Understanding Email Quarantine from the point of view of an end user.
What is Email Quarantine?
Email quarantine is like a safety net for your inbox. When you receive an email, it goes through a security check. If the system thinks the email might be suspicious or harmful, it doesn’t go straight to your inbox. Instead, it gets placed in a special holding area called “quarantine.”
The system scans for things like viruses, phishing attempts, or spam. If an email looks risky, it gets held back for further inspection. You can review these quarantined emails and decide if they are safe to open or if they should be deleted.
Spam emails are not normally sent to quarantine; rather, it is the riskier ones, such as phishing emails or those containing malware (macros, scripts and other dangerous attachments), that are typically quarantined.
Why it’s important to have Email Quarantine
The email quarantine process helps protect you and your company from potential threats by ensuring that only safe and legitimate emails reach your inbox. Remember, though, that no system is ever 100% safe: scams and phishing emails will still get through from time to time, so keep your wits about you and think before you click 😊.
Having appropriate anti-phishing, anti-spam and anti-malware policies reduces the rubbish in your inbox and improves your overall security posture.
How to work with your Microsoft Email Quarantine
TIP: Receiving email quarantine notifications is an important part of the process, but it should not take much of your time. We would contend that if you spend more than 30 seconds on a quarantine email then you are doing something wrong, so remember:
- Only Review emails that are likely to be legitimate business emails that have been falsely classified
- Never Block Senders or delete emails in quarantine
- Only request release when you are sure the email is legitimate (if in doubt please use Review Message)
Your admin (likely us) will have set up email notifications to inform you that you have emails caught in quarantine. The default is for these notifications to be sent to you within 4 hours of the emails being quarantined, but you don’t have to wait 4 hours if you have bookmarked your Quarantine page.
Please take a few minutes to inspect the email quarantine notifications you receive. They will all follow a familiar look and feel and should look a bit like the one shown below.
If you notice a change to the format or logo, or something doesn’t feel right, be cautious and ask for a second opinion, perhaps from a work colleague or your IT support. If you are asking colleagues, check the layout of their notifications: they will not differ across the organisation, so if yours is different from the others it is likely a fake that slipped through.
TIP: We recommend you bookmark the Quarantine page link: https://security.microsoft.com/quarantine
Your quarantine page allows you to preview the email message or inspect other emails which may not have been reported to you yet.
You have 3 Options for interacting with the Quarantine email:
- Review Message: You can easily check/preview a message caught in quarantine using the Review Message option. To see if it’s worth your time, consider the subject and the sender address, as those will often be a giveaway, or review the message content, which takes just a few seconds.
- Request Release: You will get to know various senders and subjects, and if you are expecting these and for some reason they are quarantined then please use Request Release. When you request release it takes human intervention to release your email; it is not automatic and it generates a support ticket for your IT admins.
We all know that emails claiming to be URGENT are normally scams, or at least deserve a second look and extra caution, but from time to time there will be an email that you need prompt action on. If it is time sensitive and important you can call us to expedite your release and we will do our best to get to it sooner. The best number to call is the one on our website.
- Block Sender: Blocking a sender may feel satisfying and on the surface may seem like a good course of action; however, with many scams and spam the email is coming to you from a randomly generated email address.
The example shown above from sarahwalker7574@gmail.com is a classic case. Sure, you can block sarahwalker7574@gmail.com, but the same engine that pumped out that junk will send it next time from sarahwalker7577@gmail.com or sarahwalker6888@gmail.com and so on, so we recommend you don’t use the Block Sender option. Quarantined emails age out after 30 days anyway and are permanently destroyed automatically.
What about One Time Passcodes (OTP)?
The use of OTP codes via email is diminishing in favour of more secure methods but they still happen.
OTP codes are often caught in quarantine. By their nature they normally have a short validity period, and you are usually waiting for them to arrive to complete a login to a website or system. Once the system advises that the code has been sent, take these steps if you have not received the OTP code email within 3 minutes:
- Check your inbox
- Check your junk email folder
- Check your Email Quarantine via the https://security.microsoft.com/quarantine link mentioned above.
- If you find the OTP code in your Email Quarantine then preview it to see the code, there’s no need to request it be released.
Can I do anything else to help?
You sure can, every little bit helps. When you receive an email in your inbox that should not have gone there (perhaps a spam or phishing email slipped through), you can use the Report Message button on the message toolbar to flag it as Phishing or Junk, and if it’s in your junk mail folder you can also flag it as Not Junk.
The Report Message Outlook Add-in is a tool that helps you manage suspicious emails directly from your Outlook inbox.
How It Works:
- Installation: The add-in can be installed by your IT team or by yourself from the Microsoft AppSource.
- Usage: When you receive an email that looks suspicious, you can use the add-in to report it. You’ll see options to report the email as junk, phishing, or not junk.
- Submission: Once you report an email, it gets sent to Microsoft for analysis. This helps improve the overall email security by refining the filters that detect spam and phishing attempts.
Benefits:
- Improved Security: By reporting suspicious emails, you help Microsoft enhance its security measures, making it harder for malicious emails to reach your inbox.
- User-Friendly: The add-in is easy to use, with simple options to report emails, making it accessible even for those without technical skills.
- Feedback Loop: Your reports contribute to a feedback loop that helps protect not just you, but all users in your organization by improving the detection of harmful emails.
Using the Report Message Add-in is a proactive way to contribute to your organization’s email security.
Why we don’t whitelist or bypass Quarantine
While whitelisting and bypassing quarantine might seem like convenient solutions, they significantly increase the risk of cyber threats and can compromise the overall security posture of a business. It’s crucial to balance email deliverability with robust security measures to protect against these risks.
Whitelisting Senders?
Whitelisting senders and sender domains increases the security risk to a business:
- Bypassing Security Protocols: Whitelisting allows emails from certain senders or domains to bypass spam filters and other security measures. This means that if a whitelisted sender’s account is compromised, malicious emails can easily reach your inbox.
- Susceptibility to Spoofing: Attackers can spoof the email addresses of whitelisted senders. If an attacker successfully spoofs a whitelisted address, their malicious email will bypass security filters and land directly in the recipient’s inbox.
- Compromised Senders: Even legitimate senders can be compromised. If a whitelisted sender’s system is hacked, they might unknowingly send out malware or phishing emails, which your system will not block due to the whitelist.
- Difficulty in Monitoring: The more senders you whitelist, the harder it becomes to monitor and manage these exceptions. This increased complexity can make it difficult to identify and respond to potential threats.
- Permanence of Whitelisting: Whitelisting is often seen as a permanent solution, but relationships with senders can change. If not regularly updated, you might be allowing potentially harmful emails from former contacts.
Bypassing Email Quarantine
Bypassing email quarantine poses significant risks:
- Exposure to Malicious Content: Quarantine is designed to hold potentially dangerous emails, such as those containing malware or phishing links. Bypassing quarantine means these threats can reach users’ inboxes, increasing the risk of a security breach.
- Reduced Effectiveness of Security Measures: Quarantine is a critical part of an organisation’s email security strategy. It allows security teams to review and analyse suspicious emails before they reach end users. Bypassing this step undermines the effectiveness of these security measures.
- Increased Risk of Data Breaches: Allowing potentially harmful emails to bypass quarantine can lead to data breaches, as malicious actors gain access to sensitive information.
- Compromised User Trust: If users receive harmful emails that should have been quarantined, it can erode trust in the organisation’s ability to protect their data and communications.
FAQ
Over time we will add to this FAQ.
Why do emails from my personal email account get quarantined?
Added: March 9, 2025
When you send emails from your personal email account to your work email account you should expect the system to intercept them, and it is quite likely it will quarantine them.
The most common reason they get quarantined is that this is seen as an impersonation attempt. In other words the system is protecting your work identity from being impersonated by a third party.
Impersonation is when the sender of an email message looks similar to a real or expected sender’s email address. Attackers often use impersonated sender email addresses in phishing or other types of attacks to gain the trust of the recipient.
Here’s an example:
- Brian Citizen works for Southwind; his email is brianc@southwind.com, and Brian also has a Gmail account, brian.citizen23@gmail.com.
- Brian sends an email to work from his home email with some info he may require the next day.
- When Brian gets to work, the email from his home account is not there, but it shows in his Email Quarantine, so he has to request it be released.
- In this case the spam and phishing filters have compared Brian’s personal identity to his work identity, deemed it an impersonation attempt, and quarantined the email to protect Brian’s work identity from abuse or misuse. The system uses many metrics to compare and identify impersonation attempts, including but not limited to display names, first names, last names and email aliases.
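To make the Brian example concrete, here is a small, added illustration of the kind of identity comparison described above. It is not Microsoft’s algorithm or any Defender for Office 365 code; it is a simplified heuristic written for this page that compares the display name and name parts of an external sender against a protected internal user, using the page’s sample addresses as constructed data.

```python
import re
from dataclasses import dataclass

# Constructed sample data mirroring the page's example; not real accounts.
INTERNAL_DOMAINS = {"southwind.com"}


@dataclass(frozen=True)
class Identity:
    display_name: str
    address: str
    aliases: tuple = ()  # other addresses this person is known by


def name_tokens(identity: Identity) -> set:
    """Lower-case name parts from the display name and the local part of each
    address, e.g. 'brian.citizen23@gmail.com' -> {'brian', 'citizen'}."""
    sources = [identity.display_name]
    sources += [a.split("@", 1)[0] for a in (identity.address, *identity.aliases)]
    tokens = set()
    for s in sources:
        tokens.update(t for t in re.split(r"[^a-z]+", s.lower()) if len(t) >= 3)
    return tokens


def impersonation_reasons(sender: Identity, protected: Identity) -> list:
    """Reasons an external sender resembles a protected internal user.
    An empty list means this heuristic sees no impersonation."""
    if sender.address.split("@", 1)[1].lower() in INTERNAL_DOMAINS:
        return []  # genuinely internal mail is not compared by this check
    reasons = []
    if sender.display_name.strip().lower() == protected.display_name.strip().lower():
        reasons.append("display name identical to protected user")
    shared = name_tokens(sender) & name_tokens(protected)
    if shared:
        reasons.append("shares name parts %s with protected user" % sorted(shared))
    return reasons


def quarantine_verdict(sender: Identity, protected_users: list) -> tuple:
    """(should_quarantine, matched_protected_address, reasons) for the first match."""
    for user in protected_users:
        reasons = impersonation_reasons(sender, user)
        if reasons:
            return True, user.address, reasons
    return False, None, []


# The page's example: Brian mails his work account from his personal Gmail.
BRIAN_WORK = Identity("Brian Citizen", "brianc@southwind.com")
BRIAN_HOME = Identity("Brian Citizen", "brian.citizen23@gmail.com")
UNRELATED = Identity("Sarah Walker", "sarahwalker7574@gmail.com")

if __name__ == "__main__":
    print(quarantine_verdict(BRIAN_HOME, [BRIAN_WORK]))  # flagged: name parts match
    print(quarantine_verdict(UNRELATED, [BRIAN_WORK]))   # not flagged: nothing shared
```

Brian’s home address is flagged because both the display name and the name parts "brian" and "citizen" match his work identity, while an unrelated external sender shares nothing and passes this check.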
How could Brian have handled this differently to avoid the frustration?
Brian could simply have opened his Gmail at work directly on the Gmail webmail page, then downloaded the attachments and copied the content for use when he needed it. The same works for other personal email providers; almost all of them have webmail.
You can read more about Impersonation insight in Defender for Office 365 here: Impersonation insight – Microsoft Defender for Office 365 | Microsoft Learn