Generally, quarantine holds potentially dangerous or unwanted messages that were detected by Defender for Office 365.
Admins can view, release, and delete all types of quarantined messages and files for all users.
Admins and also users (depending on the user reported settings for the organization) can report false positives to Microsoft from quarantine.
How to view quarantined email from Microsoft 365 portal
1) From your admin portal login to Email tab on the Quarantine page by accessing to https://security.microsoft.com/quarantine?viewid=Email
2) On the Email tab, you can decrease the vertical spacing in the list by clicking Change list spacing to compact or normal and then selecting Compact list.
3) You can sort the results by clicking on an available column header. Click Customize columns to change the columns that are shown. The default values are marked with an asterisk (*):
- Time received *
- Subject *
- Sender *
- Quarantine reason *
- Release status *
- Policy type *
- Expires *
- Recipient *
- Message ID
- Policy name
- Message size
- Mail direction
- Recipient tag
4) To filter the results, click Filter. The following filters are available in the Filters flyout that opens:
Message ID: The globally unique identifier of the message.
For example, you used message trace to look for a message, and you determine that the message was quarantined instead of delivered. Be sure to include the full message ID value, which might include angle brackets (<>). For example:
<79239079-d95a-483a-aacf-e954f592a0f6@XYZPR00BM0200.domain.com>
.Sender address
Recipient address
Subject
Time received:
- Last 24 hours
- Last 7 days
- Last 14 days
- Last 30 days (default)
- Custom: Enter a Start time and End time (date).
Expires: Filter messages by when they expire from quarantine:
- Today
- Next 2 days
- Next 7 days
- Custom: Enter a Start time and End time (date).
Recipient tag
Quarantine reason:
- Transport rule (mail flow rule)
- Bulk
- Spam
- Data loss prevention
- Malware: Anti-malware policies in EOP or Safe Attachments policies in Defender for Office 365. The Policy Type value indicates which feature was used.
- Phishing: The spam filter verdict was Phishing or anti-phishing protection quarantined the message (spoof settings or impersonation protection).
- High confidence phishing
Recipient: All users or Only me. End users can only manage quarantined messages sent to them.
Release status: Any of the following values:
- Needs review
- Approved
- Denied
- Release requested
- Released
- Preparing to release
- Error
Policy Type: Filter messages by policy type:
- Anti-malware policy
- Safe Attachments policy
- Anti-phishing policy
- Anti-spam policy
- Transport rule (mail flow rule)
- Data loss prevention rule
5) When you're finished on the Filters flyout, click Apply. To clear the filters, click Clear filters.
Use the Search box and a corresponding value to find specific messages. Wildcards aren't supported. You can search by the following values:
- Sender email address
- Subject. Use the entire subject of the message. The search isn't case-sensitive.
6) After you've entered the search criteria, press the enter ENTER key to filter the results.
After you find a specific quarantined message, select the message to view details about it and to take action on it (for example, view, release, download, or delete the message).