Exchange Online Protection Quarantine (Part 2)

If you would like to read the other parts in this article series please go to:

Releasing Quarantined Messages as an Administrator

Now that we have found the message(s) we are interested in, we can do several things, such as checking further details about the message (recipient(s), the spam confidence level, etc.), and eventually decide whether or not to release it from the quarantine.

View Quarantined Message Details

After locating a specific quarantined message in the EAC, we can view certain details about it. In the EAC, select a specific message, and a summary of the properties of that message appears in the details pane on the right-hand side of the screen:

Figure 1

The information under message status includes:

  • Type which specifies whether the message has been identified as Spam or matched a Transport rule;
  • Expires which is the date when the message will be permanently deleted from the quarantine.

Under message details we have:

  • Sender – the email address of the person who sent the message;
  • Subject – the subject line text of the message;
  • Received – the date on which the message was received by the quarantine;
  • Size – the size of the message in kilobytes (KB) or, if the message size is greater than 999 KB, in megabytes (MB);
  • View message header – is a useful link that opens the message header dialog box, which lets us view the entire message header:

Figure 2

We can copy the message header text to the clipboard and paste it into the Message Header Analyzer tool of the Remote Connectivity Analyzer. Alternatively, we can click on the Microsoft Message Header Analyzer link which will take us directly to the Message Header Analyzer (but unfortunately without automatically copying the header text).

Since we are talking about the Message Header Analyzer tool, let us have a quick look at the header using this tool. Here, we can look at the X-Microsoft-Antispam header to check for Bulk Complaint Level (BCL) or Phishing Confidence Level (PCL), or at the X-Forefront-Antispam-Report header which is the one we are more interested in:

Figure 3

As you can see, this message header has several fields (most beyond the scope of this article), so we will just be looking at a small subset of these:

  • CIP is the connecting IP address, and the one we may want to specify when creating an IP Allow list or an IP Block list in the connection filter. In this case, looking up the 209.85.213.171 IP, we can determine that it belongs to Google and is located in America;
  • CTRY, the country from which the message connected to the service, is US which confirms our previous statement. Please note that this is determined by the connecting IP address, which may not be the same as the originating sending IP address;
  • SFV:SPM means the message was marked as spam by the content filter. If it had been marked as spam by a transport rule prior to being processed by the content filter, SFV:SKS would be present instead;
  • SCL, as already discussed, is the Spam Confidence Level. In this case it is 5, which is why the message was quarantined;
  • If SFV:BLK was present it would mean that filtering was skipped and the message was blocked because it was sent from an address on an individual’s blocked sender list. This is not present, so it is not the case here;
  • LANG specifies the language in which the message was written, pt for Portuguese in this case.
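To make the header fields above concrete, here is a small Python script that parses the X-Forefront-Antispam-Report and X-Microsoft-Antispam headers out of a raw message header and interprets SFV and SCL the way the article describes. This is an added example, not code from the original article or from Microsoft: the sample header is constructed (RFC 5737 documentation IP 192.0.2.10, placeholder hostnames and addresses), and the function names and the SFV_MEANING table are this example's own. It goes slightly beyond the text in that the same parser handles any semicolon-separated KEY:VALUE header, including values EOP folds across several lines.

```python
import email
import re

# Constructed sample, not a real captured message. The IP is an RFC 5737
# documentation address and the hostnames/addresses are placeholders; the
# field names (CIP, CTRY, LANG, SCL, SFV, BCL, PCL) are those the article
# describes. The X-Forefront-Antispam-Report value is deliberately folded
# across two lines, as EOP does for long values.
SAMPLE_HEADER = (
    "Received: from mail.example.net (192.0.2.10) by\n"
    " exchange.example.com with Microsoft SMTP Server; Mon, 1 Jan 2024 10:00:00 +0000\n"
    "From: sender@example.net\n"
    "To: user@contoso.example\n"
    "Subject: Oferta especial\n"
    "Message-ID: <constructed-id@example.net>\n"
    "X-Forefront-Antispam-Report: CIP:192.0.2.10;CTRY:US;LANG:pt;SCL:5;\n"
    " SFV:SPM;\n"
    "X-Microsoft-Antispam: BCL:0;PCL:0;\n"
    "\n"
)

# Meaning of the SFV values discussed in the article (this table is the
# example's own; only SPM, SKS and BLK are covered).
SFV_MEANING = {
    "SPM": "marked as spam by the content filter",
    "SKS": "marked as spam by a transport rule before the content filter ran",
    "BLK": "filtering skipped; sender is on the recipient's blocked sender list",
}


def parse_field_list(raw_header: str, name: str) -> dict:
    """Return the KEY:VALUE pairs of a semicolon-separated EOP header as a dict.

    The header value is unfolded first (continuation lines joined), because
    EOP folds long values across lines. Keys with an empty value are kept with
    an empty string so the caller can tell "absent" from "present but empty".
    """
    msg = email.message_from_string(raw_header)
    value = msg.get(name)
    if value is None:
        return {}
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)
    fields = {}
    for token in unfolded.split(";"):
        token = token.strip()
        if not token:
            continue
        key, _, val = token.partition(":")
        fields[key.strip().upper()] = val.strip()
    return fields


def summarize_antispam_report(raw_header: str) -> dict:
    """Pull out the fields the article discusses and explain the SFV verdict."""
    report = parse_field_list(raw_header, "X-Forefront-Antispam-Report")
    antispam = parse_field_list(raw_header, "X-Microsoft-Antispam")
    sfv = report.get("SFV", "")
    scl_text = report.get("SCL", "")
    return {
        "connecting_ip": report.get("CIP", ""),
        "country": report.get("CTRY", ""),
        "language": report.get("LANG", ""),
        # SCL may be negative (e.g. -1 for skipped filtering), so allow a sign.
        "scl": int(scl_text) if scl_text.lstrip("-").isdigit() else None,
        "sfv": sfv,
        "verdict": SFV_MEANING.get(sfv, "no SFV verdict recognised"),
        "bcl": antispam.get("BCL", ""),
        "pcl": antispam.get("PCL", ""),
    }


if __name__ == "__main__":
    for key, value in summarize_antispam_report(SAMPLE_HEADER).items():
        print(f"{key:14} {value}")
```

Paste a header copied from the View message header dialog into SAMPLE_HEADER (or read it from a file) to get the same CIP, CTRY, SFV, SCL and LANG breakdown the Message Header Analyzer shows, which is handy when triaging many quarantined items at once.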

If we double-click a quarantined message, the Quarantined Message window opens:

Figure 4

From this window we can see certain information about the message and perform certain actions, such as:

  • Message ID is the Internet Message ID (also known as the Client ID) found in the header of the message;
  • Released to lists all email addresses to which the message has been released so far, if any;
  • Not yet released to lists all email addresses to which the message has not yet been released, if any;
  • Released to… allows us to release the message to the user’s Inbox folder. Clicking on this link opens the Release Message window:

Figure 5

In this new window we have two options to release the message:

  • Release message to all recipients: when we select this option, we need to be aware that a message cannot be released more than once to the same recipient. If a recipient has previously received the message, it will not be released again to that recipient;
  • Release message to specified recipients: this option allows us to select the user or users to whom the message can be released. Because a message can only be released once to each user, only users to whom it can still be released appear in this list (multi-selection is supported).

Note that unfortunately we cannot release a message to an administrator for review, for example, unless he/she was one of the intended recipients…

  • Release message and report it as a false positive… is pretty much self-explanatory. When we click on this link a new window opens asking for confirmation to release the email and report it to Microsoft as a false positive:

Figure 6

This is not the only way of releasing or reporting a quarantined message. After locating a quarantined message in the main Quarantine window, we can perform the following actions by clicking the Release Message icon:

Figure 7

  • Release message without reporting it as a false positive… When we choose this option, we can specify to send the message to all recipients who have not yet received it, or only to specific recipients;
  • Release message and report it as a false positive… When we choose this option, the message will be released to all recipients who have not yet received it. It will also be reported to the Microsoft Spam Analysis Team, who will evaluate and analyze the message.

Important:
When a message is released, the service will re-scan the released message for malware but will skip spam filtering and transport rule processing.

Both these options will take us to the same screens we just looked at above.

If we now click the Refresh icon on the main window to refresh its data and then double-click the message we have just released, we should see that it has been released to the intended recipient(s):

Figure 8

In this window we can see that the message has already been released to at least one recipient. Before, the same recipient was listed under the Not yet released to: field.

Another big improvement that I think could be done, and that would be helpful in my opinion, would be the ability to see from the main window which messages have already been released. Or at least mention on the right pane when selecting a message if it has already been released or not. It is annoying being forced to open a message just to check if it has already been released (PowerShell makes this easier as we will see in the last article of this series)…

Conclusion

So far in this article series we explored the Quarantine feature in Exchange Online Protection and how administrators can search and release quarantined messages. In the next article, we will start looking at the quarantine from the perspective of an end user.
