Zero-hour auto purge - protection against spam and malware

Zero-hour auto purge (ZAP) is an email protection feature that detects messages with spam or malware that have already been delivered to your users' inboxes, and then moves them to the Junk mail folder as long as the messages are unread.

ZAP is available with the default Exchange Online Protection that is included with any Office 365 subscription that contains Exchange Online mailboxes.

How does ZAP work?

Office 365 updates anti-spam engine and malware signatures in real time on a daily basis. However, your users might still get malicious messages in their inboxes, because the daily scan might not have detected a new spam or malware campaign. ZAP gets around this by continually monitoring updates to the Office 365 spam and malware signatures, and can therefore identify previously undetected malicious messages already in inboxes. If the recipients have not read the messages, then ZAP moves the messages to their Junk mail folder. The reverse is true for messages that were incorrectly classified as malicious.

The ZAP action is seamless for the mailbox user; he or she is not notified that the mail has been moved.

Allow lists, Exchange transport rules, and end user rules or additional filters take precedence over ZAP.

In this article:   

Set spam filter policy

See if ZAP moved your message

Disable ZAP

FAQ

Working with ZAP

ZAP is turned on by default, but you do have to make sure a couple of conditions are met:

If you want to see if ZAP moved your message, you can use the Exchange Online message trace tool.

Admins can also disable ZAP by using PowerShell.

To set spam filter policy
  1. In the Exchange admin center, choose protection > spam filter.

    (Screenshot: In the EAC, choose protection and then spam filter.)
  2. Either choose the filter policy you want to adjust, or choose add (the Add icon) to create a new one.

    In the previous screen shot, the policy is named "Default", but if you create additional spam filter policies you can give them a different name. You can also apply the policy to only a limited set of users.

  3. In the policy window, choose spam and bulk actions, and make sure that Spam is set to Move message to Junk Email folder.

    If you choose Save at this point, the policy applies to your Office 365 tenant.

    (Screenshot: Set spam and bulk actions to Move message to Junk Email folder.)
  4. If you created a new policy, and you want to apply the policy to only a set of users, scroll to the Applied To section in the policy filter window, and in the menu controls choose the recipients, domain, or group memberships you want to apply the policy to. You can also set additional conditions and exceptions.

    (Screenshot: In the Applied To section, choose the recipients.)

    Choose Save to apply the policy to the selected users.

To see if ZAP moved your message
  • You can use the Exchange Online message trace tool to determine if the message was moved by ZAP:

    Look for the text "Zero-Hour Auto Purge (ZAP)" in your trace details to identify a message that was moved by ZAP.

To disable ZAP
  • If you want to disable ZAP for your Office 365 tenant, or a set of users, use the ZapEnabled parameter of Set-HostedContentFilterPolicy, an EOP cmdlet.

    In the following example, ZAP is disabled for a content filter policy named "Test".

    Set-HostedContentFilterPolicy -Identity Test -ZapEnabled $false
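
The two settings this page touches, the Spam action from "To set spam filter policy" and the ZapEnabled parameter from "To disable ZAP", can be checked together across all policies. The following is an added example, not part of the original article: the function name Test-ZapReadiness and the policy name "Finance" are hypothetical, and it assumes that the SpamAction value MoveToJmf is the cmdlet-side name of the EAC option "Move message to Junk Email folder".

```powershell
# Added example: report which spam filter policies let ZAP act.
# Assumption: SpamAction 'MoveToJmf' corresponds to the EAC option
# "Move message to Junk Email folder".
function Test-ZapReadiness {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Policy
    )
    process {
        $issues = @()
        if (-not $Policy.ZapEnabled) {
            $issues += 'ZapEnabled is $false'
        }
        if ("$($Policy.SpamAction)" -ne 'MoveToJmf') {
            $issues += "SpamAction is '$($Policy.SpamAction)', expected 'MoveToJmf'"
        }
        # One result row per policy, with the reasons ZAP would not act.
        [pscustomobject]@{
            Policy     = $Policy.Name
            ZapEnabled = [bool]$Policy.ZapEnabled
            SpamAction = "$($Policy.SpamAction)"
            ZapCanAct  = ($issues.Count -eq 0)
            Issues     = $issues -join '; '
        }
    }
}

# Constructed sample policies so the function can be tried offline.
$sample = @(
    [pscustomobject]@{ Name = 'Default'; ZapEnabled = $true;  SpamAction = 'MoveToJmf' }
    [pscustomobject]@{ Name = 'Test';    ZapEnabled = $false; SpamAction = 'MoveToJmf' }
    [pscustomobject]@{ Name = 'Finance'; ZapEnabled = $true;  SpamAction = 'Quarantine' }
)
$sample | Test-ZapReadiness | Format-Table -AutoSize

# Against a live tenant (requires an Exchange Online PowerShell session):
# Get-HostedContentFilterPolicy | Test-ZapReadiness |
#     Where-Object { -not $_.ZapCanAct }
```

With the constructed sample, only "Default" reports ZapCanAct as True; "Test" is flagged for ZapEnabled and "Finance" for its spam action.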

FAQ

What happens if a legitimate message is moved to the junk mail folder?   

You should follow the normal reporting process for false positives. The only reason the message would be moved from the inbox to the junk mail folder would be because the service has determined that the message was spam or malicious.

What if I use the Office 365 Quarantine instead of the junk mail folder?   

ZAP doesn't move messages into quarantine from the Inbox at this time.

What if I have a custom transport rule (ETR, Block, or Allow rule)?

Rules created by admins (ETRs) or Block and Allow rules will take precedence. Such messages are excluded from the feature criteria.

See Also

Office 365 Email Anti-Spam Protection

Block email spam with the Office 365 spam filter to prevent false negative issues
