Analyzing Quarantined Messages with PowerShell

Exchange Online Protection Puts Problem Messages into Quarantine

In a previous post, we cover the basics of reviewing email quarantined by Exchange Online Protection using the Security and Compliance Center. As discussed there, it’s important to review quarantined email to understand if any messages which shouldn’t be blocked are trapped there waiting for release. No one wants to have an important message expire in the quarantine (after 15 days by default) and not get to its intended recipient.

The problem is the time needed to review quarantined messages for a busy tenant. Scrolling up and down a large list to decide whether to release messages can consume hours, especially if you don’t allow users to release quarantined email.

PowerShell Can Help

Exchange Online includes several cmdlets to work with quarantined messages. It might be easier to run a daily job to grab details of what’s waiting in the quarantine, do some basic analysis, and create a CSV file of the messages that can be reviewed. Any messages that shouldn’t be released can be removed from the file, and the remainder released for delivery.

Scripting Quarantine Analysis

I created a script (downloadable from GitHub) to illustrate the principal. The script fetches details of messages in quarantine using the Get-QuarantineMessage cmdlet and populates a PowerShell list with details of each message. You could use the output of Get-QuarantineMessage directly, but this approach allows for some additional processing of each message, such as extracting its source domain and calculating how long more it will remain in quarantine.

We then use the list to do some basic analysis to find out why messages are being quarantined, who’s receiving these messages, and where the messages come from:

$Report | Group Type | Sort Count -Descending | Format-Table Name, Count
Type of Quarantined messages

Count Name
----- ----
   10 Spam
    5 Phish
    3 HighConfPhish
    1 Malware

Messages quarantined per recipient address

Finally, we export the messages to a CSV file. The intention here is that someone can review the list of messages and decide which to release for onward delivery. All other lines in the CSV file are removed. To release the messages, we can then import message details from the CSV and use the Release-QuarantineMessage cmdlet to release them:

Import-CSV c:\temp\QuarantinedMessages.csv | Release-QuarantineMessage -ReleaseToAll

It’s all very straightforward PowerShell so you can customize it to add whatever idea you think is valuable. For instance, you could email the CSV file to reviewers.

Simple ideas can be the best. And applying PowerShell to solve problems is a simple idea that works well in lots of places within Office 365. Which is why the Office 365 for IT Pros eBook includes so many examples of PowerShell in action.

2 Replies to “Analyzing Quarantined Messages with PowerShell”

  1. Hi Great script, I have 1 question. This seems to pull only the current dates quarantined emails. I tried changing the line $Report = [System.Collections.Generic.List[Object]]::new(); $Now = Get-Date


    $Report = [System.Collections.Generic.List[Object]]::new(); $Now = Get-Date.AddDays(-14) but it errors out.

    How would I get the report to pull all quarantined messages.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.