Sometimes emails land in quarantine because the message is too spam-like or potentially malicious to be delivered to the end user (admin quarantined). Usually, when end users notify you that a legitimate email has been quarantined, the Review section of the Office 365 protection blade (https://protection.office.com/threatreview) will help you retrieve, review and release those legitimate messages to the intended users. However, I faced an abnormal situation: internally shared emails were frequently quarantined for no valid reason, and they showed no suspicious behavior or trend.
Whenever a legitimate email is quarantined, we can fetch it from the Review section. Typing the sender address or subject line filters the list down to the message, so we can review it and then take the necessary action.
The messages below are obvious malware and phish, so they are not my concern at all! O365 security is doing a great job here, catching hundreds of malicious items daily!
But how about these two cases?
- Legitimate mail from trusted partners or external vendors/customers is regularly admin quarantined, without even reaching the end user's spam folder?
- Even internal emails shared within the organization are admin quarantined?
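To measure how often the second case occurs, the quarantine can also be summarized from Exchange Online PowerShell. The following is an added example, not part of the original post: the function name `Get-InternalQuarantineSummary`, the `contoso.example` domain and the sample rows are constructed for illustration, and the commented lines at the end assume the ExchangeOnlineManagement module with an active `Connect-ExchangeOnline` session.

```powershell
# Added example: summarize quarantined mail whose sender is in one of your own domains.
function Get-InternalQuarantineSummary {
    param(
        [Parameter(Mandatory)] [object[]] $Messages,   # rows as returned by Get-QuarantineMessage
        [Parameter(Mandatory)] [string[]] $OwnDomains  # DomainName values from Get-AcceptedDomain
    )
    $own = $OwnDomains | ForEach-Object { $_.ToLowerInvariant() }
    $Messages |
        Where-Object {
            # Keep only messages whose sender domain is one of the tenant's domains
            $domain = ([string]$_.SenderAddress -split '@')[-1].ToLowerInvariant()
            $own -contains $domain
        } |
        Group-Object Type, PolicyName |          # quarantine reason + policy that fired
        Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Count    = $_.Count
                Type     = $_.Group[0].Type
                Policy   = $_.Group[0].PolicyName
                Subjects = ($_.Group.Subject | Select-Object -Unique -First 3) -join ' | '
            }
        }
}

# Constructed sample rows (not real tenant data), shaped like Get-QuarantineMessage output
$sample = @(
    [pscustomobject]@{ SenderAddress = 'alice@contoso.example'; Type = 'Phish'; PolicyName = 'Default'; Subject = 'Q3 budget review' }
    [pscustomobject]@{ SenderAddress = 'bob@contoso.example';   Type = 'Phish'; PolicyName = 'Default'; Subject = 'Updated onboarding links' }
    [pscustomobject]@{ SenderAddress = 'carol@contoso.example'; Type = 'Spam';  PolicyName = 'Default'; Subject = 'Team lunch' }
    [pscustomobject]@{ SenderAddress = 'promo@vendor.example';  Type = 'Bulk';  PolicyName = 'Default'; Subject = 'Newsletter' }
)
Get-InternalQuarantineSummary -Messages $sample -OwnDomains 'contoso.example' |
    Format-Table -AutoSize

# Against a live tenant (last 7 days, first page of up to 1000 results):
# $domains = Get-AcceptedDomain | ForEach-Object { [string]$_.DomainName }
# $msgs    = Get-QuarantineMessage -StartReceivedDate (Get-Date).AddDays(-7) `
#                -EndReceivedDate (Get-Date) -PageSize 1000
# Get-InternalQuarantineSummary -Messages $msgs -OwnDomains $domains
```

A sender address in your own domain can be spoofed, so a row in this summary is a candidate for review, not proof of a false positive.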
Workarounds?
Whitelisting won’t fix this. Filling up your whitelist is not a good idea: whitelisting an address or domain means its mail completely bypasses the spam filter, which is an obvious risk.
In the first case, the external domain is a valid domain with a valid SPF record, and the email content didn’t seem to match any suspicious trend policy. I can simply go ahead and release these messages if this happens occasionally, but that’s not the best practice in this modern era. Adding the internal addresses is not recommended either (you should not add your own domain or email addresses to the whitelist in Exchange Online).
Resolution?
The bottom line is that those emails are marked as phishing, meaning that there’s a link somewhere in the email that’s broken and doesn’t go where it states it should. However, when I submitted these emails to Microsoft and raised a support ticket, I was informed that this is an issue the Microsoft spam team/product group is currently working diligently to fix. Hence, at this point, it is a waiting game and just a matter of bearing with them during the process.
ETA: None as of now
I will update this post as soon as I receive a progress update from Microsoft support.