Checking the set of messages Exchange Online Protection (EOP) places in quarantine is not always a high-priority daily activity for most tenant administrators. Opening the Security and Compliance Center to browse the set of quarantined messages (Figure 1) might be on the list of good things to do, but it is probably one of those tasks that gets done when time and other work allow.
Figure 1: Viewing quarantined messages in the Security and Compliance Center
The point to remember is that some messages EOP quarantines are valuable. If you don’t rescue these messages within 15 days (the period set in the default spam filter policy), they disappear and will never be delivered, and that might be a bad thing.
User Notifications
One way to remove the burden on administrators is to configure the spam policy to generate end-user notifications. Users will then receive email according to a schedule set in the policy when spam or phish messages arrive for their account (Figure 2). The idea is that the user will know better than anyone whether a message is good or not. Unfortunately, without training and updates about recent spam techniques, this is not always the case, and some organizations disable the option because of the load it creates for the help desk.
Figure 2: End user notification from EOP about spam and phish messages
Reviewing Quarantined Messages
If you examine the details of quarantined messages, you’ll discover why EOP considers them suspect. Each quarantined message is assigned a reason why EOP stopped its delivery to the destination mailbox(es):
Bulk: EOP suspects that the message is commercial bulk email.
Policy: The message matched the conditions of a transport rule (also known as a mail flow rule).
Phish: EOP suspects the message to be a phishing attempt.
High Confidence Phish: EOP has extra reasons to suspect the message to be a phishing attempt.
Malware: EOP suspects the message to contain malware.
Spam: EOP considers the message to be plain old spam. Regretfully, EOP sometimes thinks email from Gumroad.com is spam, which is why some of our subscribers don’t receive receipts or news about book updates.
Many factors combine to make EOP decide that a message is problematic. The sender or the sender domain could be a known spammer. The content of the message might contain clues (many hyperlinks are often deemed suspicious) or an attachment that might redirect the unwitting to a site. EOP uses tons of machine learning, artificial intelligence, and information gathered from around the internet to make the decision to quarantine. Most of the time EOP’s suspicions are well justified and accurate, but sometimes they are wrong, which is why it’s important for humans to review quarantined email.
Take the message shown in Figure 3. EOP regards the message as potential phish. The sending domain is eliophot.com, a French marketing company specializing in the hospitality industry. This fact, together with previewing the message and noting that the return address is that of a valid hotel in the South of France, means that the message is probably OK and was blocked because of the number of hyperlinks in the text.
Figure 3: Examining details of a quarantined message
If we believe everything’s OK with the message, we can release it using the Release message button and EOP will deliver the message to the recipients. If you want to delete the message, click Remove from quarantine.
A More Complex Case
When I scan quarantined messages, my attention is always drawn to those marked as high confidence phish. As the name implies, these are messages that EOP considers to be very suspicious. And sometimes things conspire to throw EOP off the scent. Take the message shown in Figure 4, which is a notification sent from Amazon when someone signs into one of their services, like the Kindle Direct Publishing (KDP) service we use to create the Kindle version of the Office 365 for IT Pros eBook.
Figure 4: Is this Amazon message really high confidence phish?
In this case, the message identifier tells us that the email came from Amazon’s Simple Email Service domain, which is what you’d expect. The sender address looks good too, and the preview shows the kind of content usually found in notification messages. On the surface, everything checks out.
The problems lie in the message header, which records DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework) failures. In other words, EOP tried to authenticate the message as coming from a source that is valid for the purported sender, and that check failed. You can argue whether this should be enough to regard the message as high confidence phish, but remember that EOP considers other factors, such as the “click here” hyperlink in the message body.
The original recipient for this message was my outlook.com address. The message was forwarded from outlook.com to Office 365, and this might have caused the issues with DKIM and SPF. In any case, it’s a good example of why quarantined messages sometimes need careful examination before they can be released for delivery.
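The Amazon case above is easier to judge when the SPF, DKIM and DMARC verdicts are pulled out of the header rather than read by eye. The following PowerShell function is an added example, not code from the original post or from Microsoft: it summarises the Authentication-Results line that EOP stamps on a message and notes whether an ARC-Authentication-Results header is present, which is the evidence you want when a message was forwarded from another mailbox. The header text embedded in the block is constructed for offline use; the sender domains and IP address are placeholders. In a tenant, the assumption is that you feed it the output of Get-QuarantineMessageHeader piped through Out-String.

```powershell
# Added example (not from the original post): summarise the EOP Authentication-Results
# header of a quarantined message so the SPF/DKIM/DMARC outcomes are obvious at a glance.

function Get-EopAuthenticationSummary {
    param([Parameter(Mandatory)][string]$Header)

    # Unfold the header first: continuation lines start with whitespace (RFC 5322 folding)
    $unfolded = $Header -replace "(\r?\n)[ \t]+", ' '
    $lines = $unfolded -split "\r?\n"

    # EOP's own Authentication-Results line is the one that carries the compauth verdict
    $authLine = $lines |
        Where-Object { $_ -match '^Authentication-Results:' -and $_ -match 'compauth=' } |
        Select-Object -First 1
    if (-not $authLine) { return $null }

    $result = [ordered]@{}
    foreach ($check in 'spf', 'dkim', 'dmarc', 'compauth') {
        if ($authLine -match "(?:^|[;\s])$check=(\w+)") { $result[$check] = $Matches[1] }
        else { $result[$check] = 'none' }
    }
    # smtp.mailfrom (envelope sender, used by SPF) and header.from (visible sender, used by
    # DMARC) show whether the two sender domains line up with each other
    if ($authLine -match 'smtp\.mailfrom=([^\s;]+)') { $result['mailfrom'] = $Matches[1] }
    if ($authLine -match 'header\.from=([^\s;]+)')   { $result['from']     = $Matches[1] }

    # An ARC-Authentication-Results header records what an earlier hop saw. When SPF/DKIM
    # passed there but fail at EOP, forwarding (as with the outlook.com relay above) is the
    # likely explanation rather than spoofing.
    $arc = $lines | Where-Object { $_ -match '^ARC-Authentication-Results:' }
    $result['arcPresent'] = [bool]$arc

    [pscustomobject]$result
}

# Constructed sample header (not a real message): the failure pattern described in the post.
# Domains under .invalid and the 203.0.113.0/24 address are reserved placeholders.
$sample = @"
Received: from relay.example.invalid by mx.example.invalid
Authentication-Results: spf=fail (sender IP is 203.0.113.10)
 smtp.mailfrom=notify.example-sender.invalid; dkim=fail (body hash did not verify)
 header.d=example-sender.invalid; dmarc=fail action=oreject
 header.from=example-sender.invalid; compauth=fail reason=000
ARC-Authentication-Results: i=1; relay.example.invalid; spf=pass smtp.mailfrom=notify.example-sender.invalid; dkim=pass header.d=example-sender.invalid
"@

Get-EopAuthenticationSummary -Header $sample | Format-List

# Live use (assumed shape of the cmdlet output, converted to plain text):
# $hdr = Get-QuarantineMessageHeader -Identity $quarantineIdentity | Out-String
# Get-EopAuthenticationSummary -Header $hdr
```

For the sample, the function reports spf, dkim and dmarc as fail, compauth as fail, the two sender domains, and arcPresent as true, which is exactly the combination that warrants a closer look before releasing rather than an automatic release or an automatic delete.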
PowerShell Support
Exchange Online includes some PowerShell cmdlets to work with quarantined messages. For more information, read this post.
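The quarantine reasons listed earlier map directly onto the values the Exchange Online cmdlets accept, so the review the post describes can be scripted. The block below is an added example, not code from the original post or from Microsoft: it uses Get-QuarantineMessage to inventory held mail by reason, flags items close to the expiry the post warns about, isolates the high confidence phish items, and shows the release-and-report step for a message you have examined and judged legitimate. It assumes the Exchange Online Management module is installed and Connect-ExchangeOnline has already been run; the 14-day window, the 3-day warning margin and the quarantine identity are placeholders you would set yourself.

```powershell
# Added example (not from the original post): triage the EOP quarantine from
# Exchange Online PowerShell. Assumes Connect-ExchangeOnline has already been run.

# Everything EOP has held in the last 14 days (window is a placeholder choice).
$since = (Get-Date).AddDays(-14)
$held = Get-QuarantineMessage -StartReceivedDate $since -PageSize 1000

# Breakdown by reason. Type values correspond to the portal's reasons:
# Bulk, TransportRule (shown as "Policy"), Phish, HighConfPhish, Malware, Spam.
$held | Group-Object -Property Type | Sort-Object Count -Descending |
    Select-Object Name, Count

# Messages that expire within 3 days and have not been released. These are the ones
# the post warns about: once the retention period (15 days by default) runs out they
# are gone for good, so they need a decision first.
$cutoff = (Get-Date).AddDays(3)
$expiring = $held | Where-Object { $_.Expires -le $cutoff -and -not $_.Released }
$expiring | Sort-Object Expires |
    Select-Object ReceivedTime, Expires, Type, SenderAddress, RecipientAddress, Subject |
    Format-Table -AutoSize

# High confidence phish deserves the closest look, as the Amazon example shows.
$hcp = Get-QuarantineMessage -QuarantineTypes HighConfPhish -StartReceivedDate $since
$hcp | Select-Object ReceivedTime, SenderAddress, RecipientAddress, Subject

# Inspect one item before deciding: the header (authentication results) and a preview
# of the body. $quarantineIdentity is a placeholder for an Identity value listed above.
$quarantineIdentity = '<placeholder-quarantine-identity>'
Get-QuarantineMessageHeader -Identity $quarantineIdentity
Preview-QuarantineMessage -Identity $quarantineIdentity

# Only after the examination: release to every original recipient and report the
# false positive to Microsoft so the verdict can be tuned. Messages judged bad are
# removed instead with Delete-QuarantineMessage -Identity.
Release-QuarantineMessage -Identity $quarantineIdentity -ReleaseToAll -ReportFalsePositive
```

Keeping the release in a separate, deliberate step rather than piping the inventory straight into Release-QuarantineMessage preserves the human review the post argues for; a bulk release of everything that is about to expire would simply deliver the phish EOP caught.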
Learn more about EOP and Exchange Online mail flow in Chapter 7 of the Office 365 for IT Pros eBook.
It was my daily task on my last job, because too often Office 365 would quarantine legitimate emails (especially when some “companies” use regular gmail as their official email).