Forum Discussion
Instant/Live Alerts for Quarantined Emails
Hi Chris_Rokitski_ ,
The short answer is that an admin would implement Quarantine policies on a tenant to be able to "control what users are able to do to quarantined messages based on why the message was quarantined". In essence, this is done to lower the risk by delegating that control from the user to the admin.
This can of course become an inconvenience if legitimate emails frequently get flagged as a potential risk, but rather than getting into a "please allow this sender" logic, your SOC's or IT Admins' work should be focused on understanding why the other end is getting flagged up by Microsoft's Machine Learning as a potential threat.
From experience, most of the time legitimate emails are flagged up because the 3rd party sending you an email tends to use a mailer program that is not set up correctly with SPF and DKIM records, or they are legitimately spoofed.
In any case, again, the quick answer on whether this behaviour can be changed so you get all these items into your Junk folder rather than in quarantine is YES, you can. At the expense of risk.
The setting is controlled via a number of policies in the backend set by your administrator. They have explicitly set, for instance, that "messages detected as an impersonated user" would go to Quarantine instead of being moved to the Junk Folder. Example below of these individual settings from an Anti-Phishing policy (https://security.microsoft.com/antiphishing).
Anti-phishing policy
Hope this helps!