I created a transport rule that raises the scl on bulk emails, and send the emails to the quarantine. How can i quickly identity emails that were detected by the rule and sent to the quarantine? Does EOP stamp an attribute on the message header? can i find these emails running a report a report in EOP\Defender ?
The Get-MailDetailTransportRuleReport gives you a detailed list of all messages processed by transport rules, you can filter it down to specific rules as needed. Message trace details also contain this information. Header will also contain some information, but those are generally harder to get compared to the two aforementioned methods.