ZAP, or zero-hour auto-purge, is an Exchange Online Protection (EOP) feature that’s had some issues recently. To help, Microsoft is releasing improvements to support more granular control and better alignment with other hygiene controls. In a nutshell, apart from the current “malware ZAP” action to remove any and all attachments deemed unsafe, ZAP will now act upon messages identified as Spam or Phish and can quarantine the messages, if that option is enabled. And we are getting the option to disable phish or spam processing for ZAP, if needed.
Microsoft announced support for moving ZAP-ed messages to Quarantine as part of the Phish and spam Zero-hour Auto Purge move to Quarantine update in Microsoft 365 roadmap item 55432 (Figure 1):
Figure 1: Microsoft 365 roadmap item 55432 ZAP move to quarantine
Enabling ZAP for Spam and Phish
While the roadmap item doesn’t explicitly mention this, a quick glimpse at the documentation shows that we are also getting additional controls for toggling the spam and/or phish detection modes. Both new modes will be enabled by default and can be controlled via new parameters introduced for the Set-HostedContentFilterPolicy cmdlet: SpamZapEnabled and PhishZapEnabled.
The value for both these new parameters is currently inherited from the value of the ZapEnabled parameter, and this will remain the case until February 2020, when the ZapEnabled parameter will be deprecated. By default, both the SpamZapEnabled and the PhishZapEnabled parameters will be $true (enabled), if not explicitly changed. Coming soon, we will be able to toggle those two parameters to $false, thus disabling the processing of spam and phish messages by ZAP.
How ZAP Will Process Email
Going forward, ZAP will behave as follows. For any messages detected as malware, the current “remove attachment” action will remain in effect, while for messages identified as phish or spam, the corresponding action configured in the Content filter policy will be executed. If the action is set to Quarantine message, Delete message or Redirect message to email address, ZAP will move it to Quarantine. If the action is set to Move message to Junk email folder, the current behavior will apply, and messages will be moved to the Junk email folder. If the action is set to Add X-Header or Prepend subject line with text, or there is no action defined in the policy, then ZAP will not act upon the message. The same is true if the corresponding spam/phish processing has been toggled off by the controls listed above.
These improvements will also introduce another change in ZAP processing, based on the read status of the message. Malware messages will continue to be acted upon regardless of the read status. For messages identified as phish, the action will also be performed regardless of the read status. However, for messages marked as spam, the action will only be performed on messages marked as unread.
For more information about techniques to repel spam and malware, read the chapter about mail flow in the Office 365 for IT Pros eBook.
>ZAP is turned on by default, but the following conditions must be met:
>Spam action is set to Move message to Junk Email folder. You can also create a new spam filter policy that applies only to a set of users if you don’t want all mailboxes to be screened by ZAP.
How this this match with this new feature? Is the documentation simply outdated?
The article above is based on the latest additions to the Roadmap, some of them are not yet reflected in the documentation. I’d expect that to happen as we near the actual feature release.
Is there a way for an admin to trigger ZAP on a known phishing email? We often get notified about a suspicious email that is in fact a phishing attempt. It would be great to target that email before other users open the message and potentially fall prey to the phish.
Does ZAP still observe mal flow rules and permitted senders? I find this weird if someone I know and trust is compromised and they send me malware unintentionally, ZAP will see they are a permitted sender and allow it through? I’d like to see ZAP disregard these rules and scan all messages for malware regardless of permitted senders.
{"id":null,"mode":"button","open_style":"in_modal","currency_code":"EUR","currency_symbol":"\u20ac","currency_type":"decimal","blank_flag_url":"https:\/\/office365itpros.com\/wp-content\/plugins\/tip-jar-wp\/\/assets\/images\/flags\/blank.gif","flag_sprite_url":"https:\/\/office365itpros.com\/wp-content\/plugins\/tip-jar-wp\/\/assets\/images\/flags\/flags.png","default_amount":100,"top_media_type":"featured_image","featured_image_url":"https:\/\/office365itpros.com\/wp-content\/uploads\/2022\/11\/cover-141x200.jpg","featured_embed":"","header_media":null,"file_download_attachment_data":null,"recurring_options_enabled":true,"recurring_options":{"never":{"selected":true,"after_output":"One time only"},"weekly":{"selected":false,"after_output":"Every week"},"monthly":{"selected":false,"after_output":"Every month"},"yearly":{"selected":false,"after_output":"Every year"}},"strings":{"current_user_email":"","current_user_name":"","link_text":"Virtual Tip Jar","complete_payment_button_error_text":"Check info and try again","payment_verb":"Pay","payment_request_label":"Office 365 for IT Pros","form_has_an_error":"Please check and fix the errors above","general_server_error":"Something isn't working right at the moment. Please try again.","form_title":"Office 365 for IT Pros","form_subtitle":null,"currency_search_text":"Country or Currency here","other_payment_option":"Other payment option","manage_payments_button_text":"Manage your payments","thank_you_message":"Thank you for supporting the work of Office 365 for IT Pros!","payment_confirmation_title":"Office 365 for IT Pros","receipt_title":"Your Receipt","print_receipt":"Print Receipt","email_receipt":"Email Receipt","email_receipt_sending":"Sending receipt...","email_receipt_success":"Email receipt successfully sent","email_receipt_failed":"Email receipt failed to send. Please try again.","receipt_payee":"Paid to","receipt_statement_descriptor":"This will show up on your statement as","receipt_date":"Date","receipt_transaction_id":"Transaction ID","receipt_transaction_amount":"Amount","refund_payer":"Refund from","login":"Log in to manage your payments","manage_payments":"Manage Payments","transactions_title":"Your Transactions","transaction_title":"Transaction Receipt","transaction_period":"Plan Period","arrangements_title":"Your Plans","arrangement_title":"Manage Plan","arrangement_details":"Plan Details","arrangement_id_title":"Plan ID","arrangement_payment_method_title":"Payment Method","arrangement_amount_title":"Plan Amount","arrangement_renewal_title":"Next renewal date","arrangement_action_cancel":"Cancel Plan","arrangement_action_cant_cancel":"Cancelling is currently not available.","arrangement_action_cancel_double":"Are you sure you'd like to cancel?","arrangement_cancelling":"Cancelling Plan...","arrangement_cancelled":"Plan Cancelled","arrangement_failed_to_cancel":"Failed to cancel plan","back_to_plans":"\u2190 Back to Plans","update_payment_method_verb":"Update","sca_auth_description":"Your have a pending renewal payment which requires authorization.","sca_auth_verb":"Authorize renewal payment","sca_authing_verb":"Authorizing payment","sca_authed_verb":"Payment successfully authorized!","sca_auth_failed":"Unable to authorize! Please try again.","login_button_text":"Log in","login_form_has_an_error":"Please check and fix the errors above","uppercase_search":"Search","lowercase_search":"search","uppercase_page":"Page","lowercase_page":"page","uppercase_items":"Items","lowercase_items":"items","uppercase_per":"Per","lowercase_per":"per","uppercase_of":"Of","lowercase_of":"of","back":"Back to plans","zip_code_placeholder":"Zip\/Postal Code","download_file_button_text":"Download File","input_field_instructions":{"tip_amount":{"placeholder_text":"How much would you like to tip?","initial":{"instruction_type":"normal","instruction_message":"How much would you like to tip? Choose any currency."},"empty":{"instruction_type":"error","instruction_message":"How much would you like to tip? Choose any currency."},"invalid_curency":{"instruction_type":"error","instruction_message":"Please choose a valid currency."}},"recurring":{"placeholder_text":"Recurring","initial":{"instruction_type":"normal","instruction_message":"How often would you like to give this?"},"success":{"instruction_type":"success","instruction_message":"How often would you like to give this?"},"empty":{"instruction_type":"error","instruction_message":"How often would you like to give this?"}},"name":{"placeholder_text":"Name on Credit Card","initial":{"instruction_type":"normal","instruction_message":"Enter the name on your card."},"success":{"instruction_type":"success","instruction_message":"Enter the name on your card."},"empty":{"instruction_type":"error","instruction_message":"Please enter the name on your card."}},"privacy_policy":{"terms_title":"Terms and conditions","terms_body":null,"terms_show_text":"View Terms","terms_hide_text":"Hide Terms","initial":{"instruction_type":"normal","instruction_message":"I agree to the terms."},"unchecked":{"instruction_type":"error","instruction_message":"Please agree to the terms."},"checked":{"instruction_type":"success","instruction_message":"I agree to the terms."}},"email":{"placeholder_text":"Your email address","initial":{"instruction_type":"normal","instruction_message":"Enter your email address"},"success":{"instruction_type":"success","instruction_message":"Enter your email address"},"blank":{"instruction_type":"error","instruction_message":"Enter your email address"},"not_an_email_address":{"instruction_type":"error","instruction_message":"Make sure you have entered a valid email address"}},"note_with_tip":{"placeholder_text":"Your note here...","initial":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"empty":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"not_empty_initial":{"instruction_type":"normal","instruction_message":"Attach a note to your tip (optional)"},"saving":{"instruction_type":"normal","instruction_message":"Saving note..."},"success":{"instruction_type":"success","instruction_message":"Note successfully saved!"},"error":{"instruction_type":"error","instruction_message":"Unable to save note note at this time. Please try again."}},"email_for_login_code":{"placeholder_text":"Your email address","initial":{"instruction_type":"normal","instruction_message":"Enter your email to log in."},"success":{"instruction_type":"success","instruction_message":"Enter your email to log in."},"blank":{"instruction_type":"error","instruction_message":"Enter your email to log in."},"empty":{"instruction_type":"error","instruction_message":"Enter your email to log in."}},"login_code":{"initial":{"instruction_type":"normal","instruction_message":"Check your email and enter the login code."},"success":{"instruction_type":"success","instruction_message":"Check your email and enter the login code."},"blank":{"instruction_type":"error","instruction_message":"Check your email and enter the login code."},"empty":{"instruction_type":"error","instruction_message":"Check your email and enter the login code."}},"stripe_all_in_one":{"initial":{"instruction_type":"normal","instruction_message":"Enter your credit card details here."},"empty":{"instruction_type":"error","instruction_message":"Enter your credit card details here."},"success":{"instruction_type":"normal","instruction_message":"Enter your credit card details here."},"invalid_number":{"instruction_type":"error","instruction_message":"The card number is not a valid credit card number."},"invalid_expiry_month":{"instruction_type":"error","instruction_message":"The card's expiration month is invalid."},"invalid_expiry_year":{"instruction_type":"error","instruction_message":"The card's expiration year is invalid."},"invalid_cvc":{"instruction_type":"error","instruction_message":"The card's security code is invalid."},"incorrect_number":{"instruction_type":"error","instruction_message":"The card number is incorrect."},"incomplete_number":{"instruction_type":"error","instruction_message":"The card number is incomplete."},"incomplete_cvc":{"instruction_type":"error","instruction_message":"The card's security code is incomplete."},"incomplete_expiry":{"instruction_type":"error","instruction_message":"The card's expiration date is incomplete."},"incomplete_zip":{"instruction_type":"error","instruction_message":"The card's zip code is incomplete."},"expired_card":{"instruction_type":"error","instruction_message":"The card has expired."},"incorrect_cvc":{"instruction_type":"error","instruction_message":"The card's security code is incorrect."},"incorrect_zip":{"instruction_type":"error","instruction_message":"The card's zip code failed validation."},"invalid_expiry_year_past":{"instruction_type":"error","instruction_message":"The card's expiration year is in the past"},"card_declined":{"instruction_type":"error","instruction_message":"The card was declined."},"missing":{"instruction_type":"error","instruction_message":"There is no card on a customer that is being charged."},"processing_error":{"instruction_type":"error","instruction_message":"An error occurred while processing the card."},"invalid_request_error":{"instruction_type":"error","instruction_message":"Unable to process this payment, please try again or use alternative method."},"invalid_sofort_country":{"instruction_type":"error","instruction_message":"The billing country is not accepted by SOFORT. Please try another country."}}}},"fetched_oembed_html":false}
Based on the Microsoft documentation is a precondition for ZAP to work that the spam-action moves message to “Junk” (https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-hour-auto-purge)
>ZAP is turned on by default, but the following conditions must be met:
>Spam action is set to Move message to Junk Email folder. You can also create a new spam filter policy that applies only to a set of users if you don’t want all mailboxes to be screened by ZAP.
How this this match with this new feature? Is the documentation simply outdated?
The article above is based on the latest additions to the Roadmap, some of them are not yet reflected in the documentation. I’d expect that to happen as we near the actual feature release.
Is there a way for an admin to trigger ZAP on a known phishing email? We often get notified about a suspicious email that is in fact a phishing attempt. It would be great to target that email before other users open the message and potentially fall prey to the phish.
Does ZAP still observe mal flow rules and permitted senders? I find this weird if someone I know and trust is compromised and they send me malware unintentionally, ZAP will see they are a permitted sender and allow it through? I’d like to see ZAP disregard these rules and scan all messages for malware regardless of permitted senders.
I don’t know and the guy I used to ask about these issues has gone to Amazon. I need to find a new contact!
it is usully happening to me when I send to outlook or hotmail