Likely related to client caching, which can potentially cause delays with ZAP processing. If you have specific examples, best open a support case and work with the engineers to get additional details.
ZAP (Zero AutoPurge) quarantined emails - Long delays removing from user inboxes
We had a phishing attack recently.
Two large batches (587 emails in each) were received targeting 360 mailboxes.
On the day in question, all the emails in the first batch were delivered between 05:57 and 06:02 IST (Irish Summer Time). The second batch was delivered between 06:58 and 07:03 IST.
1163 of the emails were quarantined by ZAP (details not available after 30 days).
20 x "User accessed link in ZAP-quarantined email" alerts were received for these emails.
3 of these alerts were received prior to 07:04 IST and the 4th did not occur until 07:36 IST.
The other 16 occurred between 33 minutes and 5 hours 36 minutes after the 1st alert.
My question is that while I know that many (if not all) of the users who received the phishing were logged into Outlook Mobile on Android or iOS and allowing for synchronization delays, why were the other 16 emails not quarantined away from users and still available in their inboxes up to 5.5 hours later? This seems an excessive amount of time to me.
Exchange Online
-
Vasil Michev 119.9K Reputation points MVP Volunteer Moderator
2023-09-10T15:38:43.5633333+00:00
-
Yuki Sun-MSFT 41,381 Reputation points Moderator
2023-09-11T03:28:33.5633333+00:00
Hi @Anonymous,
My question is that while I know that many (if not all) of the users who received the phishing were logged into Outlook Mobile on Android or iOS and allowing for synchronization delays, why were the other 16 emails not quarantined away from users and still available in their inboxes up to 5.5 hours later? This seems an excessive amount of time to me.
According to the statement in the following official article, seems like it could be an expected behavior:
Zero-hour auto purge (ZAP) in Microsoft Defender for Office 365
Given this, I'd suggest sending feedback via the official portal for Microsoft 365 Defender using:
https://feedbackportal.microsoft.com/feedback/forum/d7dd1275-f65e-ed11-9562-000d3a4e3f39
Hopefully this experience can be improved in the future.
-
Anonymous
2023-09-11T12:07:54.8033333+00:00
Hello Yuki Sun-MSFT,
I don't think that is what the sentence means.
I read it as saying that if an email is received which initially passes inspection and is delivered but at a later point the sources used by ZAP determine that it is malicious that ZAP can find and delete the emails as long as they were initially received less than 48 hours before the reclassification.
examples:
emails received Monday 18:00 - not malicious, delivered
ZAP sources updated Tuesday 20:00 - reclassified as malicious
Action: as within 48h of receipt, ZAP can find and remove the emails from user mailboxes
but if
emails received Monday 18:00 - not malicious, delivered
ZAP sources updated Wednesday 19:00 - reclassified as malicious
Action: as NOT within 48h (now 49h) of receipt, ZAP will not find and remove the emails
This is not the same thing as saying that it can take 48 hours for ZAP to find and delete emails from user mailboxes.
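The 48-hour reading in the reply above, together with a way to measure from the "User accessed link in ZAP-quarantined email" alerts how long after delivery users were still reaching the messages, as an added Python example (not code from the thread; the alert lines, user names and date are constructed, only the batch delivery windows come from the question):

```python
from datetime import datetime, timedelta

ZAP_WINDOW = timedelta(hours=48)   # the "48 hours" figure discussed in the thread
FMT = "%Y-%m-%d %H:%M"

def zap_can_purge(received: str, reclassified: str) -> bool:
    """The reply's reading of the documentation: ZAP can still find and remove an
    already-delivered message only if the verdict changes within 48h of receipt."""
    r, c = datetime.strptime(received, FMT), datetime.strptime(reclassified, FMT)
    if c < r:
        raise ValueError("verdict change cannot precede receipt")
    return c - r <= ZAP_WINDOW

# Constructed alert lines (hypothetical users, times and date, all IST); the thread
# only reports counts, so these are illustrative, not the incident's own data.
ALERT_LOG = """\
2023-09-05 06:00 user01@example.com User accessed link in ZAP-quarantined email
2023-09-05 07:01 user02@example.com User accessed link in ZAP-quarantined email
2023-09-05 07:36 user03@example.com User accessed link in ZAP-quarantined email
2023-09-05 09:10 user04@example.com User accessed link in ZAP-quarantined email
2023-09-05 12:34 user05@example.com User accessed link in ZAP-quarantined email
"""

# End of each delivery window from the question: batch 1 05:57-06:02, batch 2 06:58-07:03.
BATCH_END = {"batch1": "2023-09-05 06:02", "batch2": "2023-09-05 07:03"}

def parse_alerts(log: str):
    out = []
    for line in log.splitlines():
        date, time, user, _ = line.split(" ", 3)
        out.append((datetime.strptime(f"{date} {time}", FMT), user))
    return out

def late_alerts(log: str, batch_end: str, threshold_hours: float = 0.5):
    """Alerts that fired more than `threshold_hours` after the batch finished
    delivering, i.e. users who could still open the phish well after ZAP should
    have acted. Returns (user, hours_after_delivery) sorted by delay."""
    end = datetime.strptime(batch_end, FMT)
    late = []
    for when, user in parse_alerts(log):
        if when < end:
            continue   # alert during or before delivery: no purge delay to measure
        delay = (when - end).total_seconds() / 3600
        if delay > threshold_hours:
            late.append((user, round(delay, 2)))
    return sorted(late, key=lambda t: t[1])

if __name__ == "__main__":
    print(zap_can_purge("2023-09-04 18:00", "2023-09-05 20:00"))   # True  (26h)
    print(zap_can_purge("2023-09-04 18:00", "2023-09-06 19:00"))   # False (49h)
    for user, hrs in late_alerts(ALERT_LOG, BATCH_END["batch2"]):
        print(f"{user}: still reachable {hrs}h after delivery")
```

Feeding the real alert export into `late_alerts` gives the dwell-time figures to attach to a support case, which is what the first answer asks for.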