Find and release quarantined messages as an administrator

As an admin, you can view, release, and report on quarantined messages in Office 365. You can set up policies so that Office 365 filters messages and sends them to quarantine for several reasons: Because they were identified as spam, bulk, or phishing mail, or because they matched a transport rule.

By default, phishing messages are sent to quarantine. Other filtered messages are sent to users' Junk Email folder unless you set up a policy to send them to quarantine.

Note: We’re rolling out Quarantine for the Security & Compliance Center, so you might not see it yet. If that's the case, use Quarantine in the Exchange Admin Center instead. See Quarantine content on Technet

View your organization's quarantined messages

  1. Sign in to Office 365 and go to the Security and Compliance Center.

  2. On the left, under Search & Investigation, choose Quarantine.

By default, messages are sorted from newest to oldest on the Received field. Sender, Subject, and Type values are also listed for each message. You can sort on a field by clicking a header; click a column header a second time to reverse the sort order.

You can view a list of all quarantined messages, or you can search for specific messages by filtering. You can only do bulk operations on up to 500 items, so filtering can also help reduce your result set if you have more than that. You can create a quick filter of messages by quarantine type or transport rule by choosing an option in the Filters drop-down list. Or use Advanced Search for more filtering options (see the next section in this article).

After you find a specific quarantined message, double-click the message to view details about it, and take actions, like releasing the message to someone's inbox.

Or select one or more messages, and then choose an action from the Actions drop-down list.

Note: You must have admin permissions in Office 365 to work with messages that are quarantined for other users.

Use advanced search to filter and find quarantined messages

There are often a lot of quarantined messages. To find specific messages, you can filter quarantined items based on various conditions (separately or used together) by using advanced search.

  1. On the Quarantined emails page, choose Advanced Search.

  2. Choose any combination of conditions by selecting the check boxes next to them (note that you can't use wildcards at this time). There are several conditions you can choose, including the following:

    • Message ID Use this to select a specific message when you know the message ID.

      For example, if a specific message is sent by, or intended for, a user in your organization, but it never reached its destination, you can search for the message by using a message trace (see Run a Message trace and View Results). If you discover that the message was sent to the quarantine, perhaps because it matched a rule or was identified as spam, you can then easily find this message in the quarantine by specifying its Message ID. Be sure to include the full Message ID string. This might include angle brackets (<>).

    • Received You can select messages that were sent to quarantine within the past 24 hours (Today), within the past 48 hours (Last 2 days), within the past week (Last 7 days), or you can select a custom time interval.

    • Expires You can select messages that will be deleted from quarantine within the past 24 hours (Today), within the past 48 hours (Last 2 days), within the past week (Last 7 days), or you can select a custom time interval.

      Important: By default, spam, bulk, and phishing quarantined messages are kept in quarantine for 15 days. Quarantined messages that matched a transport rule are kept in quarantine for 7 days (you can't customize this). When Office 365 deletes the messages from quarantine, you can't get them back. If you like, you can change the retention period for quarantined messages by using the Retain spam for (days) setting in your content filter policies.

    • Type Choose this condition to search for quarantined messages that have been identified as Spam, Bulk, or Phish, or for messages that matched a Transport rule.

  3. Choose Search to start the search. (To see all the messages in quarantine again, just clear the check boxes in the Advanced search window.)

View details for a specific message

When you double-click a message, you'll see a summary of the message properties in a pane on the right side of the page.

  • Message ID The unique identifier for the message.

  • Sender Address Who sent the message.

  • Received The intended recipient of the message.

  • Subject The text of the Subject line for the message.

  • Type Shows if a message has been identified as Spam, Bulk, or Phish, or matched a Transport rule.

  • Expires The date when the message will be deleted from quarantine.

  • Released to All email addresses (if any) to which the message has been released.

  • Not yet released to All email addresses (if any) to which the message has not been released. You can choose Release to if you want to release the message (more about releasing messages in the next section).

You can also get even more details about the message by choosing one of the following options:

  • Preview message Lets you see raw or HTML versions of the message body text. In the HTML view, links are disabled.

  • View message header Choose this link to see the message header text. To analyze the header in depth, copy the message header text to your clipboard, and then choose Microsoft Message Header Analyzer to go to the Remote Connectivity Analyzer (right-click and choose Open in a new tab if you don't want to leave Office 365 to complete this task). Paste the message header onto the page in the Message Header Analyzer section, and choose Analyze headers.

Release messages from quarantine

After you select a message or group of messages and double-click to open the Message Details pane, you'll see two main options for releasing messages from quarantine.

  1. Release Release a quarantined message (or set of messages) without allowing all future messages from the sender.

  2. Release and add to allow list Release a quarantined message (or set of messages) and allow future messages from the sender.

Then, for each of these, you can also choose one or more of the following:

  1. Release the message to all recipients, or only release the message to specific people whom you choose from the list of all recipients.

  2. Report the mail to Microsoft as a false positive.

When you're releasing messages, be aware of the following:

  • A message cannot be released more than once to the same recipient.

  • When you're releasing a message to more than one recipient, only recipients who have not previously received the message will appear in the list of potential recipients.

  • After you release a message, choose Refresh to refresh your data, and then double-click the message. You should see that the message has been released to the intended recipients.

  • When you choose to report false positives, if the message or messages you release were quarantined as spam, bulk, or phish, the message will also be reported to the Microsoft Spam Analysis Team. The team will evaluate and analyze the message, and, depending on the results of the analysis, the service-wide spam content filter rules may be adjusted to allow the message through.

Share Facebook Facebook Twitter Twitter Email Email

Was this information helpful?

Great! Any other feedback?

How can we improve it?

Thank you for your feedback!

×