Between 2022 and 2023, business email compromise (BEC) attacks rose by 55%. Furthermore, organizations that manage over 5,000 email accounts are 90% likely to receive at least one BEC attack weekly.
Email is one of the most frequently used tools for both personal and professional communication. But with its convenience and accessibility also comes an onslaught of malicious threats that deliver malware or compromise sensitive data.
To counter these threats, email systems have implemented a proactive measure called email quarantine. It functions as a digital holding area that isolates suspicious emails before they reach your primary inbox. Let’s explore the concept of email quarantine in this article.
What does it mean to have an email quarantined?
When an email is quarantined, it means that the email has been deemed suspicious or potentially harmful. As such, it has been isolated to prevent it from being delivered directly to the recipient’s primary inbox.
It’s a precautionary measure that aims to minimize email security threats and protect users from cyber security attacks.
Email quarantines are carried out as part of email security systems. These systems scan incoming emails for signs of spam, phishing, malware, and other malicious content.
When such content is detected, the message goes to a separate, isolated space called the quarantine instead of being delivered straight to an inbox.
In effect, it acts as a safety buffer to ensure that malicious emails don’t reach users directly, minimizing the risk of clicking harmful links, downloading malicious attachments, or being exposed to deceptive content.
Why do emails get quarantined?
Emails can get quarantined if the system detects words, patterns, or senders that can be categorized as spam, phishing, malware, or other cyber security attacks.
Spam Detection
Emails classified as spam are sent to quarantine. To detect spam, email systems use various criteria, including content analysis, known spam signatures, and sender reputation.
Phishing Attempts
Emails that attempt to deceive users into handing over sensitive information are flagged as phishing. Email systems are trained to detect messages disguised as coming from legitimate sources and flag them if they ask for passwords, credit card numbers, or other sensitive data.
Malicious Attachments
Emails containing attachments recognized as malware or other malicious software are also quarantined. This prevents employees from inadvertently opening the attachments and compromising their data.
Suspicious Links
Emails that contain links to known malicious websites or URLs with unusual patterns are quarantined to prevent users from accessing harmful content.
Sender Reputation
The sender’s reputation can also play a part in email quarantines. If the email originates from an IP address or domain that has been blacklisted for previous malicious activities or spammy behavior, the emails will not be sent directly to the recipient’s inbox.
Violations of Content Policies
Organizations can set content policies in an email system, such as rules against inappropriate language or the transmission of sensitive data. If a received email contains content that violates these established policies, it will be quarantined.
DMARC/DKIM/SPF Failures
DMARC (Domain-based Message Authentication, Reporting, and Conformance), DKIM (DomainKeys Identified Mail), and SPF (Sender Policy Framework) are email authentication methods that help verify the authenticity of an email. If an email fails these checks, it may be spoofed and is quarantined.
Mass Emailing
If a sender emails a large number of recipients, especially when this is not typical for that sender, the email can be deemed suspicious and flagged as spam or an unwanted marketing campaign.
Unusual Sending Patterns
An email account that sends a large volume of emails within a short period, when it doesn’t usually do so, may look like a compromised account sending malicious emails. Any communication coming from such an account may be quarantined. If it’s a false positive, the situation can be clarified with the email system provider.
Custom Rules and Filters
Organizations can set custom rules, filters, and keywords based on their unique needs or experiences with certain threats. When an email matches one of these rules, it is quarantined.
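The two mechanisms above, authentication failures and custom content rules, can be combined into a single disposition decision. The following is an added example, not code from the article or from any vendor's product: it parses the Authentication-Results header a receiving mail server stamps on a message, applies the sending domain's DMARC policy (here a constructed table standing in for the DNS lookup), and runs assumed organization-specific keyword rules over the subject and body.

```python
import re
from email import message_from_string

# Constructed sample (not from the article): every authentication check
# failed for the claimed From domain and the body reads like a lure.
SUSPECT = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=example.com; dkim=fail header.d=example.com; dmarc=fail header.from=example.com
From: CFO <cfo@example.com>
Subject: Urgent wire transfer today

Reply with your password so I can approve the transfer.
"""

CLEAN = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: HR <hr@example.com>
Subject: Lunch schedule

The cafeteria opens at noon on Friday.
"""

# Constructed stand-in for the p= tag of the record published at
# _dmarc.<domain>; a real filter resolves this over DNS.
DMARC_POLICY = {"example.com": "quarantine"}

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(pass|fail|softfail|none|neutral|temperror|permerror)\b")

# Assumed organization-specific content rules (the "Custom Rules" case).
CONTENT_RULES = {
    "credential_request": re.compile(r"\bpassword\b", re.I),
    "urgent_payment": re.compile(r"\b(urgent|wire transfer)\b", re.I),
}

def parse_auth_results(header):
    """Map each authentication method to its result, e.g. {'spf': 'fail', ...}."""
    return {m.group(1): m.group(2) for m in AUTH_RE.finditer(header.lower())}

def classify(raw):
    """Return (disposition, reasons) for a raw message: deliver, quarantine or reject."""
    msg = message_from_string(raw)
    reasons, hold = [], False
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    from_domain = msg.get("From", "").rsplit("@", 1)[-1].rstrip(">").lower()
    if auth.get("dmarc") == "fail":
        policy = DMARC_POLICY.get(from_domain, "none")  # p=none only monitors
        reasons.append(f"dmarc_fail:p={policy}")
        if policy == "reject":
            return "reject", reasons
        hold = policy == "quarantine"
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    for name, rx in CONTENT_RULES.items():
        if rx.search(text):
            reasons.append(name)
            hold = True
    return ("quarantine" if hold else "deliver"), reasons
```

The reasons list is what a quarantine digest would show the user or administrator when they decide whether to release or delete the message.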
How to check quarantined emails in Outlook
Depending on your email system’s settings, you may be notified about quarantined emails in the form of a digest or a real-time alert. These notifications allow you to review suspicious emails and decide whether to release or delete them. This is especially useful for false positives: because no system is infallible, legitimate emails may also get flagged and quarantined due to certain trigger words or patterns. To view your quarantined email in Outlook, you can take any of these five routes:
Via Email Notifications
If your email system notifies you of emails that have been quarantined, you can click on the notifications to view, release, report, or delete quarantined items.
Via Security & Compliance Center (For Administrators)
Administrators can view the organization’s quarantined emails with their Security & Compliance Center admin accounts. Once logged in, go to Threat management > Review > Quarantine. Here, you’ll be able to find all quarantined emails.
Via Outlook on the Web
Your organization may have set up a quarantine folder in each user’s Outlook on the Web mailbox. To find quarantined emails in Outlook Desktop, open the app and click the 'Home' tab. Then, click 'Junk' to see all the emails that Outlook has set aside. You can check what's in each email by clicking on it. If it's not a threat, click 'Release' to move it to your inbox. If it's unwanted, hit 'Delete' to remove it.
Via Direct Link
If your organization or IT department has provided you with a direct link to your personal quarantined items, you can use this to view, accept, or delete quarantined emails.
Via Third-Party Tools
Some organizations use third-party email filtering services to manage quarantined emails. To check your items, you’ll need to access the interface for these tools. Contact your IT department for guidance.
How long do messages stay in quarantine?
Quarantined emails are not stored indefinitely. Email systems employ a retention period that keeps a suspicious email in quarantine for a certain amount of time. After the retention period, the emails are automatically deleted if no action has been taken by the user. The specific length of the retention period varies based on system settings and organizational policies.
Email Quarantine: An Extra Line of Defense
While email quarantine systems add an extra protective layer that shields users from potential cyber security threats, it’s essential to know that they are not bulletproof.
Despite implementing this safety measure in your email accounts, a malicious email can still be sent directly to your employees’ inboxes.
With 75% of all email data breaches involving the human element and an alarming 28% of employees responding to BEC attacks, it’s essential to invest in awareness training that will teach your employees to recognize and overcome phishing threats.
Start easy with this Terranova Security Free Phishing Simulation that will help your employees learn the intricacies of phishing attacks and how to identify red flags.
It will also give you valuable insights into who in your organization is prone to phishing attacks and how to reduce risk through changes to user behavior.