NicoRotaryCH
Copper Contributor
Apr 13, 2023

WHO released emails from quarantine?

Today when I looked at https://security.microsoft.com/quarantine

I saw this:

I haven't found a way to explain who or how these emails were released.

Where do I find this information?

Thank you

  • NicoRotaryCH from the security portal, navigate to the audit blade and search for the activity called the Released Quarantine message 

     

    Please click Mark as Best Response & Like if my post helped you to solve your issue. This will help others to find the correct solution easily.

     

  • Hello Nico, you can view how many emails were sent and received by your user in a day by logging in to Office 365 Admin Portal and clicking on "REPORTS" and then "Sent and received mail" under "Protection". You can then choose custom date selection and change custom date range to one day and click "View table" to see the mail amount in the table view¹. If you want to track which of your admins released email from quarantine, you can turn on audit logging before you can start searching the Office 365 audit log. To turn it on, click "Start recording user and admin activity" on the Audit log search page in the Security & Compliance Centre². I hope this helps!

      NicoRotaryCH
      Copper Contributor

      eliekarkafy 

       

      OK I did some more testing.

      I used the Network message ID as keyword search for both the message I released...

       

      ... and the message that was released for unknown reasons:

       

      Unfortunately I can't find any release information in the audit log.

      FYI the details of the message: 

      Do you have any more ideas? Otherwise I will open a ticket.

      Thank you!

        eliekarkafy
        MVP

        NicoRotaryCH let's do this: in the audit logs blade, select all the quarantine activities and check what results you get. Don't forget to set the date of your incident.

         

      NicoRotaryCH
      Copper Contributor

      eliekarkafy 

      Thank you very much!

      Unfortunately this only helps to some extent: I ran both classic and regular searches

       

      but they only generated one result. This is not one of the three messages but a release I did for testing purposes.

       

      So the three messages released are not on the list!
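
The audit search discussed in this thread (all quarantine activities, then a match on the Network message ID) can also be run from Exchange Online PowerShell. The script below is an added example, not part of any post in the thread; the date window and Network message ID are constructed placeholders, and the AuditData field names (NetworkMessageId, RequestSource, ReleaseTo) are assumed from the quarantine audit record schema.

```powershell
# Added example. Assumes the ExchangeOnlineManagement module is installed and
# the signed-in account is allowed to search the unified audit log.
Connect-ExchangeOnline

# Confirm audit logging is recording; nothing is searchable from before it was turned on.
Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled

# Constructed placeholders: set the incident window and the message's Network message ID.
$start            = Get-Date '2023-04-12'
$end              = Get-Date '2023-04-14'
$networkMessageId = '00000000-0000-0000-0000-000000000000'

# Pull every quarantine activity in the window (release, preview, delete, export, ...),
# paging through the result set with one session ID.
$sessionId = [guid]::NewGuid().ToString()
$records   = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType Quarantine -SessionId $sessionId `
        -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $records += $page }
} while ($page)

# Expand the JSON payload of each record and keep only the message in question.
# Field names inside AuditData are assumptions (see the lead-in).
$records |
    ForEach-Object {
        $data = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            Time             = $_.CreationDate
            User             = $_.UserIds
            Operation        = $_.Operations
            NetworkMessageId = $data.NetworkMessageId
            RequestSource    = $data.RequestSource
            ReleaseTo        = $data.ReleaseTo
        }
    } |
    Where-Object { $_.NetworkMessageId -eq $networkMessageId } |
    Sort-Object Time |
    Format-Table -AutoSize
```

Dropping the `Where-Object` filter lists every quarantine action in the window, which helps when the Network message ID search returns nothing.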
