This is a question I regularly get. In this post I will explain Microsoft’s way and share my opinion on this.
The way Microsoft developed it
A user, can view, release, and delete their own quarantined messages, if the message was quarantined as spam or bulk email. As of April 2020, users can also view or delete their own quarantined phishing (not high confidence phishing) messages.
Many people wonder, do I want to give my end users this option to access the quarantine?
In short, you have no option. Microsoft just let all users with none administrator privileges log in on https://protection.office.com/quarantine to view their messages (not high confidence) in the quarantine and, if necessary, to release them. You cannot block access to it. If your end users know the link, they can access it.
I totally agree with Microsoft’s way through this, users are actively forced to view the messages before releasing them. No attachments and links can be opened from the preview. I notice that users are also dealing smarter with spam and phishing, because they are actively working on it through this system. But my advice will also be to give the end users some adoption before you share the link to the quarantine.
I always say, just explain them to see the quarantine as a second junk folder based on the policy’s the company have setup.
A scenario you can talk about
I assume for this example that you have turn on the mailbox intelligence option in the ATP anti-phising policy.
A good message in the quarantine (false positive):
Suppose the end user had frequently contact with Jan Hendrix on email@example.com. The other month, Jan Hendrix no longer works at CompanyX and sends a message from firstname.lastname@example.org. The mail does not arrive in the inbox, because mailbox intelligence thinks, this is not Jan Hendrix. The end user can check the quarantine to release it, if they expect an email from email@example.com that does not arrive. If the end user got frequently contact again with firstname.lastname@example.org, the self learned system behind the quarantine will mark email@example.com as allowed in the mailbox intelligence function.
A bad message in the quarantine:
When Jan Hendrix does not have a GMAIL address at all and is still working at CompanyX. You may tell what problems it can cause when the end user trust Jan Hendrix and they receive a message with suspicious links and all the other bad stuff from firstname.lastname@example.org. This email account is presented by someone else on behalf of Jan Hendrix.
When the end user see this message in their quarantine, they can preview it and delete the message. Of course this method need some adoption. But as soon as the end users understand this well, they gain more confidence in which mail they can or cannot let through and will see the quarantine as a second junk mailbox.
Turn on user spam notifications in ATP anti-spam policies
We all know that end users will not actively go to the quarantine themselves. We can help them with this, by turning on the user spam notifications. This a notification email they get from the quarantine. You can turn this on with the ATP anti-spam policy.
- Login on https://protection.office.com/antispam
- Open your global spam filter policy
- Click on ‘Configure end-user spam notifications…’
- Check ‘Enable end-user spam notifications’
You can choose how often the notification will send and the language of the notification.
I personally find this notification useful, but Microsoft could change the layout a bit. The notification is sent from ‘email@example.com’, without a display name and the mail contains links. I would have preferred that you only received a message with something like ‘check the quarantine for a certain date’.
As I have said earlier in this blog, the end users just need some adoption to make them familiar with the quarantine and the notification. Before they found out the quarantine by themselves.