Forum Discussion
Block from quarantine. What does it do?
I have a big problem with pharma spam. I get about 100 "viagra" emails a day. My email is through Godaddy and I have their Advanced Email Security, which is apparently powered by a third party called Inky. My email system was doing a decent job of delivering this spam to my junk folder. Inky puts links in each email and from those links I can block the full email address and also select the email's domain and/or sub-domain.
Sometime last year, Microsoft started diverting a lot of these emails to their Quarantine. Only a few get through to my Junk folder. But in doing this, I don't get the Inky links and apparently have lost the ability to Block the address and/or domain. The Quarantine page has a Block feature and I can try to individually Block each of the spam emails, but it doesn't seem to actually block them before getting delivered to Quarantine. I'd rather just let them get through to my Junk folder because then I can use the Inky links to do a "real" block on the addresses. I can't find documentation on what the Quarantine Block feature actually does. The info icon says "sends directly to your Junk Folder" but it doesn't seem to do that. I looked into shutting off the Quarantine diversion completely but apparently MS doesn't let you do that. So now I have to manage both my Junk folder and my Quarantine.
Neither Quarantine nor Inky allows you to mass-block a group of emails, so either way I have to Block each one by one. That would be a nice thing to add.
Just seems like the Defender Block doesn't do anything.
7 Replies
- MathieuVandenHautte Steel Contributor
Hi rhodesengr,
Whether a detected message is quarantined by Exchange Online Protection depends on the protection feature that detected the message (malware detection and high-confidence phishing detections) and the Preset security policies.
The preferred (and only) way to update the Microsoft 365 tenant machine learning regarding false positives and negatives is using submissions:
https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/submissions-admin?view=o365-worldwide
- rhodesengr Copper Contributor
MathieuVandenHautte I appreciate the reply but it doesn't answer my question. If I choose an email in Quarantine, and select Block for the action, what happens differently if another email comes from the same address? Seems like nothing different. Just goes to Quarantine again.
- ExMSW4319 Steel Contributor
The article on Secure by Default does not say so, but it would not surprise me if high-confidence spam goes straight to the hosted quarantine regardless of policy. However, the article also says that if the MX does not point directly to O365 then you can cheerfully overrule all of that with a mail flow rule.
It isn't clear to me from your original post if you are redirecting from Godaddy or are accepting mail via a connector. If the latter, have you worked through the enhanced filtering for connectors in the Threat Policies section of MDO? I can't help much there as I have not used that sort of configuration since I moved off-premises over 5 years ago. I do know that neither MDO nor many other solutions will work particularly well if they do not understand your own upstream arrangements. Accepting mail from a redirection is generally a hopeless exercise, unless you want a lot of practice doing content filtering.