Understanding Office 365 Quarantine
Microsoft’s Office 365 Quarantine keeps organizations safer by holding suspicious messages in a secure location instead of delivering them. In this guide, we’ll explain how Office 365 Quarantine works and how IT admins can use it to protect users in an organization from malicious files and messages.
Table of Contents
- What is Office 365 Quarantine?
- Managing quarantined messages
- How Microsoft 365 Defender can quarantine files
What is Office 365 Quarantine?
Office 365 Quarantine helps safeguard your organization against potentially dangerous or unwanted messages. The reasons for quarantining range from merely unwanted (spam) messages to dangerous ones like phishing emails, where an attacker tries to get you to click a link or reveal information. Instead of delivering these messages to your users’ mailboxes, Office 365 Quarantine holds them for a set period so that an admin, or the user where policy allows it, can review them.
Office 365 Quarantine isn’t a single product, it is made up of several services which mainly sit under Microsoft’s Defender for Office 365 and Exchange Online Protection. The figure below shows a high-level architectural illustration of how Office 365 Quarantine works.
Protecting users from potentially dangerous or unwanted messages
Even the best cybersecurity awareness campaigns and end-user training will only go so far. Protecting users and organizations from potentially dangerous and unwanted messages has become an endless battle.
Automated spam filters, which are part of any half-decent email solution, get rid of the majority of unwanted messages without users even noticing, but they won’t catch everything. Office 365 Quarantine holds potentially dangerous or unwanted messages instead of silently discarding them, and IT admins can create and apply custom quarantine policies for their organization.
Protecting users from malicious files
Office 365 Quarantine doesn’t just check the content of messages; it also puts attachments through multiple checks and engines to ensure that they are clean. Mail flow rules (also known as transport rules) can search attachments for text and keywords that you specify, and let you block or quarantine a message if the attachment can’t be scanned or is password protected. There’s a long list of conditions that you can check for.
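As an added example (not code from the original article), here is how those attachment conditions look as mail flow rules created with Exchange Online PowerShell. The rule names, the keyword list and the rule comments are assumptions; the cmdlets and parameter names are the real ones from the ExchangeOnlineManagement module. The rules start in Audit mode so you can measure the hit rate before enforcing them.

```powershell
# Added example: mail flow (transport) rules that quarantine messages whose
# attachments cannot be inspected. Requires the ExchangeOnlineManagement module.
Connect-ExchangeOnline

# Conditions on a single rule are ANDed, so "can't be scanned OR is password
# protected" needs one rule per condition. Rule names are assumptions.
$rules = @(
    @{ Name = 'Quarantine unscannable attachments';        Condition = 'AttachmentIsUnsupported' }
    @{ Name = 'Quarantine password-protected attachments'; Condition = 'AttachmentIsPasswordProtected' }
)

foreach ($r in $rules) {
    if (-not (Get-TransportRule -Identity $r.Name -ErrorAction SilentlyContinue)) {
        $params = @{
            Name       = $r.Name
            Quarantine = $true      # deliver to the hosted quarantine rather than reject outright
            Mode       = 'Audit'    # switch to 'Enforce' once the audit hit rate looks right
            Comments   = 'Added example: attachment cannot be inspected by the filter'
        }
        $params[$r.Condition] = $true   # add the condition switch by name, then splat
        New-TransportRule @params
    }
}

# A keyword rule: attachments containing any of these (assumed) phrases are
# quarantined. AttachmentContainsWords matches inside supported file types only,
# which is exactly why the two rules above exist for everything it cannot read.
$phrases = 'wire transfer', 'enable macros to view'
if (-not (Get-TransportRule -Identity 'Quarantine suspicious attachment text' -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name 'Quarantine suspicious attachment text' `
        -AttachmentContainsWords $phrases `
        -Quarantine $true `
        -Mode Audit
}

# Check what will be enforced and in which order (lower Priority is evaluated first)
Get-TransportRule | Where-Object { $_.Quarantine -eq $true } |
    Sort-Object Priority |
    Format-Table Priority, Name, Mode, State
```

Keep the rules in Audit mode for a week or two and review the message trace before changing `-Mode` to `Enforce`; password-protected archives are common in legitimate business mail, so the hit rate is usually higher than expected.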
Another policy type available with Office 365 and Exchange Online Protection is anti-spam, which is split into inbound and outbound policies, each with its own set of customizable settings. The outbound ones control how many recipients a user may send to per hour and per day, what happens when that limit is reached, and whether automatic forwarding is allowed, whereas the inbound ones deal with the bulk email threshold, the action taken for each spam verdict, and how long quarantined messages are kept.
The figure below shows settings for an inbound anti-spam policy you can set up with Office 365 Quarantine:
The figure below shows the settings for an outbound anti-spam policy you can also set up with Office 365 Quarantine:
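The same inbound and outbound settings can be configured from Exchange Online PowerShell, which is useful when you want the configuration in source control. The block below is an added example, not code from the original article: the policy name, recipient domain and sending limits are assumptions, while the cmdlets and parameters are the documented ones. Note that an anti-spam policy created in PowerShell defaults to 15 days of quarantine retention, so the example sets it explicitly.

```powershell
# Added example: inbound and outbound anti-spam policies built with Exchange
# Online PowerShell. Policy name, domain and limits are assumptions.
Connect-ExchangeOnline

$policyName = 'Quarantine-Strict'
$domain     = 'contoso.com'     # assumed recipient domain

# Inbound: every verdict goes to quarantine. BulkThreshold is the bulk
# complaint level (1-9) above which mail is treated as bulk; lower is stricter.
if (-not (Get-HostedContentFilterPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-HostedContentFilterPolicy -Name $policyName `
        -BulkThreshold 6 `
        -BulkSpamAction Quarantine `
        -SpamAction Quarantine `
        -HighConfidenceSpamAction Quarantine `
        -PhishSpamAction Quarantine `
        -HighConfidencePhishAction Quarantine `
        -QuarantineRetentionPeriod 30      # PowerShell default is 15 days; be explicit
}

# A policy does nothing until a rule scopes it to recipients. Priority 0 is
# evaluated first and processing stops at the first matching rule.
if (-not (Get-HostedContentFilterRule -Identity "$policyName-Rule" -ErrorAction SilentlyContinue)) {
    New-HostedContentFilterRule -Name "$policyName-Rule" `
        -HostedContentFilterPolicy $policyName `
        -RecipientDomainIs $domain `
        -Priority 0
}

# Outbound: cap how many recipients a mailbox can address before it is blocked
# (a compromised account sending spam is the usual trigger), and stop automatic
# forwarding to external addresses.
Set-HostedOutboundSpamFilterPolicy -Identity Default `
    -RecipientLimitExternalPerHour 400 `
    -RecipientLimitInternalPerHour 800 `
    -RecipientLimitPerDay 8000 `
    -ActionWhenThresholdReached BlockUser `
    -AutoForwardingMode Off

# Review: the Default inbound policy (lowest priority, cannot be deleted) still
# applies to every recipient your custom rule does not cover.
Get-HostedContentFilterPolicy |
    Format-Table Name, IsDefault, BulkThreshold, SpamAction, PhishSpamAction, QuarantineRetentionPeriod
```

Running the final `Get-HostedContentFilterPolicy` after any change is worth the habit: it shows side by side what your custom policy does and what the Default policy will do for everyone else.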
Managing quarantined messages
Quarantined messages are managed from the Microsoft 365 Defender portal. Admins have access to multiple sections, whereas a typical end user is restricted to their individual Quarantine page.
Default Office 365 Quarantine policies
Quarantine policies in Exchange Online Protection and Microsoft Defender for Office 365 allow admins to control what users are able to do with quarantined messages, based on why the message was quarantined. These default Office 365 Quarantine policies are meant to cover the basic properties and actions that will affect your users and environments.
Default Office 365 Quarantine policies are always active, have the lowest (least important) priority, and cannot be deleted. Remember that Safe Attachments and Safe Links policies don’t come with a default policy, but they are covered by the Built-in protection preset security policy.
Custom Office 365 Quarantine policies
The default Office 365 Quarantine policies may be a good first step, but they don’t take into account specific requirements for your organization. This is where custom Office 365 Quarantine policies shine by allowing you to customize your environment according to your needs.
For example, you can redirect messages that contain blocked, monitored, or replaced attachments to a specific shared mailbox, allowing your helpdesk staff to decide how to best deal with them. Custom Office 365 Quarantine policies also allow you to filter messages based on users, groups, and domains. Some of your users will have higher demands (think C-level), and you might be required to let them overrule your recommendations.
Dynamic Delivery is another good example: This feature will deliver the message straight away but temporarily remove questionable attachments until they have passed all checks. If they do, attachments get re-attached to the message. Dynamic Delivery only works with hosted mailboxes, so in a hybrid setup, you might want to create an additional policy just for those users.
Using multiple Office 365 Quarantine policies also allows you to specify the order in which you want them to be applied to your tenant. No two policies can have the same priority and processing stops after the first policy is applied. Make sure you design your Office 365 Quarantine policies with this in mind so you don’t inadvertently create a gap in your security.
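The redirect, Dynamic Delivery and priority points above come together in the following added example (not code from the original article). It creates two Safe Attachments policies with Exchange Online PowerShell: one that replaces malicious attachments and redirects the original message to a review mailbox, and one that uses Dynamic Delivery for a group of Exchange Online mailboxes, ordered so that the narrower rule is evaluated first. The policy names, the shared mailbox address, the group name and the domain are assumptions.

```powershell
# Added example: two custom Safe Attachments policies and the rules that scope
# and order them. Names, addresses, group and domain are assumptions.
Connect-ExchangeOnline

$reviewMailbox = 'attachment-review@contoso.com'   # assumed shared mailbox for helpdesk triage
$onlineGroup   = 'Exchange Online Mailboxes'        # assumed group containing hosted (non-hybrid) users

# Policy 1: for everyone in the domain. Malicious attachments are stripped
# (Replace) and the original message is redirected to the review mailbox.
if (-not (Get-SafeAttachmentPolicy -Identity 'SA-Replace-Redirect' -ErrorAction SilentlyContinue)) {
    New-SafeAttachmentPolicy -Name 'SA-Replace-Redirect' `
        -Enable $true `
        -Action Replace `
        -Redirect $true `
        -RedirectAddress $reviewMailbox
}

# Policy 2: Dynamic Delivery delivers the body immediately and re-attaches the
# files once scanning passes. It only works for Exchange Online mailboxes, so it
# is scoped to that group rather than to the whole domain.
if (-not (Get-SafeAttachmentPolicy -Identity 'SA-DynamicDelivery' -ErrorAction SilentlyContinue)) {
    New-SafeAttachmentPolicy -Name 'SA-DynamicDelivery' `
        -Enable $true `
        -Action DynamicDelivery
}

# Rules bind policies to recipients. Priority 0 is checked first and processing
# stops at the first match, so the narrower Dynamic Delivery rule must come first.
if (-not (Get-SafeAttachmentRule -Identity 'SA-DynamicDelivery-Rule' -ErrorAction SilentlyContinue)) {
    New-SafeAttachmentRule -Name 'SA-DynamicDelivery-Rule' `
        -SafeAttachmentPolicy 'SA-DynamicDelivery' `
        -SentToMemberOf $onlineGroup `
        -Priority 0
}
if (-not (Get-SafeAttachmentRule -Identity 'SA-Replace-Redirect-Rule' -ErrorAction SilentlyContinue)) {
    New-SafeAttachmentRule -Name 'SA-Replace-Redirect-Rule' `
        -SafeAttachmentPolicy 'SA-Replace-Redirect' `
        -RecipientDomainIs 'contoso.com' `
        -Priority 1
}

# Verify the evaluation order. A recipient matched by no rule falls through to
# the Built-in protection preset, which is the gap the text warns about.
Get-SafeAttachmentRule | Sort-Object Priority |
    Format-Table Priority, Name, SafeAttachmentPolicy, State, SentToMemberOf, RecipientDomainIs
```

If the Dynamic Delivery rule had been given priority 1 instead, every member of the group would be matched by the domain-wide rule first and never receive Dynamic Delivery, which is the kind of ordering mistake the priority check at the end is meant to catch.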
How long do emails stay in quarantine?
Default retention periods are either 15 or 30 days, depending on which policy type quarantined the message (anti-phishing, anti-spam, anti-malware, Safe Attachments, or mail flow rules) and, for anti-spam policies, how the policy was created (30 days from the GUI, 15 days from PowerShell unless you set QuarantineRetentionPeriod yourself).
Some of the default (built-in) policies let you change retention periods, but others don’t. With custom Office 365 Quarantine policies, you can set the retention period to anywhere between one and 30 days.
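A custom quarantine policy is defined by which actions end users may take, and in PowerShell those actions are passed to `New-QuarantinePolicy` as a single bit mask. The added example below (not code from the original article) builds that mask from named flags rather than a magic number, creates the policy, binds it to an anti-spam policy per verdict, and sets the retention period. The policy names are assumptions; the flag values are the ones Microsoft documents for `EndUserQuarantinePermissionsValue`, and `AdminOnlyAccessPolicy` is one of the built-in quarantine policies.

```powershell
# Added example: build a custom quarantine policy from named permission flags,
# bind it to an anti-spam policy and set retention. Policy names are assumptions.
Connect-ExchangeOnline

# Documented bit values for EndUserQuarantinePermissionsValue
$flags = @{
    PermissionToViewHeader     = 128
    PermissionToDownload       = 64
    PermissionToAllowSender    = 32
    PermissionToBlockSender    = 16
    PermissionToRequestRelease = 8
    PermissionToRelease        = 4
    PermissionToPreview        = 2
    PermissionToDelete         = 1
}

function New-QuarantinePermissionValue {
    param([string[]]$Grant)
    # Release and RequestRelease are mutually exclusive; refuse to build a bad mask
    if ($Grant -contains 'PermissionToRelease' -and $Grant -contains 'PermissionToRequestRelease') {
        throw 'Grant either PermissionToRelease or PermissionToRequestRelease, not both'
    }
    $value = 0
    foreach ($g in $Grant) {
        if (-not $flags.ContainsKey($g)) { throw "Unknown permission: $g" }
        $value = $value -bor $flags[$g]
    }
    return $value
}

# "Limited access": users can preview, delete, block the sender and ask for a
# release, but an admin has to approve it. Evaluates to 27 (16 + 8 + 2 + 1).
$limited = New-QuarantinePermissionValue -Grant @(
    'PermissionToBlockSender', 'PermissionToRequestRelease',
    'PermissionToPreview', 'PermissionToDelete'
)

$qpName = 'HelpdeskTriage'   # assumed quarantine policy name
if (-not (Get-QuarantinePolicy -Identity $qpName -ErrorAction SilentlyContinue)) {
    New-QuarantinePolicy -Name $qpName `
        -EndUserQuarantinePermissionsValue $limited `
        -ESNEnabled $true     # send end-user spam notifications for this policy
}

# Bind the quarantine policy per verdict on an (assumed) existing anti-spam
# policy. Ordinary spam and bulk go to the limited-access policy; high-confidence
# spam stays admin-only. Custom retention accepts 1-30 days.
Set-HostedContentFilterPolicy -Identity 'Quarantine-Strict' `
    -SpamQuarantineTag $qpName `
    -BulkQuarantineTag $qpName `
    -HighConfidenceSpamQuarantineTag 'AdminOnlyAccessPolicy' `
    -QuarantineRetentionPeriod 30

# Review what end users will actually be able to do
Get-QuarantinePolicy -Identity $qpName |
    Format-List Name, EndUserQuarantinePermissions, ESNEnabled
```

The helper refuses to combine release and request-release, which is the one combination the portal will not let you pick either; building the value from names also makes a later review of the script far easier than decoding `27` by hand.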
Accessing quarantined emails
So you’ve been spammed. Not to worry, it happens to the best of us. Spam is annoying but unfortunately not going away any time soon.
In that situation, your users will have received a notification like the one below, telling them that one or more messages were quarantined and how to review them. The notification lists the held messages so that users can block the sender, release, or review each message directly from it. The quarantine reason is not included, so using the Quarantine page should be part of your user awareness program and training.
To see your quarantined messages, navigate to the Quarantine page in the Microsoft 365 Defender portal. After a few moments, the page populates with your quarantined messages. The figure below shows an example of the Office 365 Quarantine page.
On the Office 365 Quarantine page, you can filter messages based on message ID, sender address, recipient address, time received, when the quarantined message will expire, quarantine status, release status, and which policy type was triggered to block the message.
Taking action on quarantined emails
In the previous section, you accessed your quarantined emails on Microsoft 365 Defender’s Quarantine page. The following actions are available to you, though bear in mind that these will depend on the policies your organization has set as well as the reason for quarantining the specific messages.
| Quarantined message | Available action |
| --- | --- |
| Release email | Delivers the message to the recipient’s inbox |
| View message headers | Displays the message header text |
| Preview message | Displays an HTML or plain text version of the selected message body |
| Delete from quarantine | Immediately deletes the message |
| Block sender | Adds the sender to the blocked senders list in your mailbox |
Looking at the message header gives you more insight into a message, since it shows the route the message took and the authentication results (SPF, DKIM and DMARC) that help you decide whether it is legitimate. Released messages are delivered to your mailbox, typically within a few moments.
A word of warning: deleted messages cannot be recovered, so you should really think twice before clicking that Continue button. You can also select multiple messages by selecting the relevant check box next to them and have the following bulk actions available:
| Quarantined messages | Available actions |
| --- | --- |
| Release emails | Deliver the messages to the recipients’ inboxes |
| Delete from quarantine | Immediately delete the messages |
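The same filtering, header inspection, release and delete actions are available from Exchange Online PowerShell, which is what you want when you are triaging more than a handful of messages. The block below is an added example, not code from the original article: the seven-day window, the partner domain used to decide what to release, and the choice to release only high-confidence phish verdicts after reviewing them are assumptions; the cmdlets are the documented ones.

```powershell
# Added example: triage quarantined messages from Exchange Online PowerShell
# rather than the portal. Time window and partner domain are assumptions.
Connect-ExchangeOnline

$since   = (Get-Date).AddDays(-7)
$partner = 'partner.example'     # assumed domain whose mail is known to be legitimate

# Same filters the Quarantine page offers: time received, verdict type, sender
$hits = Get-QuarantineMessage -StartReceivedDate $since -EndReceivedDate (Get-Date) `
            -QuarantineTypes Phish, HighConfPhish `
            -PageSize 100 |
        Where-Object { -not $_.Released }

$hits | Sort-Object ReceivedTime -Descending |
    Format-Table ReceivedTime, SenderAddress, RecipientAddress, Subject, Type, Expires -AutoSize

# Inspect before releasing: the headers carry the route and the SPF/DKIM/DMARC
# verdict in Authentication-Results, which the message preview does not show.
foreach ($m in $hits) {
    $hdr  = Get-QuarantineMessageHeader -Identity $m.Identity | Out-String
    $auth = ($hdr -split "`r?`n") | Where-Object { $_ -match '^Authentication-Results:' }
    Write-Host "$($m.SenderAddress) -> $($m.RecipientAddress): $auth"
}

# Release only messages from the known-good domain, and to all their recipients
$legit = $hits | Where-Object { $_.SenderAddress -like "*@$partner" }
foreach ($m in $legit) {
    Release-QuarantineMessage -Identity $m.Identity -ReleaseToAll -Confirm:$false
}

# Deleting is permanent. Bulk-delete only what you have looked at, and leave the
# confirmation prompt in place unless this runs unattended.
$junk = $hits | Where-Object { $_.Type -eq 'HighConfPhish' -and $_.SenderAddress -notlike "*@$partner" }
if ($junk) {
    Delete-QuarantineMessage -Identities $junk.Identity
}
```

Releasing with `-ReleaseToAll` delivers the message to every original recipient; use `-User` with a list of addresses instead when only some of them should get it.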
How Microsoft 365 Defender can quarantine files
Microsoft 365 Defender’s Safe Attachments feature helps protect your users and organization from malicious email attachments. Safe Attachments, typically unnoticed by your users, detonates attachments in a virtual environment (a sandbox) before delivery to determine whether any malicious code or content is present.
What happens to a malicious attachment depends on the policy’s action. With the Replace action, the attachment is removed, just the body of the email is delivered, and the user is notified that an attachment was removed; with the Block action, the whole message is quarantined instead.
Safe Attachments scanning takes place in the same region that holds your data. The default built-in protection settings are a good baseline for many organizations. However, I recommend doing your own research and picking the settings that are most suitable for your tenant.
Safe Attachments for SharePoint, OneDrive, and Microsoft Teams extends the aforementioned functionality to these three products. Microsoft states that this feature is not enabled by default, but my newly created test tenant (June 2022) had it enabled.
Make sure to check your tenant by navigating to the Microsoft 365 Defender portal:
- Under Email & collaboration, select Policies and rules.
- Then under Policies, select Safe Attachments.
- On the Safe attachments page, click on Global settings to enable or disable this feature.
The image below shows the Safe Attachments for SharePoint, OneDrive, and Microsoft Teams Global Settings fly-out.
Taking action on quarantined files
Safe Attachments prevents your users from accessing files once they have been identified as malicious. They will still be shown in your libraries, but your users won’t be able to open, move, copy, or share them.
The images below show how blocked files appear on the desktop.
Below, you can see how blocked files appear in the OneDrive mobile app.
While your users cannot open a malicious file, they can still download or delete it. This default can and should be changed so that only admins or security champions are able to do so.
The image below shows the delete and download options for a blocked file.
Take a look at Microsoft’s Use SharePoint Online PowerShell to prevent users from downloading malicious files support page to learn how to change this default setting.
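The global-settings check from the portal steps above and the download restriction from that support page can both be done, and verified, in a single script. The block below is an added example, not code from the original article or from Microsoft’s support page: the tenant name is an assumption, and it requires two modules, ExchangeOnlineManagement for the Defender setting and Microsoft.Online.SharePoint.PowerShell for the SharePoint tenant setting.

```powershell
# Added example: turn on Safe Attachments for SharePoint, OneDrive and Teams,
# then stop users from downloading files it has flagged. Tenant name is an
# assumption. Needs ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell.
$tenant = 'contoso'

# 1. Defender for Office 365 side: the global Safe Attachments switch for SPO/ODB/Teams
Connect-ExchangeOnline
if (-not (Get-AtpPolicyForO365).EnableATPForSPOTeamsODB) {
    Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true
}

# 2. SharePoint side: by default a detected file can still be downloaded;
#    DisallowInfectedFileDownload removes that option for users.
Connect-SPOService -Url "https://$tenant-admin.sharepoint.com"
if (-not (Get-SPOTenant).DisallowInfectedFileDownload) {
    Set-SPOTenant -DisallowInfectedFileDownload $true
}

# 3. Verify both settings as one object you can log or diff against a baseline.
#    Both must be $true; a newly created tenant may already report the first
#    as $true, which is why the check reads the value rather than assuming it.
[pscustomobject]@{
    SafeAttachmentsForSPOTeamsODB = (Get-AtpPolicyForO365).EnableATPForSPOTeamsODB
    DisallowInfectedFileDownload  = (Get-SPOTenant).DisallowInfectedFileDownload
    CheckedAt                     = (Get-Date).ToString('u')
}
```

Because the first setting is read back rather than assumed, the script is safe to re-run as a periodic drift check; if either value comes back `$false` after you set it, someone or something has changed the tenant configuration.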
Office 365 Quarantine is a fully cloud-based email filtering service that can help protect your organization from potentially dangerous or unwanted messages. It will help you keep your users safe from unsafe attachments and malicious links.
With Office 365 Quarantine, you can also take some pressure off your users since they will be able to enjoy another level of protection. Ultimately, this feature can really help to prevent your organization from becoming the next victim of a cyber-attack.