Microsoft Tech Community
SOLVED

Preset policies have suddenly started notifying users of quarantined messages

Iron Contributor

Hi all.  We have been using preset policies (standard and strict) for some time and were happy with the fact that they don't notify users of messages which have been quarantined (nor is it possible to change the notification policy).  However, quarantine notifications suddenly started turning up in users' mailboxes at the weekend.


Have Microsoft changed something or released an unplanned change?  Hoping you can help clarify the situation.

24 Replies

@OzOscroft We're also seeing the same and wondered if Microsoft changed something. 

@OzOscroft Our users have reported this too. My biggest concern is that a user may inadvertently release emails that have been correctly identified as phishing/malware and action them, making the quarantine system pointless.

@teetotal_mike @TV202 - thanks for confirming my suspicions that it's a change Microsoft have made, nothing we've done.  For info., we first noticed it on Saturday 17th March, was this the same with you?  We also think it's only affecting those covered by the strict preset policy rather than those on standard - is this your experience as well please?


For info., I've raised a ticket with Microsoft and will keep you posted.

@OzOscroft They seem to have started in the early hours of the 18th for us (UK time). Users on the standard policies are receiving the notifications here too, so it would appear to be a global issue.

@teetotal_mike the planned changes from Microsoft applied to both strict and standard policies.


(Updated) Exchange Online Protection: Bulk Filter (BCL) Improvements
MC467231 · Published Nov 15, 2022 · Last updated Feb 7, 2023

ADMIN IMPACT
FEATURE UPDATE


Message Summary
Updated February 7, 2023: We have updated the rollout timeline below. Thank you for your patience.
Exchange Online Protection (EOP) assigns a bulk complaint level (BCL) to inbound messages from bulk mailers. A higher BCL indicates a bulk message is less likely to be wanted by the user.
We are rolling out several changes in how we allocate BCL scores to messages to provide more accurate scoring and coverage for bulk messages. We are also updating the threshold for the strict policy from 4 to 5 to better align with the new scoring. In addition, customers using Microsoft Defender for Office P2 or customers with E5 licenses will be able to view the BCL score for a message in advanced hunting.


When this will happen:
We will begin rolling out in mid-November and expect to complete rollout by late April (previously January).


How this will affect your organization:
This change is expected to improve the handling of bulk messages within your organization and should not impact users. In the case of aggressive bulk settings where the threshold is 4 or less, this may result in wanted bulk messages being called bulk, and it is recommended that such policies be reviewed.


What you need to do to prepare:
There is nothing you need to do; however, it is good practice to review your Antispam policies to ensure that you have an appropriate value for BCL, particularly if you have a threshold of 4 or less.

@OzOscroft  The "Apply quarantine policy" option has changed from "AdminOnlyAccessPolicy" to "DefaultFullAccessWithNotificationPolicy" in the action section of your Anti-Phishing Policy:

[screenshot of the Anti-Phishing policy action section, dated 2023-03-24]

NOTE: There are several of these dropdown boxes.

best response confirmed by OzOscroft (Iron Contributor)
It might have been roadmapped and scheduled, but this change is nonetheless unwelcome. Turning on user quarantine access should be an organisation's decision, not one mandated by Microsoft (even if just as a default). For one thing there is the additional support burden, and for another there are the colossal numbers of phishing attempts spoofing quarantine notices of all shapes and sizes (not just EOP). There is also the fact that it's sometimes harder to recognise a malicious mail in quarantine than in an Inbox. Want a Socratic defence? Don't enable user quarantine access.

I believe that ideally the default policies should be tougher than the actual policies in use for typical users, especially if the tenancy is sufficiently active and dispersed for a new accepted domain to be added without proper consideration. I hear what is said about the pre-set policies engaging new features that some customers might miss. This particular case argues the opposite. Certainly read the roadmap when you can, but I know that I don't always get time to.

Thanks @WDebruyne .  However, we're using the Strict and Standard preset policies which do not allow you to change (or even see) which quarantine policy is being applied.  The only other policies in use are the default ones, but standard and strict take precedence so they wouldn't come into play (even so, I've checked the defaults and they're set to AdminOnlyAccessPolicy anyway).  This is why I suspect Microsoft have changed the configuration of the notifications and there's nothing we can do about it.

Thanks @TV202 .  The change you've highlighted is about how bulk messages are flagged and handled.  It doesn't mention anything about changing notifications and even says there should be no impact on users.  Unfortunately I therefore don't think this answers why users have suddenly started receiving quarantine notifications.

Thanks @Alex Hudish - that's the update we all seem to have missed!  Not being able to configure this is terrible, but at least we know why the change has happened.


I'd encourage anyone who doesn't like this change to head to https://admin.microsoft.com/Adminportal/Home?source=applauncher#/MessageCenter/:/messages/MC505088 and hit the Dislike button at the bottom!


Here's the main text (excluding the detailed table of changes) for info.:

------------------------

Message Summary

Updated March 22, 2023: We have updated the rollout timeline below. Thank you for your patience.

We are updating the recommended quarantine notification policy in the Standard and Strict preset security policies.


With the DefaultFullAccessWithNotificationPolicy, Users will receive quarantine notifications for emails quarantined due to the corresponding threat policy.

*Note that the Quarantine policy assigned here is ineffective since the delivery location is Junk folder

Here is what the quarantine notification looks like: 

[screenshot of the quarantine notification email]


When this will happen:

We will begin rolling this out in mid-February 2023 and complete rolling out by mid-April 2023 (previously mid-March).

How this will affect your organization:

If your organization has enabled preset security policies, these will be automatically updated to include the quarantine notification policies (DefaultFullAccessWithNotificationPolicy) as listed in the above table for the standard and strict protection preset profiles.

What you need to do to prepare:

No action required. Please review the following links to learn more:

Hi all.  As well as encouraging anyone who doesn't like this change to head to https://admin.microsoft.com/Adminportal/Home?source=applauncher#/MessageCenter/:/messages/MC505088 and hit the Dislike button at the bottom, I've added a request in the feedback portal.


Please upvote if you think that Admins should be able to configure when users receive quarantine notifications:

Allow Admins to configure quarantine notifications for Standard and Strict preset threat policies · ...

@OzOscroft What is the reasoning behind making the default to allow users to release quarantined messages?  

Is there no way to apply another notification policy when using Strict Protection?  


In our env, we have a number of companies that designate one or two users to go through quarantine and release etc.  This new policy undermines all of that.  

Hi @tommyg845 - I've no idea why Microsoft have made this change.  I agree that it's not a positive one and is increasing the risk of users releasing potentially malicious messages without appropriate due diligence.  Here's hoping the feedback request to allow us to apply different notification policies gets enough upvotes and is heeded!

This is broken and needs to be fixed. Not being able to stop the notifications and prevent the release of possibly infected emails is out of the control of us admins. I have changed all the Quarantine Settings from DefaultFullAccessWithNotificationPolicy to either AdminOnlyAccessPolicy or even my own custom policy with no notification. But I cannot stop the notifications. This is broken and needs to be fixed so we can properly administer control of spamware into our organization, before we get hit by ransomware and it is all because Microsoft allowed this to happen.

@mvalecruz  @OzOscroft Thanks for reporting this. This change was only made for regular phishing emails. That bucket mostly contains emails which failed dmarc/spoof and as such can have some false positives. So, giving end user notifications will enable them to see potentially useful emails stuck in quarantine and release them. But I understand why some admins feel like this is a risk. We will look to address this soon. Just a quick check, would a policy which enables end user quarantine notifications but need admin approval to release, an acceptable policy to you?
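The two configurations discussed in this thread (the "AdminOnlyAccessPolicy" vs. "DefaultFullAccessWithNotificationPolicy" setting in the anti-phishing action section, and the "notify users but require admin approval to release" option suggested in the reply above) map onto the EndUserQuarantinePermissionsValue bit mask and the ESNEnabled flag of a quarantine policy in Exchange Online PowerShell. The following script is an added example written for this thread, not code from Microsoft or from any poster: it audits which quarantine policy each anti-phishing policy applies and whether it lets users self-release, then builds a custom "notify, request-release only" policy. It assumes the ExchangeOnlineManagement module, an account permitted to manage threat policies, and placeholder policy names; the permission bit values are taken from the New-QuarantinePolicy documentation, and the EndUserQuarantinePermissionsValue output property is an assumption noted in the code.

```powershell
# Added example, not from the thread. Assumes the ExchangeOnlineManagement module
# and an account that may read and edit threat policies. Policy names are placeholders.

# Bit values of EndUserQuarantinePermissionsValue (from the New-QuarantinePolicy docs).
$QuarantinePermissionBits = [ordered]@{
    PermissionToViewHeader     = 128
    PermissionToDownload       = 64
    PermissionToAllowSender    = 32
    PermissionToBlockSender    = 16
    PermissionToRequestRelease = 8    # user can only ask an admin to release
    PermissionToRelease        = 4    # user can release on their own
    PermissionToPreviewMessage = 2
    PermissionToDelete         = 1
}

# Decode an integer permission value into the permission names it contains.
function ConvertTo-QuarantinePermissionNames {
    param([int]$Value)
    $QuarantinePermissionBits.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

# Build the integer value from a list of permission names, rejecting unknown names.
function Get-QuarantinePermissionValue {
    param([string[]]$Permissions)
    $value = 0
    foreach ($p in $Permissions) {
        if (-not $QuarantinePermissionBits.Contains($p)) { throw "Unknown permission: $p" }
        $value = $value -bor $QuarantinePermissionBits[$p]
    }
    return $value
}

# "Notify, but admin approval needed to release": RequestRelease instead of Release (value 27).
$requestReleaseOnly = Get-QuarantinePermissionValue -Permissions @(
    'PermissionToBlockSender', 'PermissionToRequestRelease',
    'PermissionToPreviewMessage', 'PermissionToDelete')

Connect-ExchangeOnline

# 1. Audit: for every anti-phishing policy, list the quarantine policy behind each
#    quarantine action, whether it notifies users, and whether users can self-release.
#    Assumption: Get-QuarantinePolicy exposes EndUserQuarantinePermissionsValue as an integer.
$quarantineActions = 'SpoofQuarantineTag', 'TargetedUserQuarantineTag',
                     'TargetedDomainQuarantineTag', 'MailboxIntelligenceQuarantineTag'
$audit = Get-AntiPhishPolicy | ForEach-Object {
    $policy = $_
    foreach ($action in $quarantineActions) {
        $tagName = $policy.$action
        if (-not $tagName) { continue }
        $tag = Get-QuarantinePolicy -Identity $tagName
        $perms = ConvertTo-QuarantinePermissionNames -Value $tag.EndUserQuarantinePermissionsValue
        [pscustomobject]@{
            AntiPhishPolicy  = $policy.Name
            Action           = $action
            QuarantinePolicy = $tagName
            NotifiesUsers    = $tag.ESNEnabled
            UserCanRelease   = ($perms -contains 'PermissionToRelease')
            Permissions      = ($perms -join ',')
        }
    }
}
$audit | Format-Table -AutoSize

# 2. Create the "notify, request-release only" policy and attach it to a custom
#    anti-phishing policy. As the thread notes, the Standard/Strict preset policies do not
#    expose this setting, so this only helps for default and custom policies.
New-QuarantinePolicy -Name 'NotifyRequestReleaseOnly' `
    -EndUserQuarantinePermissionsValue $requestReleaseOnly -ESNEnabled $true
Set-AntiPhishPolicy -Identity 'Custom AntiPhish Policy' -SpoofQuarantineTag 'NotifyRequestReleaseOnly'
```

Rows in the audit output with NotifiesUsers set to True and UserCanRelease set to True are the combination the thread is concerned about: a user receives a notification and can release the message without anyone else looking at it.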

@Nithin Nara Thank you for your attention. We have a small company and came from a previous email system that was fully controlled by a whitelist. Our employees fully understand that the spam server is under admin control and know when to contact me when emails are expected and not reaching them.

Management here prefer not to get any notifications hitting their inbox. This is the way it has worked for many years.


Microsoft need to allow admins to manage notifications. The suggested solution, "Just a quick check, would a policy which enables end user quarantine notifications but need admin approval to release, an acceptable policy to you?", is acceptable but not perfect; please allow admins to both have the option you mentioned and to turn notifications off for both policies. This should have always been an option.