IBM Support

Fix for Quarantined DocuSign Envelope Emails Constantly Flagging in O365

How To


Summary

Microsoft 365 (including Outlook Online) uses Microsoft Defender for Office 365 to scan incoming emails for threats like spam, phishing, or malicious links.

DocuSign envelope emails (often from domains like `@docusign.net`) are frequently flagged due to embedded URLs or attachments, leading to quarantine without delivery to the inbox.

This is a known issue per Microsoft, as DocuSign emails can trigger false positives in Defender's filters for "malicious URL" or spam.

Objective

Admins can enable user notifications to alert recipients about quarantined emails, allowing them to review and release legitimate ones (e.g., DocuSign envelopes). 

NOTE: By design, quarantines can be "silent" by default if your organization's quarantine policy doesn't enable notifications. This means users receive no alerts about held messages. The messages remain in quarantine for up to 15-30 days (configurable) before auto-deletion.

The steps below, drawn from Microsoft and other resources, show how to enable notifications, plus ways to prevent or handle DocuSign-specific quarantines.

Environment

Office 365, Outlook Online, DocuSign

Steps

Step 1: Enable Quarantine Notifications for Users

Notifications are controlled by quarantine policies in Microsoft Defender. These policies determine if/when users are emailed summaries of their quarantined messages (daily digest messages from Microsoft).

 

IMPORTANT:  By default, some policies (like `DefaultFullAccessPolicy`) have notifications disabled, causing silent quarantines.

 

 Prerequisites

- You need admin access: Global Admin, Security Admin, or roles with "Exchange Administrator" permissions.

- Access the Microsoft Defender portal.         

 

 Configure via the Microsoft Defender Portal (Recommended for Most Admins)

1. Go to Email & collaboration > Policies & rules > Threat policies > Quarantine policies.

2. Select an existing policy (e.g., the default `DefaultFullAccessWithNotificationPolicy`) or create a custom one:

  - Click + Create > Quarantine policy.

  - Name it (e.g., "UserNotificationPolicy").

  - Under End-user actions, enable options like "Allow users to release messages" (for spam/bulk) and "Request release" (for phishing/malware).

  - Under Notifications, turn on Send end-user spam notification every (days) and set the frequency (e.g., 1 day for daily alerts).

  - Optionally, customize the sender address, add your company logo, or set the notification language.

3. Save the policy.

4. Assign it to threat protection features:

  - Go to Anti-spam policies (under Threat policies) > Edit your inbound policy > Actions tab > Set "Quarantine message" to your new policy.

  - Repeat for Anti-phishing, Safe Links, or Anti-malware if needed (DocuSign often hits spam/phishing).

5. Test: Send a test DocuSign envelope or simulate a quarantine. Users should receive a notification email with links to review/release messages.

 

Notifications include details like sender, subject, and quarantine reason. Users click links to preview/release via the Quarantine       

 

 Configure via PowerShell (For Advanced Admins)

Connect to Exchange Online PowerShell:

```

Connect-ExchangeOnline

```

Enable notifications in a policy:

```

Set-QuarantinePolicy -Identity "DefaultFullAccessWithNotificationPolicy" -EndUserSpamNotificationFrequency 1

```

(1 = daily; options: 1-7 days.)

Assign to anti-spam:

```

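# -SpamQuarantineTag selects the quarantine policy used for the Spam verdict
# (it takes effect when the policy's spam action is Quarantine).
Set-HostedContentFilterPolicy -Identity "Default" -SpamQuarantineTag "DefaultFullAccessWithNotificationPolicy"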

```

View policies: `Get-QuarantinePolicy`.

 

 Global Settings for Faster Notifications

In the Defender portal > Email & collaboration > Policies & rules > Threat policies > Anti-spam > Global settings, set Send end-user spam notifications to "Within 4 hours" for quicker alerts (instead of daily).
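
The Step 1 configuration as a single Exchange Online PowerShell script, added here as an example and not taken from the original page or from Microsoft. It assumes the custom policy name `UserNotificationPolicy` from the portal steps, uses the `-ESNEnabled` switch for the per-policy notification toggle, and repoints only the Spam and Bulk verdicts so that phishing verdicts keep their current quarantine policy.

```powershell
# Added example: enable quarantine notifications end to end.
# Requires the ExchangeOnlineManagement module and one of the admin roles
# listed under Prerequisites.
Connect-ExchangeOnline

# Assumption: custom policy name taken from the portal walkthrough.
$policyName = 'UserNotificationPolicy'

# 1. Create the custom policy if it is missing, otherwise make sure its
#    notifications are switched on. 23 is the decimal value Microsoft
#    documents for the "Full access" preset (preview, release, delete,
#    block sender).
$policy = Get-QuarantinePolicy | Where-Object Name -eq $policyName
if (-not $policy) {
    New-QuarantinePolicy -Name $policyName `
        -EndUserQuarantinePermissionsValue 23 `
        -ESNEnabled $true
} elseif (-not $policy.ESNEnabled) {
    Set-QuarantinePolicy -Identity $policyName -ESNEnabled $true
}

# 2. Notification frequency is a tenant-wide value held on the global
#    quarantine policy and is expressed as a time span:
#    04:00:00 (4 hours), 1.00:00:00 (daily), 7.00:00:00 (weekly).
Get-QuarantinePolicy -QuarantinePolicyType GlobalQuarantinePolicy |
    Set-QuarantinePolicy -EndUserSpamNotificationFrequency '1.00:00:00'

# 3. Point the Spam and Bulk verdicts of the default anti-spam policy at
#    the notifying policy. Each tag only matters when the matching action
#    (SpamAction, BulkSpamAction) is Quarantine.
Set-HostedContentFilterPolicy -Identity 'Default' `
    -SpamQuarantineTag $policyName `
    -BulkQuarantineTag $policyName

# 4. Verify: notifications enabled, and which verdicts are quarantined
#    under which quarantine policy.
Get-QuarantinePolicy -Identity $policyName |
    Format-List Name, ESNEnabled, EndUserQuarantinePermissions
Get-QuarantinePolicy -QuarantinePolicyType GlobalQuarantinePolicy |
    Format-List EndUserSpamNotificationFrequency
Get-HostedContentFilterPolicy -Identity 'Default' |
    Format-List Name, *Action, *QuarantineTag
```

If the verification output shows a verdict whose action is not Quarantine, its quarantine tag has no effect and messages for that verdict never reach the user's quarantine view.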

 

 Step 2: How Users Can Access and Manage Quarantined Emails

Even without notifications, users can self-service:

1. Sign in to Outlook Online.  

2. Click the ? (Help) icon > Help & feedback > View all Outlook settings > Search for "Quarantine".            

3. Filter by Date, Sender (e.g., DocuSign), or Reason (e.g., Spam).

4. Preview the message > Release (delivers to Inbox) or Report as not junk (trains filters for future DocuSign emails).

 

Users get limited permissions based on the policy (e.g., they can't release high-confidence phishing but can request admin approval).

 

 Step 3: Prevent Future DocuSign Quarantines

To avoid silent holds entirely:

- Add DocuSign to Allowed Senders (Anti-Spam Policy):

  1. Defender portal > Anti-spam policies > Edit inbound policy > Allowed and blocked senders > Add domains like `docusign.net`.

  2. This bypasses spam filtering, so review the entry regularly for security.

- Handle Impersonation/Phishing False Positives:

 - In Anti-phishing policies > Impersonation tab, add DocuSign to "Mark as safe" for spoofing (DocuSign uses legitimate "impersonation" for branding).

- Safe Links Exceptions (for URL blocks):

  - Threat policies > Safe Links > Manage URLs > Add DocuSign domains to exceptions.

- DocuSign-Side Tips (from DocuSign support):

 - Ensure your DocuSign account uses verified sender domains.

 - Check DocuSign notifications settings to avoid bulk-like emails.

- Transport Rule for Notifications (Workaround for Specific Users):

 - In Exchange Admin Center > Mail flow > Rules > Create rule: If the sender is Microsoft's quarantine address, add a CC to the user/admin for alerts.

 

 Additional Tips

- Audit Quarantines Regularly: Admins can use Reports > Email & collaboration reports > Quarantine message summary in Defender to spot patterns (e.g., DocuSign spikes).

- Train Users: Educate on checking quarantine if expecting DocuSign envelopes—missing signatures can delay workflows.

- Retention: Quarantined emails auto-delete after the policy's retention period (default 15 days for spam)—release promptly.

 

This setup should end silent quarantines and empower users. If you're not an admin, share these steps with your IT team. For more, see Microsoft's guide: [Quarantine notifications].

 

Supported articles to search for:

  • Defend - Configuring Unified Quarantine with Microsoft Defender for Office 365 

  • Handling DocuSign emails   

 

O365 Exchange online mail flow rule: 

NOTE:   You can set it to send a copy to your phishing mailbox in case you need to investigate or restore the original. 

 

Mail flow rule: 

  • Name: Block: DocuSign phishing
  • Apply this rule if: The sender / domain is / docusign.net
  • And: The message headers... / matches these text patterns: Reply-To message header matches: hotmail.com or gmail.com or onmicrosoft.com or outlook.com
  • And: The subject or body / subject matches these text patterns: Complete with Docusign:
  • Do the following: Block the message / delete the message without notifying anyone
  • And: Generate incident report > (send to your phishing mailbox) 
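
The same mail flow rule expressed with `New-TransportRule`, as an added example that is not part of the original page. The phishing mailbox address is a hypothetical placeholder, and starting the rule in audit mode before enforcing it is a choice made for this example.

```powershell
# Added example: the "Block: DocuSign phishing" rule from the list above.
# Run in an Exchange Online PowerShell session (Connect-ExchangeOnline).

# Hypothetical placeholder: replace with your own phishing mailbox.
$phishingMailbox = 'phishing@contoso.example'

$rule = @{
    Name                       = 'Block: DocuSign phishing'
    # Sender domain is docusign.net
    SenderDomainIs             = 'docusign.net'
    # Reply-To header points at a consumer or tenant-default domain.
    # The patterns are regular expressions, so the dots are escaped.
    HeaderMatchesMessageHeader = 'Reply-To'
    HeaderMatchesPatterns      = 'hotmail\.com', 'gmail\.com',
                                 'onmicrosoft\.com', 'outlook\.com'
    # Subject text from the rule definition
    SubjectMatchesPatterns     = 'Complete with Docusign:'
    # Delete the message without notifying anyone
    DeleteMessage              = $true
    # Send an incident report with the original attached, so a message
    # can be investigated or restored
    GenerateIncidentReport     = $phishingMailbox
    IncidentReportContent      = 'Sender', 'Recipients', 'Subject',
                                 'AttachOriginalMail'
    # Audit mode records matches without deleting mail
    Mode                       = 'Audit'
}
New-TransportRule @rule

# Review what was created before enforcing it.
Get-TransportRule -Identity $rule.Name |
    Format-List Name, State, Mode, SenderDomainIs,
        HeaderMatchesMessageHeader, HeaderMatchesPatterns,
        SubjectMatchesPatterns, DeleteMessage, GenerateIncidentReport

# Once the incident reports show only unwanted mail, enforce the rule.
Set-TransportRule -Identity $rule.Name -Mode Enforce
```

If `docusign.net` is also on the allowed senders list from Step 3, this rule is what still removes messages that pair that sender domain with a free-mail Reply-To.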

 

Supported articles to search for:

  • How to configure quarantine permissions and policies

  • Guidance requested on emails and quarantine


Document Location

Worldwide


Document Information

Modified date:
25 November 2025

UID

ibm17252539