Zero-hour auto purge - protection against spam and malware

Overview

Zero-hour auto purge (ZAP) is an email protection feature that detects messages with phish, spam, or malware that have already been delivered to your users' inboxes, and then renders the malicious content harmless. How ZAP does this depends on the type of malicious content detected; mail can be zapped due to mail content, URLs, or attachments.

ZAP is available with the default Exchange Online Protection that is included with any Office 365 subscription that contains Exchange Online mailboxes.

ZAP is turned on by default, but the following conditions must be met:

  • Spam action is set to Move message to Junk Email folder. You can also create a new spam filter policy that applies only to a set of users if you don't want all mailboxes to be screened by ZAP.

  • Users have kept their default junk mail settings, and have not turned off junk email protection. (See Change the level of protection in the Junk Email Filter for details about user options in Outlook.)

How ZAP works

Office 365 updates its anti-spam engine and malware signatures in real time on a daily basis. However, your users might still get malicious messages delivered to their inboxes for a variety of reasons, including when content is weaponized after delivery. ZAP addresses this by continually monitoring updates to the Office 365 spam and malware signatures, so it can find and remove previously delivered messages that are already in users' inboxes.

The ZAP action is seamless for the mailbox user; they are not notified if an email message is moved. The message must not be older than 2 days.

Allow lists, mail flow rules, and end user rules or additional filters take precedence over ZAP.

Malware ZAP

For newly detected malware, ZAP removes attachments from email messages, leaving the body of the message in the user's mailbox. Attachments are removed regardless of the read status of the mail.

Malware ZAP is enabled by default in the Malware Policy. Malware ZAP can be disabled using the ZapEnabled parameter of Set-MalwareFilterPolicy, an EOP cmdlet.

Phish ZAP

For mail that is identified as phish after delivery, ZAP takes action according to the Spam policy that the user is covered by. If the policy Phish action is set to take action on a mail (Redirect, Delete, Quarantine, Move to Junk), then ZAP will move the message to the Junk mail folder of the user's inbox, regardless of the read status of the mail. If the policy Phish action is not set to take action (Add X-header, Modify subject, No action), then ZAP will not take action on the mail. Learn more about how to configure your spam filter policies here.

Phish ZAP is enabled by default in the Spam Policy. Phish ZAP can be disabled using the ZapEnabled parameter of Set-HostedContentFilterPolicy, an EOP cmdlet. Note: Disabling ZapEnabled disables both Phish ZAP and Spam ZAP.

Spam ZAP

For mail that is identified as spam after delivery, ZAP takes action according to the Spam policy that the user is covered by. If the policy Spam action is set to take action on a mail (Redirect, Delete, Quarantine, Move to Junk), then ZAP will move the message to the Junk mail folder of the user's inbox, if the message is unread. If the policy Spam action is not set to take action (Add X-header, Modify subject, No action), then ZAP will not take action on the mail. Learn more about how to configure your spam filter policies here.

Spam ZAP is enabled by default in the Spam Policy. Spam ZAP can be disabled using the ZapEnabled parameter of Set-HostedContentFilterPolicy, an EOP cmdlet. Note: Disabling ZapEnabled disables both Phish ZAP and Spam ZAP.
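The conditions above (ZAP on, a spam/phish action that actually moves mail, and the user's junk filter still enabled) are easy to drift away from in a tenant with several policies. The following is an added audit script, not code from the original article or from Microsoft; it assumes an existing Exchange Online PowerShell session and uses only the Get-HostedContentFilterPolicy, Get-MalwareFilterPolicy and Get-MailboxJunkEmailConfiguration cmdlets and the SpamAction, PhishSpamAction, ZapEnabled and Enabled properties they expose. The function and variable names are the example's own.

```powershell
# Added example, not part of the original article: audit every EOP policy in
# the tenant against the ZAP conditions described above. Assumes an existing
# Exchange Online PowerShell session (Connect-ExchangeOnline already run).

function Get-ZapAuditReport {
    [CmdletBinding()]
    param()

    # Spam/phish actions under which ZAP moves mail: the article's "take action"
    # settings (Redirect, Delete, Quarantine, Move to Junk).
    $actingActions = @('MoveToJmf', 'Redirect', 'Delete', 'Quarantine')
    $rows = [System.Collections.Generic.List[object]]::new()

    foreach ($policy in Get-HostedContentFilterPolicy) {
        $spamActs  = $actingActions -contains [string]$policy.SpamAction
        $phishActs = $actingActions -contains [string]$policy.PhishSpamAction

        # One ZapEnabled switch covers both Spam ZAP and Phish ZAP on this policy.
        if (-not $policy.ZapEnabled) {
            $note = 'ZAP disabled on policy'
        } elseif (-not $spamActs) {
            $note = "SpamAction=$($policy.SpamAction): Spam ZAP will not act"
        } elseif (-not $phishActs) {
            $note = "PhishSpamAction=$($policy.PhishSpamAction): Phish ZAP will not act"
        } else {
            $note = 'OK'
        }

        $rows.Add([pscustomobject]@{
            Policy     = $policy.Name
            Kind       = 'Spam/Phish'
            ZapEnabled = [bool]$policy.ZapEnabled
            Effective  = [bool]($policy.ZapEnabled -and $spamActs -and $phishActs)
            Note       = $note
        })
    }

    foreach ($policy in Get-MalwareFilterPolicy) {
        # Malware ZAP has no dependency on a spam action; only the switch matters.
        if ($policy.ZapEnabled) { $note = 'OK' } else { $note = 'Malware ZAP disabled on policy' }
        $rows.Add([pscustomobject]@{
            Policy     = $policy.Name
            Kind       = 'Malware'
            ZapEnabled = [bool]$policy.ZapEnabled
            Effective  = [bool]$policy.ZapEnabled
            Note       = $note
        })
    }

    return $rows
}

# The second condition (the user has not turned off junk email protection) is a
# per-mailbox setting, so it is checked per mailbox rather than per policy.
function Test-JunkFilterEnabled {
    param([Parameter(Mandatory)][string]$Mailbox)
    return [bool](Get-MailboxJunkEmailConfiguration -Identity $Mailbox).Enabled
}

# Show the policy report and warn on every policy where ZAP cannot act.
$report = Get-ZapAuditReport
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.Effective } |
    ForEach-Object { Write-Warning "$($_.Kind) policy '$($_.Policy)': $($_.Note)" }

# Spot-check one mailbox (placeholder address; substitute a real one).
Test-JunkFilterEnabled -Mailbox 'user@contoso.example'
```

Run it after any change to a spam or malware policy: a policy whose action is Add X-header, Modify subject or No action shows ZapEnabled = True but Effective = False, which is exactly the silent gap the text above describes.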

To see if ZAP moved your message

If you want to see if ZAP moved your message, you can use either the Threat Protection Status report or Threat Explorer (and real-time detections).

To disable ZAP

Disabling Malware ZAP

To disable Malware ZAP for your O365 tenant, or a set of users, use the ZapEnabled parameter of Set-MalwareFilterPolicy, an EOP cmdlet.

In the following example, Malware ZAP is disabled for a malware filter policy named "Test".

  Set-MalwareFilterPolicy -Identity Test -ZapEnabled $false

Disabling Phish and Spam ZAP

To disable both Phish and Spam ZAP for your O365 tenant, or a set of users, use the ZapEnabled parameter of Set-HostedContentFilterPolicy, an EOP cmdlet.

In the following example, ZAP is disabled for a content filter policy named "Test".

  Set-HostedContentFilterPolicy -Identity Test -ZapEnabled $false
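The commands above change a policy; which mailboxes that policy covers is decided by the matching rule. The earlier note that you can create a new spam filter policy that applies only to a set of users, together with the "or a set of users" wording in this section, is shown end to end in the following added example. It is not code from the original article or from Microsoft; it assumes an Exchange Online PowerShell session and a mail-enabled group at the placeholder address zap-pilot@contoso.example, and the policy and rule names are the example's own.

```powershell
# Added example, not part of the original article: scope a ZAP change to one
# group instead of the whole tenant. Assumes an Exchange Online PowerShell
# session. The group address and policy/rule names below are placeholders.

$groupAddress = 'zap-pilot@contoso.example'   # placeholder group
$policyName   = 'ZAP-Off-Pilot'                # placeholder policy/rule name

# 1. Spam/phish: a dedicated content filter policy with ZAP off, whose actions
#    still move mail to Junk so nothing else about filtering changes.
New-HostedContentFilterPolicy -Name $policyName `
    -SpamAction MoveToJmf `
    -PhishSpamAction MoveToJmf `
    -ZapEnabled $false

# The rule binds the policy to the group only; all other mailboxes stay on
# their existing policy (and keep ZAP).
New-HostedContentFilterRule -Name $policyName `
    -HostedContentFilterPolicy $policyName `
    -SentToMemberOf $groupAddress `
    -Priority 0

# 2. Malware: the same pattern with the malware filter cmdlets.
New-MalwareFilterPolicy -Name $policyName -ZapEnabled $false
New-MalwareFilterRule -Name $policyName `
    -MalwareFilterPolicy $policyName `
    -SentToMemberOf $groupAddress `
    -Priority 0

# 3. Verify the scoped policies and the default ones side by side.
Get-HostedContentFilterPolicy | Select-Object Name, SpamAction, PhishSpamAction, ZapEnabled
Get-MalwareFilterPolicy      | Select-Object Name, ZapEnabled

# 4. When the exception is no longer needed, turn ZAP back on for the group
#    (or remove the rules so the group falls back to the default policies).
# Set-HostedContentFilterPolicy -Identity $policyName -ZapEnabled $true
# Set-MalwareFilterPolicy      -Identity $policyName -ZapEnabled $true
```

Priority 0 places the new rules ahead of any existing custom rules, so the pilot group is matched before a broader rule can claim it; keep the exception narrow and time-boxed, since mailboxes under it lose post-delivery cleanup.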

FAQ

What happens if a legitimate message is moved to the junk mail folder?

You should follow the normal reporting process for false-positives. The only reason the message would be moved from the inbox to the junk mail folder would be because the service has determined that the message was spam or malicious.

What if I use the Office 365 quarantine instead of the junk mail folder?

ZAP doesn't move messages into quarantine from the Inbox at this time.

What if I have a custom mail flow rule (Block/Allow Rule)?

Rules created by admins (mail flow rules) or Block and Allow rules take precedence. Such messages are excluded from the feature criteria, so the mail flow will follow the rule action (Block/Allow Rule).

What if a message is moved to another folder (e.g. Inbox rule)?

ZAP still works in this case, unless the message has been deleted or is in Junk.
