Reviewing Quarantined Emails

This guide explains how the email quarantine system works and how to review emails that have been quarantined.

It is likely that some emails will be caught in quarantine when they should not have been. These are known as false positives. For this reason, you are able to release emails from quarantine yourself after reviewing them.

This system replaces the Junk folder in Outlook for most emails, so please make sure to check your email quarantine. You will get an email each morning to notify you of quarantined emails, but you can also check manually below.

To skip straight to how to review your email quarantine, click the View your quarantined messages header below.

Every morning between 05:00 and 06:00, you will have a message that looks something like this with the subject:

Spam Notification: # New Messages

Quarantine Categories

Within this email you will see a summary of emails that have been quarantined, along with options for those messages. Emails will fall into a couple of categories:

Prevented phish messages

These are emails that have been quarantined as they appear to be impersonating a sender, but are not actually from that sender. Some examples below:

  • Someone has changed the sender name to pretend to be from someone you know or a member of staff, but the email is not actually from them.

  • The subject may contain the name of a well known company or brand, but has not actually come from them.

Some emails may be marked as Phishing emails because they contain your name in the subject. While this shouldn’t happen, you may occasionally get system emails blocked by quarantine.

Prevented spam messages

These are the more typically known type of spam, mostly consisting of sales emails, newsletters and the well known “You’ve won a million dollars!” type of email. Chances are you will not want any of these, but some emails you have signed up for may end up in this category.

Options for quarantined messages

At the bottom of each email in the quarantine you will have 3 options:

Block Sender

Does exactly what it says, future emails from this sender will be blocked and will not even go into quarantine. This can be undone from your quarantine settings. More info below.

Release

This will immediately release the email from quarantine into your inbox.

Review

This will load up your email quarantine in your web browser.

Preview a message

After clicking review, you can select a message and then click the Preview button at the top of the page to view the email before you release it

Submit incorrectly quarantined emails for review

If a legitimate email has been quarantined, when releasing make sure to select the two items highlighted below:

  1. Submit the message to Microsoft to improve detection (false positive)

  2. Allow emails with similar attributes (URL, sender, etc.)


View your quarantined messages

  1. To go directly to the Quarantine page without using the link in the email, use https://security.microsoft.com/quarantine.

  2. On the Quarantine page, you can sort the results by clicking on an available column header. Click Customize columns to change the columns that are shown. The default values are marked with an asterisk (*):

    • Time received*

      Subject*

      Sender*

      Quarantine reason*

      Release status*

      Policy type*

      Expires*

      Recipient

      Message ID

      Policy name

      Message size

      Mail direction

    When you're finished, click Apply.

  3. To filter the results, click Filter. The following filters are available in the Filters flyout that appears:

    • Message ID: The globally unique identifier of the message.

      Sender address

      Recipient address

      Subject

      Time received: Enter a Start time and End time (date).

    • Expires: Filter messages by when they will expire from quarantine:

      • Today

        Next 2 days

        Next 7 days

        Custom: Enter a Start time and End time (date).

    • Quarantine reason:

    • Release status: Any of the following values:

      • Needs review

        Approved

        Denied

        Release requested

        Released

    • Policy Type: Filter messages by policy type:

      • Anti-malware policy

        Safe Attachments policy

        Anti-phishing policy

        Anti-spam policy

    When you're finished, click Apply. To clear the filters, click  Clear filters.

  4. Use Search box and a corresponding value to find specific messages. Wildcards aren't supported. You can search by the following values:

    • Message ID

    • Sender email address

    • Recipient email address

    • Subject. Use the entire subject of the message. The search is not case-sensitive.

    • Policy name. Use the entire policy name. The search is not case-sensitive.

    After you've entered the search criteria, press ENTER to filter the results.

After you find a specific quarantined message, select the message to view details about it, and to take action on it (for example, view, release, download, or delete the message).

View quarantined message details

When you select quarantined message from the list, the following information is available in the details flyout that appears.

When you select an email message in the list, the following message details appear in the Details flyout pane:

  • Message ID: The globally unique identifier for the message.

    Sender address

    Received: The date/time when the message was received.

    Subject

    Quarantine reason

    Policy type: The type of policy. For example, Anti-spam policy.

    Recipient count

    Recipients: If the message contains multiple recipients, you need to click Preview message or View message header to see the complete list of recipients.

    Expires: The date/time when the message will be automatically and permanently deleted from quarantine.

To take action on the message, see the next section.

Take action on quarantined email

After you select a quarantined message from the list, the following actions are available in the details flyout:

 

  • Release email*: Delivers the message to your Inbox.

  • View message headers: Choose this link to see the message header text. The Message header flyout appears with the following links:

  • Copy message header: Click this link to copy the message header (all header fields) to your clipboard.

  • Microsoft Message Header Analyzer: To analysethe header fields and values in depth, click this link to go to the Message Header Analyzer. Paste the message header into the Insert the message header you would like to analysesection (CTRL+V or right-click and choose Paste), and then click analyseheaders.

The following actions are available after you click More actions:

  • Preview message: In the flyout that appears, choose one of the following tabs:

    • Source: Shows the HTML version of the message body with all links disabled.

      Plain text: Shows the message body in plain text.

  • Remove from quarantine: After you click Yes in the warning that appears, the message is immediately deleted without being sent to the original recipients.

  • Download email: In the flyout that appears, select I understand the risks from downloading this message, and then click Download to save a local copy of the message in .eml format.

  • Block sender: Add the sender to the Blocked Senders list in your mailbox. For more information, see Block a mail sender.

* This option is not available for messages that have already been released (the Released status value is Released)

If you don't release or remove the message, it will be deleted after the default quarantine retention period expires (as shown in the Expires column).

The icons in order and their corresponding descriptions are summarized in the following table:

Description

Icon

Description

Icon

Release email

View message headers

Preview message

Remove from quarantine

Block sender

Take action on multiple quarantined email messages

When you select multiple quarantined messages in the list (up to 100) by clicking in the blank area to the left of the first column, the Bulk actions drop down list appears where you can take the following actions:

  • Release messages: Delivers the messages to your Inbox.

  • Delete messages: After you click Yes in the warning that appears, the messages are immediately removed from quarantine without being sent to the original recipients.

 

Safe Senders

You can configure Outlook to automatically add people you email to your safe senders list. This way they will not be caught up with unknown senders in the quarantine.

To add people to your Safe Senders List, do the following:

  1. On the Home tab, click Junk, and then click Junk E-mail Options.

  2. On the Safe Senders tab, check the Automatically add people I e-mail to the Safe Senders List box.

Blocked Senders

Please note that any blocked senders you have configured will also be sent to quarantine under the spam category.

If you want to remove someone from the blocked senders list, follow the instructions below here: Email - Outlook (office.com)

  1. Select the address or domain you want to unblock, and select delete

  2.