Forum Discussion
Preset policies have suddenly started notifying users of quarantined messages
Hi all. We have been using preset policies (standard and strict) for some time and were happy with the fact that they don't notify users of messages which have been quarantined (and nor is it possible to change the notification policy). However, quarantine notifications suddenly started turning up in users' mailboxes at the weekend.
Have Microsoft changed something or released an unplanned change? Hoping you can help clarify the situation.
- MC505088
- teetotal_mike (Copper Contributor)
OzOscroft Our users have reported this too. My biggest concern is that a user may inadvertently release emails that have been correctly identified as phishing/malware and action them, making the quarantine system pointless.
- OzOscroft (Iron Contributor)
teetotal_mike TV202 - thanks for confirming my suspicions that it's a change Microsoft have made, nothing we've done. For info., we first noticed it on Saturday 17th March; was this the same with you? We also think it's only affecting those covered by the strict preset policy rather than those on standard - is this your experience as well please?
For info., I've raised a ticket with Microsoft and will keep you posted.
- teetotal_mike (Copper Contributor)
OzOscroft They seem to have started in the early hours of the 18th for us (UK time). Users on the standard policies are receiving the notifications here too, so it would appear to be a global issue.
- alexhudish (Microsoft)
MC505088
- OzOscroft (Iron Contributor)
Thanks alexhudish - that's the update we all seem to have missed! Not being able to configure this is terrible, but at least we know why the change has happened.
I'd encourage anyone who doesn't like this change to head to https://admin.microsoft.com/Adminportal/Home?source=applauncher#/MessageCenter/:/messages/MC505088 and hit the Dislike button at the bottom!
Here's the main text (excluding the detailed table of changes) for info.:
------------------------
Message Summary
Updated March 22, 2023: We have updated the rollout timeline below. Thank you for your patience.
We are updating the recommended quarantine notification policy in the Standard and Strict preset security policies.
With the DefaultFullAccessWithNotificationPolicy, users will receive quarantine notifications for emails quarantined due to the corresponding threat policy.
*Note that the quarantine policy assigned here is ineffective since the delivery location is the Junk folder.
Here is what the quarantine notification looks like:
When this will happen:
We will begin rolling this out in mid-February 2023 and complete rolling out by mid-April 2023 (previously mid-March).
How this will affect your organization:
If your organization has enabled preset security policies, these will be automatically updated to include the quarantine notification policies (DefaultFullAccessWithNotificationPolicy) as listed in the above table for the standard and strict protection preset profiles.
What you need to do to prepare:
No action required. Please review the following links to learn more:
- What are quarantine notifications? Quarantine notifications (end-user spam notifications) in Microsoft 365 - Office 365 | Microsoft Learn
- Specific controls set in Preset Security Policies: Microsoft recommendations for EOP and Defender for Office 365 security settings - Office 365 | Microsoft Learn
- We recommend enabling preset security policies for your organization: Steps to quickly set up the Standard or Strict preset security policies for Microsoft Defender for Office 365 - Office 365 | Microsoft Learn
- OzOscroft (Iron Contributor)
Hi all. As well as encouraging anyone who doesn't like this change to head to https://admin.microsoft.com/Adminportal/Home?source=applauncher#/MessageCenter/:/messages/MC505088 and hit the Dislike button at the bottom, I've added a request in the feedback portal.
Please upvote if you think that Admins should be able to configure when users receive quarantine notifications:
- ExMSW4319 (Iron Contributor)
It might have been roadmapped and scheduled, but this change is nonetheless unwelcome. Turning on user quarantine access should be an organisation's decision, not one mandated by Microsoft (even if just as a default). For one thing there is the additional support burden, and for another there are the colossal numbers of phishing attempts spoofing quarantine notices of all shapes and sizes (not just EOP). There is also the fact that it's sometimes harder to recognise a malicious mail in quarantine than in an Inbox. Want a Socratic defence? Don't enable user quarantine access.
I believe that ideally the default policies should be tougher than the actual policies in use for typical users, especially if the tenancy is sufficiently active and dispersed for a new accepted domain to be added without proper consideration. I hear what is said about the pre-set policies engaging new features that some customers might miss. This particular case argues the opposite. Certainly read the roadmap when you can, but I know that I don't always get time to.
- OzOscroft (Iron Contributor)
Thanks WDebruyne . However, we're using the Strict and Standard preset policies which do not allow you to change (or even see) which quarantine policy is being applied. The only other policies in use are the default ones, but standard and strict take precedence so they wouldn't come into play (even so, I've checked the defaults and they're set to AdminOnlyAccessPolicy anyway). This is why I suspect Microsoft have changed the configuration of the notifications and there's nothing we can do about it.
- mvalecruz (Copper Contributor)
This is broken and needs to be fixed. Not being able to stop the notifications and prevent the release of possibly infected emails is out of the control of us admins. I have changed all the Quarantine Settings from DefaultFullAccessWithNotificationPolicy to either AdminOnlyAccessPolicy or even my own custom policy with no notification. But I cannot stop the notifications. This is broken and needs to be fixed so we can properly administer control of spamware into our organization, before we get hit by ransomware and it's all because Microsoft allowed this to happen.
- nithinnara (Microsoft)
mvalecruz OzOscroft Thanks for reporting this. This change was only made for regular phishing emails. That bucket mostly contains emails which failed DMARC/spoof checks and as such can have some false positives. So, giving end users notifications will enable them to see potentially useful emails stuck in quarantine and release them. But I understand why some admins feel like this is a risk. We will look to address this soon. Just a quick check: would a policy which enables end-user quarantine notifications but needs admin approval to release be an acceptable policy to you?
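For admins who want to see which quarantine policy each verdict in their tenant actually resolves to, and to try the notify-but-request-release shape nithinnara floats above, here is an added example written for this thread; it is not code from any poster or from Microsoft. It assumes the ExchangeOnlineManagement module and an already established Connect-ExchangeOnline session, and the policy name NotifyRequestReleaseOnly is a placeholder chosen here.

```powershell
# Added example (not from any poster or from Microsoft). Assumes the ExchangeOnlineManagement
# module and an existing Connect-ExchangeOnline session with a role that can read/write policies.
function Get-QuarantineExposure {
    # Index each quarantine policy by name: does it mail users (ESNEnabled),
    # and may they release on their own (PermissionToRelease)?
    $byName = @{}
    foreach ($q in Get-QuarantinePolicy) {
        $byName[$q.Name] = [pscustomobject]@{
            Notifies       = [bool]$q.ESNEnabled
            UserCanRelease = ([string]$q.EndUserQuarantinePermissions) -match 'PermissionToRelease: True'
        }
    }
    # Gather (policy, verdict, tag) from every policy type that carries quarantine tags.
    # Policies created by the Standard/Strict presets are listed here too, read-only.
    $rows = @(foreach ($p in Get-HostedContentFilterPolicy) {
        foreach ($v in 'SpamQuarantineTag','HighConfidenceSpamQuarantineTag','PhishQuarantineTag',
                       'HighConfidencePhishQuarantineTag','BulkQuarantineTag') {
            [pscustomobject]@{ Policy = $p.Name; Verdict = $v; Tag = $p.$v }
        }
    })
    $rows += @(foreach ($p in Get-AntiPhishPolicy) {
        [pscustomobject]@{ Policy = $p.Name; Verdict = 'SpoofQuarantineTag'; Tag = $p.SpoofQuarantineTag }
    })
    $rows += @(foreach ($p in Get-MalwareFilterPolicy) {
        [pscustomobject]@{ Policy = $p.Name; Verdict = 'QuarantineTag'; Tag = $p.QuarantineTag }
    })
    # Join and flag the combination this thread is about: user is notified AND can self-release.
    foreach ($r in $rows) {
        $q = if ($r.Tag) { $byName[$r.Tag] }   # empty tag means the tenant default; not resolved here
        [pscustomobject]@{
            Policy = $r.Policy; Verdict = $r.Verdict; QuarantineTag = $r.Tag
            Notifies = $q.Notifies; UserCanRelease = $q.UserCanRelease
            Risky = [bool]($q.Notifies -and $q.UserCanRelease)
        }
    }
}

# The policy nithinnara floats above: users are notified but can only *request* release,
# so an admin approves each one. The name 'NotifyRequestReleaseOnly' is a placeholder.
function New-NotifyRequestReleasePolicy {
    param([string]$Name = 'NotifyRequestReleaseOnly')
    $perms = New-QuarantinePermissions -PermissionToBlockSender $true -PermissionToDelete $true `
        -PermissionToPreview $true -PermissionToRequestRelease $true -PermissionToRelease $false
    New-QuarantinePolicy -Name $Name -EndUserQuarantinePermissions $perms -ESNEnabled $true
}

Get-QuarantineExposure | Where-Object Risky | Format-Table -AutoSize
```

Rows belonging to the preset-created policies are reported for visibility only: as OzOscroft and mvalecruz note, the presets' quarantine tags cannot be changed, so a policy built with New-NotifyRequestReleasePolicy can only be assigned to the custom policies you control.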
- Ovita_Barretto (Copper Contributor)
This is a good solution.
- mcouvillion (Copper Contributor)
OzOscroft I can't believe how dumbfoundingly stupid this change is. It opens the quarantine up to inexperienced users and LOWERS my security and it defeats the purpose of having the rules by spamming my users with "you have spam" emails.
It's time to start looking at moving the company to another platform for mail.
- kleveille (Copper Contributor)
OzOscroft
The only way I've found to prevent users from being notified about quarantined messages is to disable the "Standard Protection" policy. Once you do that, your custom policies are now the priority and the other policies go back into effect.
It's a "use at your own risk" scenario, which is unfortunate. I think it will also lower your Microsoft "Secure Score" if that's a metric you track. I'm still doing some reading to see if it affects any other components of the M365 Security system.
I would strongly prefer to be able to use Microsoft's recommended Standard or Secure preset security policies without having to worry that the end users will undermine the whole thing by releasing malicious messages into their mailboxes, but that isn't currently possible. 😞
- kleveille (Copper Contributor)
The most silly thing about this change has been that now I have end users emailing me asking about whether the quarantine notification emails they've suddenly started receiving are spam!
I'm tempted to say yes... we'll see.
- mcouvillion (Copper Contributor)
kleveille The other solution I found is that continuing to use O365 was becoming a liability. Between the wide onmicrosoft.com domain allowing bots to spam us and flooding my users with these unwanted messages, we moved our entire operation to GSuite. It's cut my operation costs to maintain email by at least half, and we're not getting nearly as much spam from Microsoft's own domains.