Forum Discussion

CMurray910
Copper Contributor
Dec 18, 2023
Solved

Outlook Quarantine repeatedly blocks valid emails

The Quarantine programme blocks email repeatedly from the same email addresses, despite the email being released each time. I cannot see a button "always trust from this sender" similar to the junk mail box.

It is extremely frustrating as time sensitive emails are being held in quarantine. The notification is not sent immediately and this causes unwarranted and unnecessary delays.

Is there any way to turn the quarantine service off? It is a useless service from my perspective and offers nothing but delays and frustration. The Junk Mail box is more than adequate.

Ironically, the only phishing attempts I have received managed to dodge both the quarantine and junk mail folder.


3 Replies

  •
    ExMSW4319
    Iron Contributor
    If the same address or domain is repeatedly a problem, have you checked to see why? There could be a reason. I have two live cases running at the moment where contact 1 says "I am constantly getting phish" and contact 2 says "Can you safelist mail from this supplier?" Needless to say, both contacts are talking about the same shared SMTP service. Adding the sender or domain to the trusted senders or trusted domains lists in your anti-phishing policy may help, though you should avoid senders that are obvious targets for spoofing and freemail domains containing many, many senders.

    If you genuinely feel the EOP service is oversensitive, have you examined your anti-phishing policy? You have the option to decrease the sensitivity and to take lesser actions rather than quarantine. You can turn off mailbox intelligence impersonation protection if it keeps on causing different problems and there are too many senders to put in trusted lists. You cannot stop EOP quarantining what it calls "high confidence phish" and malware.

    Finally, if you are not the person in your organisation setting the anti-phishing policy then you can ask them to write a policy just for you, if you can convince them that you are smarter than the average bear. Mr Ranger may not like it, but there are additional mitigations they can apply to your mailbox to offset the risk from a looser policy.
    •
      CMurray910
      Copper Contributor
      Thank you for the thorough and helpful reply!

      Am I correct in that, provided I do not click on links, files, folders etc. except in emails received from trusted sources, there is no immediate risk in the messages reaching my inbox? And no risk at all where the message is deleted?

      Or can an email 'infect' my account, simply by being delivered and/or opened?

      My IT dept. will need to make the changes to my anti-phishing policy, so I want to be sure I understand the level of risk I am asking for!

      It is only maybe 3 emails in the last year that have been held, but they were urgent & ultimately weren't seen until the following day, hence the momentary flare up of frustration.

      Thanks again for your reply & insight, it is much appreciated

      •
        ExMSW4319
        Iron Contributor
        We see a small number of vulnerabilities that can attack via the preview pane or when the message is opened, but they are very rare. The days when Outlook (or Outlook Express!) were open invitations to compromise are over. The smartphone attack surface may be a concern, particularly if your organisation's app policies permit any old mail client (shudder).

        Trusted sources can be breached, unless they are very secure. A lot of my grief comes from compromised customers, suppliers and prospects. Naturally my users trust them, unless they see something innately / inanely wrong.

        Do not minimise the nuisance factor if your anti-spam and anti-phishing policies admit more obvious rubbish that you can easily spot. If a policy is being changed for the whole organisation, remember to multiply any slight risk by the number of recipients. That is one reason why a "veteran user group" policy might be an idea. You need an age / experience qualifier so newbie VIP users cannot demand instant membership of the veteran group. A clueful IT department might ask for a proven record of user submissions before admitting a user to the group. Make a serious / egregious error of judgement and you are kicked out of the group.

        Let us assume a worst-case scenario where your IT department says no to your request. You mention a low incident rate and a delay in reaction; are you sure your quarantine user policies are set up properly? I am not an expert as we do not use notifications, but it seems that they can be set to notify on a 4-hourly basis rather than daily. The relevant documentation appears to be here:

        https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-policies?view=o365-worldwide

        All corrections and additional observations welcome.
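The scoped "veteran user" anti-phishing policy suggested earlier in the thread and the 4-hourly quarantine notification mentioned in this reply, as an added Exchange Online PowerShell example (not code from either poster). It assumes the ExchangeOnlineManagement module and an account with rights to edit threat policies; the policy name, group address, trusted sender and trusted domain are placeholders.

```powershell
# Added example, not from this thread: give one experienced-user group a less
# aggressive anti-phishing policy that junks rather than quarantines, and set
# quarantine notifications to the shortest interval EOP offers (4 hours).
# Assumes the ExchangeOnlineManagement module and an account holding the
# Security Administrator (or equivalent) role. Names and addresses below are
# placeholders, not real tenant values.
Connect-ExchangeOnline

$policyName    = 'Veteran users - junk instead of quarantine'  # placeholder
$groupAddress  = 'veteran-users@contoso.example'               # placeholder group
$trustedSender = 'notifications@supplier.example'              # placeholder
$trustedDomain = 'supplier.example'                            # placeholder

# 1. Dedicated policy. Impersonation protection stays on (the reply above
#    suggests turning mailbox intelligence off only as a last resort), but
#    its verdict moves mail to Junk Email instead of quarantine.
#    PhishThresholdLevel 1 is the least aggressive spoof/phish setting.
#    High-confidence phish and malware are still quarantined regardless.
New-AntiPhishPolicy -Name $policyName -Enabled $true `
    -PhishThresholdLevel 1 `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction MoveToJmf `
    -ExcludedSenders $trustedSender `
    -ExcludedDomains $trustedDomain

# 2. Rule that applies the policy only to members of the group. Priority 0
#    evaluates it before other custom policies; the default policy still
#    covers everyone else, so the looser settings are not multiplied across
#    the whole tenant.
New-AntiPhishRule -Name $policyName -AntiPhishPolicy $policyName `
    -SentToMemberOf $groupAddress -Priority 0

# 3. Notification frequency lives in the global quarantine settings, not in a
#    per-policy object. 04:00:00 (4 hours) is the shortest allowed value;
#    the alternatives are 1.00:00:00 (daily) and 7.00:00:00 (weekly).
$globalQuarantine = Get-QuarantinePolicy -QuarantinePolicyType GlobalQuarantinePolicy
Set-QuarantinePolicy -Identity $globalQuarantine.Identity `
    -EndUserSpamNotificationFrequency 04:00:00

# 4. Verify what was applied before telling the user it is done.
Get-AntiPhishRule -Identity $policyName | Format-List Name, Priority, SentToMemberOf, State
Get-AntiPhishPolicy -Identity $policyName |
    Format-List Name, PhishThresholdLevel, MailboxIntelligenceProtectionAction, ExcludedSenders, ExcludedDomains
Get-QuarantinePolicy -QuarantinePolicyType GlobalQuarantinePolicy |
    Format-List Name, EndUserSpamNotificationFrequency

Disconnect-ExchangeOnline -Confirm:$false
```

The trusted sender and domain lists only bypass impersonation checks, so a sender whose own mailbox is compromised (the failure mode described above) is still subject to spoof, spam and malware filtering.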
