Move and Reclassify Messages
Use the Messages page to move or reclassify messages if you think they have been incorrectly classified. You can move or reclassify up to 100 messages at a time by changing the number of messages displayed per page. You can also move and reclassify a message directly from the Verdict & Techniques panel of the Message Report page.
You can also move and reclassify messages using the Remediation and Reclassification API. See the API guide for details: https://developer.cisco.com/docs/message-search-api/
Reclassifying only affects the verdict on the selected message(s). It does not indicate any change in action on future messages from the selected sender or based on the message content. The message will be queued for review by Cisco Talos. Talos may use the feedback to influence future classifications. For false positive messages, consider adding Verdict Override Rules.
About Hybrid Exchange Accounts
Secure Email Threat Defense can act only on mailboxes located in Exchange Online (O365). If you are in the process of migrating your mailboxes from on-premises Exchange to Exchange Online (O365), remediation (move or deletion) will only work for mailboxes located in Exchange Online (O365). You will not be notified that the remediation for on-premises Exchange mailboxes has failed.
Read Remediation Mode
If you are in Read mode, you can reclassify (apply a different verdict to) messages.
- Select the message(s) you want to reclassify.
- Select a verdict from the drop-down menu. You can reclassify the messages as BEC, Scam, Phishing, Malicious, Spam, Graymail, or Neutral, or you can select Keep verdict.
- Click Update to apply the new classification.
Read/Write Remediation Mode
If you are in Read/Write remediation mode, you can move suspicious messages out of user Inboxes and into their Junk or Trash, or to a Quarantine folder they cannot access. Similarly, if you determine a message that was moved to Junk, Trash, or Quarantine is not suspicious, you can move it back to user Inboxes. You can also Delete messages entirely. This process also allows you to reclassify (apply a different verdict to) messages.
- Select the message(s) you want to move or reclassify.
- Select a verdict from the Reclassify drop-down menu. You can reclassify the messages as BEC, Scam, Phishing, Malicious, Spam, Graymail, or Neutral, or you can select Keep verdict.
- Select an action from the Request Action drop-down menu. You can Move to Junk, Move to Trash, Move to Inbox, Move to Quarantine, Delete, or you can select Do Not Move.
- Click Update to apply the new classification and take action on the messages.
If a message has been moved, it is indicated in the Last Action column.
For outgoing and internal messages, the Move to Inbox action moves the message to the Sent folder of the initial sender of the message, instead of to their Inbox.
Delete Messages
Super-admin and admin users can permanently delete messages from mailboxes using the Delete action in the Reclassify/Remediate workflow. Deleted messages are moved to the recoverableitemspurges folder. This folder is not accessible to users, and Secure Email Threat Defense cannot restore deleted messages to Inboxes.
- Select the message(s) you want to delete.
- Select a verdict from the Reclassify drop-down menu. You can reclassify the messages as BEC, Scam, Phishing, Malicious, Spam, Graymail, or Neutral, or you can select Keep verdict.
- Select Delete from the Request Action drop-down menu.
- Click Update to delete the message(s).
- A Confirm Deletion dialog indicates that messages cannot be recovered and verifies that you want to continue. Click Delete to continue.
Delete is indicated in the Last Action column.
Quarantine Messages
Quarantine folders are created automatically for each mailbox and are hidden from Outlook users. The secret folder name is visible to Super-admin and admin users on the Administration > Business page. In Outlook, messages in the quarantine folder are automatically purged according to your Deleted Items purge settings. Secure Email Threat Defense cannot restore messages back to user Inboxes after they are purged from the quarantine folder.
To manually move messages to quarantine:
- Select the message(s) you want to move to quarantine.
- Select a verdict from the Reclassify drop-down menu. You can reclassify the messages as BEC, Scam, Phishing, Malicious, Spam, Graymail, or Neutral, or you can select Keep verdict.
- Select Move to Quarantine from the Request Action drop-down menu.
- Click Update to quarantine the message(s).
Move to Quarantine is indicated in the Last Action column.