Quarantined messages FAQ

Important

The improved Microsoft 365 Defender portal is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Applies to

This topic provides frequently asked questions and answers about quarantined email messages for Microsoft 365 organizations with mailboxes in Exchange Online, or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes.

For questions and answers about anti-spam protection, see Anti-spam protection FAQ.

For questions and answers about anti-malware protection, see Anti-malware protection FAQ.

For questions and answers about anti-spoofing protection, see Anti-spoofing protection FAQ.

How do I manage messages that were quarantined for malware?

By default, only admins can manage messages that were quarantined for malware. For more information, see Manage quarantined messages and files as an admin.

But, admins can create and apply quarantine policies to anti-malware policies that define more capabilities for users. For more information, see Quarantine policies.

How do I quarantine spam?

By default, messages that are classified as spam or bulk email by spam filtering are delivered to the user's mailbox, and are moved to the Junk Email folder. But you can configure anti-spam policies to quarantine spam or bulk email messages instead. For more information, see Configure anti-spam policies in EOP.

How do I give users access to the quarantine?

A user must have a valid account to access their own messages in quarantine. Standalone EOP requires that users are represented as mail users in EOP (manually created or created via directory synchronization). For more information about managing users in standalone EOP environments, see Manage mail users in standalone EOP.

What messages can end users access in quarantine?

Quarantine policies define whether users can access quarantined messages based on why the message was quarantined (for supported features). For more information, see Quarantine policies.

By default, users can access the following types of quarantined messages where they're a recipient:

  • Anti-spam policies: Spam, bulk email, and phishing messages (not high confidence phishing messages).
  • Anti-phishing policies: Spoofed senders, user impersonation protection (Defender for Office 365), domain impersonation protection (Defender for Office 365), and mailbox intelligence protection (Defender for Office 365).

For more information, see Find and release quarantined messages as a user.

By default, end users can't access the following types of quarantined messages where they are a recipient:

  • Anti-spam policies: High confidence phishing.
  • Anti-malware policies
  • Safe Attachments (Defender for Office 365): Email messages from Safe Attachments policies and files from Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.
  • Mail flow rules (transport rules): Messages that were quarantined because of the Deliver the message to the hosted quarantine action in mail flow rules.

For more information, see Manage quarantined messages and files as an admin.

How long are messages kept in the quarantine?

You configure how long spam, phishing, and bulk email messages are kept in the quarantine by using anti-spam policies. The default is 30 days, which is also the maximum. For more information, see Configure anti-spam policies in EOP

For messages that were quarantined by the mail flow rule action Deliver the message to the hosted quarantine, the messages are kept in quarantine for 30 days. You can't configure this duration.

After the time period expires, the messages are deleted and are not recoverable.

Can I release or report more than one quarantined message at a time?

In the Microsoft 365 Defender portal, you can select and release up to 100 messages at a time.

Admins can use the the Get-QuarantineMessage and Release-QuarantineMessage cmdlets in Exchange Online PowerShell or standalone EOP PowerShell to find and release quarantined messages in bulk, and to report false positives in bulk.

Are wildcards supported when searching for quarantined messages? Can I search for quarantined messages for a specific domain?

Wildcards aren't supported in the Microsoft 365 Defender portal. For example, when searching for a sender, you need to specify the full email address. But, you can use wildcards in Exchange Online PowerShell or standalone EOP PowerShell.

For example, copy the following PowerShell code into NotePad and save the file as .ps1 in a location that's easy for you to find (for example, C:\Data\QuarantineRelease.ps1).

Then, after you connect to Exchange Online PowerShell or Exchange Online Protection PowerShell, run the following command to run the script:

& C:\Data\QuarantineRelease.ps1

The script does the following actions:

  • Find unreleased messages that were quarantined as spam from all senders in the fabrikam domain. The maximum number of results is 50,000 (50 pages of 1000 results).
  • Save the results to a CSV file.
  • Release the matching quarantined messages to all original recipients.
$Page = 1
$List = $null

Do
{
Write-Host "Getting Page " $Page

$List = (Get-QuarantineMessage -Type Spam -PageSize 1000 -Page $Page | where {$_.Released -like "False" -and $_.SenderAddress -like "*fabrikam.com"})
Write-Host "                     " $List.count " rows in this page match"
Write-Host "                                                             Exporting list to appended CSV for logging"
$List | Export-Csv -Path "C:\Data\Quarantined Message Matches.csv" -Append -NoTypeInformation

Write-Host "Releasing page " $Page
$List | foreach {Release-QuarantineMessage -Identity $_.Identity -ReleaseToAll}

$Page = $Page + 1

} Until ($Page -eq 50)

After you release a message, you can't release it again.