Exchange Online Protection Improves Zero-Hour Auto Purge (ZAP)

ZAP and Quarantine

ZAP, or zero-hour auto-purge, is an Exchange Online Protection (EOP) feature that’s had some issues recently. To help, Microsoft is releasing improvements to support more granular control and better alignment with other hygiene controls. In a nutshell, apart from the current “malware ZAP” action to remove any and all attachments deemed unsafe, ZAP will now act upon messages identified as Spam or Phish and can quarantine the messages, if that option is enabled. And we are getting the option to disable phish or spam processing for ZAP, if needed.

Microsoft announced support for moving ZAP-ed messages to Quarantine as part of the Phish and spam Zero-hour Auto Purge move to Quarantine update in Microsoft 365 roadmap item 55432 (Figure 1):

Microsoft 365 roadmap item 55432 ZAP move to quarantine
Figure 1: Microsoft 365 roadmap item 55432 ZAP move to quarantine

Enabling ZAP for Spam and Phish

While the roadmap item doesn’t explicitly mention this, a quick glimpse at the documentation shows that we are also getting additional controls for toggling the spam and/or phish detection modes. Both new modes will be enabled by default and can be controlled via new parameters introduced for the Set-HostedContentFilterPolicy cmdlet: SpamZapEnabled and PhishZapEnabled.

The value for both these new parameters is currently inherited from the value of the ZapEnabled parameter, and this will remain the case until February 2020, when the ZapEnabled parameter will be deprecated. By default, both the SpamZapEnabled and the PhishZapEnabled parameters will be $true (enabled), if not explicitly changed. Coming soon, we will be able to toggle those two parameters to $false, thus disabling the processing of spam and phish messages by ZAP.

How ZAP Will Process Email

Going forward, ZAP will behave as follows. For any messages detected as malware, the current “remove attachment” action will remain in effect, while for messages identified as phish or spam, the corresponding action configured in the Content filter policy will be executed. If the action is set to Quarantine message, Delete message or Redirect message to email address, ZAP will move it to Quarantine. If the action is set to Move message to Junk email folder, the current behavior will apply, and messages will be moved to the Junk email folder. If the action is set to Add X-Header or Prepend subject line with text, or there is no action defined in the policy, then ZAP will not act upon the message. The same is true if the corresponding spam/phish processing has been toggled off by the controls listed above.

These improvements will also introduce another change in ZAP processing, based on the read status of the message. Malware messages will continue to be acted upon regardless of the read status. For messages identified as phish, the action will also be performed regardless of the read status. However, for messages marked as spam, the action will only be performed on messages marked as unread.


For more information about techniques to repel spam and malware, read the chapter about mail flow in the Office 365 for IT Pros eBook.

7 Replies to “Exchange Online Protection Improves Zero-Hour Auto Purge (ZAP)”

  1. Based on the Microsoft documentation is a precondition for ZAP to work that the spam-action moves message to “Junk” (https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-hour-auto-purge)

    >ZAP is turned on by default, but the following conditions must be met:

    >Spam action is set to Move message to Junk Email folder. You can also create a new spam filter policy that applies only to a set of users if you don’t want all mailboxes to be screened by ZAP.

    How this this match with this new feature? Is the documentation simply outdated?

    1. The article above is based on the latest additions to the Roadmap, some of them are not yet reflected in the documentation. I’d expect that to happen as we near the actual feature release.

  2. Is there a way for an admin to trigger ZAP on a known phishing email? We often get notified about a suspicious email that is in fact a phishing attempt. It would be great to target that email before other users open the message and potentially fall prey to the phish.

  3. Does ZAP still observe mal flow rules and permitted senders? I find this weird if someone I know and trust is compromised and they send me malware unintentionally, ZAP will see they are a permitted sender and allow it through? I’d like to see ZAP disregard these rules and scan all messages for malware regardless of permitted senders.

    1. I don’t know and the guy I used to ask about these issues has gone to Amazon. I need to find a new contact!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.