Find and release quarantined messages as a user in EOP

Important

The improved Microsoft 365 Defender portal is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Applies to

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, quarantine holds potentially dangerous or unwanted messages. For more information, see Quarantine in EOP.

As an ordinary user (not an admin), the default capabilities that are available to you as a recipient of a quarantined message are described in the following table:



Quarantine reason View Release Delete
Anti-spam policies
Bulk Check mark. Check mark. Check mark.
Spam Check mark. Check mark. Check mark.
High confidence spam Check mark. Check mark. Check mark.
Phishing Check mark. Check mark Check mark.
High confidence phishing
Anti-phishing policies
Spoof intelligence protection in EOP Check mark. Check mark. Check mark.
Impersonated user protection in Defender for Office 365 Check mark. Check mark. Check mark.
Impersonated domain protection in Defender for Office 365 Check mark. Check mark. Check mark.
Mailbox intelligence protection in Defender for Office 365 Check mark. Check mark. Check mark.
Anti-malware policies
Email messages with attachments that are quarantined as malware.
Safe Attachments in Defender for Office 365
Safe Attachments policies that quarantine email messages with malicious attachments as malware.
Safe Attachments for SharePoint, OneDrive, and Microsoft Teams that quarantines malicious files as malware.
Mail flow rules (transport rules)
Mail flow rules that quarantine email messages.

Quarantine policies define what users are allowed to do to quarantined messages based on the why the message was quarantined in supported features. Default quarantine policies enforce the historical capabilities as described in the previous table. Admins can create and apply custom quarantine policies that define less restrictive or more restrictive capabilities for users in supported features. For more information, see Quarantine policies.

You view and manage your quarantined messages in the Microsoft 365 Defender portal or (if an admin has set this up) quarantine notifications from quarantine policies.

What do you need to know before you begin?

View your quarantined messages

Note

Your ability to view quarantined messages is controlled by the quarantine policy that applies to the quarantined message type (which might be the default quarantine policy for the quarantine reason).

  1. In the Microsoft 365 Defender portal, go to Email & collaboration > Review > Quarantine.

  2. On the Quarantine page, you can sort the results by clicking on an available column header. Click Customize columns to change the columns that are shown. The default values are marked with an asterisk (*):

    • Time received*
    • Subject*
    • Sender*
    • Quarantine reason*
    • Release status*
    • Policy type*
    • Expires*
    • Recipient
    • Message ID
    • Policy name
    • Message size
    • Mail direction

    When you're finished, click Apply.

  3. To filter the results, click Filter. The following filters are available in the Filters flyout that appears:

    • Message ID: The globally unique identifier of the message.
    • Sender address
    • Recipient address
    • Subject
    • Time received: Enter a Start time and End time (date).
    • Expires: Filter messages by when they will expire from quarantine:
      • Today
      • Next 2 days
      • Next 7 days
      • Custom: Enter a Start time and End time (date).
    • Quarantine reason:
    • Release status: Any of the following values:
      • Needs review
      • Approved
      • Denied
      • Release requested
      • Released
    • Policy Type: Filter messages by policy type:
      • Anti-malware policy
      • Safe Attachments policy
      • Anti-phishing policy
      • Anti-spam policy

    When you're finished, click Apply. To clear the filters, click Clear filters icon. Clear filters.

  4. Use Search box and a corresponding value to find specific messages. Wildcards aren't supported. You can search by the following values:

    • Message ID
    • Sender email address
    • Recipient email address
    • Subject. Use the entire subject of the message. The search is not case-sensitive.
    • Policy name. Use the entire policy name. The search is not case-sensitive.

    After you've entered the search criteria, press ENTER to filter the results.

After you find a specific quarantined message, select the message to view details about it, and to take action on it (for example, view, release, download, or delete the message).

View quarantined message details

When you select quarantined message from the list, the following information is available in the details flyout that appears.

The details flyout of a quarantined message.

When you select an email message in the list, the following message details appear in the Details flyout pane:

  • Message ID: The globally unique identifier for the message.
  • Sender address
  • Received: The date/time when the message was received.
  • Subject
  • Quarantine reason
  • Policy type: The type of policy. For example, Anti-spam policy.
  • Recipient count
  • Recipients: If the message contains multiple recipients, you need to click Preview message or View message header to see the complete list of recipients.
  • Expires: The date/time when the message will be automatically and permanently deleted from quarantine.

To take action on the message, see the next section.

Note

To remain in the details flyout, but change the quarantined message that you're looking at, use the up and down arrows at the top of the flyout.

The up and down arrows in the details flyout of a quarantined message.

Take action on quarantined email

Note

Your ability to take action on quarantined messages is controlled by the quarantine policy that applies to the quarantined message type (which might be the default quarantine policy for the quarantine reason). This section describes all available actions.

After you select a quarantined message from the list, the following actions are available in the details flyout:

Available actions in the details flyout of a quarantined message.

  • Release email icon. Release email*: Delivers the message to your Inbox.

  • View message headers icon. View message headers: Choose this link to see the message header text. The Message header flyout appears with the following links:

  • Copy message header: Click this link to copy the message header (all header fields) to your clipboard.

  • Microsoft Message Header Analyzer: To analyze the header fields and values in depth, click this link to go to the Message Header Analyzer. Paste the message header into the Insert the message header you would like to analyze section (CTRL+V or right-click and choose Paste), and then click Analyze headers.

The following actions are available after you click More actions icon. More actions:

  • Preview message icon. Preview message: In the flyout that appears, choose one of the following tabs:

    • Source: Shows the HTML version of the message body with all links disabled.
    • Plain text: Shows the message body in plain text.
  • Remove from quarantine icon. Remove from quarantine: After you click Yes in the warning that appears, the message is immediately deleted without being sent to the original recipients.

  • Download email icon. Download email: In the flyout that appears, select I understand the risks from downloading this message, and then click Download to save a local copy of the message in .eml format.

  • Block sender icon. Block sender: Add the sender to the Blocked Senders list in your mailbox. For more information, see Block a mail sender.

* This option is not available for messages that have already been released (the Released status value is Released).

If you don't release or remove the message, it will be deleted after the default quarantine retention period expires (as shown in the Expires column).

Note

On a mobile device, the description text isn't available on the action icons.

Details of a quarantined message with available actions highlighted.

The icons in order and their corresponding descriptions are summarized in the following table:

Icon Description
Release email icon. Release email
View message headers icon. View message headers
Preview message icon. Preview message
Remove from quarantine icon. Remove from quarantine
Block sender icon. Block sender

Take action on multiple quarantined email messages

When you select multiple quarantined messages in the list (up to 100) by clicking in the blank area to the left of the first column, the Bulk actions drop down list appears where you can take the following actions:

Bulk actions drop down list for messages in quarantine.

  • Release email icon. Release messages: Delivers the messages to your Inbox.
  • Remove from quarantine icon. Delete messages: After you click Yes in the warning that appears, the messages are immediately removed from quarantine without being sent to the original recipients.