Have you ever experienced a malware attack even after multiple layers of email filtering? 🤯Yeah, that happens because attackers weaponize a URL after delivery, send malware attachments, use drive-by downloads, etc. Sometimes suspicious emails escape the various email filtering techniques and sneak into your Office 365 environment. So, if you’re tired of playing a cat-and-mouse game with spam and malware in your Office 365 mailbox, we’ve got a solution to save the day!
Well, it’s time to meet Zero-hour Auto Purge (ZAP) in Exchange Online: real-time email protection that keeps working for you even after an email has landed in your inbox! What does ZAP do? Confused? No worries, this blog describes how zero-hour auto purge (ZAP) can help remove potential threats from Exchange Online.
Zero-hour Auto Purge (ZAP) in Exchange Online
The zero-hour auto purge (ZAP) in Microsoft 365 Defender offers real-time protection against malware, spam, and other security threats. Therefore, ZAP will detect and remove spam and malware messages, even if they are weaponized after delivery.
Overall, ZAP is not just another spam and malware filter! It helps Microsoft 365 organizations to proactively remove malware messages that may have slipped through various email filtering techniques. Eventually, assisting admins in safeguarding email communication channels.
Note: One important thing to remember is that safe sender lists, mail flow rules, inbox rules, and any other additional filters always take precedence over ZAP. Although that may look advantageous from one viewpoint, it’s not!
➤ Even if the service determines that a received message should be zapped, ZAP will not run because of the safe sender configuration. So, before configuring messages to bypass filters, be cautious to avoid any potential issues.
License Requirements for Zero-hour Auto Purge
- And, here is the good news for you all! ZAP works on all mailboxes hosted on Exchange Online and there are no limitations on licenses. Plus, it’s enabled by default for all Office 365 users in your organization. No more manual configurations!
- The only environment where ZAP does not work is a standalone Exchange Online Protection (EOP) environment that protects on-premises Exchange mailboxes.
- Unfortunately, the ZAP reports available in Explorer are only available for Microsoft 365 Defender Plan 2 and Microsoft 365 E5.
Find the Zero-hour Auto Purge Status in Microsoft 365
To ease the process and operate securely and efficiently, Microsoft has enabled ZAP by default. To check whether zero-hour auto purge is enabled for your organization, use the Get-HostedContentFilterPolicy cmdlet as shown below and read the ZAP status of your Office 365 organization.
Note that the ZapEnabled parameter has been deprecated and replaced with the SpamZAPEnabled and PhishZAPEnabled parameters. Make sure to Connect to Exchange Online PowerShell and run the cmdlet below.
```powershell
Get-HostedContentFilterPolicy Default | Format-List
```
Zero-hour Auto Purge for Different Security Threats
ZAP can detect malware, spam, phishing, and high-confidence phishing emails within every Microsoft 365 mailbox based on content analysis, sender reputation check, and behavioral analysis. And here is where the most confusing part comes in! As zero-hour auto purge is enabled by default, Microsoft has configured response actions for various online security threats such as spam, malware, and phishing emails.
Typically, spam emails are less likely to harm the environment than malware attachments, which is why ZAP actions are configured according to priority and risk levels. Therefore, let’s see the security measures taken for various cyber threats in this section.
| S.No | Online Threat Type | Default Security Measure Taken by Microsoft |
|---|---|---|
| 1 | Email containing malware | When malware attachments are found in an email, ZAP quarantines the message. Note: this setting is enabled by default in the anti-malware policy in Microsoft 365 Defender. |
| 2 | High-confidence phishing email | ZAP quarantines messages identified as high-confidence phishing attempts. Note: this setting is managed by ‘Secure by Default’ in Microsoft 365. |
| 3 | Spam and phishing emails | When a message is identified as spam or phishing after delivery, ZAP takes the action defined in the respective anti-spam filter policy (see the options below). Note: this setting is enabled by default in anti-spam policies in Microsoft 365 Defender. |

The spam filter policy offers six different actions, and what ZAP does depends on which one is configured:
- Add X-Header, prepend subject line with text, redirect message to email address, delete the message: ZAP takes no action.
- Move message to Junk Email folder: the identified mail is moved to the Junk Email folder immediately.
- Quarantine message: ZAP quarantines the message.
➤ The default action for the spam filtering verdict is Move message to Junk Email folder, and for the phishing verdict it is Quarantine message.
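The status check above and the action table are easiest to act on when read together: ZAP may be switched on in a policy and still do nothing because the configured action is one of the no-op ones. The following audit script is an added example (not code from the original post or from Microsoft) that walks every anti-spam and anti-malware policy in the tenant, reports the SpamZapEnabled, PhishZapEnabled and (for malware) ZapEnabled values, and flags policies where the SpamAction or PhishSpamAction setting makes ZAP a no-op according to the table. It assumes an existing Exchange Online PowerShell session; the function names Get-ZapFinding and Get-ZapAudit are the example's own, while the cmdlets and property names are the standard Exchange Online ones.

```powershell
# Added example, not part of the original post.
# Assumes you have already run Connect-ExchangeOnline.

# Spam/phish actions under which (per the post's table) ZAP takes no action.
$noOpActions = @('AddXHeader', 'ModifySubject', 'Redirect', 'Delete')

function Get-ZapFinding {
    # Hypothetical helper: returns a one-line finding for one anti-spam policy.
    param([Parameter(Mandatory)] $Policy)

    $findings = @()
    if (-not $Policy.SpamZapEnabled)  { $findings += 'Spam ZAP disabled' }
    if (-not $Policy.PhishZapEnabled) { $findings += 'Phish ZAP disabled' }

    # ZAP is on, but the post-delivery action means nothing would happen.
    if ($Policy.SpamZapEnabled -and $noOpActions -contains [string]$Policy.SpamAction) {
        $findings += "Spam ZAP on, but SpamAction '$($Policy.SpamAction)' makes ZAP a no-op"
    }
    if ($Policy.PhishZapEnabled -and $noOpActions -contains [string]$Policy.PhishSpamAction) {
        $findings += "Phish ZAP on, but PhishSpamAction '$($Policy.PhishSpamAction)' makes ZAP a no-op"
    }

    if ($findings.Count -eq 0) { 'OK' } else { $findings -join '; ' }
}

function Get-ZapAudit {
    # Hypothetical helper: one row per policy, anti-spam and anti-malware alike.
    $rows = @()

    foreach ($p in Get-HostedContentFilterPolicy) {
        $rows += [pscustomobject]@{
            Type        = 'Anti-spam'
            Policy      = $p.Name
            ZapEnabled  = "Spam=$($p.SpamZapEnabled) Phish=$($p.PhishZapEnabled)"
            Actions     = "Spam=$($p.SpamAction) Phish=$($p.PhishSpamAction) HighConfPhish=$($p.HighConfidencePhishAction)"
            Finding     = Get-ZapFinding -Policy $p
        }
    }

    foreach ($p in Get-MalwareFilterPolicy) {
        # Malware ZAP has a single switch and always quarantines.
        $rows += [pscustomobject]@{
            Type        = 'Anti-malware'
            Policy      = $p.Name
            ZapEnabled  = "Malware=$($p.ZapEnabled)"
            Actions     = 'Quarantine'
            Finding     = if ($p.ZapEnabled) { 'OK' } else { 'Malware ZAP disabled' }
        }
    }

    $rows
}

# Usage: print the audit as a table, widest columns last.
Get-ZapAudit | Format-Table Type, Policy, ZapEnabled, Actions, Finding -AutoSize -Wrap
```

Run it before and after any policy change; a policy that shows "OK" here can still be bypassed by the safe sender lists, mail flow rules and inbox rules mentioned in the note above, which this audit does not inspect.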
Hope this table clarified your doubts regarding Microsoft’s safety measures for different threats! When a message is zapped and moved to the Junk Email folder, you’ll see a header like the following:
```text
X-Microsoft-Antispam-ZAP-Message-Info: <a long string of characters>
```
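When triaging a single message (for example, one a user reports as wrongly junked), it helps to read that header programmatically rather than by eye. The function below is an added example (not from the original post) that takes a message's raw Internet headers, unfolds continuation lines, and reports whether the ZAP header is present along with the SFV (spam filtering verdict) and SCL values from the X-Forefront-Antispam-Report header for context. The sample header block is constructed for the example and the ZAP value is a placeholder; the function name Get-ZapHeaderInfo is the example's own.

```powershell
# Added example, not part of the original post.

function Get-ZapHeaderInfo {
    # Parses raw message headers (e.g. copied from Outlook's message source)
    # and reports ZAP status plus the Forefront spam verdict for context.
    param([Parameter(Mandatory)][string]$RawHeaders)

    # RFC 5322 folding: a line that starts with whitespace continues the
    # previous header. Join those first so each header is one line.
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", ' '

    $zapInfo = $null
    $sfv     = $null
    $scl     = $null

    foreach ($line in ($unfolded -split "`r?`n")) {
        if ($line -match '^X-Microsoft-Antispam-ZAP-Message-Info:\s*(.+)$') {
            $zapInfo = $Matches[1].Trim()
        }
        elseif ($line -match '^X-Forefront-Antispam-Report:\s*(.+)$') {
            # The report is a semicolon-separated list of KEY:VALUE pairs.
            $report = $Matches[1]
            if ($report -match '(?:^|;)SFV:([^;]*)') { $sfv = $Matches[1] }
            if ($report -match '(?:^|;)SCL:([^;]*)') { $scl = $Matches[1] }
        }
    }

    [pscustomobject]@{
        Zapped      = [bool]$zapInfo      # $true when the ZAP header is present
        ZapInfo     = $zapInfo
        SpamVerdict = $sfv                 # e.g. SPM (spam), SKN (safe sender), NSPM (not spam)
        SCL         = $scl
    }
}

# Constructed sample headers: not a real message, values are placeholders.
$sampleHeaders = @"
Received: from mail.example.test (203.0.113.10) by
 outlook.example.test with Microsoft SMTP Server
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:XX;LANG:en;SCL:5;SRV:;
 IPV:NLI;SFV:SPM;H:mail.example.test;PTR:;CAT:SPM;DIR:INB;
X-Microsoft-Antispam-ZAP-Message-Info: PLACEHOLDER-OPAQUE-ZAP-VALUE
Subject: Quarterly invoice
"@

# Usage: for the sample above this reports Zapped=True, SpamVerdict=SPM, SCL=5.
Get-ZapHeaderInfo -RawHeaders $sampleHeaders | Format-List
```

A message with Zapped=True and SpamVerdict=SKN (safe sender) is worth a second look, since that combination suggests a sender-list override rather than a filter verdict.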
Update Zero-hour Auto Purge Actions in Microsoft 365 Defender
What if you want to update the existing ZAP actions in the default anti-spam policies? It’s absolutely possible! If you want to modify the default ZAP actions, follow the below path.
Microsoft 365 Defender → Email & collaboration → Policies & rules → Threat policies → Anti-spam (under the ‘Policies’ section)
Then, select the default anti-spam inbound policy and click Edit actions. From here, you can modify the default actions based on your needs.
Microsoft Secure Score recommends enabling Zero-hour auto purge for phishing and spam as one of the most effective spam protection settings.
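The same change can be made from PowerShell, which is handy when a tenant has several anti-spam policies. The function below is an added example (not from the original post or from Microsoft) that enables spam and phishing ZAP on every anti-spam policy where either is off, using the SpamZapEnabled and PhishZapEnabled parameters of Set-HostedContentFilterPolicy. It supports -WhatIf so the change can be previewed first; the function name Enable-ZapOnAllPolicies is the example's own, and an existing Exchange Online PowerShell session is assumed.

```powershell
# Added example, not part of the original post.
# Assumes you have already run Connect-ExchangeOnline.

function Enable-ZapOnAllPolicies {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    foreach ($policy in Get-HostedContentFilterPolicy) {
        # Collect only the switches that actually need changing.
        $changes = @{}
        if (-not $policy.SpamZapEnabled)  { $changes['SpamZapEnabled']  = $true }
        if (-not $policy.PhishZapEnabled) { $changes['PhishZapEnabled'] = $true }

        if ($changes.Count -eq 0) {
            Write-Verbose "$($policy.Name): spam and phish ZAP already enabled"
            continue
        }

        $description = "enable " + (($changes.Keys | Sort-Object) -join ', ')
        # ShouldProcess honours -WhatIf and -Confirm for the caller.
        if ($PSCmdlet.ShouldProcess($policy.Name, $description)) {
            Set-HostedContentFilterPolicy -Identity $policy.Identity @changes
            Write-Verbose "$($policy.Name): $description"
        }
    }
}

# Preview what would change, without touching any policy:
Enable-ZapOnAllPolicies -WhatIf

# Apply the change and log each policy touched:
# Enable-ZapOnAllPolicies -Verbose
```

Enabling ZAP this way does not change the SpamAction or PhishSpamAction of the policy, so a policy whose action is add X-header, modify subject, redirect or delete will still see no ZAP effect.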
Get Zero-hour Auto Purge Reports in Microsoft 365
Monitoring the zapped messages in Exchange Online is crucial for several reasons. So, let’s see what comes with monitoring ZAP reports in your organization.
- First, what if legitimate emails are flagged and moved as well, creating false positives? This is where keeping track of ZAP-removed email messages comes in! Reviewing ZAP reports allows you to identify false positives and restore legitimate emails that may have been quarantined incorrectly. This particular case happens once in every ten real-time checks.
- Then, monitoring zapped messages allows organizations to maintain compliance with regulatory requirements.
- Keeping track of the ZAP reports aids in enhancing the efficiency of the organization’s email system by reducing the volume of emails that require processing, leading to a more streamlined and productive email system.
Different Ways to Monitor Zero-hour Auto Purge Actions in Office 365 Mailboxes
Overall, there is no reason to say NO to keeping an eye on zapped messages. Having seen plenty of reasons WHY TO MONITOR ZAP REPORTS, let’s now look at HOW TO MONITOR ZAP REPORTS.
There are 3 different ways for admins to keep an eye on ZAP-removed email messages.
Find ZAP Removed Messages in Mailflow Status Reports
The Mailflow status report provides an overview of all inbound and outbound emails, along with spam and malware detection statistics. Therefore, to view the mail flow status reports, you can quickly follow the path below.
Microsoft 365 Defender → Reports → Email & collaboration reports → Mailflow status summary → Mailflow
Here, the zero-hour auto purge report shows how many messages have been removed in your organization in the past 90 days. Clicking a row in the details table opens a details flyout with an elaborate breakdown of the email counts.
Check the ZAP Actions in Threat Explorer
Threat Explorer helps the IT security team investigate and respond to threats efficiently in real time. Lately, Microsoft has improved the reporting experience by adding different post-delivery reports that cover ZAP, manual remediation, dynamic delivery, etc. To view the ZAP reports, select “Explorer” in the Microsoft 365 Defender portal.
Then, set the query to Additional action equals ZAP and run it. The results list shows the zero-hour auto purge actions performed on individual emails, along with each message’s original delivery location and latest delivery location.
The New ‘Post-delivery Activities’ Report in Microsoft 365 Defender
🚀We’ve finally gotten to the major report! In the latest release MC522572, Microsoft has added a new report called Post-delivery Activities to Microsoft 365 Defender.
We all know that monitoring ZAP actions with the above reports was quite a challenge, as every check required several tweaks to the query. So, to everyone’s surprise, here comes a dedicated dashboard for Post-delivery Activities reports.
This report shows post-delivery actions out of the box, i.e., it displays all the ZAP events that occurred in the organization. Also, if the verdict for a message has changed, the new report displays the updated data, making investigation easier.
Follow the path below to view the Post-delivery Activities reports.
Microsoft 365 Defender → Reports → Email & collaboration reports → Post-delivery activities
Therefore, make use of all the above reports and ensure that the organization’s valuable assets are protected from cyber threats.
So why wait? It’s time to say adieu to pesky email threats once and for all with zero-hour auto purge in Exchange Online! Even if an email threat manages to slip through the cracks, ZAP is there to swiftly eliminate it before it can do any harm.
So, go ahead and stop email threats from being a nightmare with ZAP now! 🤯Take control of your Exchange Online mailbox and protect your organization’s communication channels with ZAP.