Quarantined email messages in EOP and Defender for Office 365

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, quarantine is available to hold potentially dangerous or unwanted messages.

Whether a detected message is quarantined by default depends on the following factors:

The default actions for protection features in EOP and Defender for Office 365, including preset security policies, are described in the feature tables in Recommended settings for EOP and Microsoft Defender for Office 365 security.

For anti-spam and anti-phishing protection, admins can also modify the default policy or create custom policies to quarantine messages instead of delivering them to the Junk Email folder. For instructions, see the following articles:

The protection policies for supported features have one or more quarantine policies assigned to them (each action within the protection policy has an associated quarantine policy assignment).

Quarantine policies define what users are able to do or not do to quarantined messages, and whether users receive quarantine notifications for those messages. For more information, see Anatomy of a quarantine policy.

The default quarantine policies that are assigned to protection feature verdicts enforce the historical capabilities that users get for their quarantined messages (messages where they're a recipient). For more information, see the table in Find and release quarantined messages as a user in EOP. For example, only admins can work with messages that were quarantined as malware or high confidence phishing. By default, users can work with their messages that were quarantined as spam, bulk, phishing, spoof, user impersonation, domain impersonation, or mailbox intelligence.

Admins can create and apply custom quarantine policies that define less restrictive or more restrictive capabilities for users, and also turn on quarantine notifications. For more information, see Create quarantine policies.

Note

Users can't release their own messages that were quarantined as malware by anti-malware or Safe Attachments policies, or as high confidence phishing by anti-spam policies, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to request the release of their quarantined malware or high-confidence phishing messages.

Both users and admins can work with quarantined messages:

How long quarantined messages or files are held in quarantine before they expire depends on why the message or file was quarantined. Features and their corresponding retention periods are described in the following table:

| Quarantine reason | Default retention period | Customizable? | Comments |
|---|---|---|---|
| Messages quarantined by anti-spam policies: spam, high confidence spam, phishing, high confidence phishing, or bulk. | 15 days in the default anti-spam policy and in anti-spam policies that you create in PowerShell. 30 days in anti-spam policies that you create in the Microsoft 365 Defender portal. | Yes | You can configure (lower) this value in anti-spam policies. For more information, see the Retain spam in quarantine for this many days (QuarantineRetentionPeriod) setting in Configure anti-spam policies. |
| Messages quarantined by anti-phishing policies: spoof intelligence in EOP; user impersonation, domain impersonation, or mailbox intelligence in Defender for Office 365. | 30 days | Yes | This retention period is also controlled by the Retain spam in quarantine for this many days (QuarantineRetentionPeriod) setting in anti-spam policies. The retention period that's used is the value from the first matching anti-spam policy that the recipient is defined in. |
| Messages quarantined by anti-malware policies (malware messages). | 30 days | No | If you turn on common attachments filtering in anti-malware policies (in the default policy or in custom policies), file attachments in email messages to the affected recipients are treated as malware based solely on the file extension. A predefined list of mostly executable file types is used by default, but you can customize the list. For more information, see Anti-malware policies. |
| Messages quarantined by Safe Attachments policies in Defender for Office 365 (malware messages). | 30 days | No | |
| Messages quarantined by mail flow rules: the action is Deliver the message to the hosted quarantine (Quarantine). | 30 days | No | |
| Files quarantined by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams (malware files). | 30 days | No | Files quarantined in SharePoint or OneDrive are removed from quarantine after 30 days, but the blocked files remain in SharePoint or OneDrive in the blocked state. |

When a message expires from quarantine, you can't recover it.
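Because expired messages are unrecoverable and the anti-spam QuarantineRetentionPeriod also governs anti-phishing quarantine, it helps to review that value per policy in evaluation order. The following is an added example, not part of the original article: the function name, the 30-day review threshold, and the sample objects are assumptions, and the commented live-tenant call assumes an already connected Exchange Online PowerShell session.

```powershell
# Added example: list anti-spam policies in evaluation order with their
# quarantine retention, flagging those below a chosen review threshold.
function Get-QuarantineRetentionReport {
    param(
        [Parameter(Mandatory)] [object[]] $Policies,  # output of Get-HostedContentFilterPolicy
        [object[]] $Rules = @(),                       # output of Get-HostedContentFilterRule
        [int] $MinimumDays = 30                        # assumed threshold, not a Microsoft value
    )
    $rows = foreach ($policy in $Policies) {
        # Custom policies are scoped and ordered by a rule; the default policy has none.
        $rule = $Rules |
            Where-Object { "$($_.HostedContentFilterPolicy)" -eq $policy.Name } |
            Select-Object -First 1
        [pscustomobject]@{
            Policy        = $policy.Name
            # Lower number = evaluated first. The default policy applies last.
            Priority      = if ($rule) { [int]$rule.Priority } else { [int]::MaxValue }
            RuleState     = if ($rule) { "$($rule.State)" }
                            elseif ($policy.IsDefault) { 'Default' }
                            else { 'NoRule' }   # no anti-spam rule in $Rules references it
            RetentionDays = [int]$policy.QuarantineRetentionPeriod
            BelowMinimum  = [int]$policy.QuarantineRetentionPeriod -lt $MinimumDays
        }
    }
    $rows | Sort-Object Priority, Policy
}

# Constructed sample data (not from a real tenant) so the function runs offline.
$samplePolicies = @(
    [pscustomobject]@{ Name = 'Default';         IsDefault = $true;  QuarantineRetentionPeriod = 15 }
    [pscustomobject]@{ Name = 'Finance (portal)'; IsDefault = $false; QuarantineRetentionPeriod = 30 }
    [pscustomobject]@{ Name = 'Scripted policy'; IsDefault = $false; QuarantineRetentionPeriod = 15 }
)
$sampleRules = @(
    [pscustomobject]@{ Name = 'Finance rule';  HostedContentFilterPolicy = 'Finance (portal)'; Priority = 0; State = 'Enabled' }
    [pscustomobject]@{ Name = 'Scripted rule'; HostedContentFilterPolicy = 'Scripted policy';  Priority = 1; State = 'Enabled' }
)

Get-QuarantineRetentionReport -Policies $samplePolicies -Rules $sampleRules | Format-Table -AutoSize

# Against a live tenant (requires a connected Exchange Online PowerShell session):
# Get-QuarantineRetentionReport -Policies (Get-HostedContentFilterPolicy) -Rules (Get-HostedContentFilterRule)
```

With the sample data, the default policy and the scripted policy are flagged at 15 days while the portal-created policy reports 30.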

For more information about quarantine, see Quarantine FAQ.