Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Instant/Live Alerts for Quarantined Emails

Copper Contributor

Hello and hopefully this is the right forum. My work email is Outlook and is filtered through Windows Defender. I'm still not sure of what Defender does that the regular Junk email folder doesn't do?

 

But my question with an example... I work as an estimator and submit bids to owners. An issue I have with Defender is that it quarantines messages and tells me the next day that it quarantined a message. At this point, my bid was due the day before and I missed this vital piece of information that was quarantined with no real-time notifications. This is obviously extremely frustrating as I can lose bids and work for my company because of this delay. Bids are fast pace and busy in the last few hours before submission. I don't have time to keep checking other programs. I also get emails from both existing contacts and new contacts, so it is difficult setting up filters for new contacts on bid day when I am too busy with other tasks. 

 

How can I get live updates for quarantined email? Heck, I'd like to turn off the email quarantine feature and just let the regular junk mail folder do its work. At least the junk mail folder has a live/real-time indicator. 

3 Replies

It's a common ask, @Arindam Thokder might be able to share the latest on this.

@Vasil Michev lol, so it sounds like it is a commonly ignored ask if it has never been incorporated into the program.

Microsoft slaps the word Defender on what, five, six related products now? This group is for Defender for Office 365, the rebrand of the Advanced Threat Protection add-on for Exchange Online. I have it on good authority that the accepted abbreviation is MDO, and I'm going to assume that MDO / Exchange Online is your problem.

I cannot think of any defensive layer in MDO or EXO that insists that the messages it detects shall go to hosted quarantine. Even the malware filter can be circumvented by nominating an account for SecOps, though you probably don't want to do that.

The product default action for a filter might be to quarantine, or a threat policy set by your organisation might be to quarantine. That does not have to apply to everyone. Most threat policies can be duplicated to apply an action just to one group, with everyone else under a general policy. Your "fast reaction" group might have hits from the problematic policy delivered to their Junk Email folders or might receive an instant notification mail for each hit; there are lots of possibilities. If your in-house IT do not have the time or the expertise, ask them to involve your Microsoft partner. In this climate, lost business should be a fairly compelling argument.

Some caveats:

Turning the dial down on a defence may increase the risk to your organisation. Quarantine gives time for the zero-hour automated purge and other mitigating factors to apply. You may need to convince your IT that you have the skills to handle this extra risk, or you may need to accept protective measures such as multi-factor authentication or conditional access.

Some of the changes I have suggested will add to your Inbox noise. If you pass the load to your Junk Email folder you may find it harder to find items wrongly sent to Junk Email for other reasons.

There is generally a reason why Microsoft sent an item to quarantine. There has been a lot of noise this year about clever supply chain attacks, but the simplest form of this is where an attacker breaks into a party on your supply chain to send you malware using the spoofed reply tactic. You should be wary of opening quarantined attachments from known customers unless you have an idea of why the message was quarantined.