How to use the Office 365 Spam and Phishing Quarantine Tool

Email through Office 365 has built-in quarantine tools to help prevent spam and phishing emails from appearing in your inbox. As with any email filter, it’s important to understand how to review these emails and mark any false positives as safe. Office 365 makes this easy with its email protection dashboard, part of Microsoft 365 Compliance and Protection. In this article, we will go over how to access this dashboard, how to review your quarantined emails, and how to mark an email as safe.

Accessing quarantined emails

If Microsoft’s quarantine tool flags an email, you will receive an email alert. It is important to note that this will come from, as often phishing emails will disguise themselves as a quarantine message. This email will provide a few details about the quarantined message, including sender email, subject and date. It will also give you three options: block sender, release, or review.

Block sender is used when you agree that the message is spam or phishing. This prevents you from receiving further mail from this sender.

Release is used for false positives, when an email from a known sender that you were expecting gets quarantined. This will send the email to your inbox so you can proceed as normal.

Review allows you to further evaluate the email before making your decision. Emails will only be available for review within 30 days* of receipt. Clicking on the review button will bring you to the Office 365 quarantine site.

Office 365 threat management dashboard

Quarantine email review is located under threat management in the Office 365 Security and Compliance section of The easiest way to get to this site is by clicking the link located in your quarantine notice email. However, if you cannot find a recent email and want to view any quarantined items from the last 30 days you can go directly to

Here you will see a list of quarantined emails. There are options to search and filter to find a particular email. You can search by message ID, sender email address, recipient email address, subject or policy name.

When you click on the filter button, you have the option to view only emails that fall into a specified expiration time, date received, reason for quarantine and policy type.

Additionally, you have the option to edit the columns that appear. The default is to show you time received, sender email, subject, reason for quarantine, if the message was released to your inbox, policy type, and when it will expire and no longer be actionable. Additional column options are the recipient’s email, message ID, policy name, email size, and direction (such as inbound or outbound).  

Releasing and modifying your quarantined emails

Unfortunately, email filtering won’t always get things right, so it’s important to understand how to review quarantined emails and allow them to pass through the filter.

Click on an email in your list to view more details and open the actions menu.

If you already know you want the message released to your inbox, you can click release message in blue. You can also click on the check box of multiple emails to release more than one at a time.

The message will not release right away. You will have to review the information provided and then confirm by clicking release at the bottom. Then the full message will be sent to your inbox.

Reviewing quarantined emails

For the average user, choosing preview message will give you more insight as to the content of the email. Unless you know a lot about the mechanics of email, ignore the view message header button, as this can be a confusing view.

The message preview will look similar to how the message would have arrived in your inbox.

The source tab at the top will show the email with pictures and links. You can hover your mouse over a link to view its destination. The link will not function in this view for your protection.

You may also choose to look at the email in plain text by selecting that tab at the top. This removes all formatting, which makes some emails simpler to read, but for others it will display the HTML code used to create the formatting, essentially displaying the email in another language.

If you believe the email was correctly filtered, you have a few options. From the details screen you can remove from quarantine, deleting the email, or block the sender, preventing them from sending you email in the future.

From the quarantine list, you can check off multiple emails and choose to bulk delete them.

Lastly, you have the option to do nothing. This will keep the email in quarantine until 30 days* after its sent date. It will then be deleted.

Additional email filtering techniques

Microsoft quarantine is one of the first lines of defense against spam and phishing. However, there are other ways to help prevent spam and phishing emails and reduce their impact. Third-party anti-phishing applications such as Inky and Ironscales are available, but one tried-and-true method is making sure you are trained on how to spot malicious emails. Practicing spotting phishing can help, and general security awareness will make you less likely to fall for an email scam.

*30 days is the default expiration for quarantined emails. Your administrator can change the expiration date, so always trust the date detailed in your quarantine notice and list.

Valiant Technology is the award-winning managed service provider to innovative industries in New York.
