Quick Guide: Email Quarantine Operations

Periodically, you may receive a message from Microsoft about quarantined email. Messages addressed to you are moved to quarantine as a result of email protection settings applied to all Ithaca College email accounts. This article outlines some key information about the quarantine process. Note: you should proceed with caution when releasing messages into your inbox.

Audience

This article is intended for all staff, faculty, and students who use Ithaca College email.

Platform

Microsoft Office 365

Notifications

The most visible effect of the email quarantine system is the notification sent to a user’s inbox when a message is moved to quarantine. Quarantine digest alert messages come from "quarantine@messaging.microsoft.com" with the subject line “Microsoft 365 security: You have messages in quarantine” and visibly resemble the example provided below:

A screenshot showing the Microsoft 365 quarantine digest email. It has a heading saying "Review these messages" and then a list of spam emails with subject and sender and date displayed for each item in the list.

Note: phishing attempts that use a visual style similar to the Microsoft quarantine notification email have been observed, so be sure to verify the legitimacy of the sender as noted above.

Taking action on quarantined emails

From the quarantine notification email itself or the Microsoft quarantine control panel https://security.microsoft.com/quarantine (login with IC credentials required), it is possible to perform one or more actions on quarantined messages.

Release message

Because emails sent to quarantine are believed by Microsoft to be malicious or spam, it is strongly advised that you ONLY release the quarantined email to your inbox folder if you:

  • recognize the sender by their email address
  • are expecting a message from the sender
  • review the message first (see Review message below)

If you are not sure about the safety or authenticity of a quarantined message after reviewing it, reach out to the information security team by emailing infosec@ithaca.edu.

Block sender

This action adds the sender of the message to the Blocked Senders list for the user's mailbox. Messages from email addresses or domain names in the Blocked Senders List are always treated as junk and moved to the Junk Email folder, regardless of the content of the message.

Review message

This action launches the Microsoft quarantine control panel at https://security.microsoft.com/quarantine (login with IC credentials required). From this webpage, you can:

  • Preview a copy of the message in your web browser.
  • Review specific details about the message, including header information (may be requested by an IT team member for troubleshooting).
  • Release a message into your inbox, block the sender or delete the message from your quarantine folder.
  • See a general reason why a particular message ended up in quarantine.

Take no action

If you choose to not take any actions on emails inside your quarantine folder, they will be deleted 15 days from the time you received the notification in your inbox.

Frequently asked questions (FAQ)

What can I do about a legitimate email going into quarantine?

  • Send the message to your inbox via the release message button in the quarantine notification message once you have verified its safety.
  • Specifically flag the email as legitimate. This step takes more time than quickly releasing the message, but is more influential in the decision-making process undertaken by the quarantine tool. To do so, open the Microsoft quarantine control panel https://security.microsoft.com/quarantine (login with IC credentials required), then:
    • Click the email in question
    • Click the “Release email” button in the right-side panel
    • Click the checkbox marked “Report message as having no threats”
  • It is generally recommended to place legitimate senders in your Safe Senders List. However, even with this step being taken, messages may still be placed in quarantine if they are deemed dangerous.
  • If a legitimate sender gets continually placed in your quarantine box, open a support ticket with the Email & Identity team. Please note that some factors, such as external sender compliance with email delivery best practices, are beyond our team’s control and cannot be changed.

Why was a particular message quarantined?

  • To view a reason why a message was quarantined, follow the steps above under Review message. Common reasons are:
    • Transport rule (mail flow rule)
    • Bulk or Spam classification
    • Data loss prevention policy
    • Malware (The Policy Type value indicates which feature was used)
    • Phishing or High confidence phishing (The spam filter verdict was Phishing or anti-phishing protection quarantined the message)
    • Admin action - File type block (Messages blocked as malware by the common attachments filter in the Ithaca College anti-malware policy)

Why did a quarantined message disappear before/after review?

  • Quarantined messages expire in 15 days if no action is taken on them.
  • A quarantined message may be deleted from the quarantine box globally by a member of the security team if a true information security threat was detected (or released if not detected).
  • A message that violates the common attachment type filter in the Ithaca College anti-malware policy may be bounced back to the sender.
  • Outlook inbox rules or third-party filtering may disrupt messages that have been released from quarantine before they enter the inbox.

Can I release more than one message at a time?