Forum Discussion
Block from quarantine. What does it do?
Hi rhodesengr,
Whether a detected message is quarantined by Exchange Online Protection depends on the protection feature that detected the message (malware detection and high-confidence phishing detections) and the Preset security policies.
The preferred (and only) way to update the Microsoft 365 tenant machine learning regarding false positives and negatives is using submissions:
https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/submissions-admin?view=o365-worldwide
MathieuVandenHautte I appreciate the reply but it doesn't answer my question. If I choose an email in Quarantine, and select Block for the action, what happens differently if another email comes from the same address? Seems like nothing different. Just goes to Quarantine again.
- ExMSW4319, Nov 03, 2023, Iron Contributor
The article on Secure by Default does not say so, but it would not surprise me if high-confidence spam goes straight to the hosted quarantine regardless of policy. However, the article also says that if the MX does not point directly to O365 then you can cheerfully overrule all of that with a mail flow rule.
It isn't clear to me from your original post if you are redirecting from GoDaddy or are accepting mail via a connector. If the latter, have you worked through the enhanced filtering for connectors in the Threat Policies section of MDO? I can't help much there as I have not used that sort of configuration since I moved off-premises over 5 years ago. I do know that neither MDO nor many other solutions will work particularly well if they do not understand your own upstream arrangements. Accepting mail from a redirection is generally a hopeless exercise, unless you want a lot of practice doing content filtering.
- rhodesengr, Nov 03, 2023, Copper Contributor
I just want to block the spam. I don't really have any interest in trying to figure out the Microsoft crap. I tried blocking all the messages in Quarantine one by one for a few days and I did not notice any significant reduction in emails getting through to Quarantine. That's why I said that blocking from Quarantine doesn't seem to do anything. I am back to just deleting the emails that end up in Quarantine and using Inky to block the few that get through to either my inbox or Junk folders.
Basically the Quarantine is just an aggravating annoyance that I can't easily just turn off. I am paying big bucks for an email security feature on GoDaddy that actually blocks domains and addresses but Quarantine is circumventing my ability to use Inky by intercepting most of the spam. I guess that's good for someone not paying for the Inky feature but I would like to just shut it off. My only other alternative would be to Release each email and then block them but that's additional work making my life harder rather than easier. Seems ridiculous to Release an email just so I can properly block it.
- ExMSW4319, Nov 07, 2023, Iron Contributor
If you don't know why MDO is taking the action it is performing then it's difficult to say how you could change the config to permit the Inky-stamped items through. If the problem is an anti-spam filter then you can write a mail flow rule to detect the Inky pattern in the content and deliver a notice to you complete with the original e-mail as an attachment. If however the problem is a malware or high-confidence phish verdict then you need to consider more exotic solutions such as appointing your mailbox as a Secops mailbox or writing an anti-phishing policy just for your mailbox that effectively turns the defence off.
- MathieuVandenHautte, Oct 31, 2023, Iron Contributor
Hi rhodesengr,
The MS docs (MS Learn) only provide this information regarding the recommended creation of block entries for domains and email addresses:
https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/tenant-allow-block-list-email-spoof-configure?view=o365-worldwide#create-block-entries-for-domains-and-email-addresses
Emails from blocked domains and addresses are marked as phishing and quarantined by default.
Users in the organization also can't send emails to these blocked domains and addresses.