After enabling new Microsoft 365 Security features, people may begin seeing messages about items in quarantine. If unexpected, these messages may look suspicious. Rest assured, these are legitimate and helpful. Instead of being delivered to your inbox's "Junk Email" folder, these are now being held outside of the mailbox for review.
While many items are automatically deleted or blocked by our firewall and Exchange servers, some messages can't be easily judged. Instead of placing these in a community quarantine, each mailbox now has its own quarantine. This allows each recipient to review, delete or release these items once received instead of contacting the Helpdesk to search for it.
These screenshots are meant to guide people through this process with confidence.
What to expect in the Message
Below is a screenshot of a legitimate notification email when an item has been placed in quarantine.
- The subject will identify it universally: Microsoft 365 security: You have messages in quarantine.
- It will be from a trusted sender: [email protected].
- There should be only one person or shared inbox in the To field.
- Since the message is from Microsoft's system instead of our own, it will be marked as an External Email.
- There will be a short description of why the message was sent.
Note: This screenshot is not downloading pictures from external senders, so there is no logo or image that appears, only a red X and outline of where a picture would be. - There is a link in this paragraph to the quarantine page, the destination should be https://security.microsoft.com/quarantine.
- Instead of showing the name listed by the sender, this message shows the email address of the sender; this helps to more easily identify the true sender.
- The subject line of the original message will also appear.
- The date and time the message was sent appears in Central time, the first half of the message shows this as Coordinated Universal Time (UTC).
- It is recommended to use the Review Message button to decide the best course of action; the first portion of this destination should also be https://security.microsoft.com/quarantine followed by extra information to identify the exact message being reviewed.
-
Release will open a web browser and attempt to send the item to the original recipient's inbox, though future messages from the sender may still be placed in quarantine.
Note: Release marks the message as SAFE. Only use this when the message is expected. -
Block Sender will add the sender to the recipient's list of Blocked Senders.
Note: This action (further defined in this article) does little more than preventing a message from being delivered to the mailbox. The fact that it is in Quarantine means that the sender has already been blocked in this way. The action does little more than to train Microsoft's AI to prevent similar messages from being delivered to other users' inboxes.
Actions taken with items in quarantine will help this tool learn which senders are more or less desirable and use that information to improve its ability to handle incoming messages accordingly.
Reviewing Messages in Quarantine
The landing page for https://security.microsoft.com/quarantine should look similar to this screenshot, though it should contain a different list of messages. If prompted to log in, please use the Concordia University, Nebraska email address and password.
- There should be a "waffle" icon next to the words "Microsoft 365 Defender," this icon allows you to visit other Microsoft 365 web applications.
- You are here. This page lands on the Review page in the Email & collaboration section in case curiosity lands someone on a different page.
- The quarantine is able to hold both Email messages and Teams messages, though it is less likely to see a Teams message in quarantine.
- There are some options available when selecting one or more messages, which will be explored more in the next screenshot.
- This is the list of messages including a selection checkbox and some basic information about the quarantined message.
- Learn more presents a list of articles written by Microsoft explaining these features in detail.
Quarantined Message Actions
When clicking on the date stamp for a message, something similar to the screenshot below will appear on the left side of the web page. This view uses more than an icon for the actions and better illustrates what can be done with the message.
- More options menu: Shows options not visible from the default view.
- Release email: This option marks the message as safe and desired, placing it in the recipient's inbox.
- View message headers: For advanced users, header information provides information such as the IP address for the original sender.
- Preview message: If uncertain whether to release an item, the contents of the message can be viewed to determine whether it is expected or desirable.
- Delete from quarantine: When the message is identified as undesirable, it can be deleted from the system right away, otherwise it will be removed after 30 days.
-
Block sender: adds the sender to the recipient's list of Blocked Senders.
Note: This action (further defined in this article) does little more than preventing a message from being delivered to the mailbox. The fact that it is in Quarantine means that the sender has already been blocked in this way. The action does little more than to train Microsoft's AI to prevent similar messages from being delivered to other users' inboxes.
Final Notes: An item in quarantine has already been identified as suspicious. It does not need to be reported to the Helpdesk as a Phishing attempt. Blocking the sender and deleting the message will help the system better protect against future attempts.