Receive an alert when a message is released from quarantine

Let’s say that you’ve followed my blog post on how to assign the quarantine management responsibility to a user. This carries some risk. Even though quarantine management has been delegated outside of IT, you should still monitor when an email has been released from quarantine, because phishing remains one of the most common ways criminals gain a foothold in a network. The quarantine manager could easily make a mistake, or the messaging policy may need to be tweaked. In either case, both are easier to track if the admin team is made aware of every quarantine release.

Create a new Activity Policy in Defender

Navigate to https://security.microsoft.com/cloudapps/policies/management and create a new Activity Policy. Provide a name for the policy, set a severity rating and category. Add a description if desired.

Next, we have to build the filter set so that we capture only the activities we are interested in. In this case, that is the activity of releasing a quarantined message, restricted to the user who holds the quarantine management responsibility. Keeping the filter this narrow matters: a broader filter (all quarantine activity, or all users) will generate noise that the admin team quickly learns to ignore.

Click the Edit and preview results button to verify that you are capturing only the release email activity by the selected user. The preview should show just those release events, which is the activity we want to alert the admin team about. If the preview is empty, release a test message as that user and wait for the activity to appear before saving the policy.

Now complete the policy by adding the email address to which the alert should be delivered. Note that an activity policy only sees activities that Defender for Cloud Apps ingests from the Microsoft 365 app connector, so confirm that connector is enabled; otherwise the policy will never fire.
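As a backstop to the activity policy, it is worth checking the unified audit log directly for the same events, both to confirm that a test release actually shows up and to catch anything the policy missed. The script below is an added example and is not code from the original post. It assumes the ExchangeOnlineManagement module is installed and that the account running it can read the audit log; the user principal name in $QuarantineManager is a placeholder, and the RecordType and Operation names (Quarantine, QuarantineReleaseMessage) and the AuditData field names are taken from the Microsoft 365 audit log activity list and should be treated as assumptions to verify in your own tenant.

```powershell
# Added example (not from the original post): list quarantine releases by the
# delegated quarantine manager from the unified audit log.
# Assumptions: ExchangeOnlineManagement module is installed; the placeholder UPN
# below is replaced; RecordType "Quarantine", Operation "QuarantineReleaseMessage"
# and the AuditData field names match the audit log activity list for your tenant.
param(
    [string]$QuarantineManager = "quarantine.manager@contoso.com",  # placeholder UPN
    [int]$LookbackDays = 7
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$start = (Get-Date).AddDays(-$LookbackDays)
$end   = Get-Date

# Filter to the release operation only and to the delegated user only, which is
# the same narrowing the activity policy applies. A session is used so that a
# large result set is returned completely rather than truncated.
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType Quarantine `
    -Operations QuarantineReleaseMessage `
    -UserIds $QuarantineManager `
    -SessionId "QuarantineReleaseCheck" -SessionCommand ReturnLargeSet `
    -ResultSize 5000

if (-not $records) {
    Write-Host "No release events for $QuarantineManager in the last $LookbackDays days."
    Write-Host "If a test release was just performed, allow for audit ingestion delay and re-run."
} else {
    # AuditData is a JSON string; expand the fields an admin would review.
    $records | ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            When      = $d.CreationTime
            Actor     = $d.UserId
            Operation = $d.Operation
            Object    = $d.ObjectId   # assumption: identifies the released message
        }
    } | Sort-Object When -Descending | Format-Table -AutoSize
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it on a schedule, or once after releasing a test message as the quarantine manager, to confirm the audit trail exists. The audit log lags real activity by some minutes, so this is a verification and review tool rather than a replacement for the near-real-time alert the activity policy provides.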

All we do is support IT professionals. Help for IT Pros, M365 admin News, Security community, peer groups, MSP training and more. https://www.thirdtier.net
