Επεξεργασία

Κοινή χρήση μέσω


Manage quarantined messages and files as a user

Tip

Did you know you can try the features in Microsoft Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms on Try Microsoft Defender for Office 365.

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, quarantine holds potentially dangerous or unwanted messages. For more information, see Quarantine in EOP.

As an ordinary user (not an admin), the default capabilities that are available to you as a recipient of a quarantined message are described in the following table:

Quarantine reason View Release Delete
Anti-spam policies
   Bulk
   Spam
   High confidence spam
   Phishing
   High confidence phishing
Anti-phishing policies
   Spoof intelligence protection in EOP
   Impersonated user protection in Defender for Office 365
   Impersonated domain protection in Defender for Office 365
   Mailbox intelligence impersonation protection in Defender for Office 365
Anti-malware policies
   Email messages with attachments that are quarantined as malware.
Safe Attachments in Defender for Office 365
   Safe Attachments policies that quarantine email messages with malicious attachments as malware.
   Safe Attachments for SharePoint, OneDrive, and Microsoft Teams that quarantines malicious files as malware.
Mail flow rules (transport rules)
   Mail flow rules that quarantine email messages (directly, not by marking them as spam).

In supported protection features, quarantine policies define what users are allowed to do to quarantined messages based on why the message was quarantined. Default quarantine policies enforce the historical capabilities for messages as described in the previous table. Admins can create and apply custom quarantine policies that define less restrictive or more restrictive capabilities for users. For more information, see Anatomy of a quarantine policy.

You view and manage your quarantined messages in the Microsoft Defender portal or (if an admin has set this up) quarantine notifications from quarantine policies.

What do you need to know before you begin?

Manage quarantined messages in EOP

View your quarantined messages

Note

Your ability to view quarantined messages is controlled by the quarantine policy that applies to the reason why the message was quarantined (which might be the default quarantine policy as described in Recommended settings for EOP and Microsoft Defender for Office 365 security).

In the Microsoft Defender portal at https://security.microsoft.com, go to Email & collaboration > Review > Quarantine > Email tab. Or, to go directly to the Email tab on the Quarantine page, use https://security.microsoft.com/quarantine?viewid=Email.

On the Email tab, you can decrease the vertical spacing in the list by clicking Change list spacing to compact or normal and then selecting Compact list.

You can sort the entries by clicking on an available column header. Select Customize columns to change the columns that are shown. The default values are marked with an asterisk (*):

  • Time received*

  • Subject*

  • Sender*

  • Quarantine reason* (see the possible values in the Filter description.)

  • Release status* (see the possible values in the Filter description.)

  • Policy type* (see the possible values in the Filter description.)

  • Expires*

  • Recipient*

  • Sender address override reason*: One of the following values:

    • None
    • Message sender is blocked by recipient settings
    • Message sender is blocked by administrator settings

    Tip

    If a sender is blocked and Don't show blocked senders is selected (default), messages from those senders are shown on the Quarantine page and are included in quarantine notifications when the Sender address override reason value is None. This behavior occurs because the messages were blocked due to reasons other than sender address overrides.

  • Released by*

  • Message ID

  • Policy name

  • Message size

  • Mail direction

To filter the entries, select Filter. The following filters are available in the Filters flyout that opens:

  • Message ID: The globally unique identifier of the message.

  • Sender address

  • Recipient address

  • Subject

  • Time received: Select one of the following values:

    • Last 24 hours
    • Last 7 days (default)
    • Last 14 days
    • Last 30 days (default)
    • Custom: Enter a Start time and End time (date).
  • Expires: Filter messages by when they expire from quarantine. Select one of the following values:

    • Today
    • Next 2 days
    • Next 7 days
    • Custom: Enter a Start time and End time (date).
  • Quarantine reason: Select one or more of the following values:

    • Transport rule (mail flow rule)
    • Bulk
    • Spam
    • Malware: Anti-malware policies in EOP or Safe Attachments policies in Defender for Office 365. The Policy Type value indicates which feature was used.
    • Phishing: The spam filter verdict was Phishing or anti-phishing protection quarantined the message (spoof settings or impersonation protection).
    • High confidence phishing
  • Blocked sender: One of the following values:

    • Don't show blocked senders (default)
    • Show all senders

    Tip

    If a sender is blocked and Don't show blocked senders is selected, messages from those senders are shown on the Quarantine page and are included in quarantine notifications when the Sender address override reason value is None. This behavior occurs because the messages were blocked due to reasons other than sender address overrides.

  • Release status: Any of the following values:

    • Needs review
    • Approved
    • Denied
    • Release requested
    • Released
  • Policy Type: Filter messages by what type of protection policy quarantined the message. Select one or more of the following values:

    • Anti-malware policy
    • Safe Attachments policy
    • Anti-phishing policy
    • Anti-spam policy
    • Transport rule (mail flow rule)

    The Policy type and Quarantine reason values are interrelated. For example, Bulk is always associated with an Anti-spam policy, never with an Anti-malware policy.

When you're finished on the Filters flyout, select Apply. To clear the filters, select Clear filters.

Tip

Filters are cached. The filters from the last sessions are selected by default the next time you open the Quarantine page. This behavior helps with triage operations.

Use the Search box and a corresponding value to find specific messages. Wildcards aren't supported. You can search by the following values:

  • Sender email address
  • Subject. Use the entire subject of the message. The search isn't case-sensitive.

After you've entered the search criteria, press the enter ENTER key to filter the results.

Note

The Search box searches for quarantined items in the current view, not all quarantined items. To search all quarantined items, use Filter and the resulting Filters flyout.

After you find a specific quarantined message, select the message to view details about it and to take action on it (for example, view, release, download, or delete the message).

Tip

On mobile devices, the previously described controls are available under More.

Selecting a quarantined message and then selecting More on a mobile device.

View quarantined message details

  1. In the Microsoft Defender portal at https://security.microsoft.com, go to Email & collaboration > Review > Quarantine > Email tab. Or, to go directly to the Email tab on the Quarantine page, use https://security.microsoft.com/quarantine?viewid=Email.

  2. On the Email tab, select the quarantined message by clicking anywhere in the row other than the check box.

In the details flyout that opens, the following information is available:

  • Quarantine details section:
    • Received: The date/time when the message was received.
    • Expires: The date/time when the message is automatically and permanently deleted from quarantine.
    • Subject
    • Quarantine reason: Shows if a message has been identified as Spam, Bulk, Phish, matched a mail flow rule (Transport rule), or was identified as containing Malware.
    • Policy type
    • Recipient count
    • Recipients: If the message contains multiple recipients, you might need to select > Preview message or > View message header to see the complete list of recipients.
    • Sender override reason
    • Released by:
      • If the user released their message, the user's email address is shown.
      • If the message was released by an admin, the value Admin is shown.
      • if the release is carried out by the system, the value System is shown
      • if the release is not carried out by user, Admin, or system, it defaults to Admin.
  • Email details section:
    • Sender address
    • Time received
    • Network message ID
    • Recipients

The details flyout of a quarantined message

To take action on the message, see the next section.

Tip

To see details about other quarantined messages without leaving the details flyout, use Previous item and Next item at the top of the flyout.

Take action on quarantined email

  1. In the Microsoft Defender portal at https://security.microsoft.com, go to Email & collaboration > Review > Quarantine > Email tab. Or, to go directly to the Email tab on the Quarantine page, use https://security.microsoft.com/quarantine?viewid=Email.

  2. On the Email tab, select the quarantined email message by using either of the following methods:

    • Select the message from the list by selecting the check box next to the first column. The available actions are no longer grayed out.

      Available actions after you select a quarantined message on the Email tab of the Quarantine page.

    • Select the message from the list by clicking anywhere in the row other than the check box. The available actions are in the details flyout that opens.

      The available actions in the details flyout of a quarantined message

    Using either method to select the message, some actions are available under More or More options.

After you select the quarantined message, the available actions are described in the following subsections.

Tip

On mobile devices, the action experience is slightly different:

  • When you select the message by selecting the check box, all actions are under More:

    Selecting a quarantined message and then selecting More on a mobile device.

  • When you select the message by clicking anywhere in the row other than the check box, most options are available under More in the details flyout:

    The details of a quarantined message with available actions shown.

Release quarantined email

Note

Your ability to release quarantined messages is controlled by the quarantine policy for the protection feature that quarantined the message (which might be a default quarantine policy as described in Recommended settings for EOP and Microsoft Defender for Office 365 security).

A quarantine policy can allow you to release a message or request the release of a message, but both options aren't available for the same message. A quarantine policy can also prevent you from releasing or requesting the release of quarantined messages.

This action isn't available for email messages that have already been released (the Release status value is Released).

If you don't release or remove a message, it's automatically deleted from quarantine after the date shown in the Expires column.

After you select the message, use either of the following methods to release it (deliver it to your mailbox):

  • On the Email tab: Select Release.
  • In the details flyout of the selected message: Select Release email.

In the Release message to your Inbox flyout that opens, select Report message as having no threats as appropriate, and then select Release message.

When you're finished on the Release message to your Inbox flyout, select Release message.

In the Messages released to your Inbox flyout that opens, select Done.

Back on the Email tab, the Release status value of the message is Released.

The message is delivered to your Inbox (or some other folder, depending on any Inbox rules in your mailbox).

Request the release of quarantined email

Note

Your ability to request the release of quarantined messages is controlled by the quarantine policy for the protection feature that quarantined the message.

A quarantine policy can allow you to release a message or request the release of a message, but both options aren't available for the same message. A quarantine policy can also prevent you from releasing or requesting the release of quarantined messages.

This action isn't available for email messages where you already requested release (the Release status value is Released requested).

If you don't release or remove a message, it's automatically deleted from quarantine after the date shown in the Expires column.

After you select the message, use either of the following methods to request its release:

  • On the Email tab: Select Request release.
  • In the details flyout of the selected message: Select More options > Request release.

In the Request release flyout that opens, review the information, select Request release. In the Release requested flyout that opens, select Done.

Back on the Quarantine page, the Release status value of the message is Release requested. An admin will review your request and approve it or deny it.

Delete email from quarantine

When you delete an email message from quarantine, the message is removed and isn't sent to the original recipients.

If you don't release or remove a message, it's automatically deleted from quarantine after the date shown in the Expires column.

After you select the message, use either of the following methods to remove it:

  • On the Email tab: Select Delete messages.
  • In the details flyout of the selected message: Select More options > Delete from quarantine.

In the Delete (n) messages from quarantine flyout that opens, use one of the following methods to delete the message:

  • Select Permanently delete the message from quarantine and then select Delete: The message is permanently deleted and isn't recoverable.
  • Select Delete only: The message is deleted, but is potentially recoverable.

After you select Delete on the Delete (n) messages from quarantine flyout, you return to the Email tab where the message is no longer listed.

Tip

Admins can find out who deleted a quarantined message by searching the admin audit log. For instructions, see Find who deleted a quarantined message.

Preview email from quarantine

After you select the message, use either of the following methods to preview it:

  • On the Email tab: Select Preview message.
  • In the details flyout of the selected message: Select More options > Preview message.

In the flyout that opens, choose one of the following tabs:

  • Source: Shows the HTML version of the message body with all links disabled.
  • Plain text: Shows the message body in plain text.

View email message headers

After you select the message, use either of the following methods to view the message headers:

  • On the Email tab: Select More > View message headers.
  • In the details flyout of the selected message: Select More options > View message headers.

In the Message header flyout that opens, the message header (all header fields) is shown.

Use Copy message header to copy the message header to the clipboard.

Select the Microsoft Message Header Analyzer link to analyze the header fields and values in depth. Paste the message header into the Insert the message header you would like to analyze section (CTRL+V or right-click and choose Paste), and then select Analyze headers.

Allow email senders from quarantine

Tip

If the sender is already in your Junk email filter lists, Allow sender isn't available.

The Allow sender action adds the message sender to the Safe Senders list in your mailbox. For more information about allowing senders, see Add recipients of my email messages to the Safe Senders List.

After you select the message, use either of the following methods to add the message sender to the Safe Senders list in your mailbox:

  • On the Email tab: Select More > Allow sender.
  • In the details flyout of the selected message: Select More options > Allow sender.

The flyout that opens indicates when the sender was successfully added to your Safe Senders list. Select Done.

Block email senders from quarantine

Tip

Block sender is available only if an admin created a custom quarantine policy with the Block sender permission enabled, and assigned that quarantine policy to the protection feature policy that quarantined the message.

If the sender is already in your Safe Senders list, Block sender isn't available. Remove sender from user block list is available instead.

The Block sender action adds the message sender to the Blocked Senders list in your mailbox. For more information about blocking senders, see Block a mail sender.

After you select the message, use either of the following methods to add the message sender to the Blocked Senders list in your mailbox:

  • On the Email tab: Select More > Block sender.
  • In the details flyout of the selected message: Select More options > Block sender.

In the Block sender flyout that opens, review the information about the sender, and then select Block.

Tip

The organization can still receive mail from the blocked sender. Messages from the sender are delivered to your Junk Email folder or to quarantine. To delete messages from the sender upon arrival, an admin can use mail flow rules (also known as transport rules) to Block the message.

Remove senders from your Blocked Senders list from quarantine

The Remove sender from user block list is available only if the sender of the quarantined message is already in your Block Senders list.

After you select the message, use either of the following methods to remove the sender from your Block Senders list:

  • On the Email tab: Select More > Remove sender from user block list.
  • In the details flyout of the selected message: Select More options > Remove sender from user block list.

The flyout that opens indicates when the sender was successfully removed from your Blocked Senders list. Select Done.

Take action on multiple quarantined email messages

When you select multiple quarantined messages on the Email tab by selecting the check boxes next to the first column, the following bulk actions are available on the Email tab (depending on the Release status values of the messages that you selected):

Manage quarantined messages in Microsoft Teams

When a potentially malicious chat message is detected in Microsoft Teams, zero-hour auto purge (ZAP) removes the message and quarantines it. Users can now view and manage these quarantined Teams messages in the Microsoft Defender portal. Quarantine notifications aren't supported for quarantined Teams messages.

View your quarantined messages in Microsoft Teams

In the Microsoft Defender portal at https://security.microsoft.com, go to Email & collaboration > Review > Quarantine > Teams messages tab. Or, to go directly to the Teams messages tab on the Quarantine page, use https://security.microsoft.com/quarantine?viewid=Teams.

You can sort the entries by clicking on an available column header. Select Customize columns to change the columns that are shown. The default columns are:

  • Teams message text: Contains the subject for the teams message.
  • Date quarantined: Showed when the message was quarantined.
  • Status: Shows whether the message is already reviewed and released or needs review.
  • Sender: The person who sent the message that was quarantined.
  • Quarantine reason: Available options are High confidence phish and Malware.
  • Expires: Indicates the time after which the message is removed from quarantine. By default, this value is 30 days.

To filter the entries, select Filter. The following filters are available in the Filters flyout that opens:

  • Sender address
  • Time received:
    • Last 24 hours
    • Last 7 days
    • Last 14 days
    • Last 30 days (default)
    • Custom: Enter a Start time and End time (date).
  • Expires in:
    • Custom (default): Enter a Start time and End time (date).
    • Today
    • Next 2 days
    • Next 7 days
  • Quarantine reason: Available values are Malware and High confidence phishing.
  • Status: Select Needs review and Released.

When you're finished in the Filters flyout, select Apply. To clear the filters, select Clear filters.

Use the Search box and a corresponding value to find specific Teams messages. Wildcards aren't supported.

After you find a specific quarantined Teams message, select the message to view details about it and to take action on it (for example, view, release, download, or delete the message).

View quarantined message details in Microsoft Teams

On the Teams messages tab, select the quarantined message by clicking anywhere in the row other than the check box.

In the details flyout that opens, the following information is available:

  • Quarantine details section: Includes quarantine reason, expiry date, quarantine policy type, and other information.
    • Expires
    • Time received
    • Quarantine reason
    • Release status
    • Policy type
  • Message details section: Includes date and time of the message sent, the sender address, Teams message ID, and the list of recipients.
    • Sender address
    • Time received
    • Recipients
    • Teams message ID

To take action on the message, see the next section.

Take action on quarantined messages in Microsoft Teams

On the Teams messages tab, select the quarantined message by selecting the check box next to the first column. The following options are available:

  • Request release: You can request to release the message from quarantine. Your organization's admin needs to approve the release.
  • Delete: You can request to delete the message from the list of quarantined messages.
  • Preview message: You can view the details of the message you selected.

If you don't release or remove a message, it's automatically deleted from quarantine after the date shown in the Expires column.