Forum Discussion
Email Showing as Quarantined in a Message Trace, but Not Showing up in MS Defender
A customer of ours was waiting on an email to arrive, and to help figure out where the email was or if it had been sent yet, we ran a message trace. The message trace showed that the email was sent to quarantine. With this information in mind, I went to MS Defender > Email & collaboration > Review > Quarantine but could not find the message.
I modified some of the filters and could not get the quarantined message to appear. I triple-checked the filters I created and made sure the information was correct. I also removed all filters and looked for the time period the email came in, but could not find it.
Not sure if this is related, but this email had a significant delay likely coming from the sender.
Any thoughts or ideas? Or anything that I am missing?
6 Replies
- vanessatamora (Copper Contributor)
Shot in the dark but do you have access to email explorer in the security portal? It has a lot of useful info and the Open email entity after you click a message is really helpful.
https://security.microsoft.com/threatexplorerv3
This is probably not related and I have no hard proof, but I think something changed on April 8th. A lot of email started going into our Junk folders from our relay servers (sadly, yes, we still have some apps using this). Scanners we switched to OAuth, but we had a rough end of the week once it came to light.
- DeepakRandhawa (Iron Contributor)
Open a support case with MS, you might need to provide them Network Message IDs to be able to see them in quarantine.
- duntlessOutlook (Copper Contributor)
Unfortunately, we can contact MS support through admin center because licensing was purchased through a reseller and not directly from Microsoft. Reseller support is not an option. Unless there is another way to reach out to MS support, I couldn't get very far with that.
- DeepakRandhawa (Iron Contributor)
We had the same issue with Zapped emails and had to provide them with these to be able to see them in quarantine.
You should be able to filter quarantined messages based on the MessageID, which in turn you can get from the message trace:
Get-QuarantineMessage -MessageId "<blabla-AB4D661B46@blabla.com>"
- duntlessOutlook (Copper Contributor)
Even when filtering by the message ID, I still do not see the message in quarantine. This is through the MS Defender portal, not PowerShell. Based on your reply, should I try via PowerShell? Could MS Defender be bugging out and not showing this message?
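
Added example, not part of the thread and not posted by any participant: one way to cross-check the message trace against quarantine from Exchange Online PowerShell instead of the portal, using the `Get-QuarantineMessage -MessageId` lookup suggested above. It assumes the ExchangeOnlineManagement module with `Get-MessageTrace` available; the addresses and the seven-day window are placeholders.

```powershell
# Placeholders: replace the admin UPN, recipient and search window with real values.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

$recipient = 'user@contoso.example'   # the mailbox that was waiting on the email
$start     = (Get-Date).AddDays(-7)
$end       = Get-Date

# 1. Trace rows that the message trace itself reports as quarantined.
$traces = Get-MessageTrace -RecipientAddress $recipient -StartDate $start -EndDate $end |
    Where-Object { $_.Status -eq 'Quarantined' }

foreach ($t in $traces) {
    # 2. Exact lookup by the Message-ID taken from the trace row.
    $hits = @(Get-QuarantineMessage -MessageId $t.MessageId)

    if ($hits.Count -eq 0) {
        # 3. Fallback: list quarantine for the recipient in a window around the
        #    trace timestamp (a delayed message may have an unexpected received
        #    time), then match on Message-ID or subject locally.
        $hits = @(Get-QuarantineMessage -RecipientAddress $recipient `
                    -StartReceivedDate $t.Received.AddDays(-1) `
                    -EndReceivedDate   $t.Received.AddDays(1) |
                  Where-Object { $_.MessageId -eq $t.MessageId -or
                                 $_.Subject   -eq $t.Subject })
    }

    # 4. One row per traced message: was it found, and in what state?
    [pscustomobject]@{
        MessageId      = $t.MessageId
        MessageTraceId = $t.MessageTraceId
        TraceReceived  = $t.Received
        InQuarantine   = $hits.Count -gt 0
        QuarantineType = ($hits.Type -join ',')
        ReleaseStatus  = ($hits.ReleaseStatus -join ',')
        Expires        = ($hits.Expires -join ',')
    }
}
```

A row with `InQuarantine` set to `False` means the message was not returned by either query for the signed-in account; the `MessageId` and `MessageTraceId` in that row identify the message for any follow-up.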