M365 Changelog: (Updated) Microsoft Defender for Office 365 – Filter Update for Quarantine Portal

MC528356 – Updated May 4, 2023: Microsoft has updated the rollout timeline below. Thank you for your patience.

In the Microsoft 365 Defender portal, the Admin / SecOps can review quarantined messages on the Email & Collaboration > Review > Quarantine page. On this quarantine page, all the quarantined email messages are listed. These messages can be quarantined if the messages are classified as malicious or spam or other admin actions. Admins/ SecOps can view messages which are quarantined due to a specific policy anti-malware, Safe Attachments, anti-spam, etc.) with a specific reason for quarantining. These reasons are Phish, Malware, Spam etc.

This message is associated with Microsoft 365 Roadmap ID 117520

When this will happen:

Standard Release: Microsoft will begin rollout in early June (previously mid-May) and expects to complete rollout by mid-July (previously late June).

GCC, GCC-H, DoD: Microsoft will begin rollout in mid-July (previously mid-June) and expects to complete rollout by late-August (previously late July).

How this will affect your organization:

In the anti-malware policy, along with quarantining messages with attachments that are malicious (malware or phish), the common attachment filter settings can be configured to quarantine messages which contain attachments with specific file extensions. All of these email messages with specific file extensions are shown as Malware for the filter Quarantine reason. As a result, it’s not easy to identify messages that were quarantined due to attachments being malicious or simply matching the file type.

With this change, we’re adding a new filter known as Admin Action – File type block to the Quarantine reason filter. Applying this filter will show the email messages that were quarantined by the common attachment filter. This change will be visible on the Quarantine page and also in the respective Get-QuarantineMessage cmdlet (parameter QuarantineTypes to include AdminActionFileTypeBlock).

View image in new tab

With the addition of this filter, it should make it easy for the Admin / SecOps to filter and review the messages which are blocked purely due to file type block.

What you need to do to prepare:

There is no action required on your end at this time. For more information, please visit this documentation.