TenLens
Back to script library
Entra / Microsoft 365 · Exchange Online

Report quarantined messages

Showing how to download details of quarantined messages, do some analysis, and create a CSV file that can be edited.

Connect & set up

Run these once per session. All scopes are read-only unless the script makes changes.

Connect-ExchangeOnline -ShowBanner:$false

Run it

The main script. Copy it, or download the .ps1 and run it from your console.

$ModuleCheck = Get-Module -Name ExchangeOnlineManagement
If ($ModuleCheck -eq $Null) {
     Write-Host "Your PowerShell session is not connected to Exchange Online."
     Write-Host "Please connect to Exchange Online using an administrative account and retry."; Break }
 
Write-Host "Finding messages in quarantine"
# Check https://docs.microsoft.com/en-us/powershell/module/exchange/get-quarantinemessage?view=exchange-ps for other
# parameters that can be used to refine the set of quarantined messages
$QMessages = Get-QuarantineMessage
$Report = [System.Collections.Generic.List[Object]]::new(); $Now = Get-Date
 
# Extract the data we want to report abouit each quarantined message
ForEach ($Message in $QMessages) {
 
   $RemainingTime = (New-TimeSpan -Start $Now -End $Message.Expires)
   $Remaining = $RemainingTime.Days.toString() + " days " + $RemainingTime.Hours.toString() + " hours"
   [String]$Recipient = $Null; $i = 0
   ForEach ($Address in $Message.RecipientAddress) {
        If ($i -eq 0) {
           $i++
           $Recipient = $Address}
        Else
           {$Recipient = "; " + $Address }
   }
   $ReportLine = [PSCustomObject]@{  #Update with details of what we have done
           Identity         = $Message.Identity
           Received         = Get-Date($Message.ReceivedTime) -format g
           Recipient        = $Recipient
           Sender           = $Message.SenderAddress
           Subject          = $Message.Subject
           SenderDomain     = $Message.SenderAddress.Split("@")[1]
           Type             = $Message.QuarantineTypes
           Expires          = Get-Date($Message.Expires) -format g
           "Time Remaining" = $Remaining }
    $Report.Add($ReportLine)
}
 
CLS
Write-Host "Type of Quarantined messages"
$Report | Group Type | Sort Count -Descending | Format-Table Name, Count
 
Write-Host "Messages quarantined per recipient address"
$Report | Group Recipient | Sort Count -Descending | Format-Table Name, Count
 
Write-Host "Problem domains"
$Report | Group SenderDomain |Sort Count -Descending | Format-Table Name, Count
 
Write-Host "High confidence Phishing Messages"
$Report | ? {$_.Type -eq "HighConfPhish"} | Format-Table Received, Recipient, Sender, Subject
 
$Report | Export-CSV -NoTypeInformation c:\Temp\QuarantinedMessages.CSV
# After editing the list, you can release the messages with:
# Import-CSV c:\temp\QuarantinedMessages.csv | Release-QuarantineMessage -ReleaseToAll
Attribution
Author
Office365itpros
Related scripts
Entra / Microsoft 365 · Exchange Online

Add contacts to mailboxes

Copies organizational contacts from a SharePoint list into Exchange user mailboxes for newly licensed users, using app-only Microsoft Graph permissions.

Entra / Microsoft 365 · Applications

Add owners to apps

Finds Entra ID app registrations without owners and assigns the last modifier or creator as owner, using unified audit log records to identify who last managed each app.

Entra / Microsoft 365 · Teams

Add Teams to group expiration policy

Adds Microsoft Teams whose backing groups are not yet covered by the Microsoft 365 group expiration policy.