Exchange Online Protection (EOP) provides spam and malware e-mail filtering for Microsoft 365 (formerly Office 365) tenant user mailboxes. EOP filters are a built-in tool for protecting user mailboxes from spam, malicious emails (phishing scams), and attachments containing viruses and trojans. EOP anti-malware policies allow you to automatically detect potentially dangerous or unwanted messages and place them in quarantine.
When Exchange Online Protection recognizes an incoming email message as unsafe, the user receives a special notification in their mailbox that messages have been placed in quarantine. The user can release legitimate e-mails that were recognized as dangerous directly from this notification.
The screenshot below shows an example of a quarantine notification stating that a dangerous message has been detected and quarantined. The user can perform one of three actions:
- Review message — the email will be displayed in plain text or HTML code with a message header;
- Release email from quarantine to Inbox — use this option if EOP filters mistakenly flag it as dangerous. After that, the email will be removed from the quarantine and placed in the Inbox folder of your mailbox;
- Block sender — prevents you from receiving such emails from this sender in the future.
A Microsoft 365 user also has the option to do nothing. In this case, the email will stay in quarantine for 30 days (by default), after which it will be automatically deleted by EOP policies.
A Microsoft 365 administrator can manage quarantined email messages from the Quarantine Portal. The Quarantine Portal is available from the Microsoft 365 Security center.
Go to Review > Quarantine.
Note. There is no way to completely disable the quarantine feature in Exchange Online.
You will see a list of quarantined messages that are classified by EOP:
- Malware;
- Phishing;
- High Confidence Phishing;
- Spam;
- Bulk Email.
Click on any message to get more details. In this example, the message says “Quarantined due to Anti-spam policy”. The administrator can also do one of the following actions:
- Release email;
- Share email;
- Preview message;
- View message headers;
- Delete from quarantine;
- Block sender;
- Submit only.
If you click the ‘Release email’ button, this item will be delivered to the target user’s Inbox.
Various filters are available in the quarantine console to help you find specific messages by:
- Message ID;
- Sender SMTP address;
- Recipient address;
- Subject;
- Time received.
If you have several e-mails that you would like to release from quarantine, you can select multiple emails in the list at once and click the Release button.
You can configure an anti-spam policy through the Microsoft 365 Defender Portal. Go to Policies & rules > Threat policies > Anti-spam policies. By default, two quarantine policies are available here:
- DefaultFullAccessPolicy;
- AdminOnlyAccessPolicy.
You can also manage quarantined messages using PowerShell. To do this, you must have the Exchange Online module installed on your computer. Let’s look at some examples of cmdlets for managing quarantined emails.
List messages in quarantine:
Get-QuarantineMessage -PageSize 1000 -Page 1
Note. Only 1000 messages per page are displayed by default.
List messages that are released from the quarantine:
Get-QuarantineMessage -PageSize 1000 -Page 1 | where {$_.ReleaseStatus -eq "RELEASED"}
Find unreleased quarantine messages from a specific domain or email address:
Get-QuarantineMessage -SenderAddress "*@contoso.com" -PageSize 1000 | where {$_.ReleaseStatus -eq "NOTRELEASED"}
Release the messages from the quarantine:
Get-QuarantineMessage -PageSize 1000 -Page 1 -Type TransportRule -SenderAddress "info@contoso.com" | where {$_.ReleaseStatus -eq "NOTRELEASED"} | Release-QuarantineMessage -ReleaseToAll
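The one-liner above reads only the first page and releases without a preview. The following added example (not from the original article) pages through all results, restricts the release to lower-risk verdict types, and supports a dry run. It assumes an existing Connect-ExchangeOnline session; the function name Release-QuarantineBySender is hypothetical.

```powershell
# Added example, not the article's own code. Requires a connected
# Exchange Online PowerShell session (Connect-ExchangeOnline).
function Release-QuarantineBySender {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string] $SenderAddress,

        # Verdicts treated here as false-positive candidates.
        # Malware and HighConfPhish are deliberately not selectable.
        [ValidateSet('Spam', 'Bulk', 'TransportRule')]
        [string[]] $Type = @('Spam', 'Bulk'),

        [ValidateRange(1, 1000)]
        [int] $PageSize = 1000
    )

    foreach ($t in $Type) {
        # Collect every page before releasing anything: releasing while
        # paging would shift the result set behind the NotReleased filter.
        $pending = @()
        $page = 1
        do {
            $batch = @(Get-QuarantineMessage -SenderAddress $SenderAddress -Type $t `
                    -ReleaseStatus NotReleased -PageSize $PageSize -Page $page)
            $pending += $batch
            $page++
        } while ($batch.Count -eq $PageSize)

        foreach ($msg in $pending) {
            $target = '{0} | {1} | {2}' -f $msg.ReceivedTime, $t, $msg.Subject
            # With -WhatIf this only prints the target and skips the release.
            if ($PSCmdlet.ShouldProcess($target, 'Release from quarantine')) {
                Release-QuarantineMessage -Identity $msg.Identity -ReleaseToAll -Confirm:$false
            }
        }
    }
}

# Dry run: lists what would be released without changing anything.
Release-QuarantineBySender -SenderAddress 'info@contoso.com' -WhatIf
```

Review the dry-run output, then run the same command without -WhatIf to perform the release.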