Quarantined email messages in EOP and Defender for Office 365



In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, quarantine is available to hold potentially dangerous or unwanted messages.

Anti-malware policies automatically quarantine a message if any attachment is found to contain malware. For more information, see Configure anti-malware policies in EOP.

By default, anti-spam policies quarantine phishing and high confidence phishing messages, and deliver spam, high confidence spam, and bulk email messages to the user's Junk Email folder. However, you can also create and customize anti-spam policies to quarantine spam, high confidence spam, and bulk email messages. For more information, see Configure anti-spam policies in EOP.

Both users and admins can work with quarantined messages:

  • Quarantine policies define what users are allowed to do or not do to quarantined messages based on why the message was quarantined for supported features. Default quarantine policies enforce the historical capabilities for the security feature that quarantined the message as described in the table here. The default quarantine policies that are used by supported security features are described in Recommended settings for EOP and Microsoft Defender for Office 365 security. Admins can create and apply custom quarantine policies that define less restrictive or more restrictive capabilities for users, and also turn on quarantine notifications. For more information, see Quarantine policies.

  • Admins can work with all types of quarantined messages for all users. By default, only admins can work with messages that were quarantined as malware, high confidence phishing, or as a result of mail flow rules (also known as transport rules). For more information, see Manage quarantined messages and files as an admin in EOP.

  • By default, users can work with quarantined messages where they are a recipient and the message was quarantined as spam, bulk email, or phishing (not high confidence phishing). For more information, see Find and release quarantined messages as a user in EOP.

    To prevent users from managing their own quarantined phishing (not high confidence phishing) messages, admins can assign a quarantine policy that denies access to quarantined messages from the Phishing email filtering verdict in anti-spam policies. For more information, see Assign quarantine policies in anti-spam policies and Quarantine policies.

  • Admins can report false positives to Microsoft from quarantine. For more information, see Take action on quarantined email and Take action on quarantined files.

  • Depending on the User reported settings in the organization (specifically, the Let your organization report messages from quarantine setting), users can report false positives to Microsoft from quarantine.

  • How long quarantined messages are held in quarantine before they expire varies based on why the message was quarantined. The features that quarantine messages and their corresponding retention periods are described in the following table:

    | Quarantine reason | Default retention period | Customizable? | Comments |
    |---|---|---|---|
    | Messages quarantined by anti-spam policies: spam, high confidence spam, phishing, high confidence phishing, or bulk. | 15 days in the default anti-spam policy and in anti-spam policies that you create in PowerShell. 30 days in anti-spam policies that you create in the Microsoft 365 Defender portal. | Yes | You can configure (lower) this value in anti-spam policies. For more information, see the Retain spam in quarantine for this many days (QuarantineRetentionPeriod) setting in Configure anti-spam policies. |
    | Messages quarantined by anti-phishing policies: spoof intelligence in EOP; user impersonation, domain impersonation, or mailbox intelligence in Defender for Office 365. | 30 days | Yes | This retention period is also controlled by the Retain spam in quarantine for this many days (QuarantineRetentionPeriod) setting in anti-spam policies. The retention period that's used is the value from the first matching anti-spam policy that the recipient is defined in. |
    | Messages quarantined by anti-malware policies (malware messages). | 30 days | No | If you turn on common attachments filtering in anti-malware policies (in the default policy or in custom policies), file attachments in email messages to the affected recipients are treated as malware based solely on the file extension. A predefined list of mostly executable file types is used by default, but you can customize the list. For more information, see Anti-malware policies. |
    | Messages quarantined by Safe Attachments policies in Defender for Office 365 (malware messages). | 30 days | No | |
    | Messages quarantined by mail flow rules: the action is Deliver the message to the hosted quarantine (Quarantine). | 30 days | No | |
    | Files quarantined by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams (malware files). | 30 days | No | Files quarantined in SharePoint or OneDrive are removed from quarantine after 30 days, but the blocked files remain in SharePoint or OneDrive in the blocked state. |

    When a message expires from quarantine, you can't recover it.
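
The following PowerShell is an added example, not part of the original article. It summarizes, for each anti-spam policy, which filtering verdicts are sent to quarantine and the QuarantineRetentionPeriod that applies. The property names are those of the objects returned by Get-HostedContentFilterPolicy in Exchange Online PowerShell; the two sample policies are constructed so that the function runs without a tenant connection.

```powershell
# Added example. Against a real tenant (ExchangeOnlineManagement module, after
# Connect-ExchangeOnline) pipe the live policies in instead of the samples:
#   Get-HostedContentFilterPolicy | Get-QuarantineSummary

function Get-QuarantineSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Policy
    )
    begin {
        # Filtering verdict -> action property on the anti-spam policy object
        $verdicts = [ordered]@{
            Spam                = 'SpamAction'
            HighConfidenceSpam  = 'HighConfidenceSpamAction'
            Phish               = 'PhishSpamAction'
            HighConfidencePhish = 'HighConfidencePhishAction'
            Bulk                = 'BulkSpamAction'
        }
    }
    process {
        # Verdicts whose action is Quarantine (others go to Junk Email, etc.)
        $quarantined = @(foreach ($v in $verdicts.Keys) {
            if ($Policy.($verdicts[$v]) -eq 'Quarantine') { $v }
        })
        # Phishing verdicts that this policy does NOT quarantine
        $phishGap = @('Phish', 'HighConfidencePhish' |
            Where-Object { $_ -notin $quarantined })

        [pscustomobject]@{
            Policy              = $Policy.Name
            RetentionDays       = [int]$Policy.QuarantineRetentionPeriod
            Quarantined         = $quarantined -join ', '
            PhishNotQuarantined = $phishGap -join ', '
        }
    }
}

# Constructed sample policies (not real tenant data). The first mirrors the
# defaults described above: phishing quarantined, spam and bulk to Junk, 15 days.
$samplePolicies = @(
    [pscustomobject]@{ Name = 'Default'; QuarantineRetentionPeriod = 15
        SpamAction = 'MoveToJmf'; HighConfidenceSpamAction = 'MoveToJmf'
        PhishSpamAction = 'Quarantine'; HighConfidencePhishAction = 'Quarantine'
        BulkSpamAction = 'MoveToJmf' }
    [pscustomobject]@{ Name = 'Custom (constructed)'; QuarantineRetentionPeriod = 30
        SpamAction = 'Quarantine'; HighConfidenceSpamAction = 'Quarantine'
        PhishSpamAction = 'MoveToJmf'; HighConfidencePhishAction = 'Quarantine'
        BulkSpamAction = 'Quarantine' }
)

$samplePolicies | Get-QuarantineSummary | Format-Table -AutoSize
```

Because the retention value in the first matching anti-spam policy also governs messages quarantined by anti-phishing policies, the RetentionDays column is worth reviewing for every policy, not only the default one.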

For more information about quarantine, see Quarantine FAQ.