Exchange Online Protection Quarantine (Part 3)

If you would like to read the other parts in this article series please go to:

Finding and Releasing Quarantined Messages as an End User

It is now time to look at the Quarantine from an end user perspective. To start with, let us see how users can manage their own spam-quarantined messages using the spam quarantine user interface. In the next article we will see how users can manage their own spam-quarantined messages via end-user spam notifications instead.

Important:
Messages that match a transport rule (explained in a previous article) cannot be sent to the end user spam quarantine. As such, these messages can only be retrieved by an administrator.

Exchange Online Protection (EOP) and Exchange Online users can access and manage their own spam-quarantined messages via the web using the spam quarantine page in the Exchange Admin Center (EAC) by going to https://admin.protection.outlook.com/quarantine. In order to access the spam quarantine page, users must have a valid Office 365 user ID and password. EOP customers protecting on-premises mailboxes must be valid email users created via directory synchronization or through the EAC.

Image
Figure 1

As we can see, the interface is identical to the one administrators have access to. Obviously the difference is that users will only be able to see their own spam messages. Remember that a maximum of 500 messages can be displayed in the spam quarantine.

Users can also search their spam quarantine for a particular message, using criteria such as received date and subject in order to narrow down the list of messages shown:

Image
Figure 2

The following are the available conditions for end users (wildcards are not supported):

  • Sender email address – specifies the email address of the person who sent the message;
  • Subject – specifies the subject line text of the message;
  • Received – we can select that the message was received by the quarantine within the past 24 hours (Today), within the past 48 hours (Last 2 days), within the past week (Last 7 days), or we can select a custom time interval during which the message was received by the quarantine;
  • Expires – we can select that the message will be deleted from the quarantine within the next 24 hours (Today), within the next 48 hours (Next 2 days), within the next week (Next 7 days), or we can select a custom time interval during which the message will be deleted from the quarantine.

After searching for messages, the results that match the specified criteria will be displayed in the user interface.

The only differences from this search to the one administrators can run, is that end users cannot search from Message ID, Recipient (would not make sense), or Type.

Everything else is pretty much the same as from an administrator perspective.

Users can double click a message to see further details:

Image
Figure 3

From this window, users can release the message to their inbox by clicking on Release… When a message is released, the service re-scans the released message for malware but skips spam filtering:

Image
Figure 4

Users can optionally report the message as “not junk” (known as a false positive message) by clicking on Release message and report it as a false positive… The message is then released and a copy is sent to the Microsoft Spam Analysis team, who will evaluate and analyze the message. Depending on the results of the analysis, the service-wide spam content filter rules may be adjusted to allow the message through.

Image
Figure 5

Users can also view the SMTP header portion of the message details by clicking the View Message Header…:

Image
Figure 6

Image
Figure 7

Alternatively, users can simply select a message they want to release, click on the Release Message icon and choose if they wish to simply release it or release it and report is as a false positive (not junk):

Image
Figure 8

After a message gets released, it will still show in the quarantine page, which in my opinion might cause some confusion for users… Once more, unfortunately the easiest way to check if a message has already been released is to double click it and check the Released to: field (which will be blank if it has not been released) or to check if one or more of the release links are greyed out:

Image
Figure 9

It would be a great addition if Microsoft gave users the option to release and delete a message from the quarantine or an easier way to see from the main screen which messages have already been released…

End-User Spam Notifications

An alternative to use the web interface, is to configure end-user spam notifications. Enabling end-user spam notification messages lets end users self-manage their own spam-quarantined messages directly from their email client. These spam notifications contain a list of all spam-quarantined messages that the end user has received during a time period configured by the administrator. The language in which the notification message is written can also be configured.

After receiving a notification message, end users can click to release the spam email to their inbox, or report the spam email as Not Junk, in which case it will be sent to the Microsoft Spam Analysis Team.

In order to enable end-user spam notifications through the Exchange Admin Center (EAC), follow these steps:

  1. In the EAC, navigate to Protection > Content filter;
  2. Select the content filter policy for which you want to enable end-user spam notifications;
  3. In the right pane, where the summary information about your policy appears, click the Configure End-user spam notifications link:

Image
Figure 10

  1. In the next dialog box, we can configure the following options:

Image
Figure 11

a)      Enable end-user spam notifications enables end-user spam notifications for this policy;

b)      Send end-user spam notifications every (days) sets how often to send end-user spam notifications. The default is 3 days but we can specify a value between 1 and 15 days. If we specify 7 days, for example, the notification will include a list of all messages intended for that user within the past 7 days that were sent to the spam quarantine instead. In my case I prefer 1 day so that users are notified as soon as possible regarding spam (in case of any false positive);

c)       Notification language sets the language in which to write end-user spam notifications for this policy.

  1. Click save to apply the changes.

Please have in mind that end-user spam notifications will only be sent for content filter policies that are enabled and that they are only sent once per day. The delivery time of the notification cannot be guaranteed and is not configurable…

If we want to test end-user spam notifications by sending them to a limited set of users before fully implementing them, we can create a custom content filter policy that enables end-user spam notifications for the domains in which the users reside. Then, in the EAC, under Mail flow > rules, create a transport rule to block messages from [email protected] (the email address used to send notifications) with exceptions for the users who we want to receive the notifications:

Image
Figure 12

Using Spam Notifications

After enabling end-user spam notifications, users will receive a notification message that lists messages intended for their mailbox that were identified as spam and quarantined instead. This message includes the number of spam-quarantined messages listed as well as and the date and time in Universal Coordinated Time (UTC) of the last message in the list. From this list, users can view the following information about each message: sender, subject, date and size.

Users can then perform the following actions on each message (only once per message):

  • Release to Inbox: sends the message to their inbox;
  • Report as Not Junk: sends a copy of the message to Microsoft for analysis.

Image
Figure 13

Note that, similarly to the Quarantine feature, messages that are quarantined due to a transport rule match are not included in end user spam quarantined messages. Only spam-quarantined messages are listed.

Image
Figure 14

From the spam notification email, if we click on Release to Inbox, a new window opens informing the user that the emails has been released from quarantine:

Image
Figure 15

If the user tries to release the same message again, he/she is informed that it has already been released:

Image
Figure 16

Clicking on Report as Not Junk produces a similar result but with a different message:

Image
Figure 17

Trying to report the same message again is also not allowed:

Image
Figure 18

If a user tries to use the spam notification email to release an email after it has expired and been deleted from the quarantine, users will receive the following error message (which could be a bit more descriptive to be honest):

Image
Figure 19

Another improvement I would make is in regards to the second option in the spam notification email which, in my opinion, should be to both release and report a message instead of just reporting it. This would make it consistent with the options in the Quarantine (portal) and avoid the need for clicking twice when users want to both release an email and report is as a false positive…

You will also note that the Office 365 logo is not in its best resolution (none of the pictures above have been resized) for whatever reason…

Conclusion

In this part of this article series, we looked at quarantined messages from the perspective of an end user. We saw how users can manage their own spam-quarantined messages using the spam quarantine user interface and via end-user spam notifications instead.

In the next and final part we will look at how to manage quarantined messages through PowerShell.

If you would like to read the other parts in this article series please go to:

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top