Quarantine
Manage quarantined email messages that have been intercepted by Exchange Online Protection (EOP) and Microsoft Defender for Office 365. Quarantine holds suspicious messages for review before delivery or deletion.
Note: Quarantine policies control what actions users can take on their own quarantined messages. High-confidence phishing is always admin-only.
Quarantine Dashboard
| Metric | Description |
|---|---|
| Total Quarantined | Messages currently in quarantine |
| Spam | Messages quarantined as spam |
| Phishing | Messages quarantined as phishing |
| Malware | Messages quarantined as malware |
| Bulk | Bulk email in quarantine |
| Policy-Based | Messages quarantined by transport rules |
Quarantine Reasons
Spam
Messages identified as spam by content filtering. Users may be able to release these depending on quarantine policy.
High Confidence Spam
Clear spam indicators. Recommended to keep quarantined. Users may release if policy allows.
Phishing
Suspected phishing based on URL or content analysis. Users may release depending on policy.
High Confidence Phishing
Definite phishing attempt. Admin-only release. Users cannot view or release these messages.
Malware
Messages containing malicious attachments or content. Admin-only release. Retained for 15 days.
Safe Attachments
Messages blocked by Microsoft Defender for Office 365 Safe Attachments detonation.
Transport Rule
Messages quarantined by a mail flow rule action.
Managing Quarantine
Admin Actions
- Release — Deliver message to recipient’s mailbox
- Release and report — Deliver and report as false positive to Microsoft
- Preview — View message content without releasing
- Delete — Permanently remove from quarantine
- Download — Export message as .eml file for analysis
User Actions (if allowed by policy)
- Request release — Ask admin to review and release
- Release — Deliver to own mailbox (spam only, if policy allows)
- Block sender — Add sender to personal block list
- Delete — Remove from personal quarantine view
Quarantine Notifications
Configure quarantine notification emails sent to users:
- Frequency — Daily or every 3 days
- Content — List of quarantined messages with subject and sender
- Actions — Quick links to review, release, or block
- Scope — Spam and phishing notifications (not malware)
Retention
- Quarantined messages are retained for 30 days by default
- Malware messages are retained for 15 days
- Messages are automatically deleted after the retention period
- Retention cannot be extended
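The retention periods and admin-only reasons described above can drive a daily review queue that surfaces messages closest to automatic deletion. This is an added example, not code from this product; the record fields (`id`, `reason`, `received`) and the sample messages are assumptions constructed for illustration, since this page does not show the API's response format.

```python
from datetime import datetime, timedelta, timezone

# Retention and release rules as stated on this page.
DEFAULT_RETENTION_DAYS = 30
MALWARE_RETENTION_DAYS = 15  # only the Malware reason has the shorter period
ADMIN_ONLY_REASONS = {"High Confidence Phishing", "Malware"}

# Constructed sample records; field names are assumptions, not the API's schema.
SAMPLE_MESSAGES = [
    {"id": "msg-001", "reason": "Spam", "received": "2024-05-01T08:00:00+00:00"},
    {"id": "msg-002", "reason": "Malware", "received": "2024-05-10T09:30:00+00:00"},
    {"id": "msg-003", "reason": "High Confidence Phishing", "received": "2024-05-20T12:00:00+00:00"},
    {"id": "msg-004", "reason": "Phishing", "received": "2024-04-28T16:45:00+00:00"},
]


def expires_at(message):
    """Return when the message is auto-deleted under the retention rules."""
    days = MALWARE_RETENTION_DAYS if message["reason"] == "Malware" else DEFAULT_RETENTION_DAYS
    return datetime.fromisoformat(message["received"]) + timedelta(days=days)


def review_queue(messages, now, warn_days=3):
    """Order messages by time left in quarantine and flag what needs attention."""
    queue = []
    for message in messages:
        remaining = expires_at(message) - now
        if remaining <= timedelta(0):
            continue  # already past retention, nothing left to review
        queue.append({
            "id": message["id"],
            "reason": message["reason"],
            "admin_only": message["reason"] in ADMIN_ONLY_REASONS,
            "days_left": remaining.days,
            "expiring_soon": remaining <= timedelta(days=warn_days),
        })
    return sorted(queue, key=lambda item: item["days_left"])


if __name__ == "__main__":
    now = datetime(2024, 5, 24, 0, 0, tzinfo=timezone.utc)  # fixed clock for the sample
    for item in review_queue(SAMPLE_MESSAGES, now):
        print(item)
```

Because retention cannot be extended, anything flagged `expiring_soon` that still needs analysis should be downloaded as an .eml file before it is deleted.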
Best Practices
- Review quarantine daily — Check for false positives that need releasing.
- Configure user notifications — Let users know about quarantined messages.
- Restrict phishing release — Only admins should release phishing messages.
- Report false positives — Submit incorrectly quarantined messages to improve filters.
API Reference
| Endpoint | Description |
|---|---|
| GET /api/exchange/quarantine | List quarantined messages |
| POST /api/exchange/quarantine/:id/release | Release message from quarantine |
| DELETE /api/exchange/quarantine/:id | Delete quarantined message |
| GET /api/exchange/quarantine/summary | Get quarantine statistics |