Microsoft Defender for Office 365: Filter Update for Quarantine Portal

Originally posted by Microsoft Mar 16, 2023 Uncategorized 0 Comments

In the Microsoft 365 Defender portal, the Admin / SecOps can review quarantined messages on the Email & Collaboration > Review > Quarantine page. On this quarantine page, all the quarantined email messages are listed. These messages can be quarantined if the messages are classified as malicious or spam or other admin actions. Admins/ SecOps can view messages which are quarantined due to a specific policy anti-malware, Safe Attachments, anti-spam, etc.) with a specific reason for quarantining. These reasons are Phish, Malware, Spam etc.

This message is associated with Microsoft 365 Roadmap ID 117520

When this will happen:

Standard Release: We will begin rollout in early April and expect to complete rollout by late May.

GCC, GCC-H, DoD: We will begin rollout in mid-May and expect to complete rollout by late June.

How this will affect your organization:

In the anti-malware policy, along with quarantining messages with attachments that are malicious (malware or phish), the common attachment filter settings can be configured to quarantine messages which contain attachments with specific file extensions. All of these email messages with specific file extensions are shown as Malware for the filter Quarantine reason. As a result, it’s not easy to identify messages that were quarantined due to attachments being malicious or simply matching the file type.

With this change, we’re adding a new filter known as Admin Action – File type block to the Quarantine reason filter. Applying this filter will show the email messages that were quarantined by the common attachment filter. This change will be visible on the Quarantine page and also in the respective Get-QuarantineMessage cmdlet (parameter QuarantineTypes to include AdminActionFileTypeBlock).

With the addition of this filter, it should make it easy for the Admin / SecOps to filter and review the messages which are blocked purely due to file type block.

What you need to do to prepare:

View image in new tab

There is no action required on your end at this time. For more information, please visit this documentation.

Message ID: MC528356

No comments yet

Leave a Reply

Joao Ferreira

I've been working with Microsoft Technologies over the last ten years, mainly focused on creating collaboration and productivity solutions that drive the adoption of Microsoft Modern Workplace.

%d bloggers like this: