• Log In
  • Sign Up
  • Contact Us
PowerDMARC
  • Features
    • PowerDMARC
    • Hosted DKIM
    • PowerSPF
    • PowerBIMI
    • PowerMTA-STS
    • PowerTLS-RPT
    • PowerAlerts
    • Reputation Monitoring
  • Services
    • Deployment Services
    • Managed Services
    • Support Services
    • Service Benefits
  • Pricing
  • Power Toolbox
  • Partners
    • Reseller Program
    • MSSP Program
    • Technology Partners
    • Industry Partners
    • Become a Partner
  • Resources
    • DMARC: What is it and How does it Work?
    • Datasheets
    • Case Studies
    • Blog
    • DMARC Training
    • DMARC in Your Country
    • DMARC by Industry
    • Support
  • About
    • Our company
    • Clients
    • Contact us
    • Book a demo
    • Events
  • Menu Menu

What is Microsoft Quarantine?

Blogs
What is Microsoft Quarantine

It’s quite complicated to secure email attacks, yet the cybersecurity industry and email service providers have been making constant efforts to make the situation better. Microsoft quarantine is worse than marking it as spam because the intended recipient has no clue that your email has tried to reach them. 

Whenever you send an email, you want it to get delivered to the intended recipient, who should open it and respond back if required. However, none of this would happen if your email is quarantined. 

Microsoft quarantine policy was introduced to contain the spread of malware. The policy defines what users are permitted to do or not do to quarantined messages depending on why the email was quarantined in the first place. Admins are permitted to customize restrictions for users, and also activate notifications. 

How Do I Access Microsoft Quarantine?

Your ability to access Microsoft quarantine messages depends on the quarantine policy applied. Here’s how you can access it.

  1. Go to Microsoft 365 Defender portal at https://security.microsoft.com/ and select Email & Collaboration > Review > Quarantine. You can also go to the quarantine page directly by clicking on https://security.microsoft.com/quarantine.
  2. Then you have to resolve the results by clicking on an available column header. You can click customize columns to change the following columns.
  • Time received
  • Subject
  • Sender
  • Quarantine Reason
  • Release Status
  • Policy Type
  • Expires
  • Recipient
  • Message ID
  • Policy Name
  • Message Size
  • Mail Direction

Click on Apply when it’s done.

Does Quarantined Mean Deleted?

No, quarantine does not mean deleted. It means the message is spam-ish or potentially malicious; therefore, the suspected email is stored in a secure environment where you can open it without any risk. 

Microsoft quarantine notification is popped after every three days. It’s permanently deleted from the mailbox after 30 days (or less if you have changed the settings).

What Causes An Email to be Quarantined? 

To stop users from handling their own quarantined phishing emails, admins can assign a quarantine policy. The policy can deny access to all the quarantined messages. Microsoft quarantine occurs typically due to the following reasons:

Quarantine Reason Default Retention Period Customizable or Not? Comments
Messages quarantined by anti-spam policies; spam, high confidence spam, phishing, high confidence phishing, or bulk. 15 days as per the default Microsoft quarantine anti-spam policy. This is in the anti-spam policy created by you in PowerShell.

It can also retent for 30 days in anti-spam policies created by you in the Microsoft Defender portal.

Yes You can lower its value in anti-spam policies.
Messages quarantined by anti-phishing policies: spoof intelligence in EOP; user impersonation, domain impersonation, or mailbox intelligence in Defender for Office 365. 30 days Yes This retention period is under the control of the Quarantine Retention Period setting in the anti-spam policy.

Here the value for the retention period is the same as the first matching anti-spam policy that the recipient is defined in.

Messages quarantined by anti-malware policies (malware messages). 30 days No When you activate common attachments filtering in anti-malware policies, the attachments in the email are regarded as spiteful. This is only based on the file extension. There’s a predefined list of commonly executed file types, but you are allowed to make changes to them.
Messages quarantined by Safe Attachments policies in Defender for Office 365 (malware messages) 30 days No
Messages quarantined by mail flow rules: Deliver the message to the hosted quarantine (Quarantine). 30 days No
Files quarantined by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams (malware files). 30 days No In this, the files are dismissed from SharePoint or OneDrive after 30 days. However, the blocked files remain in SharePoint or OneDrive in the blocked state.

 How Should I Treat Microsoft Quarantine Files? 

Select Microsoft quarantined files from the list and take one of the following possible actions available in the details flyout. 

1. Release Email

Start by resetting the following options.

  • Add sender to your organization’s allow list: This option stops emails from getting Microsoft quarantined.
  • Select either of the options: 
  1. Release to all recipients
  2. Release to specific recipients: Select the recipients you want to add in the Recipient Box.
  • Share a copy of the email with other recipients: Choose this option and add the recipients.
  • Submit the message to Microsoft to improve detection (false positive): This is a default option which reports messages that are quarantined by mistake. These messages are highlighted as false positives. Emails considered spam, bulk, phishing, or containing malware, the message is also reported to the Microsoft Spam Analysis Team. 
  • Allow messages like this: This option is deactivated by default, but you can activate it to temporarily stop messages with similar URLs, attachments, and other characteristics from being erroneously Microsoft quarantined. You will come across two options:
  1. Remove after: Select for how many days you want to allow such messages. The default value is set to 30 days.
  2. Optional note: Add a relevant description for the allow.

Click on the Release message once you are done configuring it.

2. Share Email

Enter one or more recipients in the flyout. These are the recipients that will receive a copy of the message. Click on Share once you are done adding their email addresses.

3. More Actions

  • View message headers: Click this if you want to see the email header text. There will be the following options under it.
    1. Copy Message Header
    2. Microsoft Message Header Analyzer: To analyze the header fields and values, click the link, paste the message header and click Analyze headers.
  • Preview messages: Choose one of the following tabs:
    1. Source: You will see the HTML version with all the links disabled.
    2. Plain text: You will see the message body in plain text.
  • Delete from quarantine: If you click Yes, the message will be permanently deleted without being sent to the original recipient.
  • Download email: Configure the following under it:
    1. Reason for downloading file
    2. Create password 
  • Block sender:  Add the sender to the Blocked Senders list in your mailbox.
  • Submit only:  Reports the message to Microsoft for analysis. You will see some options under it.

DMARC Quarantine Vs Reject – Explained 

If your DMARC policy has been set to p=none for a long time, it’s time you switch it to either p=reject or p=quarantine. These stricter policies prevent the malicious attempt of phishing and scamming planned by threat actors. But before implementing one of the DMARC policies, you need to understand their differences.

DMARC Quarantine

When you set the DMARC quarantine policy, you let the recipient server know how you want them to treat the unauthenticated emails sent from your domain. You can choose to have them quarantined, delivered to spam, or undergo aggressive spam filtering.

It’s advised to use this as a testing option as it lets your company start flexing their DMARC strength slowly and less aggressively. So, until you are confident that no right emails are quarantined erroneously, you set your DMARC policy to p=quarantine.

DMARC Reject Policy

p=reject policy lets you prevent all malicious activities completely. Moreover, the intended recipients are not at all notified of the mail, and there’s no chance they can get tricked if it hasn’t landed in their mailbox.

But it has a downside, as some legitimate emails can also get rejected erroneously. If you don’t monitor DMARC reports regularly, it can take months to spot that legitimate emails are not being delivered. This can hamper productivity, communication with clients, prospects and partners, sales growth, marketing efforts, etc.

Microsoft Quarantine

  • About
  • Latest Posts
Ahona Rudra
Digital Marketing & Content Writer Manager at PowerDMARC
Ahona works as a Digital Marketing and Content Writer Manager at PowerDMARC. She is a passionate writer, blogger, and marketing specialist in cybersecurity and information technology.
Latest posts by Ahona Rudra (see all)
  • Web Security 101 – Best Practices and Solutions - November 29, 2023
  • What is Email Encryption and What are its Various Types? - November 29, 2023
  • What is MTA-STS? Setup the Right MTA STS Policy - November 25, 2023
January 29, 2023/by Ahona Rudra
Tags: Microsoft Quarantine, microsoft quarantine folder, quarantined email, what is microsoft quarantine
Share this entry
  • Share on Facebook
  • Share on Twitter
  • Share on Twitter
  • Share on WhatsApp
  • Share on LinkedIn
  • Share by Mail

Secure Your Email

Stop Email Spoofing and Improve Email Deliverability

15-day Free trial!


Categories

  • Blogs
  • News
  • Press Releases

Latest Blogs

  • Web Security 101 - Best Practices and Solutions
    Web Security 101 – Best Practices and SolutionsNovember 29, 2023 - 4:52 pm
  • What-is-Email-Encryption-and-What-are-its-Various-Types
    What is Email Encryption and What are its Various Types?November 29, 2023 - 12:39 pm
  • mta sts blog
    What is MTA-STS? Setup the Right MTA STS PolicyNovember 25, 2023 - 3:02 pm
  • Microsoft Quarantine
    DMARC Black Friday: Fortify Your Emails This Holiday SeasonNovember 23, 2023 - 8:00 pm
logo footer powerdmarc
SOC2 GDPR PowerDMARC GDPR comliant crown commercial service
global cyber alliance certified powerdmarc csa

Knowledge

What is Email Authentication?
What is DMARC?
What is DMARC Policy?
What is SPF?
What is DKIM?
What is BIMI?
What is MTA-STS?
What is TLS-RPT?
What is RUA?
What is RUF?
AntiSpam vs DMARC
DMARC Alignment
DMARC Compliance
DMARC Enforcement
BIMI Implementation Guide
Permerror
MTA-STS & TLS-RPT Implementation Guide

Tools

Free DMARC Record Generator
Free DMARC Record Checker
Free SPF Record Generator
Free SPF Record Lookup
Free DKIM Record Generator
Free DKIM Record Lookup
Free BIMI Record Generator
Free BIMI Record Lookup
Free FCrDNS Record Lookup
Free TLS-RPT Record Checker
Free MTA-STS Record Checker
Free TLS-RPT Record Generator

Product

Product Tour
Features
PowerSPF
PowerBIMI
PowerMTA-STS
PowerTLS-RPT
PowerAlerts
Reputation Monitoring
API Documentation
Managed Services
Email Spoofing Protection
Brand Protection
Anti Phishing
DMARC for Office365
DMARC for Google Mail GSuite
DMARC for Zimbra
Free DMARC Training

Try Us

Contact Us
Free Trial
Book Demo
Partnership
Pricing
FAQ
Support
Blog
Events
Feature Request
Change Log
System Status

  • Français
  • Dansk
  • Nederlands
  • Deutsch
  • Русский
  • Polski
  • Español
  • Italiano
  • 日本語
  • 中文 (简体)
  • Português
  • Norsk
  • Svenska
  • 한국어
© PowerDMARC is a registered trademark.
  • Twitter
  • Youtube
  • LinkedIn
  • Facebook
  • Instagram
  • Contact us
  • Terms & Conditions
  • Privacy Policy
  • Cookie Policy
  • Security Policy
  • Compliance
  • GDPR Notice
  • Sitemap
What is a Cybersecurity Audit and Why do you need it?What is a Cybersecurity AuditWhat is GPS Spoofing A Complete GuideWhat is GPS Spoofing – A Complete Guide 
Scroll to top