This chapter covers email quarantine and submission management in Microsoft 365, a critical domain for the MS-102 exam under Security Threats (Objective 3.2). You will learn how Exchange Online Protection (EOP) and Microsoft Defender for Office 365 quarantine potentially malicious messages, how administrators and users manage quarantined items, and how to submit false positives/negatives for analysis. Expect 5-10% of exam questions to touch on quarantine policies, submission workflows, and the underlying mechanisms that protect your organization from email threats.
Imagine a corporate mailroom where every incoming letter is scanned by a security guard (Exchange Online Protection). Most letters go straight to the recipient's desk, but suspicious ones—those with powder, odd smells, or from unknown senders—are placed in a locked holding cell (quarantine). The guard logs each item: sender, recipient, reason for hold, and timestamp. The recipient gets a notification that they have a held letter and can review it via a secure web portal (the quarantine portal). If the letter is harmless, the recipient can click "Release" and the guard delivers it. If it's dangerous, they click "Report" and the guard destroys it. The guard also follows policies: some items are held for all users (e.g., malware), others only for certain departments (e.g., phishing for finance). Every action is audited. This system prevents dangerous mail from ever reaching desks while allowing legitimate items to be retrieved after inspection. In Microsoft 365, the quarantine is that holding cell, and the security guard is the combination of anti-malware, anti-phishing, anti-spam, and transport rules that filter mail before delivery.
What is Email Quarantine and Why Does It Exist?
Email quarantine in Microsoft 365 is a secure holding area for messages that are identified as potentially harmful or unwanted by Exchange Online Protection (EOP) and, if licensed, Microsoft Defender for Office 365 (MDO). The primary purpose is to prevent malicious or unsolicited messages from reaching end users' inboxes while allowing administrators (and optionally users) to review and take action on them. Without quarantine, false positives (legitimate messages flagged as spam) would be lost, and users would be exposed to malware and phishing attempts.
The quarantine system is designed to balance security and usability. Malware is always quarantined. In the default anti-spam policy, high-confidence phishing and phishing are quarantined, while spam, high-confidence spam, and bulk email are delivered to the Junk Email folder; each of those actions is configurable per anti-spam policy, and the Standard and Strict preset security policies quarantine more verdicts (Strict quarantines all of them). Only the malware action cannot be changed.
How Quarantine Works Internally
When a message arrives at Exchange Online, it passes through multiple filtering layers in sequence:
Connection Filtering: Checks sender IP against allow/block lists and reputation. Messages from blocked IPs are rejected at SMTP level, not quarantined.
Anti-Malware Filtering: Scans attachments for known malware signatures. If malware is detected, the message is quarantined (or rejected if policy dictates).
Anti-Spam Filtering (Content Filter): Analyzes message content, headers, and sender reputation. Assigns a Spam Confidence Level (SCL): -1 means filtering was skipped, 0-1 is not spam, 5-6 is spam, and 7-9 is high-confidence spam (2-4 are not used). A separate Bulk Complaint Level (BCL) from 0 to 9 rates how complaint-prone the sender's bulk mail is; a message is treated as bulk when its BCL reaches the bulk threshold set in the anti-spam policy (7 in the default policy).
Anti-Phishing Filtering: Uses machine learning to detect phishing attempts. High-confidence phishing is a separate verdict with higher severity.
Transport Rules (Mail Flow Rules): Can override filtering verdicts or force quarantine.
User Safelists/Blocklists: If the sender is on the user's Safe Senders list, the message skips spam filtering (malware and high-confidence phishing filtering still apply). If the sender is on the user's Blocked Senders list, the message is delivered to the Junk Email folder (SFV:BLK in the message headers); it is not rejected.
Once a message passes all filters, the final verdict determines its disposition:
Deliver to Inbox
Deliver to Junk Email Folder (the default action for spam, high-confidence spam, and bulk in the default anti-spam policy, and for any verdict whose action is set to "Move message to Junk Email folder")
Quarantine (always for malware; by default for high-confidence phishing and phishing; for spam, high-confidence spam, and bulk when the anti-spam policy says so)
Reject (hard bounce at SMTP)
Quarantined messages are held in a per-tenant quarantine store, not in any user's mailbox. Each quarantined message has a unique Identity (two GUIDs separated by a backslash, as returned by Get-QuarantineMessage) and retains the original envelope information (sender, recipients, subject, received time). Retention for spam, high-confidence spam, phishing, high-confidence phishing, and bulk is set per anti-spam policy (QuarantineRetentionPeriod) and can be 1 to 30 days. The default is 30 days, but anti-spam policies created with New-HostedContentFilterPolicy default to 15 days, so verify the value on every policy rather than assuming it. Malware is retained for 30 days and this cannot be changed. After the retention period expires, the message is permanently deleted.
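The verdicts described above are recorded in two headers that Exchange Online stamps on every filtered message, X-Forefront-Antispam-Report (SCL, SFV, CAT and more) and X-Microsoft-Antispam (BCL). The following PowerShell is an added example, not code from the original page or from Microsoft: it parses those headers and maps the scores and category to the disposition the filtering stack would apply. The header text is constructed for illustration; the header names, field keys and CAT/SFV codes are the documented ones.

```powershell
# Added example (not from the original page): parse the EOP verdict headers and
# map SCL/BCL/CAT/SFV to the disposition described in the text above.
# $SampleHeaders is constructed for illustration.
$SampleHeaders = @'
Received: from mail.example.net (203.0.113.5) by
 example.mail.protection.outlook.com with Microsoft SMTP Server
X-Forefront-Antispam-Report: CIP:203.0.113.5;CTRY:US;LANG:en;SCL:6;SRV:;IPV:NLI;
 SFV:SPM;H:mail.example.net;PTR:mail.example.net;CAT:SPM;SFS:(13230031)(1800799024);
 DIR:INB;
X-Microsoft-Antispam: BCL:4;
Subject: Your invoice is ready
'@

# CAT is the category EOP/Defender assigned; SCL and BCL are the scores behind it.
$CategoryVerdict = @{
    MALW = 'Malware'; HPHSH = 'High-confidence phishing'; PHSH = 'Phishing'
    SPOOF = 'Phishing'; DIMP = 'Phishing'; UIMP = 'Phishing'; GIMP = 'Phishing'
    HSPM = 'High-confidence spam'; SPM = 'Spam'; BULK = 'Bulk'; NONE = 'None'
}
# SFV records how spam filtering reached, or skipped, its verdict.
$FilterReason = @{
    SPM = 'Content filter marked as spam';      NSPM = 'Not spam'
    BLK = 'User Blocked Senders list (Junk)';   SFE  = 'Skipped: user Safe Senders list'
    SKA = 'Skipped: allowed sender/domain in anti-spam policy'
    SKB = 'Spam: blocked sender/domain in anti-spam policy'
    SKI = 'Skipped: internal mail';             SKN  = 'Skipped: mail flow rule set not-spam'
    SKS = 'Skipped: mail flow rule set spam';   SKQ  = 'Skipped: released from quarantine'
}

function Get-EopVerdict {
    param([Parameter(Mandatory)][string]$Headers)

    # Unfold RFC 5322 continuation lines so every header occupies a single line.
    $lines  = ($Headers -replace "`r?`n[ \t]+", '') -split "`r?`n"
    $fields = @{}
    foreach ($name in 'X-Forefront-Antispam-Report', 'X-Microsoft-Antispam') {
        $raw = $lines | Where-Object { $_ -like "$($name):*" } | Select-Object -First 1
        if (-not $raw) { continue }
        # Both headers are ';'-separated KEY:VALUE pairs.
        foreach ($pair in ($raw.Substring($name.Length + 1) -split ';')) {
            if ($pair -match '^\s*([A-Z]+):(.*)$') { $fields[$Matches[1]] = $Matches[2] }
        }
    }

    $scl = if ($fields.ContainsKey('SCL')) { [int]$fields['SCL'] } else { $null }
    $bcl = if ($fields.ContainsKey('BCL')) { [int]$fields['BCL'] } else { $null }
    $cat = $fields['CAT']
    $sfv = $fields['SFV']

    # CAT is authoritative; fall back to the SCL bands only when a header lacks it.
    $verdict = if ($cat -and $CategoryVerdict.ContainsKey($cat)) { $CategoryVerdict[$cat] }
               elseif ($scl -eq -1) { 'Filtering skipped' }
               elseif ($scl -ge 7)  { 'High-confidence spam' }
               elseif ($scl -ge 5)  { 'Spam' }
               else                 { 'None' }

    # Malware and high-confidence phishing are always quarantined; every other verdict
    # gets whatever action the recipient's anti-spam policy sets for it.
    $disposition = switch ($verdict) {
        'Malware'                  { 'Quarantine (AdminOnlyAccessPolicy)' }
        'High-confidence phishing' { 'Quarantine (AdminOnlyAccessPolicy)' }
        'Phishing'                 { 'Quarantine in the default policy; configurable' }
        'None'                     { 'Inbox' }
        'Filtering skipped'        { 'Inbox' }
        default                    { 'Junk Email in the default policy; quarantine if the policy says so' }
    }

    [pscustomobject]@{
        SCL = $scl; BCL = $bcl; CAT = $cat; SFV = $sfv
        Reason      = if ($sfv -and $FilterReason.ContainsKey($sfv)) { $FilterReason[$sfv] } else { $null }
        Verdict     = $verdict
        Disposition = $disposition
    }
}

Get-EopVerdict -Headers $SampleHeaders   # sample: SCL 6, BCL 4, CAT SPM -> Spam, Junk Email by default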
Key Components and Defaults
Quarantine Policies:
A quarantine policy defines what actions are allowed for end users (review, release, delete, report) and whether they receive notifications.
Default policies exist for each verdict type: AdminOnlyAccessPolicy (malware and high-confidence phishing – only admins can manage), DefaultFullAccessPolicy (spam and bulk – end users can manage), and DefaultPhishOnlyAccessPolicy (phishing – end users can release but not delete). The set of built-in policies has changed over time, so confirm the names, permission values, and ESNEnabled setting in your own tenant with Get-QuarantinePolicy before relying on them.
You can create custom policies with granular permissions (e.g., allow release but not delete, or require admin approval for release).
End-User Spam Notifications:
When the assigned quarantine policy has end-user spam notifications enabled, users receive a digest email (not one message per item) listing the quarantined messages they are allowed to manage; the frequency is a tenant-wide quarantine notification setting, every 3 days by default. The built-in DefaultFullAccessPolicy does not enable notifications, so check ESNEnabled with Get-QuarantinePolicy before assuming users are being told.
The notification includes sender, subject, date, and a link to the quarantine portal.
Users can release, delete, or report messages directly from the notification or by logging into the quarantine portal at https://security.microsoft.com/quarantine.
Quarantine Portal (Microsoft 365 Defender):
Admins can view all quarantined messages across the tenant.
Filters: by verdict (malware, phishing, high-confidence phishing, spam, bulk), recipient, sender, subject, date range, policy type, and release status.
Actions: Release (with optional report to Microsoft), Release and report as clean (false positive), Delete, Download message headers, Preview message (but not attachments due to security).
Bulk operations: select multiple messages to release or delete.
Submission: from the portal, admins can submit messages to Microsoft for analysis to improve filtering.
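The portal filters and bulk actions above have PowerShell equivalents, which is how the triage scales when the quarantine holds far more than fits on a page (the point made later in the multi-domain scenario). The following is an added example, not code from the original page or from Microsoft: it pages through recent spam and bulk quarantine items, groups them by sender domain to expose a misfiring filter, and releases only the items from a vetted partner domain, reporting them as false positives. It assumes an Exchange Online PowerShell session (Connect-ExchangeOnline) with quarantine management rights; the partner domain and look-back window are placeholders.

```powershell
# Added example (not from the original page). Assumes Connect-ExchangeOnline has
# been run by an account that can manage quarantine. Placeholders are marked.
$LookBackDays  = 7
$PartnerDomain = 'partner.example'   # assumed, vetted sender domain

function Get-RecentQuarantine {
    param([string[]]$QuarantineTypes, [int]$Days)
    $since = (Get-Date).AddDays(-$Days)
    $page  = 1
    $items = @()
    # Get-QuarantineMessage returns at most 1000 items per call; page until a short page.
    do {
        $batch = @(Get-QuarantineMessage -QuarantineTypes $QuarantineTypes `
                     -StartReceivedDate $since -PageSize 1000 -Page $page)
        $items += $batch
        $page++
    } while ($batch.Count -eq 1000)
    return $items
}

# Spam and bulk only: malware and high-confidence phishing are deliberately excluded,
# so nothing below can release an AdminOnlyAccessPolicy item by accident.
$recent = Get-RecentQuarantine -QuarantineTypes Spam, Bulk -Days $LookBackDays

# Top sender domains: a vetted partner at the top of this list usually means a
# missing allow entry or a misfiring mail flow rule rather than real spam.
$recent | Group-Object { ($_.SenderAddress -split '@')[-1].ToLower() } |
    Sort-Object Count -Descending | Select-Object -First 10 Count, Name |
    Format-Table -AutoSize

# Release the partner's messages to all original recipients and report them as false
# positives so the submission reaches Microsoft; skip anything already released.
$recent | Where-Object { $_.SenderAddress -like "*@$PartnerDomain" -and -not $_.Released } |
    ForEach-Object {
        Release-QuarantineMessage -Identity $_.Identity -ReleaseToAll -ReportFalsePositive
        'Released {0} -> {1}: {2}' -f $_.SenderAddress, ($_.RecipientAddress -join ','), $_.Subject
    }
```

Run the release step with -WhatIf first on a large set; the release is immediate and cannot be undone from the portal.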
Submission Management:
Admins can submit false positives (legitimate mail flagged as bad) and false negatives (bad mail that was delivered) to Microsoft for analysis.
Submissions can be made via the Submissions page in Microsoft 365 Defender (https://security.microsoft.com/reportsubmission).
You can submit individual messages or use the User-reported messages feature to collect user reports.
Submissions can be sent to Microsoft for analysis (which updates the filtering model) or used to create allow/block entries in the Tenant Allow/Block List.
Tenant Allow/Block List:
A tenant-level list that overrides filtering verdicts.
Supports entries for: domains, email addresses, file hashes (SHA256), URLs, and spoofed senders.
Expiration differs by entry kind: block entries never expire by default but can be given an expiry date up to 90 days out; allow entries are temporary by design and are removed 45 days after they were last used by default, or on a fixed date at most 30 days out.
Allows only suppress the verdicts the entry type covers (spam, phishing, bulk, URL and file blocks). No allow entry can override a malware or high-confidence phishing verdict.
Entry limits are licence-dependent: with EOP alone the list holds 500 allow and 500 block entries per category (domains and addresses, files, URLs); Defender for Office 365 Plan 1 and Plan 2 raise these limits, and spoofed senders have their own separate limit. Check the current limit for your licence before relying on the 500 figure.
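The following PowerShell is an added example, not code from the original page or from Microsoft, covering the entry lifecycle described above and the phishing-simulation allow used in the healthcare scenario later in this chapter. It assumes an Exchange Online PowerShell session (Connect-ExchangeOnline); the domains, URL, hash and notes are placeholders.

```powershell
# Added example (not from the original page). Assumes Connect-ExchangeOnline has
# been run; all entry values below are placeholders.

# 1. Blocks with an explicit expiry (dates are UTC, at most 90 days out), so a
#    campaign block does not sit in the list forever and eat into the entry limit.
$in30Days = (Get-Date).AddDays(30).ToUniversalTime()
New-TenantAllowBlockListItems -ListType Sender -Block -Entries 'phish-campaign.example' `
    -ExpirationDate $in30Days -Notes 'Credential phishing campaign (ticket placeholder)'
New-TenantAllowBlockListItems -ListType Url -Block -Entries 'phish-campaign.example/login*' `
    -ExpirationDate $in30Days -Notes 'Landing page from the same campaign'
# File entries are SHA256 hex digests; this value is a constructed placeholder.
New-TenantAllowBlockListItems -ListType FileHash -Block `
    -Entries '0000000000000000000000000000000000000000000000000000000000000000' `
    -NoExpiration -Notes 'Confirmed malicious attachment'

# 2. Allow for a third-party phishing simulation. The AdvancedDelivery sub-type is the
#    only allow an admin can create directly; ordinary allows come from the Submissions page.
New-TenantAllowBlockListItems -ListType Url -Allow -ListSubType AdvancedDelivery `
    -Entries 'sim.vendor.example/*' -NoExpiration -Notes 'Phishing simulation vendor'

# 3. Review: never-expiring blocks and unused allows are what fill the list toward its limit.
function Get-TablReviewReport {
    foreach ($list in 'Sender', 'Url', 'FileHash') {
        Get-TenantAllowBlockListItems -ListType $list | ForEach-Object {
            [pscustomobject]@{
                ListType = $list
                Value    = $_.Value
                Action   = $_.Action
                SubType  = $_.ListSubType
                Expires  = if ($_.ExpirationDate) { $_.ExpirationDate } else { 'never' }
                LastUsed = $_.LastUsedDate
                Notes    = $_.Notes
            }
        }
    }
}
Get-TablReviewReport | Sort-Object ListType, Expires | Format-Table -AutoSize

# 4. Remove an entry by value once the campaign is over (or by -Ids from the report).
Remove-TenantAllowBlockListItems -ListType Sender -Entries 'phish-campaign.example'
```

Spoofed-sender entries use the separate New-/Get-/Remove-TenantAllowBlockListSpoofItems cmdlets and are not covered by this report.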
Configuration and Verification Commands
Using Exchange Online PowerShell, administrators can manage quarantine and submissions. Common cmdlets:
Get-QuarantineMessage: Retrieves quarantined messages with filters.
Release-QuarantineMessage: Releases a message from quarantine.
Delete-QuarantineMessage: Deletes a quarantined message.
New-QuarantinePolicy: Creates a custom quarantine policy.
Set-QuarantinePolicy: Modifies an existing policy.
Get-QuarantinePolicy: Lists policies.
Submit-ReportedMessage: Submits a user-reported message to Microsoft.
Get-TenantAllowBlockListItems: Views entries in the Tenant Allow/Block List.
New-TenantAllowBlockListItems: Adds entries.
Remove-TenantAllowBlockListItems: Removes entries.
Example: Release a quarantined message by its Identity:
Release-QuarantineMessage -Identity "c14401cf-aab2-4e8e-8d7c-c3d3d2a62f15\4c2ca98e-94ea-db3a-7eb8-3b63657d4db7" -ReleaseToAll
(Identity values are two GUIDs separated by a backslash, as returned by Get-QuarantineMessage; -ReleaseToAll delivers the message to every original recipient.)
Example: Create a custom quarantine policy that lets end users preview, release, and delete their quarantined messages, with notifications enabled:
New-QuarantinePolicy -Name "CustomEndUserPolicy" -EndUserQuarantinePermissionsValue 7 -ESNEnabled $true
(Note: EndUserQuarantinePermissionsValue is a bitmask: 1 = Delete, 2 = Preview, 4 = Release, 8 = Request release, 16 = Block sender, 32 = Allow sender; 64 and 128 are defined but not used by the portal. Release and Request release are mutually exclusive. Value 7 = Delete + Preview + Release; the built-in full-access value is 23, which adds Block sender. "Report" is not a permission bit.)
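The following PowerShell is an added example, not code from the original page or from Microsoft. It decodes the permission bitmask so a policy review shows what users can actually do, audits every anti-spam policy for the verdict actions, quarantine policy assignments and retention that this chapter says to memorize, and then hardens the default policy. It also shows the built-in alternative to the manager-approval workflow in the bank scenario below: the Request release permission, which routes release requests to admins instead of letting users release directly. It assumes an Exchange Online PowerShell session with rights to edit anti-spam and quarantine policies and that the CustomEndUserPolicy from the example above exists; the threshold and retention values are choices, not defaults.

```powershell
# Added example (not from the original page). Assumes Connect-ExchangeOnline and a
# role that can edit anti-spam and quarantine policies. 'CustomEndUserPolicy' is the
# policy created in the example above.

# EndUserQuarantinePermissionsValue is a bitmask (64 and 128 exist but are unused).
$PermissionBits = [ordered]@{
    Delete = 1; Preview = 2; Release = 4; RequestRelease = 8; BlockSender = 16; AllowSender = 32
}
function ConvertFrom-QuarantinePermissionValue {
    param([int]$Value)
    @($PermissionBits.GetEnumerator() | Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key })
}
function ConvertTo-QuarantinePermissionValue {
    param([string[]]$Permissions)
    $total = 0
    foreach ($p in $Permissions) { $total = $total -bor $PermissionBits[$p] }
    # The service rejects this combination; fail early instead of at Set-QuarantinePolicy.
    if (($total -band 4) -and ($total -band 8)) { throw 'Release and RequestRelease are mutually exclusive' }
    $total
}

# 1. What every quarantine policy grants (full access is 23; admin-only is 0) and
#    whether it actually sends notifications.
Get-QuarantinePolicy | ForEach-Object {
    [pscustomobject]@{
        Name        = $_.Name
        Value       = $_.EndUserQuarantinePermissionsValue
        Permissions = (ConvertFrom-QuarantinePermissionValue $_.EndUserQuarantinePermissionsValue) -join ','
        ESNEnabled  = $_.ESNEnabled
    }
} | Format-Table -AutoSize

# 2. Per anti-spam policy: Junk vs quarantine per verdict, the quarantine policy tied to
#    each verdict, the bulk threshold, and the retention actually in force.
$auditProps = @('Name', 'SpamAction', 'HighConfidenceSpamAction', 'PhishSpamAction',
    'HighConfidencePhishAction', 'BulkSpamAction', 'BulkThreshold', 'QuarantineRetentionPeriod',
    'SpamQuarantineTag', 'HighConfidenceSpamQuarantineTag', 'PhishQuarantineTag',
    'HighConfidencePhishQuarantineTag', 'BulkQuarantineTag')
Get-HostedContentFilterPolicy | Format-List -Property $auditProps

# 3. Harden: users may preview, delete and block senders but must request a release
#    (value 27); every verdict is quarantined; high-confidence phishing stays admin-only.
$limited = ConvertTo-QuarantinePermissionValue Delete, Preview, RequestRelease, BlockSender
Set-QuarantinePolicy -Identity 'CustomEndUserPolicy' -EndUserQuarantinePermissionsValue $limited -ESNEnabled $true
Set-HostedContentFilterPolicy -Identity 'Default' `
    -SpamAction Quarantine                -SpamQuarantineTag 'CustomEndUserPolicy' `
    -HighConfidenceSpamAction Quarantine  -HighConfidenceSpamQuarantineTag 'CustomEndUserPolicy' `
    -PhishSpamAction Quarantine           -PhishQuarantineTag 'CustomEndUserPolicy' `
    -HighConfidencePhishAction Quarantine -HighConfidencePhishQuarantineTag 'AdminOnlyAccessPolicy' `
    -BulkSpamAction Quarantine            -BulkQuarantineTag 'CustomEndUserPolicy' `
    -BulkThreshold 6 -QuarantineRetentionPeriod 30
```

Re-run step 2 after the change: the *QuarantineTag properties are the only place that shows which quarantine policy, and therefore which end-user permissions, apply to each verdict.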
Interaction with Related Technologies
Microsoft Defender for Office 365 (MDO): Adds Safe Attachments and Safe Links scanning. If Safe Attachments detonates a file and finds malware, the message is quarantined as malware. Safe Links may block URLs at click time, but that is not quarantine.
Mail Flow Rules (Transport Rules): Can be configured to quarantine messages that match specific conditions (e.g., external emails with sensitive content). The action "Quarantine the message" sends it to quarantine with a custom quarantine policy.
User-Reported Messages: The Report Message add-in or built-in reporting in Outlook allows users to report phishing or junk. These reports go to the Submissions page and can be configured to also send a copy to a designated mailbox.
Advanced Delivery: Configures scenarios like third-party phishing simulations or mail from security operations centers (SOCs) to skip filtering. This is not quarantine but prevents legitimate simulation emails from being quarantined.
Understanding these components and their defaults is crucial for the MS-102 exam. You must know which verdicts are quarantined by default, the retention periods, and how to customize quarantine policies.
Message Arrives at Exchange Online
An inbound SMTP connection reaches Exchange Online. The receiving server performs connection-level checks: reverse DNS lookup, sender IP reputation, and IP allow/block lists. If the sender IP is on a blocked list, the server rejects the connection with a 550 error and no further processing occurs. If allowed, the server accepts the message and begins filtering.
Anti-Malware and Anti-Phishing Scan
The message is scanned by the anti-malware engine (Microsoft's engine and potentially a second engine for redundancy). Attachments are decompressed and checked against known malware signatures. If malware is detected, the message is assigned a verdict of Malware. Simultaneously, anti-phishing machine learning models evaluate the message for phishing indicators like spoofed domains, URL analysis, and sender impersonation. High-confidence phishing triggers a separate verdict.
Anti-Spam Content Filtering
The content filter analyzes the message body, headers, and metadata. It calculates the Spam Confidence Level (SCL) from -1 (skip filtering) to 9 (high-confidence spam). Messages from safelisted senders get SCL -1. The Bulk Complaint Level (BCL) is also calculated for bulk email. Based on policy, messages with SCL 5-6 are marked as spam and SCL 7-9 as high-confidence spam. A message is treated as bulk when its BCL reaches the bulk threshold in the anti-spam policy (7 in the default policy; the Standard and Strict presets use 6 and 5).
Apply Filtering Verdict and Policy
The system combines all verdicts into a single decision. The most severe verdict takes precedence: Malware > High-confidence phishing > Phishing > Spam > Bulk. The quarantine policy associated with the recipient determines the action. For example, if the verdict is Malware, the message is quarantined with the AdminOnlyAccessPolicy by default. The message is moved to the quarantine mailbox and a quarantine record is created.
End-User Notification (if enabled)
If the quarantine policy assigned to the verdict has end-user spam notifications enabled, the user receives a digest listing the quarantined messages they can act on. The frequency is a tenant-wide quarantine notification setting: every 3 days by default, adjustable from 1 to 15 days. The user can click a link to view the message in the quarantine portal. Notifications are never sent for verdicts handled by AdminOnlyAccessPolicy (malware and high-confidence phishing) because end users cannot manage those.
User or Admin Action on Quarantine
A user logs into the quarantine portal or clicks the link in the notification. They see messages they are permitted to manage. They can release the message (delivers to inbox), delete it, or report it as a false positive (submits to Microsoft). Admins can perform these actions for any quarantined message. Release delivers the original message to the recipient's inbox, bypassing filtering again but still subject to transport rules.
Submission to Microsoft (Optional)
If a user or admin reports a false positive, the message is submitted to Microsoft for analysis via the Submissions page. Admins can also submit false negatives (bad mail that was delivered). Microsoft analyzes the submission and may update the filtering model. The submission can also be used to add an allow or block entry to the Tenant Allow/Block List for future messages.
Enterprise Scenario 1: Large Financial Institution with Strict Compliance Requirements
A bank with 10,000 employees must ensure that no malware or phishing reaches users. They configure EOP and MDO P2 licenses. They set all anti-spam policies to quarantine rather than Junk folder. They create a custom quarantine policy for spam and bulk that grants "request release" rather than "release", so a user's request goes to the security team for approval; a Power Automate workflow adds manager sign-off on top of that. For malware and high-confidence phishing, only the security team can manage. They set the retention period to 30 days for all verdicts. They also enable user-reported messages and configure the Report Message add-in for Outlook. The security team monitors the Submissions page daily to identify trends. Performance is not an issue because the quarantine store can handle millions of messages. A common misconfiguration is setting the retention period too short (e.g., 1 day), causing legitimate messages to be deleted before users review them. Another is leaving the tenant-wide notification frequency at its default: a digest every 3 days may be too slow for time-sensitive messages.
Enterprise Scenario 2: Healthcare Organization with Third-Party Phishing Simulations
A hospital uses a third-party phishing simulation service to train employees. Simulation emails are often flagged as phishing and quarantined, defeating the purpose. They configure the vendor in Advanced delivery (Defender portal, Threat policies > Advanced delivery > Phishing simulation) with the vendor's sending domains, sending IP ranges, and simulation URLs; at least one domain and one IP are required, and the pair must match for the bypass to apply. The simulation URLs appear in the Tenant Allow/Block List as allow entries of sub-type AdvancedDelivery, tied to that policy and without expiry, so they are not created as ordinary allows. Because the bypass skips filtering entirely, the entries are scoped to the vendor's own infrastructure and reviewed whenever the contract or the vendor's sending IPs change. The security team also checks quarantine for the vendor's domain to confirm the simulations are no longer being caught and that nothing else is riding on the allow. A common mistake is an incomplete Advanced delivery configuration (domain without the matching IP, or a changed vendor IP range), which sends simulation emails back to quarantine and reduces training effectiveness.
Enterprise Scenario 3: Multinational Corporation with Multiple Domains
A company with 50 domains and 100,000 users uses a central security team to manage quarantine. They need different policies for different user groups (e.g., executives vs. regular employees). They create multiple quarantine policies and assign them to anti-spam policies per domain. They also use transport rules to quarantine messages with sensitive data (e.g., credit card numbers) and assign a custom quarantine policy that only legal can manage. They monitor the quarantine portal for large volumes of false positives that indicate a misconfigured allow list. Performance considerations: the quarantine portal is slow with millions of messages, so filters and bulk actions (or paged Get-QuarantineMessage queries) are essential. A common issue is that users from different domains have different language preferences for notifications; sender name, disclaimer, and language are configured in the global quarantine notification settings. Another challenge is the Tenant Allow/Block List entry limits (500 allows and 500 blocks per category with EOP alone; higher with Defender for Office 365): the service removes expired entries itself, but blocks set to never expire and allows that are no longer used must be reviewed and removed by hand.
What MS-102 Tests on This Topic
The MS-102 exam covers email quarantine and submission management under Objective 3.2 (Security Threats). You should expect questions on:
Default quarantine actions for each verdict: Malware is always quarantined. In the default anti-spam policy, high-confidence phishing and phishing are quarantined, while spam, high-confidence spam, and bulk go to the Junk Email folder; every action except malware is configurable per anti-spam policy, and the Strict preset quarantines all verdicts.
Quarantine retention periods: 30 days default, 1-30 days configurable for spam/phishing/bulk; malware is fixed at 30 days.
End-user notification frequency: Default every 3 days, configurable 1-15 days.
Quarantine policy permissions: AdminOnlyAccessPolicy (malware, high-confidence phishing), DefaultFullAccessPolicy (spam, bulk), DefaultPhishOnlyAccessPolicy (phishing). Know the exact names and what each allows.
Submission types: False positive (legitimate flagged as bad) and false negative (bad delivered). Submissions can be made via the Submissions page or user-reported messages.
Tenant Allow/Block List: Limits (500 allows and 500 blocks per category with EOP alone; higher with Defender for Office 365), expiration (blocks never expire by default and can be set up to 90 days out; allows are removed 45 days after last use by default, or on a date at most 30 days out).
Common Wrong Answers and Why Candidates Choose Them
"Quarantine retention period for malware can be set to 15 days." – Wrong. Malware retention is fixed at 30 days. Candidates confuse malware with spam/phishing which are configurable.
"End users can release malware-quarantined messages by default." – Wrong. Malware uses AdminOnlyAccessPolicy; only admins can manage. Candidates assume all quarantined items are user-manageable.
"User-reported messages are always submitted to Microsoft automatically." – Wrong as an absolute. The "Send the reported messages to" setting in User reported settings decides: "Microsoft only" and "Microsoft and my reporting mailbox" submit automatically; "My reporting mailbox only" leaves the report on the User reported tab of the Submissions page until an admin submits it. Candidates assume one behaviour applies everywhere.
"The Tenant Allow/Block List can have unlimited entries." – Wrong. There is a per-category limit (500 allows and 500 blocks with EOP alone; higher with Defender for Office 365). Candidates underestimate governance.
Specific Numbers and Terms to Memorize
SCL: -1 to 9; 5-6 spam, 7-9 high-confidence spam.
BCL: 0-9; bulk when at or above the policy's bulk threshold (7 in the default policy; Standard preset 6, Strict 5).
Retention: 30 days default for spam/phishing/bulk (configurable 1-30); malware 30 days fixed.
Notification frequency: 3 days default (1-15 configurable).
Tenant Allow/Block List limits: 500 allows and 500 blocks per category (domains and addresses, files, URLs) with EOP alone; higher with Defender for Office 365; spoofed senders have a separate limit.
Default quarantine policies: AdminOnlyAccessPolicy, DefaultFullAccessPolicy, DefaultPhishOnlyAccessPolicy.
Edge Cases and Exceptions
High-confidence phishing vs. phishing: Both are quarantined by default, but high-confidence phishing uses AdminOnlyAccessPolicy; phishing uses DefaultPhishOnlyAccessPolicy (users can release).
Mail flow rules can quarantine messages with a custom policy. The exam may ask what happens if a transport rule quarantines a message that would otherwise be delivered.
Advanced Delivery: Used for third-party phishing simulations and SOC mail. This bypasses filtering entirely, not just quarantine.
User safelists override spam filtering but not malware or high-confidence phishing. A message from a trusted sender can still be quarantined if it contains malware.
How to Eliminate Wrong Answers
If a question mentions "malware" and "user can release," that is false. Malware always requires admin.
If a question says "default retention for spam is 15 days," it is false; default is 30, but it can be changed.
If a question says "user-reported messages are automatically submitted to Microsoft," check the configured user-reported setting: it is true only when reports are sent to Microsoft (alone or together with a reporting mailbox), not when they go to the reporting mailbox only.
If a question mentions unlimited entries in Tenant Allow/Block List, it is false.
Focus on the exact defaults and permissions. The exam loves to test the difference between verdict types and their default quarantine policies.
Default quarantine actions: malware is always quarantined and high-confidence phishing is quarantined with admin-only access; in the default anti-spam policy phishing is quarantined with user access, while spam, high-confidence spam, and bulk go to Junk Email unless the policy (or the Strict preset) sends them to quarantine.
Quarantine retention: 30 days default for spam/phishing/bulk (configurable 1-30); malware fixed at 30 days.
End-user spam notifications are sent as a digest every 3 days by default (configurable 1-15 days).
The Tenant Allow/Block List has a per-category limit (500 allows and 500 blocks with EOP alone; higher with Defender for Office 365) across domains and addresses, files, and URLs, with a separate limit for spoofed senders.
User-reported messages appear on the User reported tab of the Submissions page; whether they also go to Microsoft automatically depends on the "Send the reported messages to" setting, and with "My reporting mailbox only" an admin must submit them.
Advanced Delivery allows bypassing filtering for third-party phishing simulations and SOC mail.
Custom quarantine policies can be created with granular permissions (view, release, delete, report).
Mail flow rules can quarantine messages with a custom quarantine policy.
These come up on the exam all the time. Here's how to tell them apart.
Quarantine for Spam
Default policy: DefaultFullAccessPolicy (end users can view, release, delete, report).
Retention period configurable from 1 to 30 days (default 30).
End users receive notifications (if enabled).
Can be redirected to Junk folder instead of quarantine.
SCL 5-6 triggers the spam verdict (7-9 is the separate high-confidence spam verdict); a BCL at or above the policy's bulk threshold triggers the bulk verdict.
Quarantine for Malware
Default policy: AdminOnlyAccessPolicy (only admins can manage).
Retention period fixed at 30 days, cannot be changed.
End users do not receive notifications for malware.
Cannot be redirected to Junk folder; always quarantined or rejected.
Detected by anti-malware engine; SCL not applicable.
Mistake
All quarantined messages are automatically deleted after 30 days.
Correct
Only malware-quarantined messages have a fixed 30-day retention. For spam, phishing, and bulk, the retention is configurable from 1 to 30 days, with a default of 30. After the retention period expires, the message is permanently deleted. However, admins can manually delete messages earlier.
Mistake
End users can release any quarantined message.
Correct
End users can only release messages that are managed by quarantine policies that grant them release permissions. By default, malware and high-confidence phishing use AdminOnlyAccessPolicy, so end users cannot release those. Only admins can manage those verdicts.
Mistake
User-reported messages always reach Microsoft automatically.
Correct
Where a user report goes is set in User reported settings ("Send the reported messages to"). With "Microsoft only" or "Microsoft and my reporting mailbox" the report is submitted to Microsoft automatically; with "My reporting mailbox only" it appears on the User reported tab of the Submissions page and an admin must submit it. Either way the User reported tab is where an admin reviews the report and can turn it into an allow or block entry.
Mistake
The Tenant Allow/Block List can have unlimited entries.
Correct
The Tenant Allow/Block List has a per-category limit: 500 allow and 500 block entries (domains and addresses, files, URLs) with EOP alone, higher with Defender for Office 365, and a separate limit for spoofed senders. At the limit, old entries must be removed before new ones can be added.
Mistake
Quarantine notifications are sent immediately when a message is quarantined.
Correct
End-user spam notifications are a periodic digest, not a per-message alert. The default frequency is every 3 days, configurable from 1 to 15 days in the tenant-wide quarantine notification settings. There is no real-time notification for individual messages.
Practice Question Answers
The default and only retention period for malware-quarantined messages is 30 days. This cannot be changed. Unlike spam, phishing, and bulk, where you can configure 1 to 30 days, malware retention is fixed. After 30 days, the message is permanently deleted. Exam tip: Remember that malware is always 30 days, and it's the only verdict with a fixed retention.
No, by default high-confidence phishing uses the AdminOnlyAccessPolicy, which means only administrators can manage those messages. End users cannot view, release, delete, or report them. This is the same as malware. The exam may test this distinction: phishing (not high-confidence) uses DefaultPhishOnlyAccessPolicy, which allows users to release.
Admins can submit false positives via the Submissions page in Microsoft 365 Defender (https://security.microsoft.com/reportsubmission). You can also use the user-reported messages feature: when users report a message using the Report Message add-in, it appears in the Submissions page, and you can then submit it to Microsoft. Alternatively, you can use the PowerShell cmdlet Submit-ReportedMessage.
When a message is released, it is delivered to the original recipient's inbox. The message bypasses anti-spam and anti-phishing filtering again but is still subject to transport rules (mail flow rules). It is also subject to Safe Attachments and Safe Links scanning if MDO is licensed. The release action is logged in the audit log.
Spam verdict is based on Spam Confidence Level (SCL 5-6) and indicates unsolicited commercial email. Bulk email verdict is based on Bulk Complaint Level: a BCL at or above the policy's bulk threshold (7 in the default policy) marks mail from bulk senders that may be unwanted but is not necessarily spam. Both can be quarantined or sent to the Junk folder. The exam may ask about default actions: by default, both are sent to the Junk folder, but they can be redirected to quarantine via the anti-spam policy.
End-user spam notifications are switched on per quarantine policy, but the frequency is a tenant-wide setting (1 to 15 days, default 3) under the global quarantine notification settings in the Defender portal. To enable notifications for a policy use Set-QuarantinePolicy, for example: Set-QuarantinePolicy -Identity "CustomEndUserPolicy" -ESNEnabled $true. Notifications are only sent for verdicts where the user has permissions to manage (i.e., not for malware or high-confidence phishing).
The Tenant Allow/Block List is a tenant-level list that overrides filtering verdicts. You can add entries for domains, email addresses, file hashes (SHA256), URLs, and spoofed senders. Allows prevent messages from being filtered for the verdicts the entry type covers; no allow can override malware or high-confidence phishing. Blocks cause messages to be rejected or quarantined. Block entries never expire by default and can be given an expiry date up to 90 days out; allow entries are removed 45 days after last use by default, or on a date at most 30 days out. The list holds 500 allows and 500 blocks per category with EOP alone, more with Defender for Office 365.