Tip
Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.
Applies to
- Exchange Online Protection
- Microsoft Defender for Office 365 plan 1 and plan 2
- Microsoft 365 Defender
This topic provides frequently asked questions and answers about quarantined email messages for Microsoft 365 organizations with mailboxes in Exchange Online, or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes.
For questions and answers about anti-spam protection, see Anti-spam protection FAQ.
For questions and answers about anti-malware protection, see Anti-malware protection FAQ.
For questions and answers about anti-spoofing protection, see Anti-spoofing protection FAQ.
How do I manage messages that were quarantined for malware?
By default, only admins can manage messages that were quarantined for malware. For more information, see Manage quarantined messages and files as an admin.
But, admins can create and apply quarantine policies to anti-malware policies that define more capabilities for users. For more information, see Quarantine policies.
How do I quarantine spam?
By default, messages that are classified as spam or bulk email by spam filtering are delivered to the user's mailbox, and are moved to the Junk Email folder. But you can configure anti-spam policies to quarantine spam or bulk email messages instead. For more information, see Configure anti-spam policies in EOP.
How do I give users access to the quarantine?
A user must have a valid account to access their own messages in quarantine. Standalone EOP requires that users are represented as mail users in EOP (manually created or created via directory synchronization). For more information about managing users in standalone EOP environments, see Manage mail users in standalone EOP.
What messages can end users access in quarantine?
Quarantine policies define whether users can access quarantined messages based on why the message was quarantined for supported features. For more information, see Quarantine policies.
By default, users can access the following types of quarantined messages where they're a recipient:
- Anti-spam policies: Spam, bulk email, and phishing messages (not high confidence phishing messages).
- Anti-phishing policies: Spoofed senders, user impersonation protection (Defender for Office 365), domain impersonation protection (Defender for Office 365), and mailbox intelligence protection (Defender for Office 365).
For more information, see Find and release quarantined messages as a user.
By default, end users can't access the following types of quarantined messages where they're a recipient:
- Anti-spam policies: High confidence phishing.
- Anti-malware policies
- Safe Attachments (Defender for Office 365): Email messages from Safe Attachments policies and files from Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.
- Mail flow rules (transport rules): Messages that were quarantined because of the Deliver the message to the hosted quarantine action in mail flow rules.
For more information, see Manage quarantined messages and files as an admin.
How long are messages kept in the quarantine?
It depends why the message was quarantined. For more information, see Quarantined messages in EOP and Defender for Office 365.
Can I release or report more than one quarantined message at a time?
In the Microsoft 365 Defender portal, you can select and release up to 100 messages at a time.
Admins can use the Get-QuarantineMessage and Release-QuarantineMessage cmdlets in Exchange Online PowerShell or standalone EOP PowerShell to find and release quarantined messages in bulk, and to report false positives in bulk.
Are wildcards supported when searching for quarantined messages? Can I search for quarantined messages for a specific domain?
Wildcards aren't supported in the Microsoft 365 Defender portal. For example, when searching for a sender, you need to specify the full email address. But, you can use wildcards in Exchange Online PowerShell or standalone EOP PowerShell.
For example, copy the following PowerShell code into NotePad and save the file as .ps1 in a location that's easy for you to find (for example, C:\Data\QuarantineRelease.ps1).
Then, after you connect to Exchange Online PowerShell or Exchange Online Protection PowerShell, run the following command to run the script:
& C:\Data\QuarantineRelease.ps1
The script does the following actions:
- Find unreleased messages that were quarantined as spam from all senders in the fabrikam domain. The maximum number of results is 50,000 (50 pages of 1000 results).
- Save the results to a CSV file.
- Release the matching quarantined messages to all original recipients.
$Page = 1
$List = $null
Do
{
Write-Host "Getting Page " $Page
$List = (Get-QuarantineMessage -Type Spam -PageSize 1000 -Page $Page | where {$_.Released -like "False" -and $_.SenderAddress -like "*fabrikam.com"})
Write-Host " " $List.count " rows in this page match"
Write-Host " Exporting list to appended CSV for logging"
$List | Export-Csv -Path "C:\Data\Quarantined Message Matches.csv" -Append -NoTypeInformation
Write-Host "Releasing page " $Page
$List | foreach {Release-QuarantineMessage -Identity $_.Identity -ReleaseToAll}
$Page = $Page + 1
} Until ($Page -eq 50)
After you release a message, you can't release it again.