Manage quarantined messages and files as an admin in EOP

Applies to

  • Exchange Online Protection
  • Microsoft Defender for Office 365 plan 1 and plan 2
  • Microsoft 365 Defender

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, quarantine holds potentially dangerous or unwanted messages. For more information, see Quarantined email messages in EOP.

Admins can view, release, and delete all types of quarantined messages for all users. Admins can also report false positives to Microsoft.

By default, only admins can manage messages that were quarantined as malware, high confidence phishing, or as a result of mail flow rules (also known as transport rules). But admins can use quarantine policies to define what users are allowed to do to quarantined messages based on why the message was quarantined (for supported features). For more information, see Quarantine policies.

Admins in organizations with Microsoft Defender for Office 365 can also manage files that were quarantined by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.

You view and manage quarantined messages in the Microsoft 365 Defender portal or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).

What do you need to know before you begin?

  • To open the Microsoft 365 Defender portal, go to https://security.microsoft.com. To go directly to the Quarantine page, use https://security.microsoft.com/quarantine.

  • To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell. To connect to standalone EOP PowerShell, see Connect to Exchange Online Protection PowerShell.

  • You need to be assigned permissions in Exchange Online before you can do the procedures in this article:

    • To take action on quarantined messages for all users, you need to be a member of the Organization Management, Security Administrator, or Quarantine Administrator * role groups. To submit messages to Microsoft, you need to be a member of the Security Administrator role group.
    • For read-only access to quarantined messages for all users, you need to be a member of the Global Reader or Security Reader role groups.

    For more information, see Permissions in Exchange Online.

    Notes:

    • Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions and permissions for other features in Microsoft 365. For more information, see About admin roles.
    • The View-Only Organization Management role group in Exchange Online also gives read-only access to the feature.
    • * Members of the Quarantine Administrator role group in Email & collaboration roles in the Microsoft 365 Defender portal also need to be members of the Hygiene Management role group in Exchange Online to do quarantine procedures in Exchange Online PowerShell.
  • Quarantined messages are retained for a default period of time based on why they were quarantined. After the retention period expires, the messages are automatically deleted and are not recoverable. For more information, see Quarantined email messages in EOP and Defender for Office 365.

Use the Microsoft 365 Defender portal to manage quarantined email messages

View quarantined email

  1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Email & collaboration > Review > Quarantine. To go directly to the Quarantine page, use https://security.microsoft.com/quarantine.

  2. On the Quarantine page, verify that the Email tab is selected.

  3. You can sort the results by clicking on an available column header. Click Customize columns to change the columns that are shown. The default values are marked with an asterisk (*):

    • Time received *
    • Subject *
    • Sender *
    • Quarantine reason *
    • Release status *
    • Policy type *
    • Expires *
    • Recipient
    • Message ID
    • Policy name
    • Message size
    • Mail direction
    • Recipient tag

    When you're finished, click Apply.

  4. To filter the results, click Filter. The following filters are available in the Filters flyout that appears:

    • Message ID: The globally unique identifier of the message.

      For example, you used message trace to look for a message that was sent to a user in your organization, and you determine that the message was quarantined instead of delivered. Be sure to include the full message ID value, which might include angle brackets (<>). For example: <79239079-d95a-483a-aacf-e954f592a0f6@XYZPR00BM0200.contoso.com>.

    • Sender address

    • Recipient address

    • Subject

    • Time received: Enter a Start time and End time (date).

    • Expires: Filter messages by when they will expire from quarantine:

      • Today
      • Next 2 days
      • Next 7 days
      • Custom: Enter a Start time and End time (date).
    • Recipient tag

    • Quarantine reason:

      • Transport rule (mail flow rule)
      • Bulk
      • Spam
      • Malware: Anti-malware policies in EOP or Safe Attachments policies in Defender for Office 365. The Policy Type value indicates which feature was used.
      • Phishing: The spam filter verdict was Phishing or anti-phishing protection quarantined the message (spoof settings or impersonation protection).
      • High confidence phishing
    • Recipient: All users or Only me. End users can only manage quarantined messages sent to them.

    • Release status: Any of the following values:

      • Needs review
      • Approved
      • Denied
      • Release requested
      • Released
    • Policy Type: Filter messages by policy type:

      • Anti-malware policy
      • Safe Attachments policy
      • Anti-phishing policy
      • Anti-spam policy
      • Transport rule (mail flow rule)

    When you're finished, click Apply. To clear the filters, click Clear filters.

  5. Use the Search box and a corresponding value to find specific messages. Wildcards aren't supported. You can search by the following values:

    • Sender email address
    • Subject. Use the entire subject of the message. The search is not case-sensitive.

    After you've entered the search criteria, press ENTER to filter the results.

After you find a specific quarantined message, select the message to view details about it, and to take action on it (for example, view, release, download, or delete the message).

View quarantined message details

When you select a quarantined message from the list, the following information is available in the details flyout that appears.

The details flyout of a quarantined message

  • Message ID: The globally unique identifier for the message. Available in the Message-ID header field in the message header.
  • Sender address
  • Received: The date/time when the message was received.
  • Subject
  • Quarantine reason: Shows if a message has been identified as Spam, Bulk, Phish, matched a mail flow rule (Transport rule), or was identified as containing Malware.
  • Policy type
  • Policy name
  • Recipient count
  • Recipients: If the message contains multiple recipients, you need to click Preview message or View message header to see the complete list of recipients.
  • Recipient tag: For more information, see User tags in Microsoft Defender for Office 365.
  • Expires: The date/time when the message will be automatically and permanently deleted from quarantine.
  • Released to: All email addresses (if any) to which the message has been released.
  • Not yet released to: All email addresses (if any) to which the message has not yet been released.

To take action on the message, see the next section.

Note

To remain in the details flyout, but change the quarantined message that you're looking at, use the up and down arrows at the top of the flyout.

The up and down arrows in the details flyout of a quarantined message

Take action on quarantined email

After you select a quarantined message from the list, the following actions are available in the details flyout:

The Available actions in the details flyout of a quarantined message

  • Release email *: In the flyout pane that appears, configure the following options:

    • Add sender to your organization's allow list: Select this option to prevent messages from the sender from being quarantined.

    • Choose one of the following options:

      • Release to all recipients
      • Release to specific recipients: Select the recipients in the Recipients box that appears
    • Send a copy of this message to other recipients: Select this option and enter the recipient email addresses in the Recipients box that appears.

      Note

      To send a copy of the message to other recipients, you must also release the message to at least one of the original recipients (select Release to all recipients or Release to specific recipients).

    • Submit the message to Microsoft to improve detection (false positive): This option is selected by default, and reports the erroneously quarantined message to Microsoft as a false positive. If the message was quarantined as spam, bulk, phishing, or containing malware, the message is also reported to the Microsoft Spam Analysis Team. Depending on the results of their analysis, the service-wide spam filter rules might be adjusted to allow the message through.

    • Allow messages like this: This option is turned off by default. Turn it on to temporarily prevent messages with similar URLs, attachments, and other properties from being quarantined. When you turn this option on, the following options are available:

      • Remove after: Select how long you want to allow messages like this. Select 1 day to 30 days. The default is 30.
      • Optional note: Enter a useful description for the allow.

    When you're finished, click Release message.

    Notes about releasing messages:

    • You can't release a message to the same recipient more than once.
    • Only recipients who haven't received the message will appear in the list of potential recipients.
    • Only members of the Security Administrators role group can see and use the Submit the message to Microsoft to improve detection (false positive) and Allow messages like this options.
  • Share email: In the flyout that appears, add one or more recipients to receive a copy of the message. When you're finished, click Share.

The following actions are available after you click More actions:

  • View message headers: Choose this link to see the message header text. The Message header flyout appears with the following links:

    • Copy message header: Click this link to copy the message header (all header fields) to your clipboard.
    • Microsoft Message Header Analyzer: To analyze the header fields and values in depth, click this link to go to the Message Header Analyzer. Paste the message header into the Insert the message header you would like to analyze section (CTRL+V or right-click and choose Paste), and then click Analyze headers.
  • Preview message: In the flyout that appears, choose one of the following tabs:

    • Source: Shows the HTML version of the message body with all links disabled.
    • Plain text: Shows the message body in plain text.
  • Delete from quarantine: After you click Yes in the warning that appears, the message is immediately deleted without being sent to the original recipients.

  • Download email: In the flyout that appears, select I understand the risks from downloading this message, and then click Download to save a local copy of the message in .eml format.

  • Block sender: Add the sender to the Blocked Senders list in your mailbox. For more information, see Block a mail sender.

  • Submit only: Reports the message to Microsoft for analysis. In the flyout that appears, choose the following options:

    • Select the submission type: Email (default), URL, or File.
    • Add the network message ID or upload the email file: Select one of the following options:
      • Add the email network message ID (default, with the corresponding value in the box)
      • Upload the email file (.msg or eml): Click Browse files to find and select the .msg or .eml message file to submit.
    • Choose a recipient who had an issue: Select one (preferred) or more original recipients of the message to analyze the policies that were applied to them.
    • Select a reason for submitting to Microsoft: Choose one of the following options:
      • Should not have been blocked (false positive) (default): The following options are available:
      • Should have been blocked (false negative).

    When you're finished, click Submit.

* This option is not available for messages that have already been released (the Released status value is Released).

If you don't release or remove the message, it will be deleted after the default quarantine retention period expires (as shown in the Expires column).

Take action on multiple quarantined email messages

When you select multiple quarantined messages in the list (up to 100) by clicking in the blank area to the left of the first column, the Bulk actions drop down list appears where you can take the following actions:

The Bulk actions drop-down list for messages in quarantine

  • Release messages: Releases messages to all recipients. In the flyout that appears, you can choose the following options, which are the same as when you release a single message:

    • Add sender to your organization's allow list
    • Send a copy of this message to other recipients
    • Submit the message to Microsoft to improve detection (false positive)
    • Allow messages like this:
      • Remove after: 1 day to 30 days
      • Optional note

    When you're finished, click Release message.

    Note

    Consider the following scenario: john@gmail.com sends a message to faith@contoso.com and john@subsidiary.contoso.com. Gmail bifurcates this message into two copies that are both routed to quarantine as phishing in Microsoft. An admin releases both of these messages to admin@contoso.com. The first released message that reaches the admin mailbox is delivered. The second released message is identified as duplicate delivery and is skipped. Messages are identified as duplicates if they have the same message ID and received time.

  • Delete messages: After you click Yes in the warning that appears, the messages are immediately removed from quarantine without being sent to the original recipients.

  • Download messages

  • Submit only

Use the Microsoft 365 Defender portal to manage quarantined files in Defender for Office 365

Note

The procedures for quarantined files in this section are available only to Microsoft Defender for Office 365 Plan 1 or Plan 2 subscribers.

In organizations with Defender for Office 365, admins can manage files that were quarantined by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. To enable protection for these files, see Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.

View quarantined files

  1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Email & collaboration > Review > Quarantine. To go directly to the Quarantine page, use https://security.microsoft.com/quarantine.

  2. On the Quarantine page, select the Files tab (Email is the default tab).

  3. You can sort the results by clicking on an available column header. Click Customize columns to change the columns that are shown. The default columns are marked with an asterisk (*):

    • User *
    • Location *
    • Attachment filename *
    • File URL *
    • File Size
    • Release status *
    • Expires *
    • Detected by
    • Modified by time

    When you're finished, click Apply or Cancel.

  4. To filter the results, click Filter. The following filters are available in the Filters flyout that appears:

    • Time received: Start time and End time (date).
    • Expires: Start time and End time (date).
    • Quarantine reason: The only available value is Malware.
    • Policy type

    When you're finished, click Apply or Cancel.

After you find a specific quarantined file, select the file to view details about it, and to take action on it (for example, view, release, download, or delete the file).

View quarantined file details

When you select a quarantined file from the list, the following information is available in the details flyout that opens:

The details flyout of a quarantined file

  • File Name
  • File URL: URL that defines the location of the file (for example, in SharePoint Online).
  • Malicious content detected on: The date/time the file was quarantined.
  • Expires: The date when the file will be deleted from quarantine.
  • Detected by
  • Released?
  • Malware Name
  • Document ID: A unique identifier for the document.
  • File Size: In kilobytes (KB).
  • Organization: Your organization's unique ID.
  • Last modified
  • Modified By: The user who last modified the file.
  • Secure Hash Algorithm 256-bit (SHA-256) value: You can use this hash value to identify the file in other reputation stores or in other locations in your environment.

To take action on the file, see the next section.

Note

To remain in the details flyout, but change the quarantined file that you're looking at, use the up and down arrows at the top of the flyout.

The up and down arrows in the details flyout of quarantined files

Take action on quarantined files

After you select a quarantined file from the list, the following actions are available in the details flyout:

The actions in the details flyout of a quarantined file

* This option is not available for files that have already been released (the Released status value is Released).

If you don't release or remove the file, it will be deleted after the default quarantine retention period expires (as shown in the Expires column).

Take action on multiple quarantined files

When you select multiple quarantined files in the list (up to 100) by clicking in the blank area to the left of the Subject column, the Bulk actions drop down list appears where you can take the following actions:

The Bulk actions drop down list for files in quarantine

Use Exchange Online PowerShell or standalone EOP PowerShell to view and manage quarantined messages and files

The cmdlets that you use to view and manage messages and files in quarantine are described in the following list:

  • Delete-QuarantineMessage
  • Export-QuarantineMessage
  • Get-QuarantineMessage
  • Preview-QuarantineMessage: Note that this cmdlet is only for messages, not quarantined files from Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.
  • Release-QuarantineMessage
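
The cmdlets above, combined into a review workflow for one quarantined message (an added example, not part of the original article). It assumes an already connected Exchange Online PowerShell or standalone EOP PowerShell session; the message ID is the sample value used earlier on this page, and C:\QuarantineReview is a placeholder folder.

```powershell
# Added example: review a quarantined message before deciding whether to release it.
# Assumes a connected Exchange Online / standalone EOP PowerShell session.
$messageId = '<79239079-d95a-483a-aacf-e954f592a0f6@XYZPR00BM0200.contoso.com>'  # sample ID from this article
$outDir    = 'C:\QuarantineReview'                                               # placeholder evidence folder

New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Find the message by its full Message-ID, angle brackets included.
#    More than one entry can come back (for example, split copies of the same message).
$items = @(Get-QuarantineMessage -MessageId $messageId)
if ($items.Count -eq 0) {
    Write-Warning "No quarantined message found for $messageId"
    return
}

foreach ($item in $items) {
    # 2. Show why and when it was quarantined, and when it expires.
    $item | Format-List Identity, ReceivedTime, SenderAddress, Subject, Type, ReleaseStatus, Expires

    # 3. Preview the content without delivering it (messages only, not quarantined files).
    Preview-QuarantineMessage -Identity $item.Identity | Format-List

    # 4. Export a local .eml copy for offline analysis and record its SHA-256 hash.
    $export   = Export-QuarantineMessage -Identity $item.Identity
    $bytes    = [Convert]::FromBase64String($export.Eml)
    $fileName = ($item.Identity -replace '[\\/:*?"<>|]', '_') + '.eml'
    $path     = Join-Path $outDir $fileName
    [IO.File]::WriteAllBytes($path, $bytes)
    Get-FileHash -Path $path -Algorithm SHA256 | Format-List Path, Hash

    # 5. Dry run of the release; remove -WhatIf only after the review confirms a false positive.
    Release-QuarantineMessage -Identity $item.Identity -ReleaseToAll -WhatIf
}
```

Treat the exported .eml file as untrusted content and open it only in an isolated analysis environment.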

For more information

Quarantined messages FAQ