Quarantined by Microsoft


About "Quarantined by Microsoft"

When Perception Point X‑Ray is integrated with a Microsoft email solution, Microsoft Defender may quarantine emails before they reach Perception Point X‑Ray. Perception Point X‑Ray never receives these emails, and therefore can't scan them. As a result, admin users may have to manage quarantined emails in two platforms: Perception Point X‑Ray and Microsoft Defender.

To enable admin users to manage quarantined emails in just one platform (Perception Point X‑Ray), emails that were quarantined by Microsoft Defender can be included in the Perception Point X‑Ray Scans page, even though these emails weren't scanned by Perception Point X‑Ray. Only a limited set of data is shown in the Scans page for emails that were quarantined by Microsoft Defender. In addition, only a limited set of actions can be performed on these "quarantined by Microsoft Defender" emails.

  • Emails that are quarantined by Microsoft are not scanned by Perception Point X‑Ray.

  • It is possible to use the Scans page to release from quarantine an email that was quarantined by Microsoft Defender. See Releasing "Quarantined by Microsoft" emails below.

Note: This "quarantined by Microsoft" functionality is available only for organizations that use Microsoft 365 [Exchange Online] and have one of the following integrations with Perception Point X‑Ray:

  • Microsoft 365 - Inline

  • Microsoft 365 - API

  • Microsoft Exchange

Note: Email alerts are not sent for emails that were quarantined by Microsoft. [See Alerts]

Identifying emails that were quarantined by Microsoft Defender

You can easily identify emails in the Scans page that were quarantined by Microsoft Defender. These emails have the "Quarantined by Microsoft" icon on the left of the Scans page.

In addition, "Quarantined by Microsoft" emails will have the following attributes:

  • Action: Quarantined by Microsoft

  • Verdict: Malicious

Filtering emails that were quarantined by Microsoft Defender

Perform the procedure below to list all the emails that were quarantined by Microsoft Defender:

  1. In the Scans page, open the Advanced filters feature. For details, see Advanced filters.

  2. Scroll down the list of filter options, and then under Action, select "Quarantined by Microsoft".

  3. Click "Apply Filters" to display a list of emails that were quarantined by Microsoft Defender.

    Note:

    • You can also select Action > "Released from Microsoft Quarantine" to display those emails that were released from quarantine in Microsoft.

    • No bulk actions are performed on "Quarantined by Microsoft" emails.

    • When you display only "Quarantined by Microsoft" emails, all bulk actions are disabled, and it is not possible to select any of the listed scans.

Showing quarantined incoming and outgoing email

Connection scope:

  • If Perception Point X‑Ray is configured to scan incoming email only, then the Scans page will include incoming email that was quarantined by Microsoft Defender. Outgoing email that was quarantined by Microsoft Defender will not be displayed.

  • If Perception Point X‑Ray is configured to scan incoming and outgoing email, then the Scans page will include both incoming email and outgoing email that was quarantined by Microsoft Defender.

Enabling the "Quarantined by Microsoft" functionality

Note: You should enable the "Quarantined by Microsoft" functionality only after being directed to do so by your Customer Success Manager.

See the available video.

To enable the "Quarantined by Microsoft" functionality:

  1. Open the Account > Bundles and Channels page.

  2. On the right of Email Service > Microsoft 365, click Channel Settings.

  3. In the Email Service Settings pane that opens, click Edit.

  4. Under Microsoft Account Options, select the "Show emails quarantined by Microsoft" check box.

    Note: If you don't see the "Show emails quarantined by Microsoft" check box, contact Perception Point Support [support@perception-point.io] or your Customer Success Manager.

  5. Click Save.

Troubleshooting

If you don't see any "quarantined-by-Microsoft" emails included in the Scans page 24 hours after enabling the functionality, perform the procedure below. The procedure refreshes the requested permissions that are associated with the Perception Point remediation app, so that additional permissions can be granted to the app. In some organizations, the new permission will be added automatically as part of Microsoft's automatic permissions refresh.

  1. Sign in to the Microsoft 365 admin center.

  2. In the left navigation menu, select Admin centers > Identity.

  3. In the left navigation menu, select Applications > Enterprise applications.

  4. Click "Search by application name or object ID".

  5. In the list of applications, locate and then select "Perception Point (Mail App)".

  6. Under Security, click Permissions.

  7. Select "Grant admin consent for <your Microsoft Account>".

  8. If required, select your Microsoft account.

    A list of the "Permissions requested" will be displayed.

  9. Click Accept.

The Azure Mail App may grant the following new permission:

  • Actor: Perception Point (Mail App)

  • Operation: Add member to role

  • New Value: ExchangeServiceAdmins
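The role change listed above can be checked against an exported directory audit log. The following is an added example, not Perception Point or Microsoft code; the record layout and the `Role.WellKnownObjectName` property name are assumptions modelled on directory audit exports, and the sample events are constructed.

```python
# Expected audit entry, taken from the list above.
EXPECTED_ACTOR = "Perception Point (Mail App)"
EXPECTED_OPERATION = "Add member to role"
EXPECTED_ROLE = "ExchangeServiceAdmins"
# Assumption: name of the audit property that carries the role value.
ROLE_PROPERTY = "Role.WellKnownObjectName"

def _event(event_id, operation, actor_kind, actor, role=None):
    """Build one constructed record in the assumed directory-audit layout."""
    props = [{"displayName": ROLE_PROPERTY, "newValue": f'"{role}"'}] if role else []
    return {"id": event_id, "activityDisplayName": operation,
            "initiatedBy": {actor_kind: {"displayName": actor}},
            "targetResources": [{"modifiedProperties": props}]}

# Constructed sample data, not real tenant logs.
SAMPLE_AUDIT_LOG = [
    _event("evt-1", EXPECTED_OPERATION, "app", EXPECTED_ACTOR, EXPECTED_ROLE),
    _event("evt-2", EXPECTED_OPERATION, "app", EXPECTED_ACTOR, "ConstructedOtherRole"),
    _event("evt-3", EXPECTED_OPERATION, "user", "admin@example.com", EXPECTED_ROLE),
    _event("evt-4", "Update application", "app", EXPECTED_ACTOR),
]

def initiated_by_app(event):
    """Display name of the initiating app, or None for user-initiated events."""
    app = (event.get("initiatedBy") or {}).get("app") or {}
    return app.get("displayName")

def roles_added(event):
    """Role values written by the event, with the surrounding quotes removed."""
    roles = set()
    for resource in event.get("targetResources") or []:
        for prop in resource.get("modifiedProperties") or []:
            if prop.get("displayName") == ROLE_PROPERTY:
                roles.add((prop.get("newValue") or "").strip('"'))
    return roles

def classify(event):
    """'expected' = the documented grant, 'review' = another role grant by the app."""
    # Display names are not unique; in production, match the app's object ID instead.
    if initiated_by_app(event) != EXPECTED_ACTOR:
        return "ignore"
    if event.get("activityDisplayName") != EXPECTED_OPERATION:
        return "ignore"
    return "expected" if roles_added(event) == {EXPECTED_ROLE} else "review"

def triage(events):
    """Map each event id to its classification."""
    return {event["id"]: classify(event) for event in events}

if __name__ == "__main__":
    for event_id, result in triage(SAMPLE_AUDIT_LOG).items():
        print(event_id, result)
```

Events classified as "review" are role grants by the same app to a role other than the one documented here.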

Releasing "Quarantined by Microsoft" emails

You can release an email that was quarantined by Microsoft only when you display details of the email scan.

To release a "quarantined by Microsoft" email:

  1. In the Scans page, locate the scan, and then display details of the scan.

  2. Click "Release".

    The "Release Email from Quarantine" dialog box opens.

  3. Select any of the following options, as required:

    Mark this email as Clean

    • If this option is selected, when the email is released from quarantine, the verdict of the scan is changed from Malicious to Clean.

    • If this option is not selected, when the email is released from quarantine, the verdict of the scan is kept as Malicious.

    Release without scan

    Releases the email from quarantine. The email is sent to the recipient's mailbox. The email is NOT scanned by Perception Point X‑Ray. Select this option only if you fully trust the sender of the email and the content.

    Release and full scan

    The email is released from quarantine. The email is then scanned by Perception Point X‑Ray. If malicious content is detected, the email may be quarantined again, depending on the quarantine settings that are set for the organization. The quarantine settings define which scan verdicts will cause an email to be quarantined: Malicious, Spam, and/or Restricted. For details on the quarantine settings, see Which verdicts cause quarantine.

    Note: If the "Mark this email as Clean" option above is selected, the email will be given a clean verdict, and released from quarantine, irrespective of the verdict of the Perception Point X‑Ray scan.

Limitations

  • No bulk actions are performed on "Quarantined by Microsoft" emails.

  • When you display only "Quarantined by Microsoft" emails, all bulk actions are disabled, and it is not possible to select any of the listed scans.