Exchange Online Protection Quarantine (Part 1)

Introduction

A decade ago, Bill Gates predicted a spam-free world by 2006. Although we are seeing a small decline in spam, this is unfortunately far from coming true… Exchange Online Protection (EOP) does a great job, in my opinion, at filtering out obvious spam. According to the latest figures from Microsoft, EOP blocks ten million spam messages every single minute on average. 10 million! That is an impressive number. However, every day attackers around the world come up with new techniques to fool spam detection engines. Threats take different forms, such as an unidentified spam campaign, unknown malware or a completely new virus. This means that a small percentage (around 3%) of email that is likely to be spam still comes through and is sent to users’ Junk E-mail folder. Users obviously do not want spam in their inboxes, but they often have to review this folder to make sure no good messages (false positives) are mixed in with the bad.

EOP provides two main methods of handling spam detected by its content filters. Administrators can configure it so that spam is sent to the Junk E-mail folder in Outlook and Outlook Web App (OWA), which is the default option, or so that spam is directed into a web-based quarantine.

Sending spam to the Junk folder is the most common choice, as that is what users have been used to for many years. From experience I have also noticed that this is partly because not everyone is aware of the quarantine feature. On the other hand, some customers have non-Exchange email systems that do not support the Junk E-mail folder approach, have a third-party filtering system that sends spam reports to users, or simply prefer the spam quarantine.

Since EOP was launched it has supported a spam quarantine, but initially only administrators had access to it, through the Exchange Admin Center, and only they were able to release spam messages… For some time now, however, administrators have been able to configure EOP to give users self-service management of spam-quarantined messages. So let us have a look at how this works and how we can configure it.

Enabling Quarantine

As I already mentioned, the standard method of dealing with spam messages in EOP is to place them in users’ Junk E-mail folders. This behavior can be changed so that all spam messages are placed in quarantine instead. Users then get notified when an email is quarantined and have the option to release it if they want to.

First, we need to change the standard setting for spam delivery. To do this, we navigate to the Exchange Online Admin Center, then click protection and then content filter. Here we can see what the spam detection response is and whether user spam notifications are enabled:

Figure 1

To change this behavior, double click on the Default content filter policy, or the policy you wish to update. Remember that you can create additional policies and apply them to different users, groups or entire domains.

In the edit anti-spam policy window, click on spam and bulk email actions:

Figure 2

We can see that by default all spam is being placed in the Junk folder. We can change the setting by clicking the dropdown box and choosing a new option, Quarantine message in this case:

Figure 3

You will notice that we can have a separate setting for high confidence spam. When an email goes through spam filtering it is assigned a spam score, which is mapped to a Spam Confidence Level (SCL) rating and stamped in an X-header. EOP then takes action depending on how that SCL rating is interpreted. The different SCL ratings and how the filters interpret them are as follows:

  • -1: Not spam, because the message came from a safe sender, safe recipient or safe-listed IP address (trusted partner). The message is delivered to the recipient’s inbox;
  • 0 or 1: Not spam, because the message was scanned and determined to be clean. The message is delivered to the recipient’s inbox;
  • 5 or 6: Spam. The message is considered suspected spam and is delivered to the recipient’s Junk E-mail folder or quarantined;
  • 9: High confidence spam. The message is considered certain spam and is delivered to the recipient’s Junk E-mail folder or quarantined.

It might seem odd that SCL ratings of 2, 3, 4, 7, and 8 are not used by EOP. One of the reasons some SCL ratings are left unused by the service is that this keeps them available to administrators, who can assign them to messages that match specific conditions by using Transport rules.

Another thing you might notice is that quarantined spam can only be kept for a maximum of 15 days:

Figure 4

To be honest, I find 15 days too low and I am hoping this will be increased to at least 30 days. After all, it is not that uncommon for employees to go on a 3-week holiday, for example…

Please note that spam-quarantined messages are kept in the quarantine for 15 days by default, while quarantined messages that matched a transport rule are kept in the quarantine for 7 days. After this period of time the messages are deleted and are not retrievable. While the retention period for spam-quarantined messages can be lowered via the Retain spam for (days) setting above, the retention period for quarantined messages that matched a transport rule is not configurable.

Important:
Also, please note that messages quarantined by transport rules are only visible in the administrator’s quarantine. End users will not see these messages even if they were addressed to them! The end user quarantine is for spam only.
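The same policy change made above through the EAC, as an added example using the Exchange Online PowerShell cmdlets for content filter policies; this is not code from the article and assumes an existing Exchange Online PowerShell session with permission to edit anti-spam policies. The policy name is a parameter, since the article notes you can have several policies scoped to different users, groups or domains.

```powershell
# Added example (not from the article). Assumes Connect-ExchangeOnline has
# already been run in this session.
param(
    # The content filter policy to update; 'Default' is the one shown in Figure 1.
    [string]$PolicyName = 'Default'
)

# Show the current spam actions and retention before changing anything.
# MoveToJmf means "move to the Junk E-mail folder", the default described above.
Get-HostedContentFilterPolicy -Identity $PolicyName |
    Select-Object Name, SpamAction, HighConfidenceSpamAction,
                  QuarantineRetentionPeriod, EnableEndUserSpamNotifications

# Send both spam and high confidence spam to the quarantine instead of the
# Junk E-mail folder, keep quarantined spam for the 15-day maximum the article
# describes, and turn on the end-user notifications the article mentions.
Set-HostedContentFilterPolicy -Identity $PolicyName `
    -SpamAction Quarantine `
    -HighConfidenceSpamAction Quarantine `
    -QuarantineRetentionPeriod 15 `
    -EnableEndUserSpamNotifications $true

# Re-read the policy to confirm the change took effect.
Get-HostedContentFilterPolicy -Identity $PolicyName |
    Select-Object Name, SpamAction, HighConfidenceSpamAction,
                  QuarantineRetentionPeriod, EnableEndUserSpamNotifications
```

Messages quarantined by a transport rule are unaffected by QuarantineRetentionPeriod; as the note above says, their 7-day retention is not configurable.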

Now that we have our Quarantine enabled, let us see how we can use it both from an administrator and end user perspective.

Finding Quarantined Messages as an Administrator

Now that Quarantine is being used, let us have a look at how we, as an administrator, can find, release and report quarantined messages. These messages were sent to the quarantine either because they were identified as spam or they matched a transport rule.

To access the Quarantine, navigate to the Exchange Online Admin Center, then click protection and then quarantine:

Figure 5

By default, a maximum of 500 quarantined messages can be displayed and there is no “next page” button… These are sorted from newest to oldest based on the RECEIVED field. SENDER, SUBJECT, and EXPIRES values are also listed for each message (we can sort on any of these fields by clicking their headers).

We can view a list of all quarantined messages, or we can search for specific messages by specifying filter criteria (this is also useful in cases where we have more than 500 messages). After searching for and locating a specific quarantined message, we can check further details about the message as we will shortly see. We can also release the message and report it to the Microsoft Spam Analysis Team as a false positive (not junk).

One thing I personally find lacking in this pane is the ability to add a TO or RECIPIENT column to the Quarantine. As it stands, the only way to check all spam messages a particular user received is by using the advanced search, as we will see next.

Filtering and Locating Quarantined Messages

As already mentioned, we can filter quarantined items based on several different conditions using advanced search. We can use these conditions separately or in combination with one another. The search will provide a list of messages that meet all your filter criteria.

  1. In the EAC, navigate to protection > quarantine and then click advanced search:

Figure 6

  2. In the advanced search window, select any combination of the following conditions (note that wildcards are not supported):
    • Message ID – we can use this parameter to perform a targeted search for a specific message. For example, if a specific message is sent by, or intended for, a user in the organization, but it never reaches its destination, we can search for the message using the message trace feature. If we discover the message was sent to the quarantine, we can then easily find it in the quarantine by specifying its full Message ID (including the angle brackets <>);
    • Sender email address – specify the email address of the person who sent the message;
    • Recipient email address – specify the email address of the intended recipient of the message;
    • Subject – specify the subject line text of the message (note that only messages with the exact subject we specify will be listed);
    • Received – we can select that the message was received by the quarantine within the past 24 hours (Today), within the past 48 hours (Last 2 days), within the past week (Last 7 days), or we can select a custom time interval during which the message was received by the quarantine;
    • Expires – we can select that the message will be deleted from the quarantine within the next 24 hours (Today), within the next 48 hours (Next 2 days), within the next week (Next 7 days), or we can select a custom time interval during which the message will be deleted from the quarantine;
    • Type – we can specify whether to search for quarantined messages that have been identified as Spam, or whether to search for messages that matched a Transport rule.
  3. Click OK to start running the advanced search;
  4. To clear your search criteria and view all messages in the quarantine, clear all the check boxes in the advanced search window and then click OK.

After searching for messages, the results that match your specified criteria will display in the user interface.
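The advanced search above has two limits the article points out: the pane shows at most 500 messages with no next page, and it has no recipient column. As an added example (not from the article), the following uses Get-QuarantineMessage from Exchange Online PowerShell to run the same Recipient, Type and Received filters, page through every result, and list the recipient alongside the columns the pane shows. It assumes an existing Exchange Online PowerShell session; the recipient address and day count are placeholders.

```powershell
# Added example (not from the article). Assumes Connect-ExchangeOnline has
# already been run in this session.
param(
    # Placeholder mailbox whose quarantined spam we want to review.
    [string]$Recipient = 'user@contoso.example',
    # How far back to look; 7 matches the pane's "Last 7 days" filter.
    [int]$Days = 7
)

$since = (Get-Date).AddDays(-$Days)
$page  = 1
$all   = @()

# The EAC stops at 500 rows with no paging. The cmdlet pages explicitly,
# so keep requesting pages until one comes back empty.
do {
    $batch = @(Get-QuarantineMessage -RecipientAddress $Recipient `
                   -Type Spam `
                   -StartReceivedDate $since `
                   -PageSize 100 -Page $page)
    $all  += $batch
    $page++
} while ($batch.Count -gt 0)

"$($all.Count) spam-quarantined message(s) for $Recipient since $since"

# Same columns as the quarantine pane (RECEIVED, SENDER, SUBJECT, EXPIRES),
# newest first, plus the recipient column the pane does not offer.
$all | Sort-Object ReceivedTime -Descending |
    Select-Object ReceivedTime, SenderAddress, RecipientAddress, Subject, Expires |
    Format-Table -AutoSize

# Equivalent of the "Expires: Next 2 days" filter: anything about to be
# deleted and no longer retrievable, which is what a user on leave would miss.
$all | Where-Object { $_.Expires -le (Get-Date).AddDays(2) } |
    Select-Object ReceivedTime, SenderAddress, Subject, Expires |
    Format-Table -AutoSize
```

Swap -Type Spam for -Type TransportRule to list messages quarantined by a transport rule, which the note above says end users never see in their own quarantine.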

Conclusion

In the first part of this article series, we had a look at the Quarantine feature of Exchange Online Protection. We saw what it is, how to enable it and how administrators can search for and find quarantined emails. In the next part, we will look at how administrators can release quarantined emails and report them as false positives if necessary.

1 thought on “Exchange Online Protection Quarantine (Part 1)”

  1. Microsoft's whole approach to spam/BAD mail prevention is lacking in both ease of use and features. Sending mail to online quarantine does not give the end users the ability to whitelist good mail. This must be done from another interface. (that makes sense). If your login and primary email address are different you will not be able to release any of the messages in the quarantine. The administrator can but end user boxes can not. Seems the best approach is to send mail to junk folder and manage from outlook or better option purchase third party services to do what Microsoft can not.
