Detect messages with spam or malware using Zero-hour auto purge

Zero-hour auto purge (ZAP) is an email protection feature in Exchange Online Protection (EOP). It retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to Exchange Online mailboxes. ZAP's ability to detect infected messages is due to:

  • evolving heuristic and delivery patterns.
  • content that's weaponized after being delivered to users.

Note

ZAP provides email protection in Microsoft 365 organizations with mailboxes in Exchange Online. ZAP doesn't work in standalone EOP environments that protect on-premises Exchange mailboxes.

Spam and malware signatures are updated in EOP on a real-time, daily basis. However, users can still receive malicious messages for various reasons, for example when content is weaponized after it has been delivered to users. ZAP addresses this issue by continually monitoring updates to the spam and malware signatures in the service. ZAP can find and remove messages that are already in a user's mailbox.

The ZAP action is seamless for the user; they aren't notified if a message is detected and moved.

Safe sender lists, mail flow rules (also known as transport rules), Inbox rules, or other filters take precedence over ZAP. This process is similar to what happens in mail flow. For example, let's assume an organization configured a safe senders list. Even if EOP determines a delivered message from a safe sender needs ZAP, the message isn't acted on because the safe sender list takes precedence over ZAP. For this reason, organizations should be careful about configuring messages to bypass filtering.

ZAP mitigates malicious email by continually monitoring updates to the Microsoft 365 spam and malware signatures. It can also identify malicious messages that previously went undetected and are already in users' Inboxes. If the recipients haven't read the messages and ZAP has identified the mail as spam, then ZAP moves the messages to the users' Junk Email folders. For newly detected malware, ZAP removes the attachments from the email message, even if the mail wasn't read. The reverse is true for messages that were incorrectly classified as malicious (in other words, false positives). For example, if a message was flagged as spam and delivered to the user's Junk Email folder, ZAP would move the message to the user's Inbox.

Zero-hour auto purge for malware

For read or unread messages that are found to contain malware after delivery, ZAP quarantines the message that contains the malware attachment. By default, only admins can view and manage quarantined malware messages. However, admins can create and use quarantine policies to define what users are allowed to do to messages that were quarantined as malware.

ZAP for malware is enabled by default in anti-malware policies.

Zero-hour auto purge for phishing

For read or unread messages that are identified as phishing after delivery, the ZAP outcome depends on the action that's configured for a Phishing email filtering verdict in the applicable anti-spam policy. The available filtering verdict actions for phishing and their possible ZAP outcomes are described in the following list:

  • Add X-Header, Prepend subject line with text, Redirect message to email address, Delete message. ZAP takes no action on the message.
  • Move message to Junk Email. ZAP moves the message to the Junk Email folder.
  • Quarantine message. ZAP quarantines the message.

ZAP for phishing is enabled by default in anti-spam policies. The default action for the Phishing email filtering verdict is Quarantine message.

Zero-hour auto purge for high confidence phishing

For read or unread messages that are identified as high confidence phishing after delivery, ZAP quarantines the message. By default, only administrators can view and manage quarantined high confidence phish messages. However, admins can create and use quarantine policies to define what users are allowed to do to messages that were quarantined as high confidence phishing.

ZAP for high confidence phish is enabled by default.

Zero-hour auto purge for spam

For unread messages that are identified as spam after delivery, the ZAP outcome depends on the action that's configured for the Spam filtering verdict in the applicable anti-spam policy. The available filtering verdict actions for spam and their possible ZAP outcomes are described in the following list:

  • Add X-Header, Prepend subject line with text, Redirect message to email address, Delete message. ZAP takes no action on the message.
  • Move message to Junk Email. ZAP moves the message to the Junk Email folder.
  • Quarantine message. ZAP quarantines the message. By default, end-users can view and manage spam quarantined messages when they're a recipient. However, admins can create and use quarantine policies to define what users are allowed to do to messages that were quarantined as spam.

ZAP is enabled in anti-spam policies by default. The default action for the Spam filtering verdict is Move message to Junk Email folder.
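The malware, phishing and spam sections above each make the same point: ZAP only helps when it is enabled in the applicable policy and the configured verdict action is one ZAP can act on (Move message to Junk Email or Quarantine message). The following Exchange Online PowerShell script is an added example, not part of this page or of Microsoft's documentation; it audits every anti-spam and anti-malware policy in a tenant and flags the combinations where ZAP would take no action. It assumes the ExchangeOnlineManagement module, an account allowed to read and change these policies, and the cmdlet and property names (`Get-HostedContentFilterPolicy`, `SpamAction`, `PhishSpamAction`, `SpamZapEnabled`, `PhishZapEnabled`, `Get-MalwareFilterPolicy`, `ZapEnabled`) as exposed by Exchange Online PowerShell; verify them against your module version.

```powershell
# Added example (not from the page or from Microsoft): audit ZAP settings in EOP
# anti-spam and anti-malware policies and report where ZAP would take no action.
# Assumes the ExchangeOnlineManagement module; connect first, for example:
#   Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # placeholder UPN

# Map the verdict action values used by Exchange Online PowerShell to the ZAP
# outcome the page describes for the Spam and Phishing verdicts.
$zapOutcome = @{
    'MoveToJmf'     = 'ZAP moves the message to Junk Email'
    'Quarantine'    = 'ZAP quarantines the message'
    'AddXHeader'    = 'NO ZAP ACTION (Add X-Header)'
    'ModifySubject' = 'NO ZAP ACTION (Prepend subject line with text)'
    'Redirect'      = 'NO ZAP ACTION (Redirect message to email address)'
    'Delete'        = 'NO ZAP ACTION (Delete message)'
}

function Get-ZapAuditResult {
    # One row per verdict per policy, so the output can go to Format-Table or Export-Csv.
    $rows = @()

    foreach ($policy in Get-HostedContentFilterPolicy) {
        foreach ($verdict in 'Spam', 'Phish') {
            # SpamAction / PhishSpamAction hold the configured verdict action;
            # SpamZapEnabled / PhishZapEnabled are the per-verdict ZAP switches.
            $action  = if ($verdict -eq 'Spam') { $policy.SpamAction }     else { $policy.PhishSpamAction }
            $enabled = if ($verdict -eq 'Spam') { $policy.SpamZapEnabled } else { $policy.PhishZapEnabled }

            $outcome = if (-not $enabled) { 'ZAP DISABLED for this verdict' }
                       elseif ($zapOutcome.ContainsKey([string]$action)) { $zapOutcome[[string]$action] }
                       else { "Unknown action value '$action'" }

            $rows += [pscustomobject]@{
                PolicyType  = 'Anti-spam'
                Policy      = $policy.Name
                IsDefault   = $policy.IsDefault
                Verdict     = $verdict
                Action      = [string]$action
                ZapOutcome  = $outcome
                NeedsReview = (-not $enabled) -or ($outcome -like 'NO ZAP ACTION*')
            }
        }
        # High confidence phishing is quarantined by ZAP regardless of the configured
        # action (see the page), so it is not evaluated per action here.
    }

    foreach ($policy in Get-MalwareFilterPolicy) {
        # Malware ZAP always quarantines; only the enable switch matters.
        $rows += [pscustomobject]@{
            PolicyType  = 'Anti-malware'
            Policy      = $policy.Name
            IsDefault   = $policy.IsDefault
            Verdict     = 'Malware'
            Action      = 'Quarantine'
            ZapOutcome  = if ($policy.ZapEnabled) { 'ZAP quarantines the message' } else { 'ZAP DISABLED' }
            NeedsReview = -not $policy.ZapEnabled
        }
    }
    return $rows
}

function Enable-ZapOnPolicies {
    # Re-enable ZAP on every policy where it is off. Supports -WhatIf / -Confirm
    # so the change can be previewed before it is applied.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    foreach ($p in Get-HostedContentFilterPolicy | Where-Object { -not $_.SpamZapEnabled -or -not $_.PhishZapEnabled }) {
        if ($PSCmdlet.ShouldProcess($p.Name, 'Enable SpamZapEnabled and PhishZapEnabled')) {
            Set-HostedContentFilterPolicy -Identity $p.Name -SpamZapEnabled $true -PhishZapEnabled $true
        }
    }
    foreach ($p in Get-MalwareFilterPolicy | Where-Object { -not $_.ZapEnabled }) {
        if ($PSCmdlet.ShouldProcess($p.Name, 'Enable ZapEnabled')) {
            Set-MalwareFilterPolicy -Identity $p.Name -ZapEnabled $true
        }
    }
}

# Usage: list only the policy/verdict combinations that need attention,
# then preview the remediation without changing anything.
Get-ZapAuditResult | Where-Object NeedsReview | Format-Table -AutoSize
Enable-ZapOnPolicies -WhatIf
```

The audit deliberately treats a verdict action of Add X-Header, Prepend subject line, Redirect or Delete as a finding even when ZAP is switched on, because with those actions a message that is later found to be spam or phishing stays where it was delivered. The remediation function only touches the ZAP switches; changing a verdict action is a policy decision that the script leaves to the administrator.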

Zero-hour auto purge considerations for Microsoft Defender for Office 365

ZAP won't quarantine any message in the following scenarios:

  • The message is in the process of Dynamic Delivery in Safe Attachments policy scanning.
  • EOP malware filtering has already replaced the attachment with the Malware Alert Text.txt file.

If a phishing or spam signal is received for these types of messages, and the filtering verdict in the anti-spam policy is set to take some action on the message (Move to Junk, Redirect, Delete, or Quarantine), then ZAP will default to a Move to Junk action.

How to see if zero-hour auto purge moved your message

To determine if ZAP moved your message, you have the following options:

Note

ZAP isn't logged in the Exchange mailbox audit logs as a system action.