Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community
Simplifying the Quarantine Experience
Published Aug 24 2021 08:00 AM 50K Views

Managing false positives should be easy

As cyber security becomes a crucial part of the day-to-day activities of every organization, it becomes vital to allow different organizations to customize their security tools in a way that best fits and meets their needs while ensuring that such customization do not compromise on the productivity of its employees. This is why in Microsoft Defender for Office 365 we look at not only offering the best protection and tools to manage detected threats and possible misses, but also focus on continually improving the solutions we offer for protection from false positives. After all, email remains the number one attack vector used by bad actors. Our key principles remain:

  • Making it easy for end user to identity false positive across a variety of situations such as individual mailboxes, shared mailboxes, and delegated scenarios
  • Keeping users secure as they interact with these emails
  • Ensuring security teams can efficiently review and act on quarantine messages.


Exciting new updates are coming soon!

Microsoft Defender for Office 365 is rolling out key quarantine management features that will help empower SecOps professionals and end users when triaging emails:

  • Quarantine folder policy and user release request workflow
  • Customer organization branding
  • Streamlined email submission from the quarantine portal
  • Robust release of bulk quarantined emails  
  • Secured preview of quarantined emails
  • Quarantine support for shared mailboxes  


Quarantine folder policy and user release request workflow

Today Microsoft allows organizations to empower their end users to triage phishing messages. Some organizations would prefer to limit these triage capabilities to their security teams, and others find the capability allows them to augment a smaller SecOps team by extending the process to end users.


With the new quarantine folder policy, SecOps will be able to configure custom end user access (including request release permissions) to messages quarantined by Exchange Online Protection and Microsoft Defender for Office 365 policies which will help alleviate the inefficiencies that comes with fixed controls.



Figure 1: New quarantine policy allows for granular control of user accessFigure 1: New quarantine policy allows for granular control of user access



Custom organization branding

Deception is a key component of phishing attacks, and customers want to eliminate any hesitation when it comes to legitimate system automated messages. We are adding capabilities to making it possible for SecOps to customize end user quarantine notifications with their respective organization logo, email display name, and disclaimer. Doing so helps ensure that users have safe and secure access to their quarantined messages and trains them to recognize legitimate notifications.


Figure 2: Custom organizational branding for quarantine notifications.Figure 2: Custom organizational branding for quarantine notifications.



Streamlined email submission from quarantine portal

With this change we’re giving SecOps the ability to allow senders for a specified period, right from the quarantine workflow. When releasing emails to end users, admins can now opt to remember this decision by creating an entry in the tenant allow/block list that corresponds to the indicator of compromise aligned with the message in question. SecOps can now also choose to allow or prevent users from submitting messages to Microsoft for analysis.



Robust release of bulk quarantined emails

Quarantine release should be efficient, not tedious. In large organizations it can take time to triage quarantine mails. The previous structure in place was aimed at releasing emails in a serialized approach but will now be replaced with a parallel form, helping streamline the process and save your SecOps team valuable time.   


Secured preview of quarantined emails

To limit exposure to unwanted or malicious content, we are enhancing how users preview quarantined messages to provide additional security against embedded threats.  With this change some components in quarantined messages will be distorted and not displayed by default. To see the full contents of the message, users can choose to reveal the full message.


Figure 3: Images are withheld from users to prevent embedded threats.Figure 3: Images are withheld from users to prevent embedded threats.



Quarantine support for shared mailboxes

With this update, users who have been granted delegate access to shared mailbox either through direct access or security group access will now be able to triage the quarantine folder items of those mailboxes. This makes managing the quarantine for shared mailboxes easier for users.


Support for priority accounts

In 2020 we launched Priority Account Protection in Defender for Office 365, helping security teams focus on the most visible and most targeted users in their environments. We’re expanding this visibility by incorporating priority account tags in the quarantine experience, enabling security teams to focus on these priority accounts as they triage the quarantine folder. 


Sending end user quarantine notification with user mailbox language locale

We are providing the possibility for end user spam notification to go out by default in the end user mailbox language setting.

Previously, security admins had to choose the user specific language for Office 365 to use while sending user quarantine notifications. In an organization where users speak multiple languages this becomes a challenge.


A new look for the quarantine portal

We are revamping the design of the quarantine portal to allow for a better user experience when triaging false positive emails. This new look and feel is more than a cosmetic change – we’ve designed the new experience to help surface more data in a more useful and simple way. The screenshots below show what the new UX adds, like more filters, a revamped flyout, and better filter visibility.



Figure 4: The quarantine portal todayFigure 4: The quarantine portal today



Figure 5: The new look for the quarantine portalFigure 5: The new look for the quarantine portal


New email detail panel

Earlier this year we launched the email entity page, which gives SecOps a 360-degree view of an email, putting all the relevant details in the hands of the analyst. We are replacing the email details panel in quarantine with a panel that provides the same in-depth view of each email in quarantine which will bolster SecOps confidence when making decisions.



Figure 6: We've added components from the email entity page to the quarantine experience.Figure 6: We've added components from the email entity page to the quarantine experience.



Stay tuned!

We’re continuing to enhance the quarantine experience and workflow for both end users and security teams. Here’s a few enhancements you can expect to see in the coming months:

  • We’ll be adding an hourly frequency for end user spam notifications to enable customers to increase the frequency of these notifications to users when the need arises
  • Large scale bulk release, allowing SecOps to release more than 100 mails at a time
  • Enhanced search functionality to accommodate things like such as partial string matches





Do you have questions or feedback about Microsoft Defender for Office 365? Engage with the community and Microsoft experts in the Defender for Office 365 forum.




Version history
Last update:
‎Aug 23 2021 04:01 PM
Updated by: