Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
SOLVED

WHO released emails from quarantine?

Copper Contributor

Today when I looked at https://security.microsoft.com/quarantine

I saw this:

NicoRotaryCH_0-1681398197437.png

I haven't found a way to explain who or how these emails where released.

Where do I find this information?

Thank you

8 Replies
best response confirmed by NicoRotaryCH (Copper Contributor)
Solution

@NicoRotaryCH from the security portal, navigate to the audit blade and search for the activity called the Released Quarantine message 

eliekarkafy_0-1681403268595.png

 

Please click Mark as Best Response & Like if my post helped you to solve your issue. This will help others to find the correct solution easily.

 

@eliekarkafy 

Thank you very much!

Unfortunately this only help to some extent: I ran both classic and regular searches

NicoRotaryCH_0-1681460777194.png

NicoRotaryCH_1-1681460877065.png

 

but they only generated one result. This is not one of the three messages but a release I did for testing purposes.

 

So the three messages released are not on the list!

@eliekarkafy 

 

OK I did some more testing.

I used the Network message ID as keyword search for both the message I released...

NicoRotaryCH_0-1681462348298.png

 

... and the message that was released for unknown reasons:

NicoRotaryCH_1-1681462390907.png

 

Unfortunately I can find any release information in the audit log.

FYI the details of the message: 

NicoRotaryCH_2-1681462599294.png

Do you have any more ideas? Otherwise I will open a ticket.

Thank you!

@NicoRotaryCH lets do this, in the audit logs blade select all the quarantine activities and check what results will get you. Don't forget to set the date of you incident 

eliekarkafy_0-1681463238056.png

 

@eliekarkafy 

 

Thank you - but there are also no lines for the released message:

NicoRotaryCH_0-1681479396321.png

 

well, something happened in the backend, do you have any automation that release messages automatically? if not I suggest you open a ticket with the Exchange team to check if something abnormal happened from their end within your tenant.
Will do, thank you!
Hello Nico You can view how many emails were sent and received by your user in a day by logging in to Office 365 Admin Portal and clicking on "REPORTS" and then "Sent and received mail" under "Protection". You can then choose custom date selection and change custom date range to one day and click "View table" to see the mail amount in the table view¹. If you want to track which of your admins released email from quarantine, you can turn on audit logging before you can start searching the Office 365 audit log. To turn it on, click "Start recording user and admin activity" on the Audit log search page in the Security & Compliance Centre². I hope this helps!
1 best response

Accepted Solutions
best response confirmed by NicoRotaryCH (Copper Contributor)
Solution

@NicoRotaryCH from the security portal, navigate to the audit blade and search for the activity called the Released Quarantine message 

eliekarkafy_0-1681403268595.png

 

Please click Mark as Best Response & Like if my post helped you to solve your issue. This will help others to find the correct solution easily.

 

View solution in original post