Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Tip
Did you know you can try the features in Microsoft Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms on Try Microsoft Defender for Office 365.
In all organizations with cloud mailboxes, quarantine is available to hold potentially dangerous or unwanted messages.
Note
In Microsoft 365 operated by 21Vianet in China, quarantine isn't currently available in the Microsoft Defender portal. Quarantine is available only in the classic Exchange admin center (classic EAC).
Whether a detected message is quarantined by default depends on the following factors:
- The protection feature that detected the message. For example, the following detections are always quarantined:
- Malware detections by anti-malware policies*.
- Malware or phishing detections by Safe Attachments policies, including Built-in protection for Safe Attachments*.
- High confidence phishing detections by anti-spam policies.
- Whether you're using the Standard and/or Strict preset security policies. The Strict profile quarantines more types of detections than the Standard profile.
* Malware filtering is skipped on SecOps mailboxes that are identified in the advanced delivery policy. For more information, see Configure the advanced delivery policy for non-Microsoft phishing simulations and email delivery to SecOps mailboxes.
The default actions for email protection features in Microsoft 365, including preset security policies, are described in the feature tables in Recommended email and collaboration threat policy settings for cloud organizations.
For anti-spam and anti-phishing protection, admins can also modify the default threat policy or create custom threat policies to quarantine messages instead of delivering them to the Junk Email folder. For instructions, see the following articles:
- Configure anti-spam policies
- Configure anti-phishing policies if you don't have Microsoft Defender for Office 365
- Configure anti-phishing policies in Microsoft Defender for Office 365
Threat policies for supported features have one or more quarantine policies assigned to them (each action within the threat policy has an associated quarantine policy assignment).
Tip
All actions taken by admins or users on quarantined messages are audited. For more information about audited quarantine events, see Quarantine schema in the Office 365 Management API.
Quarantine policies
Quarantine policies define what users are able to do or not do to quarantined messages, and whether users receive quarantine notifications for those messages. For more information, see Anatomy of a quarantine policy.
Tip
You can create customized quarantine notifications for different languages. You can also use a custom logo in quarantine notifications.
The default quarantine policies assigned to protection feature verdicts enforce the historical capabilities that users get for their quarantined messages (messages where they're a recipient). For more information, see the table in Find and release quarantined messages as a user. For example, only admins can work with messages that were quarantined as malware or high confidence phishing. By default, users can work with their messages that were quarantined as spam, bulk, phishing, spoof, user impersonation, domain impersonation, or mailbox intelligence.
Admins can create and apply custom quarantine policies that define less restrictive or more restrictive capabilities for users, and also turn on quarantine notifications. For more information, see Create quarantine policies.
Both users and admins can work with quarantined messages:
Admins can work with all types of quarantined messages for all users, including messages that were quarantined as malware, high confidence phishing, or as a result of mail flow rules (also known as transport rules). For more information, see Manage quarantined messages and files as an admin.
Tip
For the permissions required to download and release any messages from quarantine, see the permissions entry here.
Users can work with their quarantined messages based on the protection feature that quarantined the message, and the setting in corresponding quarantine policy. For more information, see Find and release quarantined messages as a user.
Note
Users can't release their own quarantined messages in the following scenarios, regardless of how the quarantine policy is configured:
- Messages quarantined as malware by anti-malware policies.
- Messages quarantined as malware or phishing by Safe Attachments policies.
- Messages quarantined as high confidence phishing by anti-spam policies.
If the policy is configured for users to release these quarantined messages, users are instead allowed to request the release of these quarantined messages.
Admins can report false positives to Microsoft from quarantine. For more information, see Take action on quarantined email and Take action on quarantined files.
Users can also report false positives to Microsoft from quarantine, depending on the value of the Reporting from quarantine setting in user reported settings.
Quarantine retention
How long quarantined messages or files are held in quarantine before they expire depends why the message or file was quarantined. Features and their corresponding retention periods are described in the following table:
| Quarantine reason | Default retention period | Customizable? | Comments |
|---|---|---|---|
| Messages quarantined by anti-spam policies as spam, high confidence spam, phishing, high confidence phishing, or bulk. | 15 days
30 days
|
Yes* | You can configure the value from 1 to 30 days in the default anti-spam policy and in custom anti-spam policies. For more information, see the Retain spam in quarantine for this many days (QuarantineRetentionPeriod) setting in Configure anti-spam policies. *You can't change the value in the Standard or Strict preset security policies. |
Messages quarantined by anti-phishing policies:
|
15 days or 30 days | Yes* | This retention period is also controlled by the Retain spam in quarantine for this many days (QuarantineRetentionPeriod) setting in anti-spam policies. The retention period is the value from the first matching anti-spam policy that the recipient is defined in. |
| Messages quarantined by anti-malware policies (malware messages). | 30 days | No | If you turn on the common attachments filter in anti-malware policies (in the default policy or in custom policies), file attachments in email messages to the affected recipients are treated as malware based solely on the file extension using true type matching. A predefined list of mostly executable file types is used by default, but you can customize the list. For more information, see Common attachments filter in anti-malware policies. |
| Messages quarantined by mail flow rules where the action is Deliver the message to the hosted quarantine (Quarantine). | 30 days | No | |
| Messages quarantined by Safe Attachments policies in Defender for Office 365 (malware or phishing messages). | 30 days | No | |
| Files quarantined by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams (malware files). | 30 days | No | Files quarantined in SharePoint or OneDrive are removed from quarantine after 30 days, but the blocked files remain in SharePoint or OneDrive in the blocked state. |
| Messages in chats and channels quarantined by zero-hour auto protection (ZAP) for Microsoft Teams in Defender for Office 365 | 30 days | No |
When messages expire from quarantine after the retention period, the messages are permanently deleted and can't be recovered.
For more information about quarantine, see Quarantine FAQ.