Instant/Live Alerts for Quarantined Emails

Hello and hopefully this is the right forum. My work email is Outlook and is filtered through Windows Defender. I'm still not sure of what Defender does that the regular Junk email folder doesn't do.

 

But my question with an example... I work as an estimator and submit bids to owners. An issue I have with Defender is that it quarantines messages and tells me the next day that it quarantined a message. At this point, my bid was due the day before and I missed this vital piece of information that was quarantined with no real-time notifications. This is obviously extremely frustrating as I can lose bids and work for my company because of this delay. Bids are fast-paced and busy in the last few hours before submission. I don't have time to keep checking other programs.

 

How can I get live updates for quarantined email? Heck, I'd like to turn off the email quarantine feature and just let the regular junk mail folder do its work. At least the junk mail folder has a live/real-time indicator.

6 Replies
Hi Chris,

Are you an admin of your organization? You could set up notifications when email goes in quarantine to a certain account. Else you could navigate to: https://security.microsoft.com/quarantine?viewid=Email

This should provide you a personalised view of your quarantined emails.

Finally you can also have your Admin change where the emails end up if you'd prefer these going to the junk folder rather than Quarantine.

Let me know if this helped?

@kaydaskalakis

Thanks for the reply and help. I'm not an admin but I do get notifications. I just get them the next day which is a day late, lol.

It's kludgy having to monitor a second account in a fast-paced bid, but I guess if it can't be fixed, I'll have to use the workaround.

 

Any idea why there is a spam folder in Outlook if there is a Quarantine site too? Why have both? If one isn't working good enough, why not get rid of it and only have one? If they are both working good enough, why have two?

Hi Chris,

This forum is focused on Defender for Identity. I'm guessing that based on the nature of your query, you'd be better placed asking about this in the Defender for O365 forum, which is the product we have that's designed to protect the email and collaboration space.

I'd probably suggest that you speak to your IT admins too - there's a tonne of options available around populating allow lists for known recipients and other settings that could make your experience more streamlined.

Hope this helps solve your problem eventually.

Thanks for pointing out the forum. I'll pop over there and see what I can find.

Hi @Chris_Rokitski_ ,

 

The short answer is that an admin would implement Quarantine policies on a tenant to be able to "control what users are able to do to quarantined messages based on why the message was quarantined". In essence this is done to lower the risk by delegating that control from the user to the admin.

This can of course become an inconvenience if legitimate emails frequently get flagged as a potential risk, but rather than getting into a "please allow this sender" logic, your SOC's or IT Admins' work should be focused on understanding why the other end is getting flagged by Microsoft's Machine Learning as a potential threat.

From experience most of the time legitimate emails being flagged up are because the 3rd party sending you an email tends to use a mailer program that is not set up correctly with SPF and DKIM records, or they are legitimately spoofed.

In any case again the quick answer on whether this behaviour can be changed so you get all these items into your Junk folder rather than in quarantine is YES you can. At the expense of risk.

The setting is controlled via a number of policies in the backend set by your administrator. They have explicitly set, for instance, that "messages detected as an impersonated user" would go to Quarantine instead of being moved to the Junk folder. Example below of these individual settings from an Anti-Phishing policy (Anti-phishing - Microsoft 365 security)

[Image: Anti-phishing policy]

Hope this helps!
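The `Authentication-Results` header of a released or quarantined message records which of the SPF, DKIM and DMARC checks mentioned in the reply above did not pass. The following is an added example, not part of the original thread: it parses that header from a constructed sample message (the domain, IP address and header values are made up), and the set of results treated as acceptable is an assumption.

```python
import re
from email import message_from_string

# Constructed sample message; domain and IP are documentation placeholders.
SAMPLE = """\
Authentication-Results: spf=fail (sender IP is 203.0.113.5)
 smtp.mailfrom=bids.example.com; dkim=none (message not signed)
 header.d=none; dmarc=fail action=quarantine
 header.from=bids.example.com; compauth=fail reason=000
From: Owner <owner@bids.example.com>
Subject: Addendum 3 - bid documents

body
"""

METHODS = ("spf", "dkim", "dmarc", "compauth")
# Assumption: results treated as acceptable for this triage.
OK = {"pass", "bestguesspass", "softpass"}


def parse_auth_results(raw_message):
    """Return {method: {"result": ..., <property>: ...}} from the headers."""
    msg = message_from_string(raw_message)
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        value = " ".join(value.split())            # unfold continuation lines
        value = re.sub(r"\([^)]*\)", "", value)    # drop (comments)
        for clause in value.split(";"):
            m = re.match(r"\s*(\w+)=(\w+)(.*)", clause)
            if not m or m.group(1).lower() not in METHODS:
                continue
            props = dict(re.findall(r"([\w.]+)=(\S+)", m.group(3)))
            # The topmost header is the most recent hop; keep its verdict.
            verdicts.setdefault(m.group(1).lower(),
                                {"result": m.group(2).lower(), **props})
    return verdicts


def failing_checks(raw_message):
    """List the checks that did not pass, i.e. what the sender has to fix."""
    return sorted(f"{method}={v['result']}"
                  for method, v in parse_auth_results(raw_message).items()
                  if v["result"] not in OK)


if __name__ == "__main__":
    print(failing_checks(SAMPLE))
```
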

 

Where did you find this menu? I showed it to my support department and they could not find it to be able to access it.