Email - Quarantined Message

Creation date: 3/6/2024 10:47 AM | Updated: 9/13/2024 8:14 PM | Tags: email, microsoft, outlook, quarantine, security
This applies only to Outlook mailboxes and does not impact GMail accounts.

Microsoft utilizes automated systems to detect suspicious emails. Sometimes this causes safe emails to be identified incorrectly as malicious. If Microsoft deems the message to be malicious with high confidence, it cannot be released without first going through a manual inspection by someone on our IT team. Emails are stored in quarantine for up to 30 days. If an email needs to be released, be sure to request the release early so there is enough time for it to be reviewed and released before the 30 days are up. After expiration, there is no way to release the message.

When you click the "Request Release" button on a suspected bad email, the following takes place:
  1. A notification email is sent to the NCMC IT staff that there is a message that needs to be reviewed.
  2. A member of the IT staff logs into the Microsoft Security portal and reviews the message. Depending on when the release was requested and current workload, it may take an extra day or two before it can be reviewed.
  3. During the review, the IT staff can view whether the email passed multiple security checks.
  4. If needed, the staff member may also preview the message to verify the content.
  5. If the message is deemed to be bad after the review, the release is denied. If the message turns out to be safe, the message is released and also sent to Microsoft to improve their automated detection abilities in the future. If the IT staff member can't confidently determine whether the email is safe or not, they may reach out to you to get more information, like if you were expecting the email or if you are familiar with the person/company.
When IT reviews the message, the following is what they can view and how each item helps determine whether the message is safe:
  • Received Date/Time - Does the time received make sense for the type of email sent?
  • Subject - What is this email about?
  • Quarantine Reason - Why did Microsoft block it?
  • Recipients - How many people got this message, was it a mass email?
  • Detection Technologies - What did Microsoft use to determine this was bad?
  • Sender Display Name - Who does this email appear to be from?
  • Sender Address - Does the sender address match who they appear to be?
  • Sender Mail From Address - Does the mail from match the sender address?
  • Return Path - If replied to, or bounced back, who does it go to?
  • Sender IP - What infrastructure did they send from, where geographically?
  • SPF Check - Did they pass the first level of email security standards?
  • DKIM Check - Did they pass the second level of email security standards?
  • DMARC Check - Does the sender domain specify what to do with the email if it fails SPF and/or DKIM?
  • Composite Authentication Check - Microsoft's combined verdict from the SPF, DKIM and DMARC results plus its own sender-reputation signals
  • URLs (including hidden ones) - Are there any suspicious URLs?
  • Attachment Names and File Types - Are there any suspicious file names or file types?
  • Attachment Threat - What threat did Microsoft find in the attachment?
  • Attachment Detection Tech/Malware Family - What type of threat was found?
  • Message Header - Does the header look correct, or has it been tampered with?
  • Preview Message (Source and Plain Text) - Does the layout of the email look legit, is it grammatically correct, are there any spelling errors, is there hidden content in the plain text view?
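The checklist above can be walked mechanically once the reviewer has the message source. The script below is an added example, not code from this page or from Microsoft; it assumes the raw message (.eml) has been exported from the quarantine portal, and the message it analyses is constructed for illustration only. It reads the Authentication-Results header for the SPF, DKIM, DMARC and composite authentication verdicts and the sender IP, compares the From, Mail From, Return-Path and Reply-To domains, lists every link in the HTML body (flagging bare-IP hosts), notes hidden content that would only show in the plain text view, and lists attachment names and types.

```python
"""Walk the quarantine review checklist against a message's source.

Added example, not code from the page or from Microsoft. It assumes the
reviewer has the raw message source (.eml) exported from the quarantine
portal; the message below is constructed for illustration only.
"""
import ipaddress
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample: the display name claims one company, the envelope
# (MAIL FROM / Return-Path) and Reply-To point elsewhere, SPF passes for the
# bulk sender's domain, and DMARC fails because From is not aligned with it.
SAMPLE_EML = """\
Authentication-Results: spf=pass (sender IP is 203.0.113.45) smtp.mailfrom=bulk.example.net;
 dkim=none (message not signed) header.d=none;
 dmarc=fail action=quarantine header.from=payroll.example.com;
 compauth=fail reason=000
Received: from mail.bulk.example.net (203.0.113.45) by mx.example.com
From: "Payroll Department" <hr@payroll.example.com>
Return-Path: <bounce-1234@bulk.example.net>
Reply-To: <recovery@invoice-portal.example.org>
To: staff@example.com
Subject: Updated direct deposit form
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please <a href="http://203.0.113.45/login">review your payroll settings</a></p>
<p style="font-size:0">hidden text that only shows in the plain text view</p>
</body></html>
"""

# File types a reviewer would look at twice (assumed list for this example).
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".iso", ".html", ".lnk", ".scr"}


def parse_auth_results(msg):
    """Pull the SPF/DKIM/DMARC/compauth verdicts, properties and sender IP from the header."""
    raw = re.sub(r"\s+", " ", str(msg.get("Authentication-Results", "")))
    results = {m.group(1): m.group(2)
               for m in re.finditer(r"\b(spf|dkim|dmarc|compauth)=(\w+)", raw)}
    for prop in ("smtp.mailfrom", "header.from", "header.d"):
        m = re.search(re.escape(prop) + r"=([^\s;]+)", raw)
        if m:
            results[prop] = m.group(1)
    m = re.search(r"sender IP is ([0-9a-fA-F.:]+)", raw)
    results["sender_ip"] = m.group(1) if m else None
    return results


def domain_of(header_value):
    """Lower-cased domain of the first address in a header, or None if absent."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def sender_alignment(msg, auth):
    """Compare the From, MAIL FROM, Return-Path and Reply-To domains, as the checklist asks."""
    from_domain = domain_of(msg.get("From"))
    mailfrom_domain = auth.get("smtp.mailfrom", "").rsplit("@", 1)[-1].lower() or None
    return {
        "from_domain": from_domain,
        "mailfrom_domain": mailfrom_domain,
        "returnpath_domain": domain_of(msg.get("Return-Path")),
        "replyto_domain": domain_of(msg.get("Reply-To")),
        "mailfrom_aligned": from_domain is not None and from_domain == mailfrom_domain,
    }


def extract_links(html):
    """Every anchor in the HTML body: target, visible text, host, and whether the host is a bare IP."""
    links = []
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, flags=re.I | re.S):
        host = urlsplit(href).hostname or ""
        try:
            ipaddress.ip_address(host)
            raw_ip = True
        except ValueError:
            raw_ip = False
        links.append({"href": href, "text": re.sub(r"<[^>]+>", "", text).strip(),
                      "host": host, "raw_ip_host": raw_ip})
    return links


def triage(eml_text):
    """Return the checklist data plus a list of findings a reviewer should look at."""
    msg = message_from_string(eml_text, policy=policy.default)
    auth = parse_auth_results(msg)
    align = sender_alignment(msg, auth)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    links = extract_links(html)
    attachments = [(p.get_filename() or "", p.get_content_type()) for p in msg.iter_attachments()]

    findings = []
    for check in ("spf", "dkim", "dmarc", "compauth"):
        if auth.get(check) != "pass":
            findings.append(f"{check}={auth.get(check, 'missing')}")
    if not align["mailfrom_aligned"]:
        findings.append(f"From domain {align['from_domain']} does not match MAIL FROM domain {align['mailfrom_domain']}")
    if align["replyto_domain"] and align["replyto_domain"] != align["from_domain"]:
        findings.append(f"Reply-To goes to {align['replyto_domain']}, not {align['from_domain']}")
    for link in links:
        if link["raw_ip_host"]:
            findings.append(f"link to bare IP address {link['host']}")
    if re.search(r"(font-size\s*:\s*0|display\s*:\s*none)", html, re.I):
        findings.append("HTML contains hidden content (visible only in the plain text view)")
    for name, _ in attachments:
        if any(name.lower().endswith(ext) for ext in RISKY_EXTENSIONS):
            findings.append(f"risky attachment type: {name}")
    return {"auth": auth, "alignment": align, "links": links,
            "attachments": attachments, "findings": findings}


if __name__ == "__main__":
    for finding in triage(SAMPLE_EML)["findings"]:
        print("-", finding)
```

Run against the constructed sample, the findings list shows exactly the pattern the checklist is designed to catch: SPF passes (for the bulk sender's own domain) while DKIM is absent, DMARC and composite authentication fail, the From domain does not match the Mail From and Return-Path domain, the Reply-To goes to a third domain, the only link points at a bare IP address, and the HTML hides text that the plain text preview would reveal. Any one of these alone is not proof; together they are what the reviewer weighs before releasing or denying.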