Manage quarantined messages and files as an admin in EOP

Important

The improved Microsoft 365 Defender portal is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Applies to

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, quarantine holds potentially dangerous or unwanted messages. For more information, see Quarantined email messages in EOP.

Admins can view, release, and delete all types of quarantined messages for all users. Admins can also report false positives to Microsoft.

By default, only admins can manage messages that were quarantined as malware, high confidence phishing, or as a result of mail flow rules (also known as transport rules). But admins can use quarantine policies to define what users are allowed to do to quarantined messages based on why the message was quarantined (for supported features). For more information, see Quarantine policies.

Admins in organizations with Microsoft Defender for Office 365 can also manage files that were quarantined by quarantined by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.

You view and manage quarantined messages in the Microsoft 365 Defender portal or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).

What do you need to know before you begin?

  • To open the Microsoft 365 Defender portal, go to https://security.microsoft.com. To open the Quarantine page directly, use https://security.microsoft.com/quarantine.

  • To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell. To connect to standalone EOP PowerShell, see Connect to Exchange Online Protection PowerShell.

  • You need to be assigned permissions in Exchange Online before you can do the procedures in this article:

    • To take action on quarantined messages for all users, you need to be a member of the Organization Management, Security Administrator, or Quarantine Administrator* role groups.
    • For read-only access to quarantined messages for all users, you need to be a member of the Global Reader or Security Reader role groups.

    For more information, see Permissions in Exchange Online.

    Notes:

    • Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions and permissions for other features in Microsoft 365. For more information, see About admin roles.
    • The View-Only Organization Management role group in Exchange Online also gives read-only access to the feature.
    • * Members of the Quarantine Administrator role group in Email & collaboration roles in the Microsoft 365 Defender portal also need to be members of the Hygiene Management role group in Exchange Online to do quarantine procedures in Exchange Online PowerShell.
  • Quarantined messages are retained for a default period of time before they're automatically deleted:

    • 30 days for messages quarantined by anti-spam policies (spam, phishing, and bulk email). This is the default and maximum value. To configure (lower) this value, see Configure anti-spam policies.
    • 15 days for messages that contain malware.
    • 15 days for files quarantined by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams in Defender for Office 365.

    When a message expires from quarantine, you can't recover it.

Use the Microsoft 365 Defender portal to manage quarantined email messages

View quarantined email

  1. In the Microsoft 365 Defender portal, go to Email & collaboration > Review > Quarantine.

  2. On the Quarantine page, verify that the Email tab is selected.

  3. You can sort the results by clicking on an available column header. Click Customize columns to change the columns that are shown. The default values are marked with an asterisk (*):

    • Time received*
    • Subject*
    • Sender*
    • Quarantine reason*
    • Release status*
    • Policy type*
    • Expires*
    • Recipient
    • Message ID
    • Policy name
    • Message size
    • Mail direction
    • Recipient tag

    When you're finished, click Apply.

  4. To filter the results, click Filter. The following filters are available in the Filters flyout that appears:

    • Message ID: The globally unique identifier of the message.

      For example, you used message trace to look for a message that was sent to a user in your organization, and you determine that the message was quarantined instead of delivered. Be sure to include the full message ID value, which might include angle brackets (<>). For example: <79239079-d95a-483a-aacf-e954f592a0f6@XYZPR00BM0200.contoso.com>.

    • Sender address

    • Recipient address

    • Subject

    • Time received: Enter a Start time and End time (date).

    • Expires: Filter messages by when they will expire from quarantine:

      • Today
      • Next 2 days
      • Next 7 days
      • Custom: Enter a Start time and End time (date).
    • Recipient tag

    • Quarantine reason:

      • Transport rule (mail flow rule)
      • Bulk
      • Spam
      • Malware: Anti-malware policies in EOP or Safe Attachments policies in Defender for Office 365. The Policy Type value indicates which feature was used.
      • Phishing: The spam filter verdict was Phishing or anti-phishing protection quarantined the message (spoof settings or [impersonation protection](set-up-anti-phishing-policies.
      • High confidence phishing
    • Recipient: All users or Only me. End users can only manage quarantined messages sent to them.

    • Release status: Any of the following values:

      • Needs review
      • Approved
      • Denied
      • Release requested
      • Released
    • Policy Type: Filter messages by policy type:

      • Anti-malware policy
      • Safe Attachments policy
      • Anti-phishing policy
      • Anti-spam policy
      • Transport rule (mail flow rule)

    When you're finished, click Apply. To clear the filters, click Clear filters icon. Clear filters.

  5. Use the Search box and a corresponding value to find specific messages. Wildcards aren't supported. You can search by the following values:

    • Sender email address
    • Subject. Use the entire subject of the message. The search is not case-sensitive.

    After you've entered the search criteria, press ENTER to filter the results.

After you find a specific quarantined message, select the message to view details about it, and to take action on it (for example, view, release, download, or delete the message).

View quarantined message details

When you select quarantined message from the list, the following information is available in the details flyout that appears.

The details flyout of a quarantined message.

  • Message ID: The globally unique identifier for the message. Available in the Message-ID header field in the message header.
  • Sender address
  • Received: The date/time when the message was received.
  • Subject
  • Quarantine reason: Shows if a message has been identified as Spam, Bulk, Phish, matched a mail flow rule (Transport rule), or was identified as containing Malware.
  • Policy type
  • Policy name
  • Recipient count
  • Recipients: If the message contains multiple recipients, you need to click Preview message or View message header to see the complete list of recipients.
  • Recipient tag: For more information, see User tags in Microsoft Defender for Office 365.
  • Expires: The date/time when the message will be automatically and permanently deleted from quarantine.
  • Released to: All email addresses (if any) to which the message has been released.
  • Not yet released to: All email addresses (if any) to which the message has not yet been released.

To take action on the message, see the next section.

Note

To remain in the details flyout, but change the quarantined message that you're looking at, use the up and down arrows at the top of the flyout.

The up and down arrows in the details flyout of a quarantined message.

Take action on quarantined email

After you select a quarantined message from the list, the following actions are available in the details flyout:

Available actions in the details flyout of a quarantined message.

  • Release email icon. Release email*: In the flyout pane that appears, configure the following options:

    • Add sender to your organization's allow list: Select this option to prevent messages from the sender from being quarantined.

    • Choose one of the following options:

      • Release to all recipients
      • Release to specific recipients: Select the recipients in the Recipients box that appears
    • Send a copy of this message to other recipients: Select this option an enter the recipient email addresses in the Recipients box that appears.

      Note

      To send a copy of the message to other recipients, you must also release the message at least one of the original recipients (select Release to all recipients or Release to specific recipients).

    • Submit the message to Microsoft to improve detection (false positive): This option is selected by default, and reports the erroneously quarantined message to Microsoft as a false positive. If the message was quarantined as spam, bulk, phishing, or containing malware, the message is also reported to the Microsoft Spam Analysis Team. Depending on the results of their analysis, the service-wide spam filter rules might be adjusted to allow the message through.

    • Allow messages like this: This option is turned off by default (Toggle off.). Turn it on (Toggle on) to temporarily prevent messages with similar URLs, attachments, and other properties from being quarantined. When you turn this option on, the following options are available:

      • Remove after: Select how long you want to allow messages like this. Select 1 day to 30 days. The default is 30.
      • Optional note: Enter a useful description for the allow.

    When you're finished, click Release message.

    Notes about releasing messages:

    • You can't release a message to the same recipient more than once.
    • Only recipients who haven't received the message will appear in the list of potential recipients.
  • Share email icon. Share email: In the flyout that appears, add one or more recipients to receive a copy of the message. When you're finished, click Share.

The following actions are available after you click More actions icon. More actions:

  • View message headers icon. View message headers: Choose this link to see the message header text. The Message header flyout appears with the following links:

    • Copy message header: Click this link to copy the message header (all header fields) to your clipboard.
    • Microsoft Message Header Analyzer: To analyze the header fields and values in depth, click this link to go to the Message Header Analyzer. Paste the message header into the Insert the message header you would like to analyze section (CTRL+V or right-click and choose Paste), and then click Analyze headers.
  • Preview message icon. Preview message: In the flyout that appears, choose one of the following tabs:

    • Source: Shows the HTML version of the message body with all links disabled.
    • Plain text: Shows the message body in plain text.
  • Delete from quarantine icon. Delete from quarantine: After you click Yes in the warning that appears, the message is immediately deleted without being sent to the original recipients.

  • Download email icon. Download email: In the flyout that appears, select I understand the risks from downloading this message, and then click Download to save a local copy of the message in .eml format.

  • Block sender icon. Block sender: Add the sender to the Blocked Senders list in your mailbox. For more information, see Block a mail sender.

  • Submit only icon. Submit only: Reports the message to Microsoft for analysis. In the flyout that appears, choose the following options:

    • Select the submission type: Email (default), URL, or File.
    • Add the network message ID or upload the email file: Select one of the following options:
      • Add the email network message ID (default, with the corresponding value in the box)
      • Upload the email file (.msg or eml): Click Browse files to find and select the .msg or .eml message file to submit.
    • Choose a recipient who had an issue: Select one (preferred) or more original recipients of the message to analyze the policies that were applied to them.
    • Select a reason for submitting to Microsoft: Choose one of the following options:
      • Should not have been blocked (false positive) (default): The following options are available:
        • Allow messages like this: This option is turned off by default (Toggle off.). Turn it on (Toggle on) to temporarily prevent messages with similar URLs, attachments, and other properties from being quarantined. When you turn this option on, the following options are available:
          • Remove after: Select how long you want to allow messages like this. Select 1 day to 30 days. The default is 30.
          • Optional note: Enter a useful description for the allow.
      • Should have been blocked (false negative).

    When you're finished, click Submit.

* This option is not available for messages that have already been released (the Released status value is Released).

If you don't release or remove the message, it will be deleted after the default quarantine retention period expires (as shown in the Expires column).

Note

On a mobile device, the description text isn't available on the action icons.

Details of a quarantined message with available actions highlighted.

The icons in order and their corresponding descriptions are summarized in the following table:

Icon Description
Release email icon. Release email
Share email icon. Share email
View message headers icon. View message headers
Preview message icon. Preview message
Delete from quarantine icon. Delete from quarantine
Download email icon. Download email
Block sender icon. Block sender
Submit only icon. Submit only

Take action on multiple quarantined email messages

When you select multiple quarantined messages in the list (up to 100) by clicking in the blank area to the left of the first column, the Bulk actions drop down list appears where you can take the following actions:

Bulk actions drop down list for messages in quarantine.

  • Release email icon. Release messages: Releases messages to all recipients. In the flyout that appears, you can choose the following options, which are the same as when you release a single message:

    • Add sender to your organization's allow list
    • Send a copy of this message to other recipients
    • Submit the message to Microsoft to improve detection (false positive)
    • Allow messages like this:
      • Remove after: 1 day to 30 days
      • Optional note

    When you're finished, click Release message.

    Note

    Consider the following scenario: john@gmail.com sends a message to faith@contoso.com and john@subsidiary.contoso.com. Gmail bifurcates this message into two copies that are both routed to quarantine as phishing in Microsoft. An admin releases both of these messages to admin@contoso.com. The first released message that reaches the admin mailbox is delivered. The second released message is identified as duplicate delivery and is skipped. Message are identified as duplicates if they have the same message ID and received time.

  • Delete from quarantine icon. Delete messages: After you click Yes in the warning that appears, the messages are immediately removed from quarantine without being sent to the original recipients.

  • Download email icon. Download messages

  • Submit only icon. Submit only

Use the Microsoft 365 Defender portal to manage quarantined files in Defender for Office 365

Note

The procedures for quarantined files in this section are available only to Microsoft Defender for Office 365 Plan 1 or Plan 2 subscribers.

In organizations with Defender for Office 365, admins can manage files that were quarantined by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. To enable protection for these files, see Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.

View quarantined files

  1. In the Microsoft 365 Defender portal, go to Email & collaboration > Review > Quarantine.

  2. On the Quarantine page, select the Files tab (Email is the default tab).

  3. You can sort the results by clicking on an available column header. Click Customize columns to change the columns that are shown. The default columns are marked with an asterisk (*):

    • User*
    • Location*
    • Attachment filename*
    • File URL*
    • File Size
    • Release status*
    • Expires*
    • Detected by
    • Modified by time

    When you're finished, click Apply or Cancel.

  4. To filter the results, click Filter. The following filters are available in the Filters flyout that appears:

    • Time received: Start time and End time (date).
    • Expires: Start time and End time (date).
    • Quarantine reason: The only available value is Malware.
    • Policy type

    When you're finished, click Apply or Cancel.

After you find a specific quarantined file, select the file to view details about it, and to take action on it (for example, view, release, download, or delete the file).

View quarantined file details

When you select a quarantined file from the list, the following information is available in the details flyout that opens:

The details flyout of a quarantined file.

  • File Name
  • File URL: URL that defines the location of the file (for example, in SharePoint Online).
  • Malicious content detected on The date/time the file was quarantined.
  • Expires: The date when the file will be deleted from quarantine.
  • Detected by
  • Released?
  • Malware Name
  • Document ID: A unique identifier for the document.
  • File Size: In kilobytes (KB).
  • Organization Your organization's unique ID.
  • Last modified
  • Modified By: The user who last modified the file.
  • Secure Hash Algorithm 256-bit (SHA-256) value: You can use this hash value to identify the file in other reputation stores or in other locations in your environment.

To take action on the file, see the next section.

Note

To remain in the details flyout, but change the quarantined file that you're looking at, use the up and down arrows at the top of the flyout.

The up and down arrows in the details flyout of a quarantined file.

Take action on quarantined files

After you select a quarantined file from the list, the following actions are available in the details flyout:

Available actions in the details flyout of a quarantined file.

  • Release file icon. Release file*: In the flyout pane that appears, turn on or turn off Report files to Microsoft for analysis, and then click Release.
  • Release file icon.
  • Download file icon. Download file: In the flyout that appears, select I understand the risks from downloading this file, and then click Download to save a local copy of the file.
  • Delete from quarantine icon. Delete from quarantine: After you click Yes in the warning that appears, the file is immediately deleted.
  • Block sender icon. Block sender: Add the sender to the Blocked Senders list in your mailbox. For more information, see Block a mail sender.

* This option is not available for files that have already been released (the Released status value is Released).

If you don't release or remove the file, it will be deleted after the default quarantine retention period expires (as shown in the Expires column).

Take action on multiple quarantined files

When you select multiple quarantined files in the list (up to 100) by clicking in the blank area to the left of the Subject column, the Bulk actions drop down list appears where you can take the following actions:

Bulk actions drop down list for files in quarantine.

  • Release file icon. Release file: In the flyout pane that appears, turn on or turn off Report files to Microsoft for analysis, and then click Release.
  • Delete from quarantine icon. Delete from quarantine: After you click Yes in the warning that appears, the file is immediately deleted.
  • Download file icon. Download file: In the flyout that appears, select I understand the risks from downloading this file, and then click Download to save a local copy of the file.

Use Exchange Online PowerShell or standalone EOP PowerShell to view and manage quarantined messages and files

The cmdlets that you use to view and manage messages and files in quarantine are described in the following list:

For more information

Quarantined messages FAQ