Identifying Quarantine Messages from Microsoft
Microsoft's email protection policies for High Confidence Phishing, AntiMalware, Safe Attachments, or Spoof can place email messages in the quarantine. A notification email is sent to account owners from quarantine@messaging.microsoft.com, giving them the option to review and release messages from the quarantine. The ability to release mail from quarantine exists for the case of a false positive, but it is best practice to release only messages you are 100% sure were quarantined in error.
Note: Messages identified as High Confidence Phishing cannot be released from quarantine by the end user. Clicking on "Request Release" creates a release request. Due to the high volume of requests, these are released automatically via batch script. Messages that fail DMARC or SPF authentication protocols will not be approved for release.
Reasons an email can end up in the quarantine include:
- Spoofed Message - The message was identified as spoofed. It could have failed SPF, i.e., the sending mail server does not have permission to send email for the sender domain. It could have failed DKIM (the cryptographic signature that authenticates the sending domain and detects modification in transit did not verify). It could also have failed DMARC, which is a policy published by the sender domain stating what to do with messages that fail alignment (the domain names of the DKIM signer and/or the From sender and the return path matching up). Many domains explicitly ask that such messages be quarantined or rejected on their behalf to protect themselves from being impersonated. The quarantine notification email (example below) shows the sender but does not indicate whether the message was spoofed.
- File detonation or File detonation reputation - Microsoft has inspected the attached file and determined that it is malicious.
- URL detonation, URL detonation reputation, or URL malicious reputation - Microsoft has determined that included links are malicious.
- AntiMalware protection - Microsoft has detected a malicious program such as ransomware.
- Campaign - Messages identified and grouped as part of a malware or phish campaign.
- Fingerprint matching - The message resembles a previously detected malicious or spam message.
- General filter or Advanced filter - The general filter is based on analyst input; the advanced filter uses machine learning for detections.
More details on each quarantine reason can be found here: Understanding detection technology in the email entity page of Microsoft Defender for Office 365
Example of a quarantine message from Microsoft:
Quarantined notifications from Microsoft will always contain the following information:
- Sender: The email address of the sender of the quarantined message. Note that this can be spoofed, which may be why the message was quarantined.
- Subject: The subject line of the quarantined message.
- Date: The date/time that the message was quarantined, in UTC.
Depending on why the message was quarantined, the following options will be presented:
- Review message
- Release
- Request release
- Block Sender
Use quarantine notifications to release and report quarantined messages
Reviewing messages in quarantine:
To view messages held in quarantine, visit https://security.microsoft.com/quarantine and log in through Touchstone.
When you first sign in to view the quarantine, you will see a list of messages currently held in your quarantine.
Clicking on one of these messages will open up a panel that allows you to view more details about the quarantined message. Some key features to note include:
- View message headers - Message headers contain information on the exact path a message took from the sender to the receiver, including IP addresses, relays, and authentication results. The headers also show the true origin of the message, which matters especially when the sender address shown in the email itself is spoofed.
- Preview message - This opens a preview of the email in another window. The preview helps you judge the content of the message and see whether it contains any links. By hovering over a link, you can see where it actually leads and decide whether you recognize the linked domain.
- Quarantine Reason - This section explains, in general terms, why the message ended up in quarantine. Reasons listed may include the message being identified as spam or phishing, containing malware, or matching a transport rule.
Messages can be released (or release can be requested) from this panel by clicking the Release or Request release option, as well as from the list of all quarantined messages by checking the messages you want to release and then selecting Release or Request release from the buttons at the top of the list.
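The Spoofed Message reason above turns on SPF, DKIM and DMARC results and on whether the authenticated domains align with the From address, and the "View message headers" panel is where those results are visible. The following Python script is an added example for this article (not code from MIT IS&T or Microsoft): paste the raw headers of a quarantined message into it and it reports the SPF, DKIM and DMARC outcomes, checks relaxed alignment against the From domain, pulls the sending IP from the topmost Received header, and flags whether the message falls under the "failed SPF or DMARC will not be released" rule. The two header sets in it are constructed samples; every domain, address and IP in them is a placeholder, and the organizational-domain check is a simplification (real DMARC uses the Public Suffix List).

```python
"""Header triage helper for a quarantined message (added example, not MIT or
Microsoft code). Reads Authentication-Results and Received headers and reports
SPF/DKIM/DMARC results, alignment with the From: domain, and the sending IP.
Both header sets below are constructed samples with placeholder domains."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: spoofed From: domain, envelope and DKIM domain differ.
SAMPLE_SPOOFED = """\
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.10])
 by inbound.example.edu with ESMTP; Tue, 1 Jan 2030 12:00:00 +0000
Authentication-Results: spf=fail (sender IP is 203.0.113.10)
 smtp.mailfrom=bulk.example.org; dkim=pass (signature was verified)
 header.d=bulk.example.org; dmarc=fail action=quarantine
 header.from=example.com
From: "Payroll" <payroll@example.com>
To: user@example.edu
Subject: Updated direct deposit form
"""

# Constructed sample: everything passes and aligns with the From: domain.
SAMPLE_LEGIT = """\
Received: from smtp-out.example.com (smtp-out.example.com [198.51.100.25])
 by inbound.example.edu with ESMTP; Tue, 1 Jan 2030 12:05:00 +0000
Authentication-Results: spf=pass (sender IP is 198.51.100.25)
 smtp.mailfrom=example.com; dkim=pass (signature was verified)
 header.d=example.com; dmarc=pass action=none header.from=example.com
From: "IT Notices" <it-notices@example.com>
To: user@example.edu
Subject: Scheduled maintenance
"""


def org_domain(domain):
    """Approximate the DMARC organizational domain as the last two labels.
    Real DMARC evaluation uses the Public Suffix List; this is a simplification."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def aligned(auth_domain, from_domain):
    """Relaxed DMARC alignment: both identifiers share an organizational domain."""
    return bool(auth_domain) and org_domain(auth_domain) == org_domain(from_domain)


def triage(raw_headers):
    """Return a dict summarising the authentication results for one message."""
    msg = message_from_string(raw_headers)
    # Unfold the header so the regexes see a single line.
    auth = " ".join((msg.get("Authentication-Results") or "").split())
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

    def field(name):
        m = re.search(r"\b" + re.escape(name) + r"=([^\s;]+)", auth)
        return m.group(1).lower() if m else ""

    # The topmost Received: header is the hop that handed the message to us.
    ip_match = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", msg.get("Received", "") or "")

    result = {
        "from_domain": from_domain,
        "sending_ip": ip_match.group(1) if ip_match else "",
        "spf": field("spf"),
        "spf_domain": field("smtp.mailfrom").rpartition("@")[2],
        "dkim": field("dkim"),
        "dkim_domain": field("header.d"),
        "dmarc": field("dmarc"),
        "dmarc_action": field("action"),
    }
    result["spf_aligned"] = result["spf"] == "pass" and aligned(result["spf_domain"], from_domain)
    result["dkim_aligned"] = result["dkim"] == "pass" and aligned(result["dkim_domain"], from_domain)
    # Per the policy in this article, SPF or DMARC failures are not approved for release.
    result["release_blocked"] = "fail" in (result["spf"], result["dmarc"])

    notes = []
    if result["spf_domain"] and not aligned(result["spf_domain"], from_domain):
        notes.append("envelope sender domain %s does not align with From: %s"
                     % (result["spf_domain"], from_domain))
    if result["dkim"] == "pass" and not result["dkim_aligned"]:
        notes.append("DKIM signature is from %s, not the From: domain" % result["dkim_domain"])
    if result["dmarc"] == "fail":
        notes.append("sender domain's DMARC policy asks for %s"
                     % (result["dmarc_action"] or "an unspecified action"))
    result["notes"] = notes
    return result


if __name__ == "__main__":
    for label, sample in (("spoofed", SAMPLE_SPOOFED), ("legitimate", SAMPLE_LEGIT)):
        r = triage(sample)
        print(label, "from", r["sending_ip"], "release_blocked=%s" % r["release_blocked"])
        for note in r["notes"]:
            print("  -", note)
```

The first sample shows the pattern the Spoofed Message reason describes: DKIM passes, but for a different domain than the one in From, so it does not count toward DMARC, and the failing SPF plus the sender domain's quarantine policy are enough to hold the message. The second sample is what a legitimately released message looks like: every result passes and aligns, and nothing in the notes needs follow-up.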
Managing quarantined messages as a user
Note: If the quarantined message was sent to a mailing list rather than an individual user, releasing it from quarantine will release it for all users on the mailing list.
Additional Resources:
- Spam Filtering Landing Page
- Exchange Online Protection overview
- Anti-spam protection FAQ
- Learn to spot a phishing message
Have Questions or Still Need Help?
- Send email to servicedesk@mit.edu or call the MIT Computing Help Desk at 617.253.1101.