Did I get zapped by ZAP?

ZAP, also known as Zero-hour Auto Purge, is a protection feature in Exchange Online that can move spam, phish, or malware messages from a user's inbox to the Junk Email folder. The feature works in the background and is easy to forget about. If a message is delivered to a mailbox and is later determined to be junk, ZAP reactively moves that message to the user's junk folder. For more information about ZAP, check out Zero-hour auto purge – protection against spam and malware.

I recently worked with an organization that was seeing some messages from a particular sender land in their recipients' inboxes, while other messages from the same sender landed in the recipients' junk mail folders. The strange part was that the headers of the messages in the junk folder showed that EOP had marked them as not spam (SFV:NSPM, SCL:1).

If you suspect that a device might be the culprit, pulling the mailbox audit logs is the best place to start. But if you suspect that ZAP may be at play, look at the message headers of a message in the junk folder, starting from the very bottom. If ZAP moved the message to the junk folder, you will see a header like the following.

 X-Microsoft-Antispam-ZAP-Message-Info: <a long string of characters>

If this header is present, then ZAP was the reason for the message residing in the junk folder.
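The header check above, as an added PowerShell example that is not part of the original post. The function name, the sample header block and its values are constructed for the example; in practice, paste in the raw headers copied from the message in the junk folder. It reports whether the ZAP marker is present and what verdict EOP stamped at delivery time, so the "SFV:NSPM, SCL:1 but still in junk" case from the post is called out explicitly.

```powershell
# Added example, not from the original post: decide from a message's raw headers
# whether ZAP moved it and what verdict EOP gave at delivery time.
function Get-ZapVerdict {
    param(
        [Parameter(Mandatory = $true)]
        [string]$RawHeaders
    )

    # Unfold RFC 5322 continuation lines (a line starting with whitespace
    # continues the previous header) so long values are matched whole.
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", ' '
    $lines    = $unfolded -split "`r?`n"

    # The ZAP marker is appended at the bottom of the headers after delivery.
    $zapInfo = $lines | Where-Object { $_ -match '^X-Microsoft-Antispam-ZAP-Message-Info:' }

    # EOP's delivery-time verdict lives in X-Forefront-Antispam-Report as
    # semicolon-separated KEY:VALUE pairs, including SFV and SCL.
    $report = $lines | Where-Object { $_ -match '^X-Forefront-Antispam-Report:' } | Select-Object -First 1
    $scl = $null
    $sfv = $null
    if ($report -and $report -match '(?:^|[;\s])SCL:(-?\d+)(?:;|$)') { $scl = [int]$Matches[1] }
    if ($report -and $report -match '(?:^|[;\s])SFV:([A-Z]+)(?:;|$)') { $sfv = $Matches[1] }

    [pscustomobject]@{
        ZapMoved          = [bool]$zapInfo
        SpamFilterVerdict = $sfv
        SCL               = $scl
        # The case in the post: EOP said "not spam" (SFV:NSPM, SCL:1) at delivery
        # and ZAP moved the message afterwards.
        ZapOverrodeClean  = [bool]$zapInfo -and ($sfv -eq 'NSPM')
    }
}

# Constructed sample headers (not a real message), trimmed to the lines that matter.
$sample = @"
From: sender@partner.example
Subject: Invoice for November
X-Forefront-Antispam-Report: CIP:203.0.113.5;CTRY:US;IPV:NLI;SFV:NSPM;SCL:1;
X-Microsoft-Antispam-ZAP-Message-Info: <a long string of characters>
"@

Get-ZapVerdict -RawHeaders $sample
```

For the constructed sample this returns ZapMoved True, SpamFilterVerdict NSPM, SCL 1 and ZapOverrodeClean True. A message that EOP junked at delivery would instead show SFV:SPM with a high SCL and no ZAP header, which points you at the content filter rather than at ZAP.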

What if I don’t want ZAP to move messages from my inbox to my junk folder?

There are two options here. If you don't want ZAP to act at all, it can be turned off on your content filter. If you only want ZAP disabled for a subset of your users, create a new content filter scoped to just those users and disable ZAP on that policy. Weigh this carefully: with ZAP off, a message that is later found to be phish or malware stays in the inbox until someone removes it. The PowerShell to turn ZAP on and off is very simple.

 PS C:\> Set-HostedContentFilterPolicy Default -ZapEnabled $false
 PS C:\> Get-HostedContentFilterPolicy Default | fl *zap*
 ZapEnabled : False
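The scoped variant described above, disabling ZAP for one group of users while leaving it on for everyone else, as an added example that is not from the original post. It assumes a connected Exchange Online PowerShell session; the policy name, rule name and the group address are placeholders, and the group must already exist. The -ZapEnabled switch shown here matches the post; on a current tenant that single switch has been split into -SpamZapEnabled and -PhishZapEnabled, so substitute those.

```powershell
# Added example, not from the original post: keep ZAP on tenant-wide but turn it
# off for the members of one group. Names and addresses are assumptions.
$policyName  = 'ZAP Off - Finance'            # assumed policy name
$targetGroup = 'finance-users@contoso.com'    # assumed existing group

# 1. A custom content filter policy (other settings take their defaults) with ZAP disabled.
New-HostedContentFilterPolicy -Name $policyName -ZapEnabled $false

# 2. A rule that applies that policy only to members of the group. Custom rules are
#    evaluated by Priority (0 is highest); recipients matching no rule get Default.
New-HostedContentFilterRule -Name "$policyName rule" `
    -HostedContentFilterPolicy $policyName `
    -SentToMemberOf $targetGroup `
    -Priority 0

# 3. Verify: ZAP is off only on the custom policy, and the rule is enabled and scoped.
Get-HostedContentFilterPolicy | Select-Object Name, ZapEnabled
Get-HostedContentFilterRule "$policyName rule" |
    Select-Object Name, HostedContentFilterPolicy, SentToMemberOf, Priority, State
```

Because ZAP runs against the policy that applied to the recipient at delivery, check the Get-HostedContentFilterRule output rather than assuming: a user who is not in the group, or who matches a higher-priority rule, still gets the default ZAP behaviour.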

The other option is to whitelist the message. This can be done either with a transport rule or by using the allow lists in the spam filter. If a message arrives in your inbox with an SCL of -1 from EOP, then ZAP should not be able to touch it.
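Both whitelisting routes from the paragraph above, as an added example that is not part of the original post. It assumes a connected Exchange Online PowerShell session; the sender domain and rule name are placeholders.

```powershell
# Added example, not from the original post: two ways to get EOP to stamp SCL -1
# on mail from a trusted sender so ZAP leaves it alone. Values are assumptions.
$senderDomain = 'partner.example'   # assumed trusted sender domain

# Option A: a transport (mail flow) rule that sets SCL -1. A bare domain match can be
# spoofed, so when you can, narrow it further, e.g. with -SenderIpRanges for the
# partner's sending IPs, so that only mail actually from that partner is bypassed.
New-TransportRule -Name "Bypass spam filtering for $senderDomain" `
    -SenderDomainIs $senderDomain `
    -SetSCL -1

# Option B: an allowed sender domain on the content filter policy that covers the
# recipients (Default here). Add rather than overwrite the existing list.
Set-HostedContentFilterPolicy Default -AllowedSenderDomains @{Add = $senderDomain}

# Verify both settings.
Get-TransportRule "Bypass spam filtering for $senderDomain" | fl Name, SenderDomainIs, SetSCL, State
Get-HostedContentFilterPolicy Default | fl AllowedSenderDomains
```

After either change, a new message from that domain should carry SCL:-1 in its X-Forefront-Antispam-Report header; if a message still shows SCL:1 it was evaluated before the change or did not match the condition, and ZAP can still act on it.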

Above I mentioned mailbox audit logs. These logs record actions performed by the mailbox owner, a delegate, or an admin. ZAP moves will not appear in the mailbox audit logs because the move is performed by Transport, so the message headers remain the quick way to see whether ZAP was at play.

That’s your quick December tip from me. If I don’t post again before the holidays, I hope you have a wonderful holiday season!!