Understanding Office 365 Quarantine


Microsoft’s Office 365 Quarantine is the holding area in Exchange Online Protection and Microsoft Defender for Office 365 where suspicious messages and files are kept instead of being delivered. In this guide, we’ll explain how Office 365 Quarantine works and how IT admins can use it to protect users in an organization from malicious files and messages.

What is Office 365 Quarantine?

Office 365 Quarantine helps to safeguard your organization against potentially dangerous or unwanted messages. The reasons for quarantining a message range from merely unwanted (spam and bulk mail) to genuinely dangerous, such as phishing emails in which a bad actor tries to get the recipient to click a link or reveal credentials or other information. Instead of delivering these messages to your users’ mailboxes, Office 365 Quarantine holds them for a set retention period, during which an admin (or, depending on policy, the user) can review, release, or delete them.

Office 365 Quarantine isn’t a single product; it is fed by several services that mainly sit under Microsoft Defender for Office 365 and Exchange Online Protection (anti-spam, anti-malware, anti-phishing, Safe Attachments, and mail flow rules). The figure below shows a high-level architectural illustration of how Office 365 Quarantine works.

Microsoft Defender for Office 365 and Exchange Online Protection diagram
Figure 1: Microsoft Defender for Office 365 and Exchange Online Protection diagram (Image credit: Microsoft)

Protecting users from potentially dangerous or unwanted messages

Even the best cybersecurity awareness campaigns and end-user training will only go so far. Protecting users and organizations from potentially dangerous and unwanted messages has become an endless battle.

Automated spam filters, which are part of any half-decent email solution, will get rid of the majority of unwanted messages without users even realizing it, though they won’t catch everything. Office 365 Quarantine adds a second line: it can hold potentially dangerous or unwanted messages rather than delivering or silently dropping them, and IT admins can create and apply custom quarantine policies that control who gets to see and release what.

Protecting users from malicious files

Office 365 Quarantine doesn’t just check the content of messages; attachments also go through multiple checks and engines to ensure that they are clean. Mail flow rules (also known as transport rules) can inspect attachments for text matches and keywords that you specify, and can block a message if an attachment can’t be inspected or is password protected. There’s a long list of attachment conditions that you can check for.

Another policy type available with Office 365 and Exchange Online Protection is anti-spam, which is separated into inbound and outbound policies, each with its own set of customizable settings. The outbound ones control how much a user can send (recipient rate limits per hour and per day) and whether automatic forwarding to external addresses is allowed, whereas the inbound ones deal with the bulk email threshold, spam properties, and the action taken for each verdict (including quarantine).

The figure below shows settings for an inbound anti-spam policy you can set up with Office 365 Quarantine:

Create a new anti-spam inbound policy
Figure 2: Create a new anti-spam inbound policy (Image Credit: Michael Taschler)

The figure below shows the settings for an outbound anti-spam policy you can also set up with Office 365 Quarantine:

Create a new anti-spam outbound policy
Figure 3: Create a new anti-spam outbound policy (Image Credit: Michael Taschler)

Managing quarantined messages

All quarantined messages are managed from the Quarantine page of the Microsoft 365 Defender portal. Admins see every user’s quarantined items and have access to multiple sections, whereas the typical end-user is restricted to their own messages and to whatever actions the applicable quarantine policy allows them.

Default Office 365 Quarantine policies

Quarantine policies in Exchange Online Protection and Microsoft Defender for Office 365 allow admins to control what users are able to do with quarantined messages (view, preview, release, request release, delete, block the sender), based on why the message was quarantined. The built-in quarantine policies, such as AdminOnlyAccessPolicy and DefaultFullAccessPolicy, cover the basic permission sets and are what the default threat policies reference.

The default anti-spam, anti-malware, and anti-phishing policies that assign these quarantine policies are always activated, have the lowest (least important) priority, and cannot be deleted; the built-in quarantine policies themselves cannot be modified or deleted either. Remember that Safe Attachments and Safe Links policies don’t come with a default policy, but they are covered by the Built-in protection preset security policy.

Custom Office 365 Quarantine policies

The default Office 365 Quarantine policies may be a good first step, but they don’t take into account specific requirements for your organization. This is where custom Office 365 Quarantine policies shine, by letting you tailor who can do what with quarantined items according to your needs.

For example, a Safe Attachments policy can redirect messages that contain blocked, monitored, or replaced attachments to a specific shared mailbox, allowing your helpdesk staff to decide how best to deal with them. Custom policies can also be scoped to specific users, groups, and domains. Some of your users will have higher demands (think C-level), and you might be required to let them overrule your recommendations; keep in mind that those same users are also the most targeted, so document every exception and review it regularly.

Dynamic Delivery is another good example: this Safe Attachments action delivers the message straight away but temporarily strips questionable attachments until they have passed all checks. If they do, the attachments are re-attached to the message. Dynamic Delivery only works for Exchange Online (cloud-hosted) mailboxes, so in a hybrid setup you will want a separate policy with a different action for users whose mailboxes are still on-premises.

Using multiple policies also requires you to specify the order in which they are applied to your tenant. No two policies can have the same priority, and processing stops after the first matching policy is applied. Design your policies with this in mind so that a broad, high-priority policy doesn’t inadvertently shadow a stricter one and create a gap in your security.
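The following PowerShell is an added example for this section and is not from the original article or from Microsoft’s documentation. It assumes the ExchangeOnlineManagement module, an account with the Security Administrator role, and placeholder names (contoso.com, helpdesk@contoso.com, the policy names) that you would replace with your own. It creates a custom quarantine policy, assigns it to the default anti-spam policy while keeping phishing verdicts admin-only, builds a Safe Attachments policy with Dynamic Delivery and a helpdesk redirect, and then prints the rule order so you can check for shadowing.

```powershell
# Added example (not from the original article). Assumes the ExchangeOnlineManagement
# module is installed and the account holds the Security Administrator role.
# contoso.com, helpdesk@contoso.com and the policy names are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# 1. A custom quarantine policy for ordinary users: they may preview, delete,
#    block the sender and *request* release, but cannot release on their own.
#    The permissions are a bit mask; 27 (binary 00011011) is the "Limited access"
#    preset: BlockSender, RequestRelease, Preview, Delete.
$qpName = 'LimitedAccessWithNotifications'
if (-not (Get-QuarantinePolicy -Identity $qpName -ErrorAction SilentlyContinue)) {
    New-QuarantinePolicy -Name $qpName `
        -EndUserQuarantinePermissionsValue 27 `
        -ESNEnabled $true      # send end-user quarantine notification emails
}

# 2. Point the default anti-spam policy at it for spam and bulk verdicts, but keep
#    phishing verdicts admin-only: those are the ones users most often get wrong.
Set-HostedContentFilterPolicy -Identity Default `
    -SpamQuarantineTag $qpName `
    -BulkQuarantineTag $qpName `
    -PhishQuarantineTag 'AdminOnlyAccessPolicy' `
    -HighConfidencePhishQuarantineTag 'AdminOnlyAccessPolicy'

# 3. A Safe Attachments policy using Dynamic Delivery (cloud mailboxes only) that
#    redirects detected attachments to a helpdesk mailbox; the rule scopes it by
#    recipient domain and sits at the top of the evaluation order.
$saName = 'SA-DynamicDelivery-Cloud'
New-SafeAttachmentPolicy -Name $saName -Enable $true -Action DynamicDelivery `
    -Redirect $true -RedirectAddress 'helpdesk@contoso.com'
New-SafeAttachmentRule -Name $saName -SafeAttachmentPolicy $saName `
    -RecipientDomainIs 'contoso.com' -Priority 0

# 4. Review the resulting order. Processing stops at the first matching rule, so an
#    overly broad rule at priority 0 hides every stricter rule below it.
Get-SafeAttachmentRule | Sort-Object Priority |
    Format-Table Priority, Name, State, RecipientDomainIs, SentTo, SentToMemberOf -AutoSize
```

Run step 4 after every change to the rule set; a rule that matches the whole tenant at priority 0 is the most common way to silently disable a more restrictive policy aimed at a high-risk group.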

How long do emails stay in quarantine?

Default retention periods are 15 or 30 days, depending on the policy type and, for anti-spam policies, on how the policy was created. Anti-phishing, anti-malware, and Safe Attachments policies hold messages for 30 days. Anti-spam policies use 15 days in the default policy and in policies created with PowerShell, but 30 days in policies created in the Defender portal GUI.

Only anti-spam policies let you change the retention period, anywhere between 1 and 30 days; the other policy types are fixed at 30 days. Plan your investigation workflow around the shortest retention in use, because a message that has expired from quarantine cannot be recovered.
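As an added example (not part of the original article), the snippet below audits the retention setting of every anti-spam policy and raises any that hold messages for less than the 30-day maximum. It assumes an existing Connect-ExchangeOnline session with the Security Administrator role.

```powershell
# Added example (not part of the original article). Assumes an existing
# Connect-ExchangeOnline session with the Security Administrator role.

# Anti-spam (hosted content filter) policies are the only threat policies with a
# tunable quarantine retention (1..30 days). List what each one currently uses;
# the default policy and any created in PowerShell start at 15 days.
Get-HostedContentFilterPolicy |
    Select-Object Name, IsDefault, QuarantineRetentionPeriod |
    Sort-Object QuarantineRetentionPeriod |
    Format-Table -AutoSize

# Raise every short-retention policy to the maximum so analysts have time to
# investigate a reported message before it is purged. Remove -WhatIf to apply.
Get-HostedContentFilterPolicy |
    Where-Object { $_.QuarantineRetentionPeriod -lt 30 } |
    ForEach-Object {
        Write-Host ("Raising '{0}' from {1} to 30 days" -f $_.Name, $_.QuarantineRetentionPeriod)
        Set-HostedContentFilterPolicy -Identity $_.Identity -QuarantineRetentionPeriod 30 -WhatIf
    }
```

Keep the audit half of this in your recurring tenant baseline checks: a new anti-spam policy created from a script will quietly come in at 15 days even when every other policy in the tenant is at 30.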

Accessing quarantined emails

So you’ve got spammed. Not to worry, this happens to the best of us. All kidding aside, spam is annoying but unfortunately not going away any time soon.

In that situation, your users will have received a notification email looking very similar to the one below, telling them that one or more messages were quarantined and how they can review them. The notification lists the held messages so that your users can block senders, release, or review the messages directly. The quarantine reason is not included in the notification, so using the Quarantine page itself should be part of your user awareness program and training.

Office 365 Quarantine notification email
Figure 4: Quarantine notification email (Image Credit: Michael Taschler)

To see your quarantined messages, open your favorite web browser and navigate to the Quarantine page in the Microsoft 365 Defender portal (https://security.microsoft.com/quarantine). After a few moments, the screen will have populated with your quarantined messages. The figure below shows an example of the Office 365 Quarantine page.

Office 365 Quarantine Page
Figure 5: Office 365 Quarantine Page

On the Office 365 Quarantine page, you can filter messages based on message ID, sender address, recipient address, time received, when the quarantined message will expire, quarantine status, release status, and which policy type was triggered to block the message.

Taking action on quarantined emails

In the previous section, you accessed your quarantined emails on Microsoft 365 Defender’s Quarantine page. The following actions are available to you, though bear in mind that these will depend on the policies your organization has set as well as the reason for quarantining the specific messages.

Actions available on a single quarantined message:

Release email: delivers the message to the recipient’s inbox
View message headers: displays the message header text
Preview message: displays an HTML or plain-text rendering of the selected message body
Delete from quarantine: immediately deletes the message
Block sender: adds the sender to the blocked senders list in your mailbox

Looking at the message header gives you far more insight than the preview does. The Authentication-Results header, which Exchange Online Protection writes itself, shows whether SPF, DKIM, and DMARC passed or failed, and the Received chain shows the path the message actually took; together these are the strongest clues for deciding whether an email is legitimate, whereas the From line and the body are entirely attacker-controlled. Released messages are delivered to your mailbox, typically within a few moments.

A word of warning: deleted messages cannot be recovered, so you should really think twice before clicking that Continue button. You can also select multiple messages by selecting the relevant check box next to them and have the following bulk actions available:

Bulk actions available on multiple selected messages:

Release emails: delivers the messages to the recipients’ inboxes
Delete from quarantine: immediately deletes the messages
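The portal actions above have PowerShell equivalents, which matters once you are triaging more than a handful of messages. The script below is an added example, not code from the original article: it pulls the last week of phishing verdicts, reads the SPF/DKIM/DMARC results out of each message’s Authentication-Results header, and sorts the items into block, review, and hold buckets before anything is released. It assumes an existing Connect-ExchangeOnline session (Security Reader is enough for the queries; the block and release actions need Security Administrator). The header parsing is a simple regex over the raw header text and is my own, not a Microsoft API.

```powershell
# Added example (not part of the original article). Assumes an existing
# Connect-ExchangeOnline session. The regex-based header parsing is illustrative.

# 1. Pull the last week's phishing verdicts across the whole tenant. Admins see
#    every user's items; 1000 is the cmdlet's maximum page size.
$since = (Get-Date).AddDays(-7)
$items = foreach ($type in 'Phish', 'HighConfidencePhish') {
    Get-QuarantineMessage -Type $type -StartReceivedDate $since -PageSize 1000 -Page 1
}

# 2. Read the SPF/DKIM/DMARC verdicts from the Authentication-Results header.
#    EOP writes this header itself, so it can be trusted; the From: line and the
#    body of the same message are attacker-controlled and cannot.
function Get-AuthVerdicts {
    param([Parameter(Mandatory)][string]$Identity)
    $hdr = Get-QuarantineMessageHeader -Identity $Identity | Out-String
    # Header value runs until the next non-folded header line (or end of text).
    $auth = [regex]::Match($hdr, '(?is)Authentication-Results:.*?(?=\r?\n\S|\z)').Value
    [pscustomobject]@{
        Identity = $Identity
        Spf      = [regex]::Match($auth, '(?i)\bspf=(\w+)').Groups[1].Value
        Dkim     = [regex]::Match($auth, '(?i)\bdkim=(\w+)').Groups[1].Value
        Dmarc    = [regex]::Match($auth, '(?i)\bdmarc=(\w+)').Groups[1].Value
    }
}

# 3. Triage. Nothing is released automatically; a DMARC pass only proves the
#    sending domain is aligned, not that the content is benign.
foreach ($m in $items) {
    $v = Get-AuthVerdicts -Identity $m.Identity
    $summary = '{0,-35} {1,-45} spf={2} dkim={3} dmarc={4}' -f `
        $m.SenderAddress, $m.Subject, $v.Spf, $v.Dkim, $v.Dmarc

    if ($m.Type -eq 'HighConfidencePhish' -and $v.Dmarc -eq 'fail') {
        # Spoofed or unaligned sender with a high-confidence verdict: leave it in
        # quarantine (it expires on its own) and block the sender tenant-wide via
        # the Tenant Allow/Block List, with an expiry so the list does not grow forever.
        New-TenantAllowBlockListItems -ListType Sender -Block `
            -Entries $m.SenderAddress -ExpirationDate (Get-Date).AddDays(30) | Out-Null
        Write-Host "BLOCKED  $summary"
    }
    elseif ($v.Spf -eq 'pass' -and $v.Dkim -eq 'pass' -and $v.Dmarc -eq 'pass') {
        Write-Host "REVIEW   $summary"   # candidate for manual preview and release
    }
    else {
        Write-Host "HOLD     $summary"
    }
}

# 4. Once a REVIEW item has been previewed and judged clean, release it to all of
#    its original recipients and report the false positive so the filter learns.
function Release-Reviewed {
    param([Parameter(Mandatory)][string]$Identity)
    Release-QuarantineMessage -Identity $Identity -ReleaseToAll -ReportFalsePositive
}
```

Note that the tenant-wide block in step 3 is the admin-grade counterpart of the per-mailbox "Block sender" action in the table above: it stops the sender for everyone, not just the one recipient who happened to report the message.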

How Microsoft 365 Defender can quarantine files

Microsoft Defender for Office 365’s Safe Attachments feature helps to protect your users and organization from malicious email attachments. Typically unnoticed by your users, Safe Attachments detonates attachments in a sandboxed virtual environment and analyzes their behavior to determine whether any malicious code or content is present.

What happens to a message whose attachment is deemed malicious depends on the action set in the Safe Attachments policy. With Block (the default in the Built-in protection preset) the whole message is quarantined; with Replace the attachment is removed and just the body of the email is delivered, together with a notice that an attachment was removed; with Dynamic Delivery the body is delivered immediately and the attachment only follows once it has been cleared.

Safe Attachment scanning takes place in the same region that holds your data. The default built-in protection settings are a good baseline for many organizations. However, I recommend doing your own research and picking the settings that are most suitable for your tenant.

Enabling Safe Attachments for SharePoint, OneDrive, and Microsoft Teams

Safe Attachments for SharePoint, OneDrive, and Microsoft Teams extends the aforementioned functionality to these three products. Microsoft states that this feature is not enabled by default, but my newly created test tenant (June 2022) had it enabled.

Make sure to check your tenant by navigating to the Microsoft 365 Defender portal:

  • Under Email & collaboration, select Policies and rules.
  • Then under Policies, select Safe Attachments.
  • On the Safe attachments page, click on Global settings to enable or disable this feature.

The image below shows the Safe Attachments for SharePoint, OneDrive, and Microsoft Teams Global Settings fly-out.

Safe Attachments for SharePoint, OneDrive and Microsoft Teams Global Settings fly-out
Figure 6: Safe Attachments for SharePoint, OneDrive, and Microsoft Teams Global Settings fly-out (Image Credit: Michael Taschler)

Taking action on quarantined files

Safe Attachments prevents your users from accessing files once they have been identified as malicious. The files will still be shown in your libraries, but your users won’t be able to open, move, copy, or share them.

The images below show how blocked files appear on the desktop.

A blocked malicious file in the desktop library
Figure 7: A blocked malicious file in the desktop library (Image Credit: Microsoft)

Below, you can see how blocked files appear in the OneDrive mobile app.

A blocked malicious file on a mobile device
Figure 8: A blocked malicious file on a mobile device (Image Credit: Microsoft)

While your users cannot open a malicious file, they still have the ability to download or delete it. This default setting can and should be changed to only allow admins or security champions to do so.

The image below shows the delete and download options for a blocked file.

Download option for a blocked file on a mobile device
Figure 9: Download option for a blocked file on a mobile device (Image Credit: Microsoft)

Take a look at Microsoft’s Use SharePoint Online PowerShell to prevent users from downloading malicious files support page to learn how to change this default setting.
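The two settings discussed in this section (enabling Safe Attachments for SharePoint, OneDrive, and Microsoft Teams from the procedure above, and removing the users’ download option for detected files) live in two different admin modules. The script below is an added example, not from the original article or the Microsoft support page it references: it reads both settings before changing them and prints a one-line verification. It assumes the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules, Security Administrator and SharePoint Administrator rights, and a placeholder tenant name of contoso.

```powershell
# Added example (not from the original article). Assumes the ExchangeOnlineManagement
# and Microsoft.Online.SharePoint.PowerShell modules; "contoso" is a placeholder tenant.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# 1. Safe Attachments for SharePoint, OneDrive and Teams is one tenant-wide switch on
#    the Defender for Office 365 global settings. Read before you write, because the
#    documented default and what a new tenant actually ships with can differ.
if (-not (Get-AtpPolicyForO365).EnableATPForSPOTeamsODB) {
    Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true
}

# 2. By default users can still download (and delete) a file the scanner has flagged.
#    Close the download path so the only action left to a user is delete.
if (-not (Get-SPOTenant).DisallowInfectedFileDownload) {
    Set-SPOTenant -DisallowInfectedFileDownload $true
}

# 3. Verify both settings in one object; both should be True. Keep this check in
#    your recurring tenant baseline so a later change does not go unnoticed.
[pscustomobject]@{
    SafeAttachmentsForSPOTeamsODB = (Get-AtpPolicyForO365).EnableATPForSPOTeamsODB
    DisallowInfectedFileDownload  = (Get-SPOTenant).DisallowInfectedFileDownload
}
```

Neither cmdlet removes files that were already flagged; it only changes what users can do with them going forward, so after enabling the settings review any previously detected files through the admin center before assuming the issue is closed.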

Conclusion

Office 365 Quarantine is a fully cloud-based email filtering service that can help protect your organization from potentially dangerous or unwanted messages. It will help you keep your users safe from unsafe attachments and malicious links.

With Office 365 Quarantine, you can also take some pressure off your users since they will be able to enjoy another level of protection. Ultimately, this feature can really help to prevent your organization from becoming the next victim of a cyber-attack.
