine retention.
The common attachments filter in anti-malware policies identifies message attachments with the specified file extensions (using true type matching were possible). The default action for these detections in the default anti-malware policy and in the Standard and strict preset security policies is to reject the message in a non-delivery report (also known as an NDR or bounce message). If the released message contains one of the specified file attachment types, it's possible that the message was returned to the sender in an NDR.
When a message expires from quarantine, you can't recover it.
By default, messages from blocked senders are hidden from view in quarantine (quarantine is filtered by Don't show blocked senders). To see messages from all senders, select Filter and then select Show all senders.
Tip
If a sender is blocked and Don't show blocked senders is selected (default), messages from those senders are shown on the Quarantine page and are included in quarantine notifications when the Sender address override reason value is None. This behavior occurs because the messages were blocked due to reasons other than sender address overrides.
A message was released from quarantine, but the original recipient can't find it. How can I determine what happened to the message?
Third party anti-virus solutions, security services, or outbound connectors can cause the following issues for messages that are released from quarantine:
- The message is quarantined after being released.
- Content is removed from the released message before it reaches the recipient's Inbox.
- The released message never arrives in the recipient's Inbox.
Verify that you aren't using third party filtering before you open a support ticket about these issues.
If a third party filter isn't preventing the message from reaching the user's Inbox and the first release attempt didn't work, admins can try using the Release-QuarantineMessage cmdlet in Exchange Online PowerShell with the Force switch to release the message.
If Release-QuarantineMessage with the Force switch doesn't work, admins should try releasing the message to an alternate mailbox after filtering by the third party service is turned off. Forced release might cause messages to be released multiple times.
You receive an error if you try to bulk release multiple messages to all recipients and a recipient-level message delete was done on any of the messages. The admin needs to release that specific message only to the recipient where delete from quarantine has not occurred.
Inbox rules (created by users in Outlook or by admins using the *-InboxRule cmdlets in Exchange Online PowerShell) can move or delete messages from the Inbox.
Some mail flow rules that quarantined a message can cause the released message to be quarantined again.
Inform admins that routing released quarantine messages to onpremises recipients can cause messages to lose anti-spam headers, which makes the messages land in quarantine again after release.
Admins can use message trace to determine if a released message was delivered to the recipient's Inbox.
Third party anti-virus solutions or security services can randomly select action buttons in quarantine notifications.
Verify that you aren't using third party filtering before you open a support ticket about this issue.
Quarantined messages that have been released have the Status value Released and the Released by property available on the Quarantine page.
Admins can also use the audit log to see who released a message from Quarantine. Use the value Released Quarantine message in Activities - friendly names. For related instructions, see Find who deleted a quarantined message.
In the Microsoft Defender portal, you can select and release up to 100 messages at a time.
Admins can use the Get-QuarantineMessage and Release-QuarantineMessage cmdlets in Exchange Online PowerShell or standalone EOP PowerShell to find and release quarantined messages in bulk, and to report false positives in bulk.
For bulk actions that are available on the Quarantine page, see Take action on multiple quarantined email messages.
In Defender for Office 365 Plan 2, you can use Explorer (Threat Explorer) to do larger bulk release operations (a maximum of 200,000 messages).
Are wildcards supported when searching for quarantined messages? Can I search for quarantined messages for a specific domain?
Wildcards aren't supported in the Microsoft Defender portal. For example, when searching for a sender, you need to specify the full email address. But, you can use wildcards in Exchange Online PowerShell or standalone EOP PowerShell.
For example, copy the following PowerShell code into NotePad and save the file as .ps1 in a location that's easy for you to find (for example, C:\Data\QuarantineRelease.ps1).
Then, after you connect to Exchange Online PowerShell or Exchange Online Protection PowerShell, run the following command to run the script:
& C:\Data\QuarantineRelease.ps1
The script does the following actions:
- Find unreleased messages that were quarantined as spam from all senders in the fabrikam domain. The maximum number of results is 50,000 (50 pages of 1000 results).
- Save the results to a CSV file.
- Release the matching quarantined messages to all original recipients.
$Page = 1
$List = $null
Do
{
Write-Host "Getting Page " $Page
$List = (Get-QuarantineMessage -Type Spam -PageSize 1000 -Page $Page | where {$_.Released -like "False" -and $_.SenderAddress -like "*fabrikam.com"})
Write-Host " " $List.count " rows in this page match"
Write-Host " Exporting list to appended CSV for logging"
$List | Export-Csv -Path "C:\Data\Quarantined Message Matches.csv" -Append -NoTypeInformation
Write-Host "Releasing page " $Page
$List | foreach {Release-QuarantineMessage -Identity $_.Identity -ReleaseToAll}
$Page = $Page + 1
} Until ($Page -eq 50)
After you release a message, you can't release it again.
How do I notify end users about their quarantined messages? How frequently are quarantine notifications sent?
If quarantine notifications are enabled in the associated quarantine policy, you can configure quarantine notifications to be sent every four hours, daily, or weekly. For more information, see Customize all quarantine notifications.
Tip
The fastest, most frequent notification schedule that's available is every four hours.
If you select every four hours, and a message is quarantined just after the last notification generation, the recipient will receive the quarantine notification slightly more than four hours later.
For messages quarantined by zero-hour auto purge (ZAP), quarantine notifications are generated based on when the message was quarantined, not when the message was delivered to the mailbox.
You can also set up quarantine notifications for internal (intra-organization) messages only in quarantine policies.
If the quarantine policy that's defined for the supported quarantine action doesn't have notifications turned on, the quarantine notifications aren't sent.
For more information, see the last table in Anatomy of a quarantine policy and the individual feature tables in Recommended settings for EOP and Microsoft Defender for Office 365 to see which default quarantine policies have quarantine notifications turned on.
Also, the protection policies in preset security policies are always applied before custom protection policies. A user who's defined in the Standard or Strict preset security policy will never get a customized protection policy where the quarantine policy is customized to turn on quarantine notifications. For more information, see Policy settings in preset security policies
Quarantine notifications aren't enabled for messages quarantined by Exchange mail flow rules (transport rules) or data loss prevention (DLP). These messages have the AdminOnly quarantine policy. Quarantine notifications are also no generated for messages with DefaultFullAccess quarantine policy.
See the permissions entry here.
Tip
The ability to manage quarantined messages using Exchange Online permissions ended in February 2023 per MC447339.
Guest admins from other organizations can't manage quarantined messages. The admin needs to be in the same organization as the recipients.
I created a custom quarantine notification for a specific language, but users aren't seeing it. What's going on?
A custom quarantine notification for a different language is shown to users only when their account/mailbox language matches the language in the custom quarantine notification.
If a user deletes the message from the Teams client, the message is gone, so Preview isn't available in quarantine for the deleted message.
I don't see the **Block sender** button in quarantine notifications or on the **Quarantine page**. I also don't see the **Approve release** button on the **Quarantine page**. What's going on?
Block sender is disabled by default for quarantined messages.
For end users, admins can create and assign a custom quarantine policy that includes the Block sender action. For more information, see [Quarantine policies](quarantine policies).
Admins see Block sender only if they filter the quarantine results by Recipient > Only me instead of the default value All users.
Approve release has been retired and is now included in Release.
The Search box applies to the visible results in quarantine. By default, only the first 100 entries are shown until you scroll down to the bottom of the list, which loads more results.
To filter quarantined messages by Internet Message ID, the value must include angle brackets (<>
), even in PowerShell.
Released messages remain visible in quarantine with the Status value Released, until:
The quarantine retention period expires and the message is automatically deleted.
or
The message is manually deleted from quarantine.
Audit logging needs to be turned on (it's on by default). For more information, see Turn auditing on or off.
Multiple or duplicate quarantine notifications are sent to the same user if the SendFromAliasEnabled parameter on the Set-OrganizationConfig cmdlet in Exchange Online PowerShell is set to the value $true.
Admins can use Preview message or View message header to see the complete list of recipients.