ZAP (Zero AutoPurge) quarantined emails - Long delays removing from user inboxes

Anonymous
2023-09-10T12:53:22.2433333+00:00

We had a phishing attack recently.

Two large batches (587 emails in each) were received targeting 360 mailboxes.

On the day in question, all the emails in the first batch were delivered between 05:57 and 06:02 IST (Irish Summer Time). The second batch was delivered between 06:58 and 07:03 IST.

1163 of the emails were quarantined by ZAP (details not available after 30 days).

20 x "User accessed link in ZAP-quarantined email" alerts were received for these emails.

3 of these alerts were received prior to 07:04 IST and the 4th did not occur until 07:36 IST.

The other 16 occurred between 33 minutes and 5 hours 36 minutes after the 1st alert.

My question is that while I know that many (if not all) of the users who received the phishing were logged into Outlook Mobile on Android or iOS and allowing for synchronization delays, why were the other 16 emails not quarantined away from users and still available in their inboxes up to 5.5 hours later? This seems an excessive amount of time to me.

Exchange Online

Accepted answer
  1. Vasil Michev 119.9K Reputation points MVP Volunteer Moderator
    2023-09-10T15:38:43.5633333+00:00

    Likely related to client caching, which can potentially cause delays with ZAP processing. If you have specific examples, best open a support case and work with the engineers to get additional details.


2 additional answers

  1. Yuki Sun-MSFT 41,381 Reputation points Moderator
    2023-09-11T03:28:33.5633333+00:00

    Hi @Anonymous,

    My question is that while I know that many (if not all) of the users who received the phishing were logged into Outlook Mobile on Android or iOS and allowing for synchronization delays, why were the other 16 emails not quarantined away from users and still available in their inboxes up to 5.5 hours later? This seems an excessive amount of time to me.

    According to the statement in the following official article, it seems like this could be expected behavior:
    Zero-hour auto purge (ZAP) in Microsoft Defender for Office 365
    [screenshot of the quoted statement from the article]

    Given this, I'd suggest sending feedback via the official portal for Microsoft 365 Defender using:
    https://feedbackportal.microsoft.com/feedback/forum/d7dd1275-f65e-ed11-9562-000d3a4e3f39

    Hopefully this experience can be improved in the future.



  2. Anonymous
    2023-09-11T12:07:54.8033333+00:00

    Hello Yuki Sun-MSFT

    I don't think that is what the sentence means.

    I read it as saying that if an email is received which initially passes inspection and is delivered, but at a later point the sources used by ZAP determine that it is malicious, then ZAP can find and delete the emails as long as they were initially received less than 48 hours before the reclassification.

    Examples:

    Emails received Monday 18:00 - not malicious, delivered
    ZAP sources updated Tuesday 20:00 - reclassified as malicious
    Action: as within 48h of receipt, ZAP can find and remove the emails from user mailboxes

    But if:

    Emails received Monday 18:00 - not malicious, delivered
    ZAP sources updated Wednesday 19:00 - reclassified as malicious
    Action: as NOT within 48h (now 49h) of receipt, ZAP will not find and remove the emails

    This is not the same thing as saying that it can take 48 hours for ZAP to find and delete emails from user mailboxes.

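The two quantities argued over in this thread are easy to confuse: the 48-hour window after receipt within which ZAP can still retract a delivered message (as the last reply reads the article), and the delivery-to-click dwell time the question measures from the "User accessed link in ZAP-quarantined email" alerts. The script below is an added example written for this page, not code from the thread or from Microsoft. It models both rules and adds the triage step a SOC would actually want: listing mailboxes where the click came long after delivery, i.e. where ZAP did not beat the user. The date, user names and times are constructed to mirror the timeline in the question, and the mixed time zones (the poster quotes IST, UTC+1; portal exports are assumed here to be in UTC) are an assumption of the example, so every timestamp is normalised to UTC before subtracting.

```python
from datetime import datetime, timedelta, timezone

# Irish Summer Time is UTC+1. Assumption for this example: the poster's notes are
# in IST while exported alert data is in UTC, so both zones appear in the input.
IST = timezone(timedelta(hours=1), "IST")
UTC = timezone.utc

# The purge window the last reply reads out of the ZAP article.
ZAP_WINDOW = timedelta(hours=48)


def ist(stamp: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM' as an IST (UTC+1) timestamp."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M").replace(tzinfo=IST)


def utc(stamp: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM' as a UTC timestamp."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M").replace(tzinfo=UTC)


def zap_can_purge(received: datetime, reclassified: datetime,
                  window: timedelta = ZAP_WINDOW) -> bool:
    """The 48h rule as the last reply reads it: ZAP can still remove a delivered
    message only if the reclassification happens within `window` of receipt.
    This says nothing about how long the removal itself takes."""
    age = reclassified.astimezone(UTC) - received.astimezone(UTC)
    return timedelta(0) <= age <= window


def dwell_minutes(delivered: datetime, alert: datetime) -> int:
    """Whole minutes a message sat in the inbox before the click alert fired.
    Zones are normalised first, so an IST delivery and a UTC alert compare correctly."""
    return int((alert.astimezone(UTC) - delivered.astimezone(UTC)) / timedelta(minutes=1))


def triage(events, threshold_minutes: int = 60):
    """Return (user, dwell) pairs, longest first, for clicks that happened more than
    `threshold_minutes` after delivery: these mailboxes need follow-up because the
    phishing mail was still readable well after it should have been purged."""
    late = []
    for user, delivered, alert in events:
        dwell = dwell_minutes(delivered, alert)
        if dwell > threshold_minutes:
            late.append((user, dwell))
    return sorted(late, key=lambda pair: pair[1], reverse=True)


# Constructed sample (hypothetical date and users) shaped like the thread's timeline:
# first batch delivered around 06:00 IST, second around 07:00 IST, alerts spread out
# over the following hours. user04's alert is given in UTC to show the normalisation.
SAMPLE_EVENTS = [
    ("user01", ist("2023-09-04 05:58"), ist("2023-09-04 06:40")),
    ("user02", ist("2023-09-04 06:01"), ist("2023-09-04 07:00")),
    ("user03", ist("2023-09-04 06:59"), ist("2023-09-04 07:36")),
    ("user04", ist("2023-09-04 07:02"), utc("2023-09-04 11:34")),  # 12:34 IST
]

if __name__ == "__main__":
    # The two examples from the last reply: 26h after receipt is inside the window, 49h is not.
    print(zap_can_purge(ist("2023-09-04 18:00"), ist("2023-09-05 20:00")))
    print(zap_can_purge(ist("2023-09-04 18:00"), ist("2023-09-06 19:00")))
    for user, dwell in triage(SAMPLE_EVENTS):
        print(f"{user}: clicked {dwell} minutes after delivery")
```

The distinction the script makes explicit is the one the thread turns on: `zap_can_purge` answers "is it too late for ZAP to act at all?", while `triage` answers "how long was the user actually exposed?". A long dwell with `zap_can_purge` still true is exactly the situation the question describes, and it is a latency question for support, not a policy question about the window.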
