Zero-hour auto purge (ZAP) in Microsoft Defender for Office 365

Tip

Did you know you can try the features in Microsoft Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms on Try Microsoft Defender for Office 365.

In Microsoft 365 organizations with Exchange Online mailboxes, zero-hour auto purge (ZAP) is a protection feature in Exchange Online Protection (EOP) that retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to Exchange Online mailboxes.

ZAP doesn't work in standalone EOP environments that protect on-premises mailboxes.

Note

Currently in Preview, ZAP is also able to retroactively detect existing malicious chat messages in Microsoft Teams.

Spam and malware signatures in the service are updated in real time, many times a day. Even so, users can still receive malicious messages. For example:

  • Zero-day malware that was undetectable during mail flow.
  • Content that's weaponized after being delivered to users.

ZAP addresses these issues by continually monitoring the spam and malware signature updates in the service and applying them to messages that are already in a user's mailbox, where it finds and takes automated action on those messages. The process is seamless for users: they aren't notified if ZAP detects and moves a message. ZAP's search is limited to the last 48 hours of delivered email.


Zero-hour auto purge (ZAP) for email messages

Zero-hour auto purge (ZAP) for malware

For read or unread messages that are found to contain malware after delivery, ZAP quarantines the message that contains the malware attachment. By default, only admins can view and manage quarantined malware messages. But, admins can create and use quarantine policies to define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see Anatomy of a quarantine policy.

Note

Users can't release their own messages that were quarantined as malware, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to request the release of their quarantined malware messages.

ZAP for malware is enabled by default in anti-malware policies. For more information, see Configure anti-malware policies in EOP.

Zero-hour auto purge (ZAP) for phishing

For read or unread messages that are identified as phishing (not high confidence phishing) after delivery, the ZAP outcome depends on the action that's configured for a Phishing verdict in the applicable anti-spam policy. The available actions and the possible ZAP outcomes are described in the following list:

  • Add X-Header, Prepend subject line with text, Redirect message to email address, Delete message: ZAP takes no action on the message.

  • Move message to Junk Email: ZAP moves the message to the Junk Email folder.

    This is the default action for a Phishing verdict in the default anti-spam policy and custom anti-spam policies that you create in PowerShell.

  • Quarantine message: ZAP quarantines the message.

    This is the default action for a Phishing verdict in the Standard and Strict preset security policies, and in custom anti-spam policies that you create in the Defender portal.

By default, ZAP for phishing is enabled in anti-spam policies.

For more information about configuring spam filtering verdicts, see Configure anti-spam policies in Microsoft 365.

Zero-hour auto purge (ZAP) for high confidence phishing

For read or unread messages that are identified as high confidence phishing after delivery, ZAP quarantines the message. By default, only admins can view and manage quarantined high confidence phishing messages. But, admins can create and use quarantine policies to define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see Anatomy of a quarantine policy.

Note

Users can't release their own messages that were quarantined as high confidence phishing, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to request the release of their quarantined high confidence phishing messages.

ZAP for high confidence phishing is enabled by default. For more information, see Secure by Default in Office 365.

Zero-hour auto purge (ZAP) for spam

For unread messages that are identified as spam or high confidence spam after delivery, the ZAP outcome depends on the action that's configured for a Spam or High confidence spam verdict in the applicable anti-spam policy. The available actions and the possible ZAP outcomes are described in the following list:

  • Add X-Header, Prepend subject line with text, Redirect message to email address, Delete message: ZAP takes no action on the message.

  • Move message to Junk Email: ZAP moves the message to the Junk Email folder.

    For the Spam verdict, this is the default action in the default anti-spam policy, new custom anti-spam policies, and the Standard preset security policy.

    For the High confidence spam verdict, this is the default action in the default anti-spam policy and new custom anti-spam policies.

  • Quarantine message: ZAP quarantines the message.

    For the Spam verdict, this is the default action in the Strict preset security policy.

    For the High confidence spam verdict, this is the default action in the Standard and Strict preset security policies.

By default, users can view and manage messages that were quarantined as spam or high confidence spam where they're a recipient. But, admins can create and use quarantine policies to define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see Anatomy of a quarantine policy.

By default, ZAP for spam is enabled in anti-spam policies.

For more information about configuring spam filtering verdicts, see Configure anti-spam policies in Microsoft 365.
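Because the ZAP outcome for spam and phishing depends on both the ZAP switch and the verdict action in each anti-spam policy (and, for malware, on the ZAP switch in each anti-malware policy), it's worth auditing those settings rather than assuming the defaults are in place. The following Exchange Online PowerShell script is an added example, not code from the Microsoft article: it reads every anti-malware and anti-spam policy with the Get-MalwareFilterPolicy and Get-HostedContentFilterPolicy cmdlets and flags policies where ZAP is off or where a verdict action (Add X-Header, Prepend subject, Redirect, Delete) means ZAP takes no action after delivery. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account can read policies; the policy name 'Default' in the commented remediation lines is a placeholder for whichever policy you decide to change.

```powershell
# Added example (not from the Microsoft article): audit ZAP-relevant settings in
# anti-malware and anti-spam policies with Exchange Online PowerShell.
# Assumes the ExchangeOnlineManagement module is installed and the account can
# read policies (for example Security Reader or Global Reader).
Connect-ExchangeOnline

# Verdict actions for which ZAP leaves an already-delivered message untouched
# (Add X-Header, Prepend subject line with text, Redirect, Delete).
$noZapActions = @('AddXHeader', 'ModifySubject', 'Redirect', 'Delete')

# 1. Anti-malware policies: ZAP for malware is a single switch (ZapEnabled).
Get-MalwareFilterPolicy | ForEach-Object {
    $finding = if ($_.ZapEnabled) { 'OK' } else { 'ZAP for malware is disabled' }
    [pscustomobject]@{
        Policy     = $_.Name
        ZapEnabled = $_.ZapEnabled
        Finding    = $finding
    }
} | Format-Table -AutoSize

# 2. Anti-spam policies: ZAP for spam and phishing depends on the ZAP switches
#    and on the action configured for each verdict. High confidence phishing is
#    always quarantined and isn't policy-dependent, so it isn't checked here.
Get-HostedContentFilterPolicy | ForEach-Object {
    $p = $_
    $findings = @()
    if (-not $p.SpamZapEnabled)  { $findings += 'SpamZapEnabled is off' }
    if (-not $p.PhishZapEnabled) { $findings += 'PhishZapEnabled is off' }

    $verdicts = @(
        @{ Verdict = 'Spam';                Action = [string]$p.SpamAction },
        @{ Verdict = 'High confidence spam'; Action = [string]$p.HighConfidenceSpamAction },
        @{ Verdict = 'Phishing';            Action = [string]$p.PhishSpamAction }
    )
    foreach ($v in $verdicts) {
        if ($noZapActions -contains $v.Action) {
            $findings += "$($v.Verdict) action '$($v.Action)' means ZAP takes no post-delivery action"
        }
    }

    [pscustomobject]@{
        Policy                   = $p.Name
        SpamZapEnabled           = $p.SpamZapEnabled
        PhishZapEnabled          = $p.PhishZapEnabled
        SpamAction               = $p.SpamAction
        HighConfidenceSpamAction = $p.HighConfidenceSpamAction
        PhishSpamAction          = $p.PhishSpamAction
        Findings                 = if ($findings) { $findings -join '; ' } else { 'OK' }
    }
} | Format-List

# 3. Remediation for one policy (run only after reviewing the output above).
#    'Default' is a placeholder policy name. This turns both ZAP switches on and
#    sends phishing and high confidence spam to quarantine, which matches the
#    Standard preset security policy defaults described in the article.
# Set-HostedContentFilterPolicy -Identity 'Default' -SpamZapEnabled $true -PhishZapEnabled $true `
#     -PhishSpamAction Quarantine -HighConfidenceSpamAction Quarantine
# Set-MalwareFilterPolicy -Identity 'Default' -ZapEnabled $true

Disconnect-ExchangeOnline -Confirm:$false
```

The audit deliberately treats "Move message to Junk Email" as acceptable, since ZAP does act on it; whether Junk Email is strong enough for phishing is a policy decision, and the Standard and Strict presets choose quarantine for that verdict.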

How to see if ZAP moved your message

To determine if ZAP moved your message, you have the following options:

Note

ZAP is not logged in the Exchange mailbox audit logs as a system action.

Zero-hour auto purge (ZAP) considerations for Safe Attachments in Microsoft Defender for Office 365

ZAP doesn't quarantine messages that are in the process of Dynamic Delivery in Safe Attachments policy scanning. If a phishing or spam signal is received for messages in this state, and the filtering verdict in the anti-spam policy is set to take some action on the message (Move to Junk, Redirect, Delete, or Quarantine), ZAP reverts to the 'Move to Junk' action.

Zero-hour auto purge (ZAP) in Microsoft Teams

Tip

ZAP for Microsoft Teams is available only to customers with Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2 subscriptions. To configure ZAP for Teams protection, see Microsoft Defender for Office 365 Plan 2 support for Microsoft Teams.

ZAP in Teams chats

ZAP is available for internal messages in Teams chats that are identified as malware or high confidence phishing. Currently, external messages aren't supported.

Teams is different from email, because everyone in a Teams chat receives the same copy of the message at the same time (there's no message bifurcation). When ZAP for Teams protection blocks a message, the message is blocked for everyone in the chat. An initial block can happen right after delivery, and ZAP can act on a message up to 48 hours after delivery.

Exclusions for ZAP for Teams protection in Teams chats matter for message recipients, not message senders. To configure exceptions for Teams chats, see Configure ZAP for Teams protection in Defender for Office 365 Plan 2.

ZAP for Teams protection is able to take action on messages for all recipients in a chat if any recipients in the chat aren't excluded from ZAP for Teams protection. Only when all recipients in a chat are excluded from ZAP for Teams protection will ZAP not take action on a message. These scenarios are illustrated in the following table:

  • Scenario: Group chat with recipients A, B, C, and D. All four recipients are excluded from ZAP for Teams protection.
    Result: ZAP won't block messages sent to the group chat.

  • Scenario: Group chat with recipients A, B, C, and D. Only recipients A, B, and C are excluded from ZAP for Teams protection (D isn't).
    Result: ZAP is able to block messages sent to the group chat for all recipients, including the excluded ones.

  • Scenario: Group chat with recipients A, B, C, and D. None of the recipients are excluded from ZAP for Teams protection. Sender X is excluded from ZAP for Teams protection and sends a message to the group chat.
    Result: ZAP is able to block messages sent to the group chat for all recipients; the sender's exclusion has no effect.

Sender view:

Image showing how ZAP for Teams protection works for the sender.

Recipient view:

Image showing how ZAP for Teams protection works for the recipient.

ZAP in Teams channels

ZAP for Teams protection supports the following types of Teams channels:

  • Standard channels: ZAP is available for internal messages. Currently, external messages aren't supported.
  • Shared channels: ZAP is available for internal and external messages.

Currently, ZAP isn't available in private channels.

To configure exceptions for ZAP protection for Teams channels, you need the recipient email address. This address is different from the channel email address shown in the Teams client.

To get the recipient email address to use for exceptions for Teams channel protection, use the Name and email value from the Channel details section of the Teams message entity panel. For more information, see The Teams message entity panel in Microsoft Defender for Office 365.

Image showing the correct Teams channel email address in the Teams message entity panel.

To configure exceptions for Teams channels, see Configure ZAP for Teams protection in Defender for Office 365 Plan 2.

Zero-hour auto purge (ZAP) for high confidence phishing messages in Teams

For messages that are identified as high confidence phishing after delivery, ZAP for Teams protection blocks and quarantines the message. To set the quarantine policy that's used for high confidence phishing detections in ZAP for Teams, see Microsoft Defender for Office 365 Plan 2 support for Microsoft Teams.

Zero-hour auto purge (ZAP) for malware in Teams messages

For messages that are identified as malware, ZAP for Teams protection blocks and quarantines the message. To set the quarantine policy that's used for malware detections in ZAP for Teams, see Microsoft Defender for Office 365 Plan 2 support for Microsoft Teams.

How to see if ZAP blocked a Teams message

Currently, only admins can view and manage messages that were quarantined by ZAP for Teams protection. For more information, see Use the Microsoft Defender portal to manage Microsoft Teams quarantined messages.

Zero-hour auto purge (ZAP) FAQ

What happens if ZAP moves legitimate messages to the Junk Email folder?

Follow the normal process for reporting false positives to Microsoft. ZAP moves the message from the Inbox folder to the Junk Email folder only if the service determines that the message is spam or malicious.

What if I use the Quarantine folder instead of the Junk Mail folder?

ZAP takes action on a message based on the configuration of anti-spam policies as described earlier in this article.

How is ZAP affected by the exceptions to protection features in EOP and Defender for Office 365?

ZAP actions might be overridden by Safe sender lists, Exchange mail flow rules (transport rules), and other organizational block and allow settings. However, for malware and high confidence phishing verdicts, there are very few scenarios where ZAP doesn't act on messages to protect users:

It's important for you to carefully consider the implications of bypassing filtering, as it could compromise the security posture of your organization.

What are the licensing requirements for ZAP?

There are no special licensing requirements for ZAP for malware, spam, and phishing. ZAP works on all mailboxes hosted in Exchange Online. ZAP doesn't work on on-premises mailboxes that are protected by standalone EOP.

ZAP for Teams protection requires Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2 licenses.

Does ZAP work on messages in other folders in the mailbox (for example, messages moved by Inbox rules)?

ZAP still works as long as the message hasn't been deleted, and as long as the same or a stronger action hasn't already been applied. For example, if the message is in the Junk Email folder, and the action for the verdict in the applicable anti-spam policy is quarantine, ZAP quarantines the message.

How does ZAP affect mailboxes on hold?

ZAP quarantines messages from mailboxes on hold. ZAP can move messages to the Junk Email folder based on the action that's configured for a spam or phishing verdict in anti-spam policies.

For more information about holds in Exchange Online, see In-Place Hold and Litigation Hold in Exchange Online.