Defending against email-borne attacks is hard, yet the cybersecurity industry and email service providers keep working to improve the situation. From a sender's point of view, Microsoft quarantine is worse than having your email marked as spam, because the intended recipient has no clue that your email ever tried to reach them.
Whenever you send an email, you want it delivered to the intended recipient, who should open it and reply if required. None of that happens if your email is quarantined.
Microsoft quarantine policies were introduced to contain the spread of malware. A quarantine policy defines what users are permitted to do with quarantined messages, depending on why the message was quarantined in the first place. Admins can customize these restrictions for users and enable notifications.
How Do I Access Microsoft Quarantine?
Your ability to access Microsoft quarantine messages depends on the quarantine policy applied to you. Here's how to access it.
- Go to the Microsoft 365 Defender portal at https://security.microsoft.com/ and select Email & Collaboration > Review > Quarantine. You can also open the quarantine page directly at https://security.microsoft.com/quarantine.
- Sort the results by clicking an available column header. Click Customize columns to show or hide the following columns:
  - Time received
  - Quarantine Reason
  - Release Status
  - Policy Type
  - Message ID
  - Policy Name
  - Message Size
  - Mail Direction
- Click Apply when you're done.
Does Quarantined Mean Deleted?
No, quarantined does not mean deleted. It means the message looks like spam or is potentially malicious, so the suspected email is held in a secure environment where you can inspect it without risk.
Microsoft sends quarantine notifications every three days. A quarantined message is permanently deleted after 30 days (or sooner if you have changed the retention settings).
What Causes An Email to be Quarantined?
To stop users from handling their own quarantined phishing emails, admins can assign a quarantine policy that denies access to all quarantined messages. Messages typically land in Microsoft quarantine for the following reasons:
|Quarantine Reason|Default Retention Period|Customizable?|Comments|
|---|---|---|---|
|Messages quarantined by anti-spam policies: spam, high confidence spam, phishing, high confidence phishing, or bulk.|15 days in the default anti-spam policy and in anti-spam policies you create in PowerShell. 30 days in anti-spam policies you create in the Microsoft Defender portal.|Yes|You can lower the value in anti-spam policies.|
|Messages quarantined by anti-phishing policies: spoof intelligence in EOP; user impersonation, domain impersonation, or mailbox intelligence in Defender for Office 365.|30 days|Yes|Controlled by the Quarantine retention period setting in the anti-spam policy. The value used is that of the first matching anti-spam policy the recipient is defined in.|
|Messages quarantined by anti-malware policies (malware messages).|30 days|No|When you enable common attachments filtering in anti-malware policies, attachments are treated as malicious based solely on their file extension. There is a predefined list of commonly executed file types, but you can modify it.|
|Messages quarantined by Safe Attachments policies in Defender for Office 365 (malware messages).|30 days|No| |
|Messages quarantined by mail flow rules: Deliver the message to the hosted quarantine (Quarantine).|30 days|No| |
|Files quarantined by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams (malware files).|30 days|No|Files are removed from quarantine after 30 days, but the blocked files remain in SharePoint or OneDrive in the blocked state.|
How Should I Treat Microsoft Quarantine Files?
Select a quarantined message from the list and take one of the following actions from the details flyout.
1. Release Email
Start by configuring the following options:
- Add sender to your organization's allow list: stops future emails from this sender from being quarantined.
- Select one of the following:
  - Release to all recipients
  - Release to specific recipients: select the recipients in the Recipient box.
- Share a copy of the email with other recipients: choose this option and add the recipients.
- Submit the message to Microsoft to improve detection (false positive): selected by default; it reports messages that were quarantined by mistake as false positives. If the message was quarantined as spam, bulk, phishing, or malware, it is also reported to the Microsoft Spam Analysis Team.
- Allow messages like this: off by default; turn it on to temporarily stop messages with similar URLs, attachments, and other characteristics from being wrongly quarantined. Two options appear:
  - Remove after: how many days to allow such messages. The default is 30 days.
  - Optional note: a description for the allow entry.
Click Release message once you are done configuring these options.
2. Share Email
Enter one or more recipients in the flyout; they will receive a copy of the message. Click Share once you are done adding their email addresses.
3. More Actions
- View message headers: click this to see the raw header text. Two options appear under it:
  1. Copy message header
  2. Microsoft Message Header Analyzer: to analyze the header fields and values, click the link, paste the message header, and click Analyze headers.
- Preview message: choose one of the following tabs:
  1. Source: the HTML version of the message with all links disabled.
  2. Plain text: the message body in plain text.
- Delete from quarantine: if you click Yes, the message is permanently deleted without being delivered to the original recipient.
- Download email: configure the following:
  1. Reason for downloading file
  2. Create password
- Block sender: adds the sender to the Blocked Senders list in your mailbox.
- Submit only: reports the message to Microsoft for analysis without releasing it. Further options appear under it.
DMARC Quarantine Vs Reject – Explained
If your DMARC policy has been set to p=none for a long time, it's time to switch it to either p=quarantine or p=reject. These stricter policies block the phishing and scam attempts threat actors make by spoofing your domain. Before implementing either, you need to understand how they differ.
When you set a DMARC quarantine policy, you tell receiving servers how to treat unauthenticated email claiming to come from your domain: quarantine it, deliver it to the spam folder, or subject it to more aggressive spam filtering.
It's advisable to use p=quarantine as a testing stage, because it lets your organization tighten its DMARC enforcement gradually rather than all at once. Keep your policy at p=quarantine until you are confident that no legitimate emails are being quarantined erroneously.
DMARC Reject Policy
A p=reject policy tells receiving servers to reject unauthenticated mail from your domain outright, which stops spoofed messages cold. The intended recipients are never even notified of the message, so there is no chance they can be tricked by something that never reached their mailbox.
But it has a downside: some legitimate emails can also be rejected erroneously. If you don't monitor DMARC reports regularly, it can take months to notice that legitimate emails are not being delivered, which hurts productivity, communication with clients, prospects and partners, sales, marketing efforts, and so on.
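As an added example (not part of the original article), this Python snippet parses a DMARC TXT record and works out the disposition a receiving server applies under p=none, p=quarantine and p=reject, honouring the sp (subdomain) and pct (sampling) tags, and finishes with a small audit that flags the monitoring gap described above. The record values and the example.invalid domain are constructed for illustration.

```python
# Constructed sample DMARC TXT records (not from the article or any real domain)
SAMPLE_RECORDS = {
    "none": "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid",
    "quarantine": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.invalid",
    "reject": "v=DMARC1; p=reject; sp=quarantine",
}

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a {tag: value} dict, or None if invalid."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # A usable record must carry v=DMARC1 and a valid p tag
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    return tags

def disposition(tags, from_domain, org_domain, spf_aligned, dkim_aligned, sample=100):
    """Action a receiver applies to one message. spf_aligned/dkim_aligned say whether
    SPF or DKIM passed with a domain aligned to From; sample is the receiver's 1-100
    draw for pct sampling, passed in so the result is deterministic."""
    if spf_aligned or dkim_aligned:
        return "pass"  # DMARC passes when either aligned mechanism passes
    policy = tags["p"]
    if from_domain != org_domain and "sp" in tags:
        policy = tags["sp"]  # sp applies to subdomains of the organizational domain
    if sample > int(tags.get("pct", "100")):
        # Messages outside the pct sample get the next less strict policy (RFC 7489)
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return policy

def audit(txt):
    """Findings a domain owner should act on before tightening from p=none."""
    tags = parse_dmarc(txt)
    if tags is None:
        return ["no valid DMARC record: receivers apply no policy"]
    findings = []
    if tags["p"] == "none":
        findings.append("p=none: unauthenticated mail is still delivered (monitoring only)")
    if "rua" not in tags:
        findings.append("no rua tag: without aggregate reports, wrongly rejected legitimate mail goes unnoticed")
    if int(tags.get("pct", "100")) < 100:
        findings.append("pct<100: the policy is applied to only a share of unauthenticated mail")
    return findings
```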