Quarantined Messages

The Quarantined Messages page lists the email messages that have been quarantined for all your protected mailboxes.

If you aren't using M365 Security, you only see one list, with quarantined messages from all your email domains. If you're using M365 Security and have turned on Auto search and remediate or On demand clawback, you see two tabs. Click Post delivery quarantine to see messages quarantined by M365 Security. Or click Email security quarantine to see your other quarantined messages.

By default, the report displays the messages that have been processed during the current day.

Note

You must set an owner for a distribution list to receive quarantined messages and their summary. For information on how to add an owner to a distribution list, see Distribution list owners.

Advanced Search

You can use Advanced Search to filter messages by the following terms:

  • From: Sender. Supports partial strings. Not case sensitive.
  • To: Recipient. Supports partial strings. Not case sensitive.
  • Subject: Supports partial strings. Not case sensitive. Click the subject of a message to see its details. See Message Details.
  • Message size: Greater than or less than a number of MB. This uses the MIME size of an email, which may be greater than the raw file size. See Calculating email attachment file sizes.
  • Attachment: Type of attachment. Supports partial strings.

    Note

    • When we analyze senders and recipients of messages, we use their SMTP envelope sender and recipient addresses, not their from-header and to-header addresses.
    • Special characters, including punctuation marks such as periods (.), commas (,), and hash symbols (#), as well as symbols, accent marks, ASCII control characters, and formatting characters, are ignored in the search criteria fields.

You can combine different search terms. They are applied with the AND condition.
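The following is an added example, not Sophos code, that models these search rules over two constructed records. It shows why a From search misses a message whose header From differs from its SMTP envelope sender, and why a 3 MB file can pass a "greater than 4 MB" filter. The record fields, the `normalize` and `search` helpers, the 2^20-byte MB and the choice to strip special characters from both the term and the field are assumptions.

```python
from email.message import EmailMessage

MB = 1024 * 1024  # assumption: the page does not say whether MB is 10^6 or 2^20

def normalize(text):
    # Not case sensitive; special characters ignored. Assumption: applied to
    # both the search term and the stored field before the substring test.
    return "".join(ch for ch in text.lower() if ch.isalnum())

def record(envelope_from, envelope_to, header_from, subject, attachment_bytes=0):
    """Build a constructed quarantine record; field names are hypothetical."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = header_from, envelope_to, subject
    msg.set_content("constructed sample body")
    if attachment_bytes:
        msg.add_attachment(bytes(attachment_bytes), maintype="application",
                           subtype="octet-stream", filename="report.bin")
    return {"from": envelope_from, "to": envelope_to, "subject": subject,
            "header_from": header_from, "raw_bytes": attachment_bytes,
            "mime_bytes": len(msg.as_bytes())}  # size after base64 encoding

def search(records, terms, larger_than_mb=None):
    """Every term must match (AND); From/To are tested against the envelope."""
    hits = []
    for r in records:
        if not all(normalize(v) in normalize(r[k]) for k, v in terms.items()):
            continue
        if larger_than_mb is not None and r["mime_bytes"] <= larger_than_mb * MB:
            continue
        hits.append(r)
    return hits

RECORDS = [  # constructed sample data
    record("bounce-771@mailer.example.net", "finance@corp.example",
           "CEO <ceo@corp.example>", "Urgent: wire transfer"),
    record("ceo@corp.example", "all-staff@corp.example",
           "ceo@corp.example", "Q3 update", attachment_bytes=3 * MB),
]

if __name__ == "__main__":
    for r in search(RECORDS, {"from": "CEO"}):
        print("From=CEO        ->", r["subject"])
    for r in search(RECORDS, {"subject": "wire-transfer!"}):
        print("Subject search  ->", r["from"], "| header From:", r["header_from"])
    for r in search(RECORDS, {}, larger_than_mb=4):
        print("Larger than 4MB ->", r["subject"], r["raw_bytes"], r["mime_bytes"])
```

When triaging a suspected impersonation, search by Subject or To and then compare the envelope sender with the From line in Raw Header.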

You can filter messages by Direction, Status, or Reason.

If you change the date range or filter the messages, you need to click the refresh icon to update the search results.

Search results

In your search results, the search terms you selected appear in the search box. You can refine your search by clicking individual parameters to remove them. Your search results are updated immediately.

You can click the direction arrow to filter your results for inbound or outbound messages. The down arrow is for inbound messages, and the up arrow is for outbound messages. If you click a direction arrow, your search results are updated immediately.

There's no indication of email direction in the Post delivery quarantine list because all the messages are inbound.

To view message details, click the Subject.

Email gateway message details

In Message Details, you can click the following for more information about the message:

  • Details: Shows general information about the message.

    Click Block IP Address if you want to add the IP address or domain to the Inbound Allow/Block list, and then click Ok to confirm. Any sender using this IP address or domain is blocked. Click Cancel to cancel the action.

  • Raw Header: Shows the email header details.

  • Message: Shows the body of the email.
  • Attachments: Shows the name and size of attachments in the message.

    You can download one or more attachments. They are zipped in a password-protected file.

    You can strip and reattach message attachments. You can also reattach attachments removed by Data control rules.

    When a message's attachments are stripped by a Data control rule action, the original message is quarantined and a copy, without the attachment, is delivered to the recipient. You can reattach attachments before releasing the message, if you think they're safe. The message stays in quarantine until all the attachments have been reattached and the message released.

  • URLs: Shows URLs in the message.

If a message was quarantined by SophosLabs Intelix threat analysis, you can click View Report to see the Intelix Threat Summary for that message. If a message with attachments is quarantined for other reasons, before being scanned by Intelix, you can submit it to Intelix for scanning. To do this, click Scan with Intelix.

Delete or release messages

You can delete or release messages from the message list, or from Message Details. Do as follows:

  • Click Release to release messages from quarantine and send them to users.
  • Click Release and Allow to release messages and add the sender's email address to the Inbound Allow/Block list.
  • Click Delete to delete quarantined messages.
  • Click Delete and Block to delete messages and add the sender's email address to the Inbound Allow/Block list.

If you've turned on Allow / Block List for your users, you can also see options to add IP addresses and domains to allow or block lists. See Manage settings for Sophos Central Self Service.

Quarantined messages are deleted after 30 days.

Post delivery quarantine message details

This section only applies to messages in the Post delivery quarantine list. If you don't have post delivery protection turned on, this list doesn't appear.

In Message Details, you can click the following for more information about the message:

  • Details: Shows general information about the message. You can also see whether the message is quarantined due to a clawback.

    Click Block IP Address if you want to add the IP address or domain to the Inbound Allow/Block list, and then click Ok to confirm. Any sender using this IP address or domain is blocked. Click Cancel to cancel the action.

  • Raw Header: Shows the email header details.

  • Message: Shows the body of the email.
  • Attachments: Shows the name and size of attachments.
  • URLs: Shows URLs in the message.

You can delete or release messages from the message list, or from Message Details. Do as follows:

  • Click Release to release messages from quarantine and send them to users.
  • Click Delete to delete quarantined messages.

If you've turned on Allow / Block List for your users, you can also see options to add IP addresses and domains to allow or block lists. See Manage settings for Sophos Central Self Service.

Messages in Post delivery quarantine that aren't released or deleted within 30 days are deleted.