Quarantined by Microsoft

This section includes:

• Quarantined by Microsoft
  • About "Quarantined by Microsoft"
  • More about "Quarantined by Microsoft"
  • Identifying emails that were quarantined by Microsoft Defender
  • Filtering emails that were quarantined by Microsoft Defender
  • Showing quarantined incoming and outgoing email
  • Enabling the "Quarantined by Microsoft" functionality
  • Releasing "Quarantined by Microsoft" emails
  • Limitations

About "Quarantined by Microsoft"

When FortiMail Workspace Security is integrated with a Microsoft email solution, Microsoft Defender may quarantine emails before the emails reach FortiMail Workspace Security. FortiMail Workspace Security therefore doesn't ever receive these emails, and consequently can't scan these emails. This can result in a scenario where admin users must manage quarantined emails in two platforms: FortiMail Workspace Security and Microsoft Defender.

To enable admin users to manage quarantined emails in just one platform [FortiMail Workspace Security], emails that were quarantined by Microsoft Defender can be included in the FortiMail Workspace Security Scans page - even though these emails weren't scanned by FortiMail Workspace Security. Only a limited set of data is shown in the Scans page for emails that were quarantined by Microsoft Defender. In addition, only a limited set of actions can be performed on these "quarantined by Microsoft Defender" emails.

More about "Quarantined by Microsoft"

• Emails that are quarantined by Microsoft are not scanned by FortiMail Workspace Security.

• Emails that are quarantined by Microsoft are not included in Digest reports. [See About Digest reports]

• You can't request an investigation for an email that was quarantined by Microsoft. [See Requesting an investigation]

• It is possible to use the Scans page to release from quarantine an email that was quarantined by Microsoft Defender. See Releasing "Quarantined by Microsoft" emails below.

Note: This "quarantined by Microsoft" functionality is available only for organizations that use Microsoft 365 [Exchange Online] and have one of the following integrations with FortiMail Workspace Security: Microsoft 365 - Inline Microsoft 365 - API Microsoft Exchange

• Email alerts are not sent for emails that were quarantined by Microsoft. [See Alerts]

Identifying emails that were quarantined by Microsoft Defender

You can easily identify emails in the Scans page that were quarantined by Microsoft Defender. These emails have the "Quarantined by Microsoft" icon [] on the left of the Scans page.

In addition, "Quarantined by Microsoft" emails will have the following attributes:

• Action: Quarantined by Microsoft

• Verdict: Malicious

Filtering emails that were quarantined by Microsoft Defender

Perform the procedure below to list all the emails that were quarantined by Microsoft Defender:

1. In the Scans page, open the Advanced filters feature. For details, see Advanced filters.

2. Scroll down the list of filter options, and then under Action, select "Quarantined by Microsoft".

   

3. Click "Apply Filters" to display a list of emails that were quarantined by Microsoft Defender.

   Note: You can also select Action > "Released from Microsoft Quarantine" to display those emails that were released from quarantine in Microsoft. No bulk actions are performed on "Quarantined by Microsoft" emails. When you display only "Quarantined by Microsoft" emails, all bulk actions are disabled, and it is not possible to select any of the listed scans. This filter will show only those emails that were quarantined after the "Quarantined by Microsoft" functionality was enabled.

Showing quarantined incoming and outgoing email

Connection scope:

• If FortiMail Workspace Security is configured to scan incoming email only, then the Scans page will include incoming email that was quarantined by Microsoft Defender - outgoing email that was quarantined by Microsoft Defender will not be displayed.

• If FortiMail Workspace Security is configured to scan incoming and outgoing email, then the Scans page will include both incoming email and outgoing email that was quarantined by Microsoft Defender.

Enabling the "Quarantined by Microsoft" functionality

Note: You should enable the "Quarantined by Microsoft" functionality only after being directed to do so by your Customer Success Manager.

See the available video.

To enable the "Quarantined by Microsoft" functionality:

1. Open the Settings > Bundles and Channels page.

2. On the right of Email Service > Microsoft 365, click Channel Settings.

3. In the Email Service Settings pane that opens, click Edit.

4. Under Microsoft Account Options, select the "Show emails quarantined by Microsoft" check box.

   Note: If you don't see the "Show emails quarantined by Microsoft" check box, contact FortiMail Workspace Security Support [support@perception-point.io] or your Customer Success Manager.

5. Click Save.

   Note: If you are unable to "Show emails quarantined by Microsoft" then perform the troubleshooting procedure shown below. If the issue persists, then contact FortiMail Workspace Security Support [support@perception-point.io]. After you perform the procedure above, it may take up to 24 hours for "quarantined-by-Microsoft" emails to be shown in the Scans page. After you enable "Show emails quarantined by Microsoft", emails that are quarantined by Microsoft will be included in FortiMail Workspace Security. If you then disable "Show emails quarantined by Microsoft", emails that were previously quarantined by Microsoft and were included in FortiMail Workspace Security will continue to be shown in FortiMail Workspace Security.

Troubleshooting

If you don't see any "quarantined-by-Microsoft" emails included in the Scans page 24 hours after enabling the functionality, then perform the procedure below. The procedure will refresh the requested permissions that are associated with the Perception Point remediation app - in order to grant additional permissions to the app. In some organizations, the new permission will be added automatically as part of the automatic permissions refresh of Microsoft.

1. Sign-in to the Microsoft 365 admin center.

2. In the left navigation menu, select Admin centers > Identity.

3. In the left navigation menu, select Applications > Enterprise applications.

4. Click "Search by application name or object ID"

5. In the list of applications, locate and then select "Perception Point (Mail App)".

6. Under Security, click Permissions.

7. Select "Grant admin consent for <your Microsoft Account>".

8. If required, select your Microsoft account.

   A list of the "Permissions requested" will be displayed.

9. Click Accept.

The Azure Mail App may grant the following new permission:

• Actor: Perception Point (Mail App)

• Operation: Add member to role

• New Value: ExchangeServiceAdmins

Note: If you are still unable to "Show emails quarantined by Microsoft", then contact FortiMail Workspace Security Support [support@perception-point.io] for assistance.

Releasing "Quarantined by Microsoft" emails

You can use FortiMail Workspace Security to release an email that was quarantined by Microsoft. You can release these quarantined emails only when you display details of the email scan in the Scans page.

To release a "quarantined by Microsoft" email:

1. In the Scans page, locate the scan, and then display details of the scan.

2. Click "Release" [].

   The "Release Email from Quarantine" dialog box opens.

   

3. Select any of the following options, as required:

   Mark this email as Clean	If this option is selected, when the email is released from quarantine, the verdict of the scan is changed from Malicious to Clean. If this option is not selected, when the email is released from quarantine, the verdict of the scan is kept as Malicious.
   Release without scan	Releases the email from quarantine. The email is sent to the recipients mailbox. The email is NOT scanned by FortiMail Workspace Security. Select this option only if you fully trust the sender of the email and the content.
   Release and full scan	The email is released from quarantine. The email is then scanned by FortiMail Workspace Security. If malicious content is detected, the email may be quarantined again, depending on the quarantine settings that are set for the organization. The quarantine settings define which scan verdicts will cause an email to be quarantined: Malicious, Spam, and/or Restricted. For details on the quarantine settings, see Which verdicts cause quarantine. Note: If the "Mark this email as clean" option above is selected, the email will be given a clean verdict, and released from quarantine, irrespective of the verdict of the FortiMail Workspace Security scan.

Note: You can use the Action > "Released from Microsoft Quarantine" filter to display only those emails that have been released from quarantine, after they were quarantined by Microsoft. For details, see Advanced filters.

Limitations

• No bulk actions are performed on "Quarantined by Microsoft" emails.

• When you use filters to display only "Quarantined by Microsoft" emails, all bulk actions are disabled, and it is not possible to select any of the listed scans.

See also: 

• Scans