Forum Discussion
Configure Quarantine Notifications to Admins when any Email is quarantined
Hi All,
Good morning. I would like to understand the possible options in EOP and Defender for O365 to send an alert or notification mail to the E-mail administrator as soon as any mail is quarantined for any user mailbox in Exchange Online.
I searched most of the options, but I don't see any solid solution for this. Please share your thoughts and experience on this.
Thanks in advance.
4 Replies
- ExMSW4319 (Iron Contributor)
We use the second option, but for fewer alert types (e.g. malicious URL clicked) fed directly into the security team's ticket queue.
We also have Report Message enabled and configured to send copies to a dedicated SecOps mailbox (Email & Collaboration > Policies & Rules > Threat policies > Advanced delivery) so Defender does not (generally) devour our copies of the sightings. This is reinforced with policies just for SecOps at the top of the anti-phish, anti-spam and anti-malware policy tables.
Hi, you can use quarantine policies; Microsoft Defender for Office 365 allows you to customize quarantine notifications via quarantine policies.
Access Quarantine Policies:
Log on to the Microsoft 365 security portal: https://security.microsoft.com.
Go to Email and Collaboration > Policies and Rules > Threat Policies.
In the Policies section, select Quarantine Policies.
Create or edit a quarantine policy:
Click Add Policy to create a new policy or select an existing policy to modify it.
Specify the conditions for which quarantined emails trigger notifications.
Enable Administrator Notification and add administrator email addresses in the Notification Recipients field.
Apply Policy:
In the Apply this policy if section, define the conditions for which emails are quarantined (e.g., phishing, malware, spam).
Save the policy and verify that it is enabled.
Alternatively, you can configure alerts in Microsoft Defender for Office 365:
Microsoft Defender for Office 365 allows you to configure alerts for quarantined emails.
Access Alert Policies:
Go to https://security.microsoft.com.
Select Email and Collaboration > Policies and Rules > Alert Policies.
Create a new alert policy:
Click + Add Alert Policy.
Provide a name and description for the alert (e.g., “Quarantine Email Notification”).
In the Category category, select Email Protection.
In the Task activity, select Quarantined emails from the policy.
Configure alert notifications:
Set the severity of the alert (e.g., High, Medium, Low).
Add administrators' email addresses in the Recipients field to send notifications.
Set frequency and threshold:
Specify how often the alert should be triggered and whether it should notify every quarantined email or only after reaching a certain threshold.
Save Policy.
- IcedZ (Copper Contributor)
I do not see the option "Quarantined Emails" in the activity list. The only thing I see is "Quarantine release request", which I do not allow users to do.
Nor do I see the ability to alert administrators in the quarantine rule.
- David_Mile (Copper Contributor)
What you have written sounds exactly like what I want... except that, going to either the Alert or Quarantine policy settings, the options you listed aren't available to me. There is no "Enable Administrator Notification" when creating a custom quarantine policy, and neither is there any related task activity when creating a new Alert Policy.
Is this perhaps something only available if paying extra for either plan 1 or 2?