Quarantined messages FAQ

Tip

Did you know you can try the features in Microsoft Defender XDR for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

This article provides frequently asked questions and answers about quarantined email messages for Microsoft 365 organizations with mailboxes in Exchange Online, or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes.

Note

In Microsoft 365 operated by 21Vianet, quarantine isn't currently available in the Microsoft Defender portal. Quarantine is available only in the classic Exchange admin center (classic EAC).

For questions and answers about anti-spam protection, see Anti-spam protection FAQ.

For questions and answers about anti-malware protection, see Anti-malware protection FAQ.

For questions and answers about anti-spoofing protection, see Anti-spoofing protection FAQ.

How do I manage messages that were quarantined for malware?

By default, only admins can manage messages that were quarantined for malware. For more information, see Manage quarantined messages and files as an admin.

But, admins can create and apply quarantine policies to anti-malware policies that define more capabilities for users. For more information, see Create quarantine policies.

Users can't release their own messages that were quarantined as malware by anti-malware policies, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to request the release of their quarantined malware or high-confidence phishing messages.

How do I quarantine spam?

By default, messages that are classified as spam or bulk are delivered and moved to the Junk Email folder by the following anti-spam policies:

  • The default anti-spam policy.
  • Custom anti-spam policies.
  • The Standard preset security policy.

Admins can configure the default anti-spam or custom policies to quarantine spam or bulk email messages instead. For more information, see Configure anti-spam policies in EOP.

The Strict preset security policy quarantines messages that are classified as spam or bulk.

For more information, see the following articles:

How do I give users access to the quarantine?

A user must have a valid account to access their own messages in quarantine. Standalone EOP requires that users are represented as mail users in EOP (manually created or created via directory synchronization). For more information about managing users in standalone EOP environments, see Manage mail users in standalone EOP.

Quarantine policies determine whether users can access their quarantined messages, and what they're allowed to do to them. For more information, see Anatomy of a quarantine policy.

If the quarantine policy requires users to request the release of messages or requires admins to release messages, an admin must approve the release request or release the message before the message is available to users.

What messages can end users access in quarantine?

Quarantine policies define whether users can access quarantined messages based on why the message was quarantined.

For the default access to quarantined messages, see the table in Find and release quarantined messages as a user in EOP

Users can't release their own messages that were quarantined as malware by anti-malware or Safe Attachments policies, or as high confidence phishing by anti-spam policies, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to request the release of their quarantined malware or high-confidence phishing messages.

How can I prevent users from accessing quarantined messages?

The default quarantine policy named AdminOnlyAccessPolicy prevents any user interaction with their quarantined messages. By default, this quarantine policy is used for messages that were quarantined as malware or high confidence phishing. In custom policies or the default policy for protection features that support quarantining messages, admins can specify the AdminOnlyAccessPolicy as the quarantine policy to use.

How do I find out why a message was quarantined?

The Quarantine reason column that's available on the Email tab of the Quarantine page in the Defender portal at https://security.microsoft.com/quarantine?viewid=Email. Common reasons are Transport rule, Bulk, Spam, Malware, Phishing, High confidence phishing, or Admin action - File type block. For more information, see View quarantined email.

Messages are missing from quarantine. What happened to them?

Before you open a support ticket about this, see Find who deleted a quarantined message.

Quarantined messages also expire and are eventually removed from quarantine, depending on why the message was quarantined. For more information, see Quarantine retention.

The common attachments filter in anti-malware policies identifies message attachments with the specified file extensions (using true type matching were possible). The default action for these detections in the default anti-malware policy and in the Standard and strict preset security policies is to reject the message in a non-delivery report (also known as an NDR or bounce message). If the released message contains one of the specified file attachment types, it's possible that the message was returned to the sender in an NDR.

When a message expires from quarantine, you can't recover it.

A message was released from quarantine, but the original recipient can't find it. How can I determine what happened to the message?

  • Third party anti-virus solutions, security services, or outbound connectors can cause the following issues for messages that are released from quarantine:

    • The message is quarantined after being released.
    • Content is removed from the released message before it reaches the recipient's Inbox.
    • The released message never arrives in the recipient's Inbox.

    Verify that you aren't using third party filtering before you open a support ticket about these issues.

  • Inbox rules (created by users in Outlook or by admins using the *-InboxRule cmdlets in Exchange Online PowerShell) can move or delete messages from the Inbox.

Admins can use message trace to determine if a released message was delivered to the recipient's Inbox.

Messages are released unexpectedly from Quarantine. Why is this happening?

Third party anti-virus solutions or security services can randomly select action buttons in quarantine notifications.

Verify that you aren't using third party filtering before you open a support ticket about this issue.

Can I release or report more than one quarantined message at a time?

In the Microsoft Defender portal, you can select and release up to 100 messages at a time.

Admins can use the Get-QuarantineMessage and Release-QuarantineMessage cmdlets in Exchange Online PowerShell or standalone EOP PowerShell to find and release quarantined messages in bulk, and to report false positives in bulk.

Are wildcards supported when searching for quarantined messages? Can I search for quarantined messages for a specific domain?

Wildcards aren't supported in the Microsoft Defender portal. For example, when searching for a sender, you need to specify the full email address. But, you can use wildcards in Exchange Online PowerShell or standalone EOP PowerShell.

For example, copy the following PowerShell code into NotePad and save the file as .ps1 in a location that's easy for you to find (for example, C:\Data\QuarantineRelease.ps1).

Then, after you connect to Exchange Online PowerShell or Exchange Online Protection PowerShell, run the following command to run the script:

& C:\Data\QuarantineRelease.ps1

The script does the following actions:

  • Find unreleased messages that were quarantined as spam from all senders in the fabrikam domain. The maximum number of results is 50,000 (50 pages of 1000 results).
  • Save the results to a CSV file.
  • Release the matching quarantined messages to all original recipients.
$Page = 1
$List = $null

Do
{
Write-Host "Getting Page " $Page

$List = (Get-QuarantineMessage -Type Spam -PageSize 1000 -Page $Page | where {$_.Released -like "False" -and $_.SenderAddress -like "*fabrikam.com"})
Write-Host "                     " $List.count " rows in this page match"
Write-Host "                                                             Exporting list to appended CSV for logging"
$List | Export-Csv -Path "C:\Data\Quarantined Message Matches.csv" -Append -NoTypeInformation

Write-Host "Releasing page " $Page
$List | foreach {Release-QuarantineMessage -Identity $_.Identity -ReleaseToAll}

$Page = $Page + 1

} Until ($Page -eq 50)

After you release a message, you can't release it again.

How do I notify end users about their quarantined messages? How frequently are quarantine notifications sent?

If quarantine notifications are enabled in the associated quarantine policy, you can configure quarantine notifications to be sent every four hours, daily, or weekly. For more information, see Customize all quarantine notifications.

Tip

The fastest, most frequent notification schedule that's available is every four hours.

If you select every four hours, and a message is quarantined just after the last notification generation, the recipient will receive the quarantine notification slightly more than four hours later.

Why aren't users receiving notifications about their quarantined messages?

If the quarantine policy that's defined for the supported quarantine action doesn't have notifications turned on, the quarantine notifications aren't sent.

For more information, see the last table in Anatomy of a quarantine policy and the individual feature tables in Recommended settings for EOP and Microsoft Defender for Office 365 to see which default quarantine policies have quarantine notifications turned on.

Also, the protection policies in preset security policies are always applied before custom protection policies. A user who's defined in the Standard or Strict preset security policy will never get a customized protection policy where the quarantine policy is customized to turn on quarantine notifications. For more information, see Policy settings in preset security policies

How do I customize quarantine notifications to add a custom logo?

What permissions are required for admins to download or release messages from quarantine?

See the permissions entry here.

Tip

The ability to manage quarantined messages using Exchange Online permissions ended in February 2023 per MC447339.

Guest admins from other organizations can't manage quarantined messages. The admin needs to be in the same organization as the recipients.

I created a custom quarantine notification for a specific language, but users aren't seeing it. What's going on?

A custom quarantine notification for a different language is shown to users only when their account/mailbox language matches the language in the custom quarantine notification.

I can't preview a quarantined Microsoft Teams message. What's going on?

If a user deletes the message from the Teams client, the message is gone, so Preview isn't available in quarantine for the deleted message.