Manage quarantined messages and files as an administrator - Office 365 (2023)


Tip

Did you know that you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn more about who can sign up and the trial terms here.

Applies to

  • Exchange Online Protection
  • Microsoft Defender for Office 365 Plan 1 and Plan 2
  • Microsoft 365 Defender

In Microsoft 365 organizations with mailboxes in Exchange Online, or in standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, the quarantine contains potentially dangerous or unwanted messages. For more information, see Quarantined emails in EOP.

Admins can view, release, and delete all types of quarantined messages for all users. Administrators can also report false positives to Microsoft.

By default, only administrators can manage messages quarantined as malware, high confidence phishing, or because of mail flow rules (also known as transport rules). But administrators can use quarantine policies to define what users can do with quarantined messages, depending on why the message was quarantined (for supported features). For more information, see Quarantine policies.

Organization admins with Microsoft Defender for Office 365 can also manage files quarantined by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.

You can view and manage quarantined messages in the Microsoft 365 Defender portal or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).

Watch this short video to learn how to manage quarantined messages as an administrator.

What do you need to know before you start?

  • You open the Microsoft 365 Defender portal at https://security.microsoft.com. To go directly to the Quarantine page, use https://security.microsoft.com/quarantine.

  • For information about how to connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell. For information on connecting to the standalone EOP PowerShell, see Connect to Exchange Online Protection PowerShell.

  • You must be assigned permissions before you can perform the procedures in this article. You have the following options:

    • Microsoft 365 Defender role-based access control (RBAC): Data Security / Email Quarantine (Manage) (management via PowerShell). This option currently requires membership in the Microsoft 365 Defender preview program.
    • Exchange Online RBAC:
      • Edit quarantined messages for all users: Membership in the Organization Management, Security Administrator, or Quarantine Administrator role groups.
      • Send quarantined messages to Microsoft: Membership in the Security Administrator role group.
      • Read access to quarantined messages for all users: Membership in the Global Reader, Security Reader, or View-Only Organization Management role groups.
    • Membership in the Quarantine Administrator role group. To perform quarantine procedures in Exchange Online PowerShell, you must also be a member of the Hygiene Management role group in Exchange Online RBAC.
    • Azure AD RBAC: Membership in the Global Administrator, Security Administrator, Global Reader, or Security Reader roles grants users the required permissions and permissions for other features in Microsoft 365.
  • Quarantined messages are retained for a set period of time based on the reason they were quarantined. After the retention period expires, messages are automatically deleted and cannot be recovered. For more information, see Quarantined email messages in EOP and Defender for Office 365.

Use the Microsoft 365 Defender portal to manage quarantined email messages

View quarantined emails

  1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Email & collaboration > Review > Quarantine. To go directly to the Quarantine page, use https://security.microsoft.com/quarantine.

  2. On the Quarantine page, verify that the Email tab is selected.

  3. You can sort the results by clicking an available column heading. Click Customize columns to change the columns that are displayed. Default values are marked with an asterisk (*):

    • Time received*
    • Subject*
    • Sender*
    • Quarantine reason*
    • Release status*
    • Policy type*
    • Expires*
    • Recipient
    • Message ID
    • Policy name
    • Message size
    • Email address
    • Recipient tag

    When you're done, click Apply.

  4. To filter the results, click Filter. The following filters are available in the Filter flyout that appears:

    • Message ID: The globally unique identifier of the message.

      For example, you used message trace to find a message that was sent to a user in your organization, and you determine that the message was quarantined and undelivered. Be sure to include the full message ID value, which may contain angle brackets (<>). For example: <79239079-d95a-483a-aacf-e954f592a0f6@XYZPR00BM0200.contoso.com>.

    • Sender

    • Recipient address

    • Subject

    • Time received:

      • Last 24 hours
      • Last 7 days
      • Last 14 days
      • Last 30 days
      • Custom: Enter a Start time and End time (date).
    • Expires: Filter messages based on quarantine expiration date:

      • Today
      • Next 2 days
      • Next 7 days
      • Custom: Enter a Start time and End time (date).
    • Recipient tag

    • Quarantine reason:

      • Transport rule (mail flow rule)
      • Bulk
      • Spam
      • Data loss prevention
      • Malware: Anti-malware policies in EOP or Safe Attachments policies in Defender for Office 365. The Policy type value indicates which feature was used.
      • Phishing: The spam filter verdict was Phishing, or anti-phishing protection quarantined the message (spoof settings or impersonation protection).
      • High confidence phishing
    • Recipient: All users or Only me. End users can only manage quarantined messages sent to them.

    • Release status: One of the following values:

      • Needs review
      • Approved
      • Denied
      • Release requested
      • Released
      • Preparing to release
      • Error
    • Policy type: Filter messages by policy type:

      • Anti-malware policy
      • Safe Attachments policy
      • Anti-phishing policy
      • Anti-spam policy
      • Transport rule (mail flow rule)
      • Data loss prevention rule

    When you're done, click Apply. To clear the filters, click Clear filters.

  5. Use the Search box and a corresponding value to find specific messages. Wildcards are not supported. You can search for the following values:

    • Email address of the sender
    • Subject. Use the entire subject of the message. The search is not case-sensitive.

    After entering your search criteria, press ENTER to filter the results.

    Note

    The Search box on the main Quarantine page searches only the quarantined items in the current view, not the entire quarantine. To search all quarantined items, use Filter and the resulting Filter flyout.

After you find a specific quarantined message, select the message to view details about it and take action (such as view, release, download, or delete the message).

View quarantined message details

When you select a quarantined message from the list, the following information is available in the details flyout that appears.

  • Message ID: The globally unique identifier of the message. Available in the Message-ID header field in the message header.
  • Sender
  • Received: The date/time the message was received.
  • Subject
  • Quarantine reason: Indicates whether a message has been identified as Spam, Bulk, or Phishing, matched a mail flow rule (Transport rule), or has been identified as containing Malware.
  • Policy type
  • Policy name
  • Recipient count
  • Recipients: If the message contains multiple recipients, you must click Message preview or Show message headers to view the full list of recipients.
  • Recipient tag: For more information, see User tags in Microsoft Defender for Office 365.
  • Expires: The date/time when the message will be automatically and permanently removed from quarantine.
  • Released to: All email addresses (if any) to which the message was sent.
  • Not yet released: All email addresses (if any) to which the message has not yet been sent.

For information on taking action on the message, see the next section.

Note

To stay in the details flyout but change the quarantined message that is displayed, use the up and down arrows at the top of the flyout.

Take action on quarantined emails

After selecting a quarantined message from the list, the following actions are available in the details flyout:

  • Release email*: In the flyout pane that appears, configure the following options:

    • Add senders to your organization's allow list: Select this option to prevent the sender's messages from being quarantined.

    • Choose one of the following options:

      • Release to all recipients
      • Release to specific recipients: Select the recipients in the Recipients box that appears.
    • Send a copy of this message to other recipients: Select this option and enter the recipients' email addresses in the Recipients box that appears.

      Note

      To send a copy of the message to other recipients, you must also release the message to at least one of the original recipients (select Release to all recipients or Release to specific recipients).

    • Send message to Microsoft to improve detection (false positive): This option is selected by default and reports the incorrectly quarantined message as a false positive to Microsoft. If the message was quarantined as spam, bulk, phishing, or malware, the message is also reported to Microsoft's spam analysis team. Depending on the results of its analysis, service-wide spam filter rules can be adjusted to let the message through.

    • Allow such messages: This option is turned off by default. Turn it on to temporarily prevent messages with similar URLs, attachments, and other properties from being quarantined. If you enable this option, the following options are available:

      • Remove after: Choose how long you want to allow such messages. Choose from 1 day to 30 days. The default value is 30.
      • Optional note: Enter a useful description for the allow entry.

    When you're done, click Release message.

    Notes about releasing messages:

    • You cannot release a message to the same recipient more than once.
    • Only recipients who did not receive the message appear in the list of possible recipients.
    • Only members of the Security Administrator role group can see and use the Send message to Microsoft to improve detection (false positive) and Allow such messages options.
  • Share email: In the flyout that appears, add one or more recipients who should receive a copy of the message. When you're done, click Share.

The following actions are available after clicking More actions:

  • Show message headers: Select this link to view the message header text. The Message header flyout appears with the following links:

    • Copy message header: Click this link to copy the message header (all header fields) to your clipboard.
    • Microsoft Message Header Analyzer: To analyze the header fields and values in depth, click this link to go to the Message Header Analyzer. Paste the message header into the Paste the header of the message you want to analyze section (CTRL+V or right-click and select Paste), and then click Analyze headers.
  • Message preview: In the flyout that appears, select one of the following tabs:

    • Source: Displays the HTML version of the message body with links disabled.
    • Plain text: Displays the message body in plain text.
  • Remove from quarantine: The message is deleted and is not sent to the original recipients. How the message is deleted depends on your selection in the flyout that opens:

    • Select Permanently delete the message from quarantine and then click Delete: The message is permanently deleted and cannot be recovered.
    • Click Delete only: The message is deleted but is potentially recoverable.
  • Download email: In the flyout that appears, configure the following settings:

    • Reason for file download: Enter descriptive text.
    • Create password and Confirm password: Enter a password that is required to open the downloaded message file.

    When you're done, click Download, and then Done to save a local copy of the message. The .eml message file is stored in a compressed file called Quarantined Messages.zip in your Downloads folder. If the .zip file already exists, a number is added to the file name (for example, Quarantined Messages(1).zip).

  • Block sender: Add the sender to the Blocked Senders list in your mailbox. For more information, see Block an email sender.

  • Submit only: Reports the message to Microsoft for analysis. In the flyout that appears, select the following options:

    • Select the submission type: Email (default), URL, or File.
    • Add the network message ID or upload the email file: Choose one of the following options:
      • Add the email network message ID (default, with the corresponding value in the box)
      • Upload the email file (.msg or .eml): Click Browse files to find and select the .msg or .eml message file to send.
    • Select a recipient that had a problem: Select one (preferred) or multiple original recipients of the message to analyze the policies applied to them.
    • Select a reason for sending to Microsoft: Choose one of the following options:
      • It shouldn't have been blocked (false positive) (default): The following options are available:
        • Allow such messages: This option is turned off by default. Turn it on to temporarily prevent messages with similar URLs, attachments, and other properties from being quarantined. If you enable this option, the following options are available:
          • Remove after: Choose how long you want to allow such messages. Choose from 1 day to 30 days. The default value is 30.
          • Optional note: Enter a useful description for the allow entry.
      • Should have been blocked (false negative).

    When you're done, click Submit.

*This option is not available for messages that have already been released (the Release status value is Released).

If you don't release or delete the message, it will be deleted after the standard quarantine retention period (as shown in the Expires column).

Note

The description text on the action icons is not available on a mobile device.

The order of the icons and their corresponding descriptions are summarized in the following table:

Order   Description
1       Release email
2       Share email
3       Show message headers
4       Message preview
5       Remove from quarantine
6       Download email
7       Block sender
8       Submit only

Take action on multiple quarantined emails

If you select multiple quarantined messages in the list (up to 100) by clicking the empty checkbox to the left of the first column, you can perform the following actions on the selected messages:

  • Release: Release messages to all recipients. In the flyout that appears, you can select the following options, which are the same as when you release a single message:

    • Add senders to your organization's allow list
    • Send a copy of this message to other recipients
    • Send message to Microsoft to improve detection (false positive)
    • Allow such messages:
      • Remove after: 1 day to 30 days
      • Optional note

    When you're done, click Release message.

    Note

    Consider the following scenario: john@gmail.com sends a message to Faith@contoso.com and john@subsidiary.contoso.com. Gmail splits this message into two copies, which Microsoft quarantines as phishing. An administrator releases both messages to admin@contoso.com. The first released message that arrives in the admin mailbox is delivered. The second released message is identified as a duplicate delivery and is skipped. Messages are identified as duplicates if they have the same message ID and received time.

  • Remove from quarantine: Messages are deleted and are not sent to the original recipients. How messages are deleted depends on your selection in the flyout that opens:

    • Select Permanently delete the message from quarantine and then click Delete: Messages are permanently deleted and cannot be recovered.
    • Click Delete only: Messages are deleted but are potentially recoverable.
  • ... More > Submit for review.

  • ... More > Download messages

Use the Microsoft 365 Defender portal to manage quarantined files in Defender for Office 365

Note

The quarantined file procedures in this section are only available to Microsoft Defender for Office 365 Plan 1 or Plan 2 subscribers.

In organizations using Defender for Office 365, administrators can manage files quarantined by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. To turn on protection for these files, see Enable Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.

Note

Quarantined files in SharePoint or OneDrive are removed from quarantine after 30 days, but blocked files remain in a blocked state in SharePoint or OneDrive.

View quarantined files

  1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Email & collaboration > Review > Quarantine. To go directly to the Quarantine page, use https://security.microsoft.com/quarantine.

  2. On the Quarantine page, select the Files tab (Email is the default tab).

  3. You can sort the results by clicking an available column heading. Click Customize columns to change the columns that are displayed. Default columns are marked with an asterisk (*):

    • User*
    • Location*
    • Attachment name*
    • File URL*
    • File size
    • Release status*
    • Expires*
    • Detected by
    • Modified by time

    When you're done, click Apply or Cancel.

  4. To filter the results, click Filter. The following filters are available in the Filter flyout that appears:

    • Time received: Start time and End time (date).
    • Expires: Start time and End time (date).
    • Quarantine reason: The only available value is Malware.
    • Policy type

    When you're done, click Apply or Cancel.

After you find a specific quarantined file, select the file to view details about it and take action (such as view, release, download, or delete the file).

View details of quarantined files

When you select a quarantined file from the list, the following information is available in the details flyout that opens:

  • File name
  • File URL: URL that defines the location of the file (e.g. in SharePoint Online).
  • Malicious content detected on: The date/time the file was quarantined.
  • Expires: The date when the file will be removed from quarantine.
  • Detected by
  • Released?
  • Malware name
  • Document ID: A unique identifier for the document.
  • File size: In kilobytes (KB).
  • Organization: The unique identifier of your organization.
  • Last modified
  • Modified by: The user who last modified the file.
  • Secure Hash Algorithm 256-bit (SHA-256) value: You can use this hash value to identify the file in other reputation stores or other locations in your environment.

For information on performing actions on the file, see the next section.

Note

To stay in the Details flyout but change the quarantined file that is displayed, use the up and down arrows at the top of the flyout.

Take action on quarantined files

After selecting a quarantined file from the list, the following actions are available in the Details flyout:

  • Release file*: In the flyout pane that appears, turn Report files to Microsoft for analysis on or off, and then click Release.
  • Download file: In the flyout that appears, select I am aware of the risks of downloading this file, and then click Download to save a local copy of the file.
  • Remove from quarantine: After you confirm the warning that appears, the file is deleted immediately.
  • Block sender: Add the sender to the Blocked Senders list in your mailbox. For more information, see Block an email sender.

*This option is not available for files that have already been released (the Release status value is Released).

If you don't release or delete the file, it will be deleted after the standard quarantine retention period (as shown in the Expires column).

Take action on multiple quarantined files

If you select multiple quarantined files in the list (up to 100) by clicking the blank area to the left of the Subject column, the Bulk actions drop-down list appears, allowing you to perform the following actions:

  • Release file: In the flyout pane that appears, turn Report files to Microsoft for analysis on or off, and then click Release.
  • Remove from quarantine: After you confirm the warning that appears, the file is deleted immediately.
  • Download file: In the flyout that appears, select I am aware of the risks of downloading this file, and then click Download to save a local copy of the file.

Use Exchange Online PowerShell or standalone EOP PowerShell to view and manage quarantined messages and files

The cmdlets that you use to view and manage quarantined messages and files are described in the following list:

  • Delete-QuarantineMessage
  • Export-QuarantineMessage
  • Get-QuarantineMessage
  • Preview-QuarantineMessage: Note that this cmdlet only applies to messages, not files quarantined by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.
  • Release-QuarantineMessage
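
The cmdlets above combined into one review-before-release workflow, as an added example that is not part of the original article or Microsoft's own code. It assumes an existing Connect-ExchangeOnline session with quarantine permissions; the function name, its parameters, the export folder and the release guard on the Type value are assumptions made for illustration.

```powershell
# Added example: assumes the ExchangeOnlineManagement module is installed and
# Connect-ExchangeOnline has already been run with quarantine permissions.
# Invoke-QuarantineTriage, its parameters and the export folder are hypothetical.
function Invoke-QuarantineTriage {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Full Message-ID header value, angle brackets included
        [Parameter(Mandatory)]
        [string] $MessageId,
        # Folder that receives the exported .eml copies
        [string] $ExportPath = (Join-Path ([IO.Path]::GetTempPath()) 'quarantine-triage'),
        # Release to the original recipients once the review output looks clean
        [switch] $Release
    )

    # One Message-ID can match several quarantine entries (one per delivered copy).
    $entries = @(Get-QuarantineMessage -MessageId $MessageId)
    if ($entries.Count -eq 0) {
        Write-Warning "No quarantined message found for Message-ID $MessageId"
        return
    }

    # Always create the evidence folder, even when the function runs with -WhatIf.
    New-Item -ItemType Directory -Path $ExportPath -Force -WhatIf:$false | Out-Null

    foreach ($entry in $entries) {
        # The same fields the portal shows in the details flyout.
        $entry | Format-List Identity, ReceivedTime, SenderAddress, RecipientAddress,
            Subject, Type, PolicyType, PolicyName, ReleaseStatus, Expires | Out-Host

        # Preview works for messages only, not for quarantined files.
        Preview-QuarantineMessage -Identity $entry.Identity | Format-List | Out-Host

        # Keep a local .eml copy and record its hash before any state change.
        $export = Export-QuarantineMessage -Identity $entry.Identity
        $safeName = ($entry.Identity -replace '[\\/:]', '_') + '.eml'
        $file = Join-Path $ExportPath $safeName
        [IO.File]::WriteAllBytes($file, [Convert]::FromBase64String($export.Eml))
        $hash = (Get-FileHash -Path $file -Algorithm SHA256).Hash
        Write-Host "Exported $file (SHA-256 $hash)"

        if (-not $Release) { continue }

        # Assumption: malware and phishing verdicts need a manual decision,
        # so this helper refuses to release them.
        if ("$($entry.Type)" -match 'Malware|Phish') {
            Write-Warning "Not releasing $($entry.Identity): quarantined as $($entry.Type)"
            continue
        }
        if ($PSCmdlet.ShouldProcess($entry.Identity, 'Release to all original recipients')) {
            Release-QuarantineMessage -Identity $entry.Identity -ReleaseToAll
        }
    }
}

# Review only, using the sample Message-ID from the filter description above:
# Invoke-QuarantineTriage -MessageId '<79239079-d95a-483a-aacf-e954f592a0f6@XYZPR00BM0200.contoso.com>'
# Review, then show what a release would do without performing it:
# Invoke-QuarantineTriage -MessageId '<79239079-d95a-483a-aacf-e954f592a0f6@XYZPR00BM0200.contoso.com>' -Release -WhatIf
```

Open exported .eml files only on an isolated analysis system; the SHA-256 value lets you match the copy against other records of the same message.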

For more information

Frequently asked questions about quarantined messages

Author: Eusebia Nader

Last Updated: 06/07/2023
