Email - Advanced Threat Protection (ATP)
The safety and security of individual data and privacy continue to be a top priority for Alliant’s IT Team, and we continue to pursue products and services to enhance or protect our environment. Phishing and spam continue to be problematic at times for our business email system, and we’ve taken measures to help address this problem. Recently, we acquired a new email protection service called Advanced Threat Protection (ATP) for our Office 365 email. The intent of this service is to reduce the amount of spam and phishing attempts at Alliant. While it may not eliminate these unwanted emails entirely, in testing we’ve seen a great reduction in the number reaching inboxes.
We have enabled this program for all Alliant accounts. You will not notice a change to your inbox, but you will start receiving occasional messages like the one below. The quarantine system “catches” or flags potential spam or phishing and allows you to take action to release the message to your inbox, block the sender, or review further. You will have 30 days to decide what to do with these messages in the quarantine system. There is the slight possibility that a legitimate email could be quarantined, so it’s important to occasionally review your blocked message list to ensure that no legitimate emails exist in quarantine.
You can reach the Office 365 quarantine website by clicking “review” on any blocked message, or directly at security.microsoft.com/quarantine. On the left, you can navigate to “Threat Protection” and “Review” to see the list of all blocked messages. Any emails blocked can be released from here back to your inbox.
As a user, you can view, release, and delete quarantined messages where you are a recipient, and the message was quarantined as spam or bulk email. As of April 2020, you can view or delete quarantined phishing (not high confidence phishing) messages where you are a recipient. You view and manage your quarantined messages in the Security & Compliance Center or (if an admin has set this up) in end-user spam notifications.
What do you need to know before you begin?
- To open the Quarantine page directly, go to https://protection.office.com/quarantine.
- Admins can configure how long messages are kept in quarantine before they're permanently deleted (anti-spam policies). Messages that have expired from quarantine are unrecoverable. For more information, see Configure anti-spam policies in EOP.
- Admins can also enable end-user spam notifications in anti-spam policies. Users can release quarantined spam messages directly from these notifications. Users can review quarantined phishing messages (not high confidence phishing messages) directly from these notifications. For more information, see End-user spam notifications in EOP.
- Messages that were quarantined for high confidence phishing, malware, or by mail flow rules (also known as transport rules) are only available to admins, and aren't visible to users. For more information, see Manage quarantined messages and files as an admin in EOP.
- You can only release a message and report it as a false positive (not junk) once.
View your quarantined messages:
- In the Security and Compliance Center, go to Threat Management > Review > Quarantine.
- You can sort the results by clicking on an available column header. Click Modify columns to show a maximum of seven columns. The default values are marked with an asterisk (*):
  - Received*
  - Sender*
  - Subject*
  - Quarantine reason*
  - Released?*
  - Policy type*
  - Expires*
  - Recipient
  - Message ID
  - Policy name
  - Size
  - Direction
- To filter the results, click Filter. The available filters are:
  - Expires time: Filter messages by when they will expire from quarantine:
    - Today
    - Next 2 days
    - Next 7 days
    - Custom: Enter a Start date and End date.
  - Received time: Enter a Start date and End date.
  - Quarantine reason:
    - Bulk
    - Spam
    - Phish
  - Policy Type: Filter messages by policy type:
    - Anti-phish policy
    - Hosted content filter policy (anti-spam policy)
- Use Sort results by (the Message ID button by default) and a corresponding value to find specific messages. Wildcards aren't supported. You can search by the following values:
  - Message ID: The globally unique identifier of the message. If you select a message in the list, the Message ID value appears in the Details flyout pane that appears. Admins can use message trace to find messages and their corresponding Message ID values.
  - Sender email address: A single sender's email address.
  - Policy name: Use the entire policy name of the message. The search is not case-sensitive.
  - Recipient email address: A single recipient's email address.
  - Subject: Use the entire subject of the message. The search is not case-sensitive.
After you find a specific quarantined message, select the message to view details about it, and to take action on it (for example, view, release, download, or delete the message).
Export message results
- Select the messages you're interested in, and click Export results.
- Click Yes in the confirmation message that warns you to keep the browser window open.
- When your export is ready, you can name and choose the download location for the .csv file.
View quarantined message details:
When you select an email message in the list, the following message details appear in the Details flyout pane:
- Message ID: The globally unique identifier for the message.
- Sender address
- Received: The date/time when the message was received.
- Subject
- Quarantine reason: Shows if a message has been identified as Spam, Bulk or Phish.
- Recipients: If the message contains multiple recipients, you need to click Preview message or View message header to see the complete list of recipients.
- Expires: The date/time when the message will be automatically and permanently deleted from quarantine.
- Released to: All email addresses (if any) to which the message has been released.
- Not yet released to: All email addresses (if any) to which the message has not yet been released.
Take action on quarantined email:
After you select a message, you have options for what to do with the messages in the Details flyout pane:
- Release message: In the flyout pane that appears, choose whether to Report messages to Microsoft for analysis. This is selected by default, and reports the erroneously quarantined message to Microsoft as a false positive. When you're finished, click Release messages.
- View message header: Choose this link to see the message header text. To analyze the header fields and values in depth, copy the message header text to your clipboard, and then choose Microsoft Message Header Analyzer to go to the Remote Connectivity Analyzer (right-click and choose Open in a new tab if you don't want to leave Microsoft 365 to complete this task). Paste the message header onto the page in the Message Header Analyzer section, and choose Analyze headers.
- Preview message: In the flyout pane that appears, choose one of the following options:
  - Source view: Shows the HTML version of the message body with all links disabled.
  - Text view: Shows the message body in plain text.
- Remove from quarantine: After you click Yes in the warning that appears, the message is immediately deleted.
- Block Sender: Prevents the sender from sending messages to you.
If you don't release or remove the message, it will be deleted after the default quarantine retention period expires.
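The header text copied from View message header can also be read offline before deciding whether to release a message. The Python sketch below is an added example, not part of the original page or of Microsoft's tooling; the sample headers are constructed, and it assumes the message carries the Authentication-Results and X-Forefront-Antispam-Report headers that Exchange Online Protection stamps on inbound mail.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample headers (not a real message); all domains and IPs are placeholders.
SAMPLE_HEADERS = """\
Authentication-Results: spf=fail (sender IP is 203.0.113.7)
 smtp.mailfrom=billing.example.com; dkim=none (message not signed)
 header.d=none; dmarc=fail action=quarantine header.from=example.com
X-Forefront-Antispam-Report: CIP:203.0.113.7;CTRY:US;LANG:en;SCL:5;SFV:SPM;CAT:PHSH;
From: "Accounts" <accounts@example.com>
Reply-To: refunds@other.example
Subject: Invoice overdue

"""

def domain_of(header_value):
    """Lower-cased domain of the address in a From/Reply-To header, or ''."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw_headers):
    """Summarise the header fields worth reading before releasing a message."""
    msg = email.message_from_string(raw_headers)
    # Unfold the header, then collect each "<mechanism>=<result>" pair.
    auth_line = " ".join(msg.get("Authentication-Results", "").split())
    pairs = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth_line, re.I)
    auth = {mech.lower(): result.lower() for mech, result in pairs}
    # X-Forefront-Antispam-Report is a ";"-separated list of KEY:VALUE fields.
    fields = msg.get("X-Forefront-Antispam-Report", "").split(";")
    report = dict(f.strip().split(":", 1) for f in fields if ":" in f)

    concerns = []
    for mech in ("spf", "dkim", "dmarc"):
        result = auth.get(mech, "missing")
        if result != "pass":
            concerns.append(f"{mech}={result}")
    from_dom, reply_dom = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        concerns.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    return {"auth": auth, "scl": report.get("SCL"),
            "category": report.get("CAT"), "concerns": concerns}

if __name__ == "__main__":
    summary = triage(SAMPLE_HEADERS)
    print(summary["auth"], summary["scl"], summary["category"])
    for concern in summary["concerns"]:
        print("check:", concern)
```

An empty concerns list does not prove a message is safe; it only means the sender authentication results and reply address give no reason to doubt the stated sender.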
Take action on multiple quarantined email messages:
When you select multiple quarantined messages in the list (up to 100), the Bulk actions flyout pane appears where you can take the following actions:
- Release messages: The options are the same as when you release a single message, except you can't select Release messages to specific recipients; you can only select Release message to all recipients or Release messages to other people.
- Delete messages: After you click Yes in the warning that appears, the messages are immediately deleted without being sent to the original recipients.