Manage quarantined messages as an administrator in Office 365

As an admin, you can view, release, delete, and report false positive quarantined messages in Office 365. You can set up policies so that Office 365 filters messages and sends them to quarantine for several reasons: Because they were identified as spam, bulk, or phishing mail, or because they matched a mail flow rule.

By default, Office 365 sends phishing messages and messages containing malware directly to quarantine. Other filtered messages are sent to users' Junk Email folder unless you set up a policy to send them to quarantine.

View your organization's quarantined messages

  1. Sign in to Office 365 and go to the Security and Compliance Center.

  2. On the left, under Threat Management, choose Quarantine.

By default, messages are sorted from newest to oldest based on the Date the message was received. Sender, Subject, and Quarantine reason values are also listed for each message. You can sort on a field by clicking a header; click a column header a second time to reverse the sort order.

You can view a list of all quarantined messages, or you can search for specific messages by filtering. You can only do bulk operations on up to 100 items, so filtering can also help reduce your result set if you have more than that. You can quickly filter messages for a single quarantine reason by choosing an option from the drop-down list. Options include:

  • Mail quarantined because it contains malware

  • Mail identified as spam

  • Mail quarantined because it matched a policy set by a mail flow rule (also called transport rule)

  • Mail identified as bulk mail

  • Mail identified as phishing mail

In addition, as an admin, you can choose to filter all messages for your organization or only messages sent to you.

You can also use Search for more filtering options (see the next section in this article).

After you find a specific quarantined message, double-click the message to view details about it, and take actions, like releasing the message to someone's inbox.

Note: You must have admin permissions in Office 365 to work with quarantined messages that were sent to other users.

Use search to filter and find quarantined messages

There are often a lot of quarantined messages. To find specific messages, you can filter quarantined items based on various conditions (separately or used together) by using search.

  1. On the Quarantine page, choose Search.

  2. Choose any combination of conditions by selecting the check boxes next to them (you can't use wildcards at this time). There are several conditions you can choose, including the following:

    • Message ID Use this to select a specific message when you know the message ID.

      For example, if a specific message is sent by, or intended for, a user in your organization, but it never reached its destination, you can search for the message by using a message trace (see Run a Message trace and View Results). If you discover that the message was sent to quarantine, perhaps because it matched a mail flow rule or was identified as spam, you can then easily find this message in quarantine by specifying its Message ID. Be sure to include the full Message ID string. This might include angle brackets (<>), for example:

      <79239079-d95a-483a-aacf-e954f592a0f6@XYZPR00BM0200.contoso.com>

    • Sender email address Choose to filter by a single sender email address.

    • Recipient email address Choose to filter by a single recipient email address.

    • Subject Enter the subject of an email address you want to find.

    • Received You can select messages that were sent to quarantine within the past 24 hours (Today), within the past 48 hours (Last 2 days), within the past week (Last 7 days), or you can select a custom time interval.

    • Expires You can select messages that will be deleted from quarantine within the next 24 hours (Today), within the next 48 hours (Last 2 days), within the next week (Last 7 days), or you can select a custom time interval.

      Important: By default, spam, bulk, malware, and phishing messages are kept in quarantine for 15 days. A quarantined message that matches a mail flow rule is kept in quarantine for 7 days (you can't customize this). When Office 365 deletes a message from quarantine, you can't get it back. If you like, you can change the retention period for quarantined messages by using the Retain spam for (days) setting in your content filter policies.

    • Type Choose this condition to search for quarantined messages that have been identified as Spam, Bulk, as phishing mail (Phish), for messages that matched a mail flow or Transport rule, or that contain Malware.

  3. Choose Search to start the search. To see all the messages in quarantine again, choose Clear search.

View details for a specific message

When you double-click a quarantined message, you'll see a summary of the message properties in a pane on the right side of the page.

  • Message ID The unique identifier for the message.

  • Sender Address Who sent the message.

  • Received The date the message was received.

  • Subject The text of the Subject line for the message.

  • Type Shows if a message has been identified as Spam, Bulk, Phish, matched a Transport rule, or identified as containing Malware.

  • Expires The date when the message will be deleted from quarantine.

  • Released to All email addresses (if any) to which the message has been released.

  • Not yet released to All email addresses (if any) to which the message has not been released. You can choose Release or Release & report if you want to release the message (more about releasing messages in the next section).

You can also get even more details about the message by choosing one of the following options:

  • View message header Choose this link to see the message header text. To analyze the header in depth, copy the message header text to your clipboard, and then choose Microsoft Message Header Analyzer to go to the Remote Connectivity Analyzer (right-click and choose Open in a new tab if you don't want to leave Office 365 to complete this task).Paste the message header onto the page in the Message Header Analyzer section, and choose Analyze headers.

  • Preview message Lets you see raw or HTML versions of the message body text. In the HTML view, links are disabled.

Managing messages in quarantine

After you select a message or group of messages you have several options for managing messages in quarantine.

  • Do nothing. If you choose to do nothing, the message will be deleted by Office 365 automatically upon expiration. By default, spam, bulk, malware, and phishing messages are kept in quarantine for 15 days. A quarantined message that matches a mail flow rule is kept in quarantine for 7 days (you can't customize this). When Office 365 deletes a message from quarantine, you can't get it back. If you like, you can change the retention period for quarantined messages by using the Retain spam for (days) setting in your content filter policies.

  • Delete If you want, you can immediately delete a quarantined message (or set of messages) instead of waiting for the expiration date set by the service. To do this, select the message or messages and choose Delete.

  • Release Release a quarantined message (or set of messages) to all recipients, or only release the message to specific people whom you choose from the list of all recipients.

  • Release and report Release a quarantined message (or set of messages) and report the mail to Microsoft as a false positive.

When you're releasing messages, be aware of the following:

  • A message cannot be released more than once to the same recipient.

  • When you're releasing a message to more than one recipient, only recipients who have not previously received the message will appear in the list of potential recipients.

  • After you release a message, choose Refresh to refresh your data, and then double-click the message. You should see that the message has been released to the intended recipients.

  • When you choose to report false positives, if the message or messages you release were quarantined as spam, bulk, phishing, or as containing malware, the message will also be reported to the Microsoft Spam Analysis Team. The team will evaluate and analyze the message, and, depending on the results of the analysis, the service-wide spam content filter rules may be adjusted to allow the message through.

Connect with an expert
Contact us
Expand your skills
Explore training

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.

×