Audit Quarantined Messages in Exchange Online

Microsoft quarantines emails with suspicious links and malicious attachments to isolate potential threats. However, important emails can sometimes be quarantined, disrupting vital communications and exposing your organization to risks. By auditing these quarantined emails, admins can quickly resolve false positives, spam, phishing attempts, and more. So, learn how to review quarantined emails in Exchange Online to keep your Microsoft 365 environment safe and secure.

Native Solution

Microsoft 365 Permission Required

High

Least Privilege

Security Reader

Most Privilege

Global Admin

Option 1 Using Microsoft 365 Defender Portal

Login to the Microsoft 365 Defender portal.
Navigate to Email & collaboration»Review»Quarantine.
Here, you will get the list of all emails that are quarantined.

Option 2 Using Windows PowerShell

Connect to the Exchange Online PowerShell using the below cmdlet.
Windows PowerShell
```
 Connect-ExchangeOnline
```
Run the following cmdlet with the appropriate start date, end date, and file path.

Windows PowerShell

 Get-QuarantineMessage -StartReceivedDate MM/DD/YYYY -EndReceivedDate MM/DD/YYYY | Select ReceivedTime,SenderAddress,RecipientAddress,Subject,MessageID,RecipientCount,QuarantineTypes | Export-Csv -Path "<OutputFilePath>" -NoTypeInformation -Append –Force

The above cmdlet retrieves the quarantined emails in Exchange Online and saves the output as a CSV file.

AdminDroid Solution

More than 150 reports are under the free edition.

AdminDroid Permission Required

Delegated

Any user with report access delegated by the Super Admin.

StepsUsing AdminDroid

Login to the AdminDroid Office 365 reporter.
Navigate to All Mails report through Audit»Email»Email Activities.
Apply the filter Quarantined in the Status field to list the quarantined emails in Exchange Online.

This report provides a detailed analysis of quarantined emails in Microsoft 365 Defender, including key properties like event time, sender, recipient, subject, etc. It helps admins to identify harmful emails and ensure legitimate emails aren't mistakenly quarantined.

Use AdminDroid's built-in charts to find quarantined mail counts by sender address. This helps identify frequent senders so you can take appropriate actions, such as blocking them.

Explore a full range of reporting options

Proactively Monitor Quarantined Emails in Exchange Online!

Keep track of every quarantined email in Outlook with AdminDroid email monitoring tool to ensure compromised messages are isolated and legitimate ones remain accessible.

Witness the report in action using the

Live Demo

Important Tips

Enable email authentication (SPF, DKIM, DMARC) in Exchange Online to verify sender identities, reduce spoofing & phishing risks, and improve overall email security.

Implement quarantine policies to allow users to manage their quarantined emails. This reduces the workload for admins, enabling them to focus on priority tasks.

Utilize the "Admin action - File type block" filter on the Quarantine page to identify and review the messages quarantined due to their file type.

Exchange OnlineEnsure Effective Email Management by Monitoring Quarantined Messages

Showing 1 of 6

How to find quarantine policy details in Microsoft 365? How to release a quarantined message in Exchange Online? How to get quarantined messages report for a specific recipient in Microsoft 365? How to block a sender of the quarantined message in Exchange Online? How to manage quarantined emails in Microsoft 365? What conditions trigger email quarantine in Exchange Online?

How to find quarantine policy details in Microsoft 365?

A quarantine policy in Microsoft 365 outlines how quarantined messages are managed, detailing the permissions for both end users and admins. Regularly reviewing these policies and their details ensures that only authorized users can release, download, or remove quarantined messages, maintaining strong email security and compliance.

Steps to find quarantine policy details in the Microsoft 365 Defender portal

Login to the Microsoft 365 Defender portal.
Navigate to Email & collaboration»Policies & rules»Threat policies.
Under the Rules category, select Quarantine policies.
Here, you can view all the quarantine policies in your organization.
Upon selecting a quarantine policy, you can find details like the policy name, user message access permissions (like releasing, deleting, and previewing messages), whether quarantine notifications are enabled or disabled, etc.

Note that there are some default policies, namely:

AdminOnlyAccessPolicy
DefaultFullAccessPolicy
DefaultFullAccessWithNotificationPolicy

These policies cannot be edited. You can review these default policies to see if the standard settings are in place. However, to adjust settings like quarantine duration or notification options, you must create or configure custom quarantine policies.

Although the native method lists all quarantine policies, retrieving them can be time-consuming and tedious. PowerShell offers a more efficient solution for finding quarantine policy details, providing faster execution and greater customization.

View Quarantine Policies Using PowerShell

Run the following cmdlet in Exchange Online PowerShell to view quarantine policies using PowerShell.

Connect-ExchangeOnline
Get-QuarantinePolicy | Select Name,QuarantinePolicyType,ESNEnabled,QuarantineRetentionDays,OrganizationID | Format-Table

The above cmdlet retrieves all the quarantine policies and their details in your Microsoft 365 environment.

To view details of a specific quarantine policy, use the following cmdlet and replace <PolicyName> with the name of the policy you want to examine.

Get-QuarantinePolicy -Identity "<PolicyName>"

How to release a quarantined message in Exchange Online?

Quarantined emails in Exchange Online are flagged and isolated due to potential security threats like spam, malware, phishing attempts, or policy violations. While this feature is crucial for protecting the organization from cyber threats, sometimes legitimate emails get mistakenly quarantined. Releasing these messages ensures that important communications aren't missed, and that workflow remains uninterrupted.

Before releasing a quarantined email, it is crucial to review the following details to ensure it is safe.

Verify why the email was quarantined from the quarantine reason column.
Check the intended recipients of the quarantined message.
Examine the subject, sender, and any attachments in the email.

Steps to Release a Quarantined Message in the Microsoft 365 Defender Portal

Login to the Microsoft 365 Defender.
Navigate to Email & Collaboration»Review»Quarantine.
From the list of quarantined messages, click on the message you want to release.
Click on Release email and a flyout pane will appear with the following options.
- Release to all recipients.
- Release to one or more of the original recipients of the email.
- Send a copy of this mail to other recipients.
- Submit the message to Microsoft to improve detection (false positive).
Select the appropriate option based on your organization's needs and click Release message to confirm your action.

Releasing quarantined messages in the Microsoft 365 Defender portal involves navigating through multiple tabs and sections, which can be time-consuming. Using PowerShell, admins can release these emails more efficiently.

Steps to Release a Quarantined Message using Windows PowerShell

To release a quarantined message to all recipients, use the following cmdlet. Also, ensure to replace <Identity> with the identity of the message you want to release.

Connect-ExchangeOnline
Release-QuarantineMessage -Identity "<Identity>" -ReleaseToAll

You can also release the quarantined message to a specific recipient using the following cmdlet.

Release-QuarantineMessage –Identity "<Identity>" -User "<UserPrincipalName>"

Replace <Identity> with the identity of the message and replace <UserPrincipalName> with the UPN of the intended recipient.

Bulk Release Quarantined Messages in Microsoft 365

Bulk release can be considered for emails from a trusted sender. If emails from a trusted sender are quarantined, you can verify the sender's details and then release all emails from that sender in bulk using this option.

Navigate to the quarantine page in Microsoft 365 Defender portal.
Select all the emails you want to release.
Click on Release at the top banner to open a flyout pane with the following options.
- Send a copy of this mail to other recipients.
- Submit the message to Microsoft to improve detection (false positive).
Select the appropriate option and click Release message to release multiple emails at the same time.

After the quarantined messages are released, they will be delivered to the intended recipient's mailbox.

Important Points:

Messages that have already been released cannot be released again.
The status of the released messages will show as "Released" on the quarantine page.
If not manually released or removed, messages are automatically deleted from quarantine after 30-day default retention period.

How to get quarantined messages report for a specific recipient in Microsoft 365?

An admin should monitor the quarantined messages report for a specific recipient, such as an executive or high-profile employee, to protect against targeted phishing attacks. Executives are often prime targets for spear-phishing and other sophisticated attacks. By closely monitoring their quarantined messages, admins can quickly address potential threats. This helps fine-tune email filters, reduce false positives, and ensure high-priority users receive all legitimate communications promptly.

To get a quarantined messages report for a specific recipient in Microsoft 365, you can use the Microsoft 365 Defender portal or PowerShell.

Using Microsoft 365 Defender

Open the Quarantine page in the Microsoft 365 Defender portal.
Click on the "Filter" option and enter the UPN of the desired recipient in the Recipient address tab.
Then, click "Apply" to view the quarantined messages received by the specified recipient in Microsoft 365.

quarantine-report-for-specific-recipient-microsoft-defender

Using Exchange Online PowerShell

Execute the following cmdlet to get a quarantined messages report for specific users in Windows PowerShell.

Connect-ExchangeOnline
Get-QuarantineMessage | Where-Object {$_.RecipientAddress -eq "<UserMailAddress>"}

Replace "<UserMailAddress>" with the email address of the user for whom you need the quarantined message report.

quarantine-report-specific-recipient-powershell-output

How to block a sender of the quarantined message in Exchange Online?

As an admin, you may need to block senders who consistently send spam, malware, or phishing emails to your organization users. This helps to protect your organization from potential security breaches and reduce the load on your email filtering systems.

To block the sender of quarantined message, follow the steps below.

Login to the Microsoft 365 Defender portal.
Navigate to Email & Collaboration»Review»Quarantine.
Select the quarantined message from the sender you need to block.
Click on the "More" dropdown and select "Block sender".
In the flyout pane, click Block to block the sender.

block-quarantine-sender-microsoft-defender

Once you block a sender, their future messages will go to the Junk Email folder. This ensures that their emails do not reach users' inboxes, maintaining the security and integrity of your email system.

How to manage quarantined emails in Microsoft 365?

Managing quarantined emails in Microsoft 365 involves several actions such as releasing emails, deleting messages, previewing messages, viewing message headers, and blocking a sender.

Admins need to understand these operations as they are crucial in maintaining email security and effective management of quarantined messages. We will dive deep into each of these actions in the following sections.

Delete a Quarantined Email

Deleting quarantined emails in Microsoft 365 is a crucial task for admins, not only to eliminate potentially harmful content and maintain security but also to manage storage space effectively. By removing suspicious emails, you prevent the risk of malicious content being inadvertently released. Additionally, you can free up storage space consumed by these quarantined messages.

On the Microsoft 365 Defender quarantine page, click on the message you want to delete.
Click on the "More" (ellipses) dropdown and select Delete from quarantine.
A flyout pane will appear with the "Permanently delete the message from quarantine" option.
- Please note that this option permanently deletes your message to free up storage space, making it unrecoverable.
- If not selected, the quarantined message is removed from the quarantine page but can still be retrieved within the 30-day default retention period.
Finally, click “Delete” to confirm the action.

You can also delete a quarantined message via PowerShell using the 'Delete-QuarantineMessage' cmdlet.

Preview a Quarantined Message

Examining the body of a quarantined email without releasing it to the intended recipient is a crucial step. This helps admins in determining whether the email poses a security threat or if it has been mistakenly flagged. By previewing the message, admins can make informed decisions about whether to release, delete, or investigate the email further, thereby protecting the organization from potential cyber security threats.

In the Microsoft 365 Defender portal, go to the quarantine page and select the message you want to preview.
Click on "Preview message", and a flyout pane will appear where you can preview the content of the quarantined mail.

To preview a quarantined message via PowerShell, you can use the 'Preview-QuarantineMessage' cmdlet.

View the Message Header of a Quarantined Email

Inspecting the message header of a quarantined email allows admins to inspect details about the email's routing and origin. It helps to analyze the email source, understand its path through servers, and identify security issues or reasons for quarantine. By examining the message header, admins can assess the email's legitimacy and take appropriate action to protect the organization's email environment.

Navigate to the quarantine page in the Microsoft 365 Defender portal and select the message for which you want to view the header.
Click on the "More" (ellipses) dropdown and select "View message headers".
A flyout pane will appear where you can view the message header of the quarantined mail and infer key details such as the email's source, path, authentication results, quarantine reasons, and more.

While Microsoft 365 admin portals lack dedicated reports to audit quarantine activities, AdminDroid offers a robust solution!

With AdminDroid's quarantined mails report, you can effortlessly monitor and manage quarantine email activities, ensuring enhanced security and control.
This report provides details on actions performed, who executed them, when they were done, the result status, etc.

quarantine-activities-report-admin-droid

Pro Tip: Use the easy filter operation to audit specific activities, such as when a user releases a quarantined message, to track and analyze these actions effectively.

What conditions trigger email quarantine in Exchange Online?

Understanding the conditions that trigger email quarantine in Exchange Online is crucial for admins to effectively manage and secure their organization's email communications. By being aware of these triggers, admins can fine-tune their email filtering policies. This helps reduce false positives, ensuring legitimate emails are delivered and potential security threats are addressed promptly.

Conditions that trigger email quarantine in Exchange Online are,

Spam Detection: Messages flagged as spam based on content analysis, spam signatures, and sender reputation are quarantined. Admins should regularly monitor spam detection reports in Microsoft 365 to refine anti-spam policies and ensure legitimate messages are not mistakenly flagged.
Phishing Attempts: Emails designed to deceive users into disclosing sensitive information are quarantined as phishing threats. To prevent phishing attacks in Microsoft 365, admins should review these emails, adjust anti-phishing policies, and educate users on recognizing phishing attempts.
Malicious Attachments & Links: Messages containing malicious attachments, or suspicious links are quarantined. Admins can analyze these quarantined emails to update anti-malware policies, enhance safe attachment rules, and refine safe link protections in the organization.
Transport Rules: Emails that violate transport rules set by the organization are quarantined. Admins should regularly review and adjust mail flow rules to ensure they effectively block malicious emails without disrupting legitimate communication.
Spoofing Attempts: Emails that appear legitimate but originate from suspicious IP addresses or domains are quarantined to prevent spoofing attacks. Admins should review these emails to update blocklists and enhance sender reputation databases to protect users from potential threats.
Violations of Content Policies: Messages containing inappropriate language or content that violates organizational policies are quarantined. Admins should review these emails to refine content filtering rules and maintain compliance with internal policies.
Mass Emailing: Messages that are sent in large volumes within a short period are quarantined as potential bulk spam. Admins should review these emails to identify compromised accounts and take appropriate action, as they may be flagged as suspicious or spam.

By understanding these various conditions that trigger email quarantine in Exchange Online, admins can effectively manage and secure their organization's email communications. Admins should utilize Exchange Online Protection (EOP) and Advanced Threat Protection (ATP) features to fine-tune email filtering policies, reduce false positives, and quickly address potential security threats.

AdminDroid Exchange Online ReporterAudit Quarantined Emails in Exchange Online to Identify and Mitigate Security Threats!

AdminDroid's Exchange Online auditing tool provides comprehensive details into quarantined emails, making it simple to monitor and audit all quarantined items. This powerful tracking capability is crucial for admins to enforce organizational policies, identify potential threats, and ensure compliance.

A Quick Summary

Stay Ahead of Quarantined Mails with AdminDroid Alerting

Set up real-time alerts with AdminDroid for instant notifications on quarantined mail releases, blocks, deletions, and more, boosting your email security and control.

Ensure Effective Email Quarantine with Transport Rules

Monitor and analyze the transport rules configured to quarantine email messages to ensure they effectively filter out threats while minimizing false positives.

Minimize Quarantined Emails with Effective Phishing Analysis

Prevent phishing attacks in Microsoft 365 to enhance security and reduce the number of emails quarantined due to phishing threats.

Dashboard Insights on Quarantined Spam, Malware & Phishing Emails

With AdminDroid’s email dashboard, gain comprehensive insights into emails quarantined due to spam, malware, and phishing attacks within your organization to enhance threat detection and response.

Achieve Compliance with Quarantined Email Insights

Effortlessly monitor and manage quarantined emails in accordance with ISO compliance standards using AdminDroid’s dedicated reports.

Flexible Reporting for Quarantined Emails Report

Export quarantined mails report in various formats like PDF, CSV, HTML, XLS, XLSX and even computer-friendly RAW format to integrate with other tools.

In conclusion, AdminDroid offers a complete solution for managing Exchange Online quarantined emails. With its advanced filtering options, customizable settings, and intuitive visualizations, AdminDroid Exchange Online management tool empowers admins to efficiently audit and manage email quarantines.

Kickstart Your Journey with AdminDroid

Your Microsoft 365 Companion with Enormous Reporting Capabilities!

Download

Common Errors and Resolution Steps While Monitoring Quarantined Mails in Microsoft 365

The following are the possible errors and troubleshooting hints while exporting quarantined messages in Exchange Online.

Error: Get-QuarantineMessage : The term 'Get-QuarantineMessage' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

This error occurs when you execute the 'Get-QuarantineMessage' cmdlet without connecting to the required modules or lacking the necessary admin permissions.

Troubleshooting hint :First connect to Exchange Online PowerShell module before running the 'Get-QuarantineMessage' command.

Connect-ExchangeOnline

Ensure that you have the necessary administrative permissions to view quarantined messages (Global Admin or Security Reader).

Error: Write-ErrorMessage : Cannot process argument transformation on parameter 'EndReceivedDate'. Cannot convert value"15/07/2024" to type "System.Nullable'1[System.DateTime]".

This error occurs when you enter the date in the incorrect format.

Troubleshooting hint :Enter the date in the MM/DD/YYYY format while executing 'Get-QuarantineMessage' cmdlet in Exchange Online PowerShell.

Error: 'No data available' message displayed on the Quarantine page in Microsoft Defender portal.

This error occurs when you don't have any quarantined messages in your organization or you do not have the necessary permission to view quarantined messages in the Microsoft 365 Defender portal.

Troubleshooting hint :Ensure that you have the necessary administrative permissions such as Global admin or Security reader to view quarantined messages.

Error: Write-ErrorMessage : |Microsoft.Exchange.Management.Tasks.ValidationException|The identity 'ID=e5b0d9e5-2400-45d8-76ec-08dca22df94b' is not valid. Please input a valid message identity.

This error occurs when you run the 'Release-QuarantineMessage' cmdlet in Exchange Online PowerShell without valid identity.

Troubleshooting hint :Use the following cmdlet to retrieve valid identities for quarantined messages.

Get-QuarantineMessage | Select ReceivedTime,SenderAddress,Subject,Direction,Identity | Format-Table

This cmdlet lists the received time, subject, direction, and identity of quarantined messages within the specified date range. Verify and use the valid identity of quarantined message.

Delivering Reports on Time

Want a desired Microsoft 365 reports every Monday morning? Ensure automated report distribution and timely delivery with AdminDroid’s Scheduling to your email anytime you need.

Schedule tailored reports to execute automatically at the time you set and deliver straight to the emails you choose. In addition, you can customize report columns and add intelligent filtering to the activities just from the previous day to suit your Microsoft 365 report requirements.

Set It, Schedule It, See Results - Your Reports, Your Way, On Your Time!

Time Saving Automation Customization Intelligent Filtering

Give Just the Right Access to the Right People

Grant fine-tuned access to any Microsoft 365 user with AdminDroid’s Granular Delegation and meet your organization’s security and compliance requirements.

Create custom roles loaded with just the right permissions and give access to admins or normal users within AdminDroid. The result? A streamlined Microsoft 365 management experience that aligns your organization's security protocols and saves your invaluable time and effort.

Give Just the Right Access to the Right People

Align, Define, Simplify: AdminDroid's Granular Delegation

Smart Organizational Control Effortless M365 Management Simplified Access

Advanced Alerts at a Glance

Receive quick notifications for malicious Microsoft 365 activities. Engage with the AdminDroid’s real-time alert policies crafted to streamline your security investigations.

Stay informed of critical activities like suspicious emails and high-risk logins, bulk file sharing, etc. Through creating and validating ideal alert policies, AdminDroid provides a comprehensive approach to real-time monitoring and management of potential threats within your organization.

AdminDroid Keeps You Always Vigilant, Never Vulnerable!

Proactive Protection Real-time Monitoring Security Intelligence Threat Detection

Merge the Required Data to One Place

Combine multiple required columns into one comprehensive report and prioritize the information that matters most to you with AdminDroid’s Advanced Column Customization.

This column merging capability offers a flexible way to add different columns from various reports and collate all the essential data in one place. Want to revisit the customized report? Save it as a 'View’, and your unique report is ready whenever you need it.

Merge with Ease and Save as Views!

Custom Reporting Unique View Desired Columns Easy Data Interpretation

Insightful Charts and Exclusive Dashboards

Get a quick and easy overview of your tenant's activity, identify potential problems, and take action to protect your data with AdminDroid’s Charts and Dashboards.

With AdminDroid charts and dashboards, visualize your Microsoft 365 tenant in ways you've never thought possible. It's not just about viewing; it's about understanding, controlling, and transforming your Microsoft 365 environment.

Insightful Charts and Exclusive Dashboards

Explore Your Microsoft 365 Tenant in a Whole New Way!

Executive overviews Interactive insights Decision-making Data Visualization

Efficient Report Exporting for Microsoft 365

Downloading your reports in the right file format shouldn’t be a hassle with AdminDroid’s Report Export. Experience seamless report exporting in various formats that cater to your needs.

Navigate through diverse options and export Microsoft 365 reports flawlessly in your desired file format. Tailor your reports precisely as you need them and save them directly to your computer.

Efficient Report Exporting for Microsoft 365

Take Control, Customize and Deliver- Your Office 365 Data, Exported in Your Way!

Easy Export Seamless Downloading Data Control Manage Microsoft 365

How to Review Quarantined Mails in Exchange Online