ZAP and Quarantine
ZAP, or zero-hour auto-purge, is an Exchange Online Protection (EOP) feature that’s had some issues recently. To help, Microsoft is releasing improvements to support more granular control and better alignment with other hygiene controls. In a nutshell, apart from the current “malware ZAP” action to remove any and all attachments deemed unsafe, ZAP will now act upon messages identified as Spam or Phish and can quarantine the messages, if that option is enabled. And we are getting the option to disable phish or spam processing for ZAP, if needed.
Microsoft announced support for moving ZAP-ed messages to Quarantine as part of the Phish and spam Zero-hour Auto Purge move to Quarantine update in Microsoft 365 roadmap item 55432 (Figure 1).
Enabling ZAP for Spam and Phish
While the roadmap item doesn’t explicitly mention this, a quick look at the documentation shows that we are also getting additional controls for toggling the spam and/or phish detection modes. Both new modes will be enabled by default and can be controlled via two new parameters introduced for the Set-HostedContentFilterPolicy cmdlet: SpamZapEnabled and PhishZapEnabled.
The value for both these new parameters is currently inherited from the value of the ZapEnabled parameter, and this will remain the case until February 2020, when the ZapEnabled parameter will be deprecated. By default, both the SpamZapEnabled and the PhishZapEnabled parameters will be $true (enabled), if not explicitly changed. Coming soon, we will be able to toggle those two parameters to $false, thus disabling the processing of spam and phish messages by ZAP.
How ZAP Will Process Email
Going forward, ZAP will behave as follows. For any messages detected as malware, the current “remove attachment” action will remain in effect, while for messages identified as phish or spam, ZAP will follow the action configured for that verdict in the content filter policy. If the action is set to Quarantine message, Delete message or Redirect message to email address, ZAP will move the message to Quarantine. If the action is set to Move message to Junk email folder, the current behavior will apply, and messages will be moved to the Junk email folder. If the action is set to Add X-Header or Prepend subject line with text, or there is no action defined in the policy, then ZAP will not act upon the message. The same is true if the corresponding spam/phish processing has been toggled off by the controls listed above.
These improvements will also introduce another change in ZAP processing, based on the read status of the message. Malware messages will continue to be acted upon regardless of the read status. For messages identified as phish, the action will also be performed regardless of the read status. However, for messages marked as spam, the action will only be performed on messages marked as unread.
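The following script is an added example (not code from the article or from Microsoft) that puts the new parameters and the processing rules above into practice: it reads every hosted content filter policy and reports what ZAP will do with spam and phish under each, then shows a Set-HostedContentFilterPolicy call using the new switches. It assumes an existing Exchange Online PowerShell session and that the SpamZapEnabled and PhishZapEnabled parameters have already reached the tenant; the mapping of the policy’s SpamAction and PhishSpamAction values to the action names used above (Quarantine, Delete, Redirect, MoveToJmf, AddXHeader, ModifySubject, NoAction) is my reading of the cmdlet’s enumeration, and the policy name "Default" is just the example target.

```powershell
# Added example, not from the original article. Requires an Exchange Online
# PowerShell session (Connect-ExchangeOnline) with permission to read/modify
# hosted content filter (anti-spam) policies.

function Get-ZapOutcome {
    # Translate a policy action plus the per-verdict ZAP switch into the
    # behaviour described in the article.
    param(
        [string]$Action,      # SpamAction or PhishSpamAction value
        [bool]$ZapEnabled     # SpamZapEnabled or PhishZapEnabled value
    )
    if (-not $ZapEnabled) { return 'No ZAP action (processing disabled)' }
    switch ($Action) {
        { $_ -in 'Quarantine', 'Delete', 'Redirect' } { return 'Move to Quarantine' }
        'MoveToJmf'                                    { return 'Move to Junk Email folder' }
        default { return 'No ZAP action (AddXHeader, ModifySubject or no action)' }
    }
}

foreach ($p in Get-HostedContentFilterPolicy) {
    # Until the new parameters are present on a tenant, their value is
    # inherited from the legacy ZapEnabled setting; mirror that here.
    $spamZap  = if ($null -ne $p.SpamZapEnabled)  { $p.SpamZapEnabled }  else { $p.ZapEnabled }
    $phishZap = if ($null -ne $p.PhishZapEnabled) { $p.PhishZapEnabled } else { $p.ZapEnabled }

    [pscustomobject]@{
        Policy      = $p.Name
        SpamAction  = $p.SpamAction
        SpamZap     = Get-ZapOutcome -Action $p.SpamAction -ZapEnabled $spamZap
        SpamScope   = 'unread messages only'          # read-status rule for spam
        PhishAction = $p.PhishSpamAction
        PhishZap    = Get-ZapOutcome -Action $p.PhishSpamAction -ZapEnabled $phishZap
        PhishScope  = 'read and unread messages'      # phish ignores read status
    }
}

# Example change on the "Default" policy (assumed name): keep phish ZAP on and
# send ZAP-ed phish to Quarantine, while switching spam ZAP off. Remove -WhatIf
# once the reported change looks right.
Set-HostedContentFilterPolicy -Identity 'Default' `
    -PhishSpamAction Quarantine -PhishZapEnabled $true -SpamZapEnabled $false -WhatIf
```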
For more information about techniques to repel spam and malware, read the chapter about mail flow in the Office 365 for IT Pros eBook.