Exchange Online Protection (EOP) is the baseline mail-filtering service Microsoft includes with every Pitt mailbox. It evaluates inbound messages for spam, bulk mail, phishing, and malware, then either delivers them, drops them in your Junk Email folder, or holds them in quarantine. This article explains the difference between Junk Email and quarantine, how to review and release quarantined messages, how to customize your safe-sender and blocked-sender lists, and how to report missed spam or phishing. For details on the second protection layer (Defender for Office 365, Safe Links, and Safe Attachments), see Email Protection: Defender for Office 365.
How EOP Filters Your Mail
Every message arriving at your Pitt inbox is evaluated against multiple filtering layers — connection filtering, anti-malware scanning, anti-spam scanning, and anti-phishing analysis. Each layer produces a verdict, and the verdict determines what happens to the message.
EOP filtering verdicts and the action taken for each
| Verdict |
What It Means |
Action |
| Clean |
No spam, phishing, or malware indicators |
Delivered to your Inbox |
| Bulk mail |
Marketing newsletters, promotional mail, mass announcements from legitimate senders |
Delivered to your Inbox or Junk Email folder depending on your bulk-mail preference |
| Spam |
Unsolicited messages matching spam patterns |
Delivered to your Junk Email folder |
| High-confidence spam |
Strong spam indicators |
Held in quarantine |
| Phishing |
Indicators of credential theft or impersonation |
Held in quarantine |
| High-confidence phishing |
Strong phishing indicators |
Held in quarantine, admin review required for release |
| Malware |
Attachment or content identified as harmful |
Held in quarantine, admin review required for release |
Junk Email Folder vs. Quarantine
The two destinations for filtered mail behave differently and live in different places. Knowing which to check is half the battle when a message goes missing.
How the Junk Email folder differs from EOP quarantine
| |
Junk Email folder |
Quarantine |
| Where it lives |
In your mailbox, alongside Inbox and Sent |
In Microsoft's hosted security service, not in your mailbox |
| How to access |
Outlook on the web, classic Outlook, the new Outlook, mobile Outlook |
security.microsoft.com/quarantine or quarantine notification messages |
| Retention |
Until you delete it, or 30 days if auto-empty is enabled |
Up to 30 days, then permanently deleted (the exact period depends on the message category) |
| Recovery if expired |
Recoverable from Deleted Items / Recover deleted items |
Not recoverable — expired quarantine messages are gone |
If a message is missing, check both.
Spam is normally in Junk Email; high-confidence spam, phishing, and malware are normally in quarantine. If you don't know which verdict applies, check the Junk Email folder first (one click in Outlook), then the quarantine portal.
Reviewing Quarantined Messages
There are two ways to see what is in your quarantine: wait for a periodic notification, or go directly to the quarantine portal. Both ultimately land you in the same place — the Microsoft Defender portal — and either is fine.
Option A: Quarantine Notification Messages
On a regular schedule (more often when you receive more quarantined mail, less often when you don't), Microsoft sends a digest of recently quarantined messages to your Pitt inbox. You can identify the notification by:
- Sender:
EOP ESN <quarantine@messaging.microsoft.com>
- Subject: typically "Microsoft 365 security: You have messages in quarantine" (Microsoft adjusts this from time to time)
The notification lists each newly quarantined message and offers three action buttons next to each:
- Review Message — opens the message in the Microsoft Defender portal so you can see the body, headers, and the reason it was quarantined. From there you can release, block, or delete it.
- Release — delivers the message to your inbox. See the Releasing a Quarantined Message section below before using this — there is a right way and a wrong way to use it.
- Block sender — adds the sender to your personal Blocked Senders list. Future messages from that sender will be routed to Junk Email or remain in quarantine.
The notification is informational — not every action is always available.
For high-confidence phishing and malware, the only action visible in the notification is Review. To release such messages, an administrator must approve the request. The article's Releasing a Quarantined Message section below covers this.
Option B: Direct Access to the Quarantine Portal
You can review and act on quarantined messages at any time, without waiting for a notification:
- Go directly to security.microsoft.com/quarantine and sign in with your Pitt account. You can also launch the same destination from Spam and Virus Filtering on myPitt.
- If you navigate away and need to find your way back inside the Defender portal, select Email & collaboration in the left menu, then Review, then Quarantine.
- On the Email tab, you will see your quarantined messages with columns for Subject, Sender, Received, Quarantine reason, and Expires.
- Use the Filter control to narrow the list by sender, recipient, date range, or quarantine reason.
- Select a message to open the details flyout, which shows headers, a preview where permitted, and the actions available for that message.
Releasing a Quarantined Message
Releasing a message delivers it from quarantine to your inbox. Once a message is in your inbox, the protections that filtered it out no longer apply — which makes this step worth slowing down for.
Only release messages you were specifically expecting. If you don't recognize the sender, weren't expecting the message, and cannot independently confirm it is legitimate — for example, by calling or texting the sender at a number you already had — leave the message in quarantine and let it expire. EOP quarantined it for a reason. The most common cause of a released-then-regretted message is releasing a message that wasn't expected in the first place.
How to Release a Message You Recognize
- Open the message in the quarantine portal at security.microsoft.com/quarantine.
- Use Preview message to confirm the content matches what you were expecting from that sender. If it does not, do not release it.
- Select Release email. The message is delivered to your inbox.
For high-confidence phishing and malware, the only action available to you is Request release. Microsoft does not allow direct user release of these categories regardless of how the quarantine policy is otherwise configured — a deliberate safeguard against social-engineering pressure to release confirmed malicious mail. An administrator must approve before delivery, and the status will read Release requested until they do.
Do not report quarantined or just-released messages as phishing or spam.
A message that was held in quarantine has already been identified and acted on — Pitt Digital Security and Microsoft do not need a second report of it, and a duplicate report adds noise that competes with reports of genuinely missed threats. If you release a message and then realize it is spam or phishing, simply delete it from your inbox. Do not use the KnowBe4 Phish Alert Button (PAB), the Outlook Report button, or phish@pitt.edu for messages you just released — those reporting paths are for messages that bypassed the filters and arrived in your inbox unexpectedly. See Reporting Spam and Phishing That Reached Your Inbox below for the distinction.
Other Actions in the Quarantine Details Flyout
- Preview message — view the message body safely without releasing it.
- View message headers — useful when forwarding technical details to the Help Desk.
- Block sender — adds the sender to your personal Blocked Senders list so future messages bypass your inbox.
- Delete from quarantine — removes the message immediately rather than waiting for the expiration date.
If you released a message and then selected a link or opened an attachment in it.
That is a different situation from realizing after the fact that the message was junk. Call the Technology Help Desk at
412-624-HELP (4357) and ask for Pitt Digital Security. Do not report the released message through the PAB or the Report button — call directly so an analyst can scope the impact on your account in real time.
Customizing Your Filtering
You can refine how EOP treats mail you receive in three ways: safe senders, blocked senders, and your bulk-mail preference.
Safe Senders and Blocked Senders in Outlook on the Web
- Open Pitt Email (Outlook) via myPitt.
- Select the gear icon in the upper right.
- In the Settings search box, type
senders and select Junk email. (You can also navigate to Mail > Junk email.)
- Use + Add safe sender to add an address or domain whose mail should never be filtered as junk, or + Add blocked sender to add one whose mail should always be sent to Junk Email.
- Optionally, select Trust email from my contacts to automatically treat anyone in your Contacts as a safe sender.
- Select Save.
To edit an entry, select it and use the pencil icon to modify or the trash icon to remove. Always select Save after changes.
Safe Senders and Blocked Senders in Classic Outlook (Desktop)
- Right-click any message in your inbox.
- Hover over Block and select Junk Email Options.
- Use the Safe Senders tab to add trusted addresses or domains. Select Also trust email from my Contacts to extend the same treatment to your contacts.
- Use the Blocked Senders tab to add addresses or domains whose mail should be routed to Junk Email.
- Select OK.
You can also block a single sender quickly: right-click the message and select Block > Block Sender. The sender's address is added to your Blocked Senders list automatically.
Bulk-Mail Filtering Preference
Bulk mail — marketing newsletters, mass announcements, and promotional messages from legitimate senders — sits between clean mail and spam. Some people want it delivered; others want it filtered. You can set your preference at the account level:
- Open Manage My Account via myPitt.
- Select Email & Messaging, then Set Email Preferences.
- Select the Filtering tab.
- Choose your bulk-mail aggressiveness and save.
For details, see Customize Your Email Filtering.
Reporting Spam and Phishing That Reached Your Inbox
EOP is signature- and reputation-based, and no signature catches every message. When something gets through, reporting it improves filtering for you and everyone else at Pitt.
Scope: the reporting paths below are for messages that arrived in your inbox normally — never for messages you released from quarantine.
A message that was held in quarantine has already been identified. If you released one and then realized it was spam or phishing, delete it; don't report it. See Releasing a Quarantined Message above.
Reporting Spam
For ordinary spam (unwanted but not dangerous) that landed in your inbox, mark it as junk so EOP learns from the verdict.
- Outlook on the web: Select the message, then select Report > Report junk on the ribbon. The message moves to your Junk Email folder and the verdict is sent to Microsoft.
- Classic Outlook (desktop): Right-click the message, hover over Junk, and select Junk or Block Sender.
Reporting Phishing
For suspected phishing, use the dedicated phishing-reporting path, not the spam path — Pitt Digital Security needs the message's full metadata to investigate, and the phishing-report path preserves it.
See Phishing Emails: Don't Take the "Bait" for the full preference order. In short:
- Preferred: Use the KnowBe4 Phish Alert Button (PAB) in Outlook. See Reporting Phishing Emails Using KnowBe4's Hybrid Phish Alert Button.
- Alternative: Use Outlook's built-in Report > Report phishing.
- Last resort: Forward the message as an attachment (not a standard forward) to phish@pitt.edu.
Frequently Asked Questions
Select a question to expand the answer.
⚠ I released a message from quarantine and then realized it is spam or phishing. What do I do? Important
Simply delete it from your inbox. Do not report the released message via the PAB, the Outlook Report button, or phish@pitt.edu. The message was already correctly identified by quarantine — a duplicate report adds noise to the security workflow that competes with reports of genuinely missed threats, without providing any new information. The reporting paths are reserved for messages that arrived in your inbox without being quarantined first.
The exception: if you also selected a link in the message or opened an attachment, that is a different situation. Call the Help Desk at 412-624-HELP (4357) and ask for Pitt Digital Security so an analyst can assess the impact directly. Do not use the Report button for this — call.
To avoid this situation in the future: only release messages you were specifically expecting from a sender you recognize. If you don't recognize the sender or weren't expecting the message, leave it in quarantine and let it expire.
Can I read a quarantined message before deciding to release it?
Yes, for most categories. Open the message in the quarantine portal and select Preview message. The preview renders the message body safely. For high-confidence phishing and malware, previewing may be restricted; use the message headers to decide whether to request release.
Can I release more than one message at a time?
Yes. Select the checkboxes next to each message in the quarantine list and use the bulk-action toolbar that appears. The actions available in bulk are the same as for an individual message and are subject to the same restrictions on high-confidence phishing and malware.
How long do messages stay in quarantine?
Up to 30 days, depending on the message category. The exact expiration date is shown in the Expires column. After a message expires, it is permanently deleted and cannot be recovered — so if you are waiting on an administrator to approve a release request, do not wait until the last day.
Can I release a message a second time?
No. Once a message has been released to your inbox, the release action is no longer available for that message. The released copy in your inbox is the canonical one — treat it like any other message in your mailbox.
I forward my Pitt email to another address. Does the forward apply to released messages and notifications?
Yes. A message you release from quarantine is delivered to your Pitt inbox and is then subject to any forwarding rules you have set, the same as any other delivered message. Quarantine notification messages are also subject to forwarding.
Can I turn off the periodic quarantine notification messages?
Quarantine notifications are not configurable per user — they are governed by the University's quarantine policy. If you do not want them in your inbox, create an Outlook rule that routes messages from quarantine@messaging.microsoft.com to a folder of your choice. See Creating Rules in Outlook.
Why don't I see messages that contained viruses or malware in my quarantine?
Messages identified as malware are held in an administrator-only quarantine view rather than your personal one, because confirmed-malicious mail should never be available for end-user release. Many virus-laden messages are also blocked outright at the gateway and never enter quarantine at all. If you need to investigate a specific blocked message — for example, to confirm a sender's account wasn't compromised — contact the Help Desk; administrators can search the full quarantine and message-trace logs.
Can I customize how strict or lenient my spam filtering is?
The University's general spam filtering settings are not configurable per user — they are tuned at the tenant level to balance protection and false positives across all of Pitt. What you can customize is your bulk-mail preference (see the Customizing Your Filtering section above) and your personal Safe Senders and Blocked Senders lists.
A spam message reached my inbox. How do I report it as a missed catch?
Use the built-in Report button in Outlook (ribbon in Outlook on the web, or three-dot menu) and select Report junk. The legacy method of forwarding to junk@office365.microsoft.com is no longer the recommended path. For suspected phishing, use the KnowBe4 Phish Alert Button instead — see Phishing Emails: Don't Take the "Bait".
Key Contacts
Technology Help Desk 412-624-HELP (4357)
Quarantine questions, release requests for high-confidence categories, safe-sender list assistance |
Pitt Digital Security Via Help Desk
Suspected phishing, message released in error, compromised account |