| Bulk / spam | Users commonly can view, release and delete under historical default policies; custom policy may restrict. | BCL/SCL, business relationship, sender history, unsubscribe quality, authentication, cohort preference and campaign pattern. | Release selected recipients, report/submit, delete, block, or retain until expiry according to policy. | Quarantine details, headers, recipient scope, user/admin action, release/submission result and recurring-sender decision. |
| High-confidence spam | May be user-manageable under defaults, but organizations often apply stricter release governance. | SCL 9, TABL/block source, sender reputation, content pattern, authentication, other recipients and campaign evidence. | Admin confirm/release and submit when legitimate; deny/delete when malicious or unwanted. | Classification, policy hit, release authority, Microsoft result and exception expiration. |
| Phishing / spoof / impersonation | Regular phishing and spoof/impersonation capabilities depend on assigned quarantine policy. | Composite authentication, SPF/DKIM/DMARC, lookalike/impersonation target, URLs, reply-to, display name, relationship and campaign. | Request release or admin release only after evidence; submit false positive/negative; remediate sender or block threat. | Headers, URL/entity evidence, submission ID, reviewer decision, release verification and follow-up. |
| High-confidence phishing | Users cannot self-release regardless of custom quarantine policy; request release may be presented where configured. | Full threat investigation, campaign/incident context, credential lure, URLs/files, authentication and recipient blast radius. | Admin-only denial/delete or exceptional evidence-backed release with submission and validation. | Security approval, investigation, submission, selected recipients, post-release monitoring and incident linkage. |
| Malware / Safe Attachments malware or phishing | Admin-only; users cannot release these items. | Attachment/file verdict, hashes, detonations or entity evidence where licensed, related messages, endpoint/identity indicators and campaign. | Do not release without exceptional validated false-positive procedure; submit and use isolated analysis. | File/message identifiers, analysis location, chain of custody, submission, decision and incident/remediation record. |
| Mail-flow rule quarantine | Admin-only by default; direct rule quarantine isn't visible to users. | Rule name, conditions/exceptions, business purpose, sender/recipient context, headers and whether the rule still matches design. | Release or deny under rule-owner approval; correct the transport rule through change control if behavior is wrong. | Rule/version, match evidence, ticket, owner approval, release result and rule-change link. |
| Post-delivery or ZAP-related item | Capability depends on protection feature and reason. | Original delivery, later verdict change, user interaction, related campaign, mailbox/endpoint impact and remediation status. | Coordinate quarantine decision with incident investigation; do not treat release as an isolated mail-delivery task. | Timeline, alert/incident, original and updated verdict, remediation, reviewer and closure. |