View your quarantined messages
Your ability to view quarantined messages is controlled by the quarantine policy that applies to the quarantined message type (which might be the default quarantine policy for the quarantine reason).
In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Email & collaboration > Review > Quarantine. To go directly to the Quarantine page, use https://security.microsoft.com/quarantine.
On the Quarantine page, you can sort the results by clicking on an available column header. Click Customize columns to change the columns that are shown. The default values are marked with an asterisk (*):
- Time received*
- Quarantine reason*
- Release status*
- Policy type*
- Message ID
- Policy name
- Message size
- Mail direction
When you're finished, click Apply.
To filter the results, click Filter. The following filters are available in the Filters flyout that appears:
- Message ID: The globally unique identifier of the message.
- Sender address
- Recipient address
- Time received: Enter a Start time and End time (date).
Expires: Filter messages by when they will expire from quarantine:
- Next 2 days
- Next 7 days
- Custom: Enter a Start time and End time (date).
- Quarantine reason:
Release status: Any of the following values:
- Needs review
- Release requested
Policy Type: Filter messages by policy type:
- Anti-malware policy
- Safe Attachments policy
- Anti-phishing policy
- Anti-spam policy
When you're finished, click Apply. To clear the filters, click Clear filters.
Use Search box and a corresponding value to find specific messages. Wildcards aren't supported. You can search by the following values:
- Message ID
- Sender email address
- Recipient email address
- Subject. Use the entire subject of the message. The search is not case-sensitive.
- Policy name. Use the entire policy name. The search is not case-sensitive.
After you've entered the search criteria, press ENTER to filter the results.
The Search box on the main Quarantine page will search only quarantined items in the current view, not the entire quarantine. To search all quarantined items, use Filter and the resulting Filters flyout.
After you find a specific quarantined message, select the message to view details about it, and to take action on it (for example, view, release, download, or delete the message).
View quarantined message details
When you select quarantined message from the list, the following information is available in the details flyout that appears.
When you select an email message in the list, the following message details appear in the Details flyout pane:
- Message ID: The globally unique identifier for the message.
- Sender address
- Received: The date/time when the message was received.
- Quarantine reason
- Policy type: The type of policy. For example, Anti-spam policy.
- Recipient count
- Recipients: If the message contains multiple recipients, you need to click Preview message or View message header to see the complete list of recipients.
- Expires: The date/time when the message will be automatically and permanently deleted from quarantine.
To take action on the message, see the next section.
To remain in the details flyout, but change the quarantined message that you're looking at, use the up and down arrows at the top of the flyout.
Take action on quarantined email
Your ability to take action on quarantined messages is controlled by the quarantine policy that applies to the quarantined message type (which might be the default quarantine policy for the quarantine reason). This section describes all available actions.
After you select a quarantined message from the list, the following actions are available in the details flyout:
Release email*: Delivers the message to your Inbox.
View message headers: Choose this link to see the message header text. The Message header flyout appears with the following links:
Copy message header: Click this link to copy the message header (all header fields) to your clipboard.
Microsoft Message Header Analyzer: To analyze the header fields and values in depth, click this link to go to the Message Header Analyzer. Paste the message header into the Insert the message header you would like to analyze section (CTRL+V or right-click and choose Paste), and then click Analyze headers.
The following actions are available after you click More actions:
Preview message: In the flyout that appears, choose one of the following tabs:
- Source: Shows the HTML version of the message body with all links disabled.
- Plain text: Shows the message body in plain text.
Remove from quarantine: After you click Yes in the warning that appears, the message is immediately deleted without being sent to the original recipients.
Download email: In the flyout that appears, configure the following settings:
- Reason for downloading file: Enter descriptive text.
- Create password and Confirm password: Enter a password that's required to open the downloaded message file.
When you're finished, click Download, and then Done to save a local copy of the message. The .eml message file is save in a compressed file named Quarantined Messages.zip in your Downloads folder. If the .zip file already exists, a number is appended to the filename (for example, Quarantined Messages(1).zip).
Block sender: Add the sender to the Blocked Senders list in your mailbox. For more information, see Block a mail sender.
* This option is not available for messages that have already been released (the Released status value is Released).
If you don't release or remove the message, it will be deleted after the default quarantine retention period expires (as shown in the Expires column).
The icons in order and their corresponding descriptions are summarized in the following table:
Icon Description Release email View message headers Preview message Remove from quarantine Block sender
Take action on multiple quarantined email messages
When you select multiple quarantined messages in the list (up to 100) by clicking in the blank area to the left of the first column, the Bulk actions drop down list appears where you can take the following actions:
- Release messages: Delivers the messages to your Inbox.
- Delete messages: After you click Yes in the warning that appears, the messages are immediately removed from quarantine without being sent to the original recipients.