Emails marked as suspicious and held within quarantine
Messages marked as suspicious, malicious, or spam are moved to the Microsoft Quarantine portal for further administrative review.
When messages like these are flagged, it is important to take precautions to ensure that the messages are reviewed thoroughly before deciding to release a message to the recipient.
What to do when you are unsure if a message should have been blocked.
1. Perform a message trace on the sender email address to see if there have been other successfully delivered messages from the sender.
2. Try reversing the message trace direction by inputting the sender's domain address into the recipient field. This is to determine if employees have regular communications to the sender.
3. When in doubt, reach out to the recipient (employee) of the quarantined message asking if they were expecting any emails from this sender, or if they have had previous communications.
4. If you find the employee is expecting this message, tell them to contact their business contact and state that their messages contain malicious files and that their IT department should review security measures. We should NEVER release a message that contains malicious content. Even if the attachment contains legitimate information, that does not mean there is no hidden payload in the attachment.
An example of this could be that the sender's computer is infected with a virus which injects code into an Excel or Word document. The sender does not know this and sends their file to the Sollis Health employee as usual. Microsoft will (hopefully) detect the malicious code and block the message. From this point, the sender will need to be notified of the likelihood of their computer being compromised, and their IT department should perform a full sweep of their computer.
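Steps 1 and 2 above can also be run from Exchange Online PowerShell. The following is an added example, not part of the original procedure. It assumes the ExchangeOnlineManagement module with an active Connect-ExchangeOnline session and that Get-MessageTrace is available in the tenant; the function name Get-SenderHistory and the sample address are hypothetical.

```powershell
# Added example (not from the original runbook).
# Assumes: Connect-ExchangeOnline has already been run in this session.
function Get-SenderHistory {
    param(
        # Sender address shown on the quarantined message
        [Parameter(Mandatory)] [string] $SenderAddress,
        # Look-back window; Get-MessageTrace only covers the last 10 days
        [ValidateRange(1, 10)] [int] $Days = 10
    )

    $end    = Get-Date
    $start  = $end.AddDays(-$Days)
    $domain = ($SenderAddress -split '@')[-1]

    # Step 1: earlier mail from this exact sender and what happened to it
    $inbound = @(Get-MessageTrace -SenderAddress $SenderAddress `
                                  -StartDate $start -EndDate $end)

    # Step 2: reverse direction, mail our users sent to the sender's domain
    $outbound = @(Get-MessageTrace -RecipientAddress "*@$domain" `
                                   -StartDate $start -EndDate $end)

    # Summary to support step 3 (the conversation with the recipient).
    # Prior delivered mail shows familiarity only; per step 4 it never
    # justifies releasing a message that contains malicious content.
    [pscustomobject]@{
        Sender           = $SenderAddress
        InboundTotal     = $inbound.Count
        InboundDelivered = @($inbound | Where-Object { $_.Status -eq 'Delivered' }).Count
        InboundHeld      = @($inbound | Where-Object {
                               $_.Status -in 'Quarantined', 'FilteredAsSpam' }).Count
        OutboundToDomain = $outbound.Count
        # Employees who have written to this domain: candidates to ask in step 3
        InternalSenders  = @($outbound |
                               Select-Object -ExpandProperty SenderAddress -Unique)
    }
}

# Constructed sample address, replace with the quarantined message's sender
Get-SenderHistory -SenderAddress 'billing@vendor.example' | Format-List
```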
Example: Malware
1. Open the Microsoft Quarantine portal.
2. Review the messages within the portal. You may find messages are marked as spam or as malware. In this example we will review malware.
3. Click on the message marked as malware and click "Take Actions".
4. Choose "Investigate email" from the Initiate automated investigation section of the "Take actions" screen.
5. Open the Investigations portal and locate the message you submitted. Click on the icon in the ID field to drill into the investigation. (Note: investigations can take upwards of 1 hour to complete.)
6. In the image below you can see that numerous objects are reviewed. If evidence of malicious content is found, it is highlighted in red. Malicious entities found will be automatically remediated.

7. Microsoft will review for malicious activity on the user's mailbox and search across all mailboxes for the malicious contents. In the image below you can see that 14 messages were sent and 0 were found in users' mailboxes (because they were blocked and moved into quarantine).

Example: Phishing
Users can request that messages be released from quarantine, but they may not actually be safe to release. In the following example, a Vonage Visual VM was sent to a shared mailbox and a user requested that the message be released.
1. Open the Microsoft Quarantine portal.
2. Review the messages within the portal. You may find messages are marked as spam or as malware. In this example we will review phishing.
3. Click on the message marked as malware and click "Take Actions".
4. Choose "Investigate email" from the Initiate automated investigation section of the "Take actions" screen.
5. Open the Investigations portal and locate the message you submitted. Click on the icon in the ID field to drill into the investigation. (Note: investigations can take upwards of 1 hour to complete.)
6. In this example, the message was blocked because of a malicious attachment which contains a payload to collect credentials.