
Quarantined Messages

The Quarantined Messages page lists the email messages that have been quarantined for all your protected mailboxes.

The page includes the following lists:

Quarantined messages are shown in tabs based on the quarantine type. The available tabs depend on the features configured for your environment.

By default, the report shows messages processed on the current day.

Note

You must set an owner for a distribution list to receive quarantined messages and their summary. For information on how to add an owner to a distribution list, see Distribution list owners.

EMS mode

If you're subscribed to Sophos EMS, Sophos scans journal copies of emails but doesn't intercept or take action on the original messages. When you see messages labeled as "Quarantined" on the Quarantined Messages page, those messages weren't actually quarantined. Instead, they were delivered to the recipient's mailbox.

The quarantine status shown is a simulation of what Sophos Email would have done if it had been the active security service. Since EMS is a monitor-only tool, it doesn't block or hold the message. If a message is considered risky, you'll need to manually review or claw back the delivered email.

For more information on Sophos EMS, see Sophos EMS (Email Monitoring System).

Email security quarantine

This list shows messages quarantined by your standard Email Security policies. These are messages Sophos Email identified as spam, malware, or otherwise suspicious based on your inbound protection settings.

In this list, you can take the following actions:

  • Release
  • Release and Allow
  • Delete
  • Delete and Block

For information, see Release or delete messages.

Messages remain in quarantine for 30 days.

Post-delivery quarantine

This list appears only when post-delivery protection and its features are turned on.

This list shows messages that were delivered to user mailboxes but later identified as malicious or risky and clawed back by Sophos Email.

In this list, you can take the following actions:

  • Click Release or Delete from the list view or from Message Details.

    For information, see Release or delete messages.

  • Add IP addresses and domains to allow or block lists if Allow/Block list is turned on.

    For information, see Manage user settings.

Messages that aren't released within 30 days are deleted.

M365 quarantine

This list appears only when M365 Quarantine is turned on and a post-delivery connection is configured.

This list shows messages quarantined by Microsoft 365.

To update the list with the latest quarantine data from Microsoft 365, click the Refresh icon. You must acknowledge the request to connect to Microsoft services before the update can be processed.

In this list, you can click Release or Delete from the list view or from Message Details. For information, see Release or delete messages.

Message details

Click the subject of a message in any quarantine list to see its details.

In Message Details, each message shows the following tabs. The available tabs and actions differ between the M365 quarantine list and other quarantine lists.

  • Details: Shows general information about the message.

    You can see whether the message is quarantined due to a clawback.


  • Raw Header: Shows the email header details.

  • Message: Shows the body of the email.
  • Attachments: Shows the name and size of attachments in the message.

    You can download one or more attachments. They're zipped in a password-protected file.

    You can strip and reattach message attachments. You can also reattach attachments removed by Data Control rules.

    When a message's attachments are stripped by a Data Control rule action, the original message is quarantined and a copy, without the attachment, is delivered to the recipient. You can reattach attachments before releasing the message, if you think they're safe. The message stays in quarantine until all the attachments have been reattached and the message released.

  • URLs: Shows URLs found in the message.

If a message was quarantined by SophosLabs Intelix threat analysis, you can click View Report to see the Intelix Threat Summary for that message. If a message with attachments is quarantined for other reasons, before being scanned by Intelix, you can submit it to Intelix for scanning. To do this, click Scan with Intelix.

For messages in the M365 quarantine list, Message Details shows the following tabs:

  • Details: Shows general information about the message.
  • Raw Header: Shows the email header details.
  • Message: Shows the body of the email.

    Note

    For messages in the M365 quarantine list, opening the Message tab connects to Microsoft services. You must acknowledge the request before you can get the data, and the process may take longer than usual.

  • Attachments: Shows the name and size of attachments in the message.

    You can only view attachment names and sizes. Download, strip, and reattach actions aren't available.

  • URLs: Shows URLs found in the message.

You can use Advanced Search to filter messages in any quarantine list.

The following search conditions are available in Advanced Search:

  • From: The sender. Supports partial strings. Not case sensitive.
  • To: The recipient. Supports partial strings. Not case sensitive.

    Note

    In the M365 quarantine list, From and To searches use the email header addresses, not the SMTP envelope sender or recipient addresses.

  • Subject: Supports partial strings. Not case sensitive.

  • Message size: Finds emails smaller or larger than a value in megabytes (MB). This uses the MIME size of an email, which may be greater than the raw file size. See Calculating email attachment file sizes.
  • Attachment: The type of attachment. Supports partial strings.

    Note

    • When we analyze senders and recipients of messages, we use their SMTP envelope sender and recipient addresses, not their from-header and to-header addresses.
    • Special characters, including punctuation marks such as periods (.), commas (,), and hash symbols (#), as well as symbols, accent marks, ASCII control characters, and formatting characters, are ignored in the search criteria fields.
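The difference between the two address types in the notes above (header From in the M365 quarantine list, SMTP envelope sender elsewhere), as an added example that is not Sophos code: it reads a constructed raw header and shows how one search term can match one address and miss the other. It assumes the envelope sender was recorded in `Return-Path`; `sender_views` and `search_from` are hypothetical names, and the matching is a simplified model of partial, case-insensitive search.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample header block, not taken from a real message.
SAMPLE_RAW_HEADER = """\
Return-Path: <bounce-7781@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [192.0.2.25])
\tby mx.example.org with ESMTPS; Tue, 04 Mar 2025 09:12:44 +0000
From: "Accounts Payable" <ap@example.com>
To: "Finance Team" <finance@example.org>
Subject: Updated remittance details

"""


def _domain(address):
    return address.rpartition("@")[2]


def sender_views(raw_header):
    """Extract both sender addresses and report whether their domains differ."""
    msg = message_from_string(raw_header)
    # Assumption: the receiving server recorded the envelope sender in Return-Path.
    envelope = parseaddr(msg.get("Return-Path", ""))[1].lower()
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    differ = bool(envelope and header_from) and _domain(envelope) != _domain(header_from)
    return {"envelope_from": envelope, "header_from": header_from,
            "domains_differ": differ}


def search_from(term, raw_header, use_header_address):
    """Simplified model of a partial, case-insensitive From search (hypothetical)."""
    views = sender_views(raw_header)
    field = views["header_from"] if use_header_address else views["envelope_from"]
    return term.lower() in field


if __name__ == "__main__":
    print(sender_views(SAMPLE_RAW_HEADER))
    # The same search term hits or misses depending on which address is searched.
    print(search_from("example.com", SAMPLE_RAW_HEADER, use_header_address=True))
    print(search_from("example.com", SAMPLE_RAW_HEADER, use_header_address=False))
```

A message whose two sender domains differ is not necessarily malicious (bulk mailers and mailing lists do this routinely), but it explains why a From search can return different results in the M365 quarantine list than in the other lists.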

You can combine different search conditions. When you use several search conditions, they're combined with a logical AND operator, so a message must match all of them.

You can filter messages by Direction, Status, or Reason.

If you change the date range or filter the messages, you need to click the refresh icon to update the search results.

Search results

In your search results, the search conditions you selected appear in the search box. You can adjust your search by clicking the gray cross icon next to a condition to remove it. Your search results are updated immediately.

You can click the direction arrows to filter your results for inbound or outbound messages. The down arrow is for inbound messages, the up arrow for outbound messages. If you click a direction arrow, your search results are updated immediately.

There's no indication of email direction in the Post delivery quarantine and M365 quarantine lists because all the messages are inbound.

Actions

You can perform actions on quarantined messages.

Blocking

This feature isn't applicable to the M365 quarantine list.

In Quarantined Messages, you can click the subject of a message you want to block and then view its message details. Next, click Block under SMTP From and select either Block sender or Block sender domain to add the sender's email address or the domain to your block list.

You can also click Block IP Address under IP Address to add the IP address to your block list. Alternatively, you can add email addresses and domains from the Inbound Allow/Block list.

Warning

Be careful when you block an IP address. You can accidentally block a whole service. For example, if you block the IP address used by Microsoft 365, you won't receive messages from any Microsoft 365 users.

You can add descriptions when blocking a sender's email address, domain, or IP address to specify the reason for each block entry. For example, a description might be "blocked due to spam". You can view and edit these descriptions later on the Inbound Allow/Block list.

For more information, see Inbound Allow/Block.

Release or delete messages

You can release or delete messages from the message list or from Message Details.

Click the tab that matches the quarantine list you are viewing.


  • Click Release to release messages from quarantine and send them to users.
  • Click Release and Allow to release messages and add the sender's email address to the Inbound Allow/Block list.

    Note

    When a message is released from quarantine, Sophos Email rescans it before delivery.

  • Click Delete to delete quarantined messages.

  • Click Delete and Block to delete messages and add the sender's email address to the Inbound Allow/Block list.

If you've turned on Allow/Block List for your users, you can also see options to add IP addresses and domains to allow or block lists. See Manage user settings.

In the M365 quarantine list:

  • Click Release to request Microsoft 365 to deliver the message.
  • Click Delete to request Microsoft 365 to delete the message.

Quarantined messages are deleted after 30 days.

Schedule a report

You can schedule regular reports of quarantined messages to be sent via email to selected admins.


For information on scheduling a report, see Schedule reports.

Export a report

You can export a report as a CSV or PDF file that contains a record of activities for a selected date range or for the last 90 days. The exported file reflects all filters applied at the time of export.

Click Export to download a quarantine report as a CSV or PDF file.