Exchange Online - Email routing and security features
Email classification and MailTips
Exchange Online
The introduction of Exchange Online may change where some of your inbound email is delivered. Emails that had previously been delivered to your inbox may be classified differently and now be delivered to your Junk email folder, and vice versa.
As such, please monitor your junk email folder closely and report any misclassified messages using the tools provided within Outlook. Guidance on this process is provided below.
Changes in email classification
You may notice changes in how emails are categorised, including:
- Differences in the volume and types of email, junk, or spam reaching your inbox or junk/spam folders.
- The system learning over time, meaning classifications may improve as you report issues.
Managing Junk email classification
If junk email is delivered to your inbox, right-click the email, select 'Report', then choose an appropriate option.
If a legitimate email is delivered to your Junk Email folder, right-click the email, select 'Report', then choose 'Not Junk'.
Consistently reporting your misclassified messages will ensure that future messages of a similar nature are delivered to the appropriate folders.
Email Security MailTips
MailTips now offer more real-time notifications that appear in both Outlook and Outlook on the web while you're composing or receiving emails.
About MailTips
You will have seen MailTips before; for example, they currently show when people have an 'Out Of Office' set. There are now some more MailTips that provide real-time notifications and appear in Outlook and Outlook on the web when composing or receiving emails.
They provide helpful alerts about potential issues, such as sending messages to large groups, responding to external senders, or detecting potential impersonation attempts. These prompts enhance email security and help prevent miscommunication by guiding you before you send or interact with email messages.
First Contact MailTip
This feature highlights when you are contacted by an email address for the first time. It helps prevent impersonation attempts where someone may use a familiar display name with a different or similar email address.
- If you are emailing someone you have contacted before, but this warning appears, verify the email address carefully.
- If you have never been contacted by the sender before, this is expected behaviour and does not necessarily indicate a security risk.
Potential impersonation MailTip
This warning does not indicate a definite security issue, but it suggests exercising caution. It appears when the system detects characteristics that could indicate an impersonation attempt.
Potentially risky mail MailTip
This alert appears when an email has failed one or more security checks but has not been confirmed as malicious.
These warnings do not mean the email is unsafe, but they highlight the need for caution when interacting with the sender's messages or opening attachments.
Quarantined email notifications
This new security feature moves suspicious emails — such as those with harmful links or potential phishing attempts — to a secure quarantine area instead of your inbox.
A daily summary will be sent to you if any messages are quarantined. This will be sent from quarantine@messaging.microsoft.com.
Receiving quarantined email notifications
All emails are automatically scanned and assessed to determine if they are safe to deliver. The system checks factors such as the sender address, message content, any links or attachments and whether the message matches known patterns of spam or phishing.
Based on this assessment, email is directed as follows:
- Inbox
The message is considered safe and delivered as normal.
- Junk Email
The message appears to be spam but is not considered harmful. It is delivered to your Junk folder so you can review it if needed.
- Quarantine
The message is more suspicious. For example, it may contain harmful links or be a phishing attempt. These messages are held in a secure quarantine area and not delivered to your mailbox. You’ll usually receive a daily summary if any malware-free messages have been quarantined. Some details on this can be found below.
- Dropped (not delivered)
Some messages are blocked completely. This happens when the system is highly confident the message is malicious or where rules are in place to automatically reject certain types of content or senders.
The quarantine notification email will have the following properties:
Sender: quarantine@messaging.microsoft.com
A link that, when you hover over it, shows: https://security.microsoft.com/quarantine
The email will look similar to the image below:
Microsoft quarantine portal
Clicking the “Quarantine page” link will take you to the Microsoft quarantine portal within the Security Center, where you can review emails and, depending on the email classification, release them if necessary. You may need to log in if you have not already done so.
We advise that you save the quarantine URL above, and use that instead of the link in the email should you need to review your email.
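The two properties listed above can also be checked mechanically. The following is an added example, not part of the original guidance or any Microsoft tooling: it compares a message's sender and links against the values given on this page, using constructed sample messages. The function and class names are hypothetical, and a matching From header is necessary but not proof of origin, since that header can be forged.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Both expected values are the ones stated on this page.
EXPECTED_SENDER = "quarantine@messaging.microsoft.com"
EXPECTED_URL = urlsplit("https://security.microsoft.com/quarantine")

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)  # keep every <a href> in the body

def is_quarantine_link(href):
    """True only for https, the exact host, and the /quarantine path."""
    u = urlsplit(href)
    return (u.scheme == "https" and u.hostname == EXPECTED_URL.hostname
            and (u.path == EXPECTED_URL.path
                 or u.path.startswith(EXPECTED_URL.path + "/")))

def check_notification(raw):
    """Return a list of mismatches; an empty list means both properties match."""
    msg = message_from_string(raw)
    problems = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender != EXPECTED_SENDER:
        problems.append("sender: " + (sender or "(none)"))
    links = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            links.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
    if not any(is_quarantine_link(h) for h in links.hrefs):
        problems.append("no link to the quarantine page")
    # Lookalikes: URLs that mention the portal but point at another host.
    problems += ["lookalike link: " + h for h in links.hrefs
                 if "quarantine" in h.lower() and not is_quarantine_link(h)]
    return problems

# Constructed sample messages (not real notifications).
GENUINE = ("From: Quarantine <quarantine@messaging.microsoft.com>\n"
           "Content-Type: text/html\n\n"
           '<a href="https://security.microsoft.com/quarantine">Quarantine page</a>')
SPOOFED = ("From: Quarantine <quarantine@messaging.microsoft.com.example.net>\n"
           "Content-Type: text/html\n\n"
           '<a href="https://security.microsoft.com.example.net/quarantine">Quarantine page</a>')
```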
Be cautious when releasing emails from this location, as quarantined emails may contain spam or phishing attempts. Releasing an email from quarantine does not mean that future similar email will not be quarantined.
You may still need to report this as ‘Not Junk’ or ‘Not Phishing’, and this may need to be done several times for the system to learn. In addition, you can ‘Allow Sender’ from the flyout on the right when you select the email you wish to release.
Other emails may appear in the portal that have been quarantined without notification if they have been definitively identified as malicious. In these cases, you may be unable to release such emails.
Shared mailboxes
In addition to viewing your own email, you should also be able to review quarantined email sent to a shared mailbox that you can send emails from. If you can only read email and not send, this may not work for you.
To view Shared Mailbox quarantined email, you will need to select Filter, towards the top right of the quarantine page, and set the recipient address field to that of the Shared Mailbox. If you do not know the email address of the Shared Mailbox, you can look it up using the Outlook Address Book.
Microsoft Documentation: Find and release quarantined messages as a user - Microsoft Defender for Office 365 | Microsoft Learn
Zero-hour Auto Purge (ZAP)
Zero-hour Auto Purge (ZAP) is a security feature that automatically removes malicious emails from inboxes after they have been delivered. Following delivery, if an email is identified as phishing, spam, or containing malware, ZAP moves it to the Junk Email or Quarantine folder without requiring user action.
This security feature may result in messages that were in your inbox disappearing without your interaction. You can later recover these from your junk mail folder or quarantine using the instructions provided in this document.
Thank you for your support in helping us improve our email security.
If you have any questions, concerns, or feedback please contact the IT Service Desk at IT.Services@lboro.ac.uk