Zero-hour auto purge (ZAP) is an email protection feature that detects messages with spam or malware that have already been delivered to your users' inboxes, and then renders the malicious content harmless. How ZAP does this depends on the type of malicious content detected.
ZAP is available with the default Exchange Online Protection that is included with any Office 365 subscription that contains Exchange Online mailboxes.
How does ZAP work?
Office 365 updates its anti-spam engine and malware signatures continually throughout the day. Even so, malicious messages can still reach users' inboxes for a variety of reasons, including content that was weaponized only after the message was first delivered (for example, a link that begins serving malicious content after delivery). ZAP addresses this by continually monitoring updates to the Office 365 spam and malware signatures and re-evaluating previously delivered messages against them, so it can find and act on messages that are already in inboxes. For delivered mail that is subsequently identified as spam, ZAP moves unread messages to the user's Junk Email folder; messages the user has already read are left where they are. For newly detected malware, ZAP removes the attachments from the message regardless of whether it has been read. The same mechanism works in reverse for messages that were incorrectly classified as malicious.
The ZAP action is transparent to the mailbox user: no notification is sent when a message is moved or an attachment is removed.
Allow lists, mail flow rules, end-user rules, and any additional filters take precedence over ZAP.
Working with ZAP
ZAP is turned on by default, but two conditions must be met before it can act on a mailbox:
The spam filter policy that applies to the recipient has its spam action set to Move message to Junk Email folder.
You can also create a new spam filter policy that applies only to a set of users if you don't want all mailboxes to be screened by ZAP.
Junk Email processing is enabled for the user's mailbox (it is enabled by default). ZAP cannot move messages for a mailbox whose Junk Email processing is disabled.
If you want to see whether ZAP moved a message, use the Exchange Online message trace tool.
Admins can also disable ZAP by using PowerShell.
To set spam filter policy
Sign in to the Exchange admin center and choose protection > spam filter.
Either choose the filter policy you want to adjust, or choose add to create a new one.
The built-in policy is named "Default". If you create additional spam filter policies you can give them a different name, and you can apply each policy to only a limited set of users.
In the policy window, choose spam and bulk actions, and make sure that Spam is set to Move message to Junk Email folder.
If you choose Save at this point while editing the Default policy, the setting applies to every mailbox in your Office 365 tenant that is not covered by a more specific policy.
If you created a new policy, and you want to apply the policy to only a set of users, scroll to the Applied To section in the policy filter window, and in the menu controls choose the recipients, domain, or group memberships you want to apply the policy to. You can also set additional conditions and exceptions.
Choose Save to apply the policy to the selected users.
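The same checks and settings can be made from Exchange Online PowerShell, which is also the easiest way to confirm the state of every policy at once. The following is an added example, not code from the original article; it assumes an existing Exchange Online PowerShell session (for example, one opened with Connect-ExchangeOnline from the ExchangeOnlineManagement module), and the domain, policy name and mailbox address it uses are placeholders.

```powershell
# Added example (not from the original article): verify and set the ZAP
# prerequisites from Exchange Online PowerShell. Assumes an existing session.
# The domain, policy name and mailbox below are placeholders.

$scopedDomain = 'contoso.com'          # placeholder accepted domain
$policyName   = 'ZAP Pilot'            # placeholder policy name
$mailbox      = 'alice@contoso.com'    # placeholder mailbox

# 1. Review every content filter policy. ZAP only has somewhere to put a
#    message when the spam action is MoveToJmf (Move message to Junk Email folder).
Get-HostedContentFilterPolicy |
    Select-Object Name, SpamAction, HighConfidenceSpamAction, ZapEnabled |
    Format-Table -AutoSize

# 2. Make sure the Default policy moves spam to the Junk Email folder.
#    Other actions (Quarantine, Delete, AddXHeader, ...) do not satisfy the ZAP condition.
Set-HostedContentFilterPolicy -Identity Default -SpamAction MoveToJmf

# 3. Optionally scope ZAP to a subset of users: a separate policy with ZAP on,
#    attached by a rule to one accepted domain. Recipients matched by no rule
#    fall back to the Default policy, so both policies still need MoveToJmf.
if (-not (Get-HostedContentFilterPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-HostedContentFilterPolicy -Name $policyName -SpamAction MoveToJmf -ZapEnabled $true
    New-HostedContentFilterRule -Name "$policyName rule" `
        -HostedContentFilterPolicy $policyName `
        -RecipientDomainIs $scopedDomain
}

# 4. The per-mailbox junk email rule must be enabled, or ZAP cannot move
#    anything into that user's Junk Email folder.
$junk = Get-MailboxJunkEmailConfiguration -Identity $mailbox
if (-not $junk.Enabled) {
    Set-MailboxJunkEmailConfiguration -Identity $mailbox -Enabled $true
}
```

Run step 1 first and read the SpamAction column: a policy that quarantines or deletes spam is not in error, but ZAP will not retroactively remediate delivered mail for the recipients it covers.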
To see if ZAP moved your message
You can use the Exchange Online message trace tool to determine if the message was moved by ZAP:
Look for the text "Zero-Hour Auto Purge (ZAP)" in the trace details to identify a message that was moved by ZAP. Because the user receives no notification, the message trace is the only record that the move was made by ZAP rather than by the user or a mailbox rule.
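The message trace can also be queried from PowerShell, which is useful when you want to find every message ZAP acted on for a recipient rather than trace one message at a time. The following is an added example, not code from the original article; it assumes an Exchange Online PowerShell session, uses a placeholder recipient, and relies on the trace detail text containing the "Zero-Hour Auto Purge" wording the article describes, which you should treat as an assumption and adjust if your tenant's trace output differs.

```powershell
# Added example (not from the original article): list messages that ZAP acted on
# for one recipient over the last two days, using the message trace cmdlets.
# Assumes an Exchange Online PowerShell session; the recipient is a placeholder.
# Matching on 'Zero-Hour Auto Purge' follows the article's description of the
# trace detail text; the exact wording is an assumption.

$recipient = 'alice@contoso.com'     # placeholder mailbox
$start     = (Get-Date).AddDays(-2)  # Get-MessageTrace covers recent mail only
$end       = Get-Date

$zapped = foreach ($msg in Get-MessageTrace -RecipientAddress $recipient -StartDate $start -EndDate $end) {
    # Each summary row has a MessageTraceId; the detail rows carry the ZAP event text.
    Get-MessageTraceDetail -MessageTraceId $msg.MessageTraceId -RecipientAddress $recipient |
        Where-Object { $_.Detail -match 'Zero-Hour Auto Purge' } |
        ForEach-Object {
            [pscustomobject]@{
                Received = $msg.Received
                Sender   = $msg.SenderAddress
                Subject  = $msg.Subject
                Event    = $_.Event
                Detail   = $_.Detail
            }
        }
}

$zapped | Sort-Object Received | Format-Table -AutoSize
```

Widening the date range or dropping -RecipientAddress turns this into a tenant-wide sweep; keep in mind that Get-MessageTrace pages its results, so pass -PageSize and -Page when a busy recipient returns more rows than the default page.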
To disable ZAP
If you want to disable ZAP for your Office 365 tenant, or for a set of users, use the ZapEnabled parameter of Set-HostedContentFilterPolicy, an EOP cmdlet. ZAP is controlled per content filter policy, so to disable it for only some users, apply a dedicated policy to those users (through the policy's Applied To settings) and turn ZAP off on that policy; disabling it on the Default policy affects every recipient that no other policy covers.
In the following example, ZAP is disabled for a content filter policy named "Test".
Set-HostedContentFilterPolicy -Identity Test -ZapEnabled $false
What happens if a legitimate message is moved to the junk mail folder?
Follow your normal process for reporting false positives. A message is moved from the Inbox to the Junk Email folder only because the service has determined, after delivery, that it is spam or malicious, so reporting it is what gets the classification corrected.
What if I use the Office 365 quarantine instead of the junk mail folder?
ZAP doesn't move messages into quarantine from the Inbox at this time.
What if I have a custom mail flow rule (Block/Allow rule)?
Rules created by admins (mail flow rules) and Block and Allow rules take precedence over ZAP. Messages matched by such rules are excluded from ZAP processing. This means a broad allow rule, for example one keyed on a sender domain, also prevents ZAP from retroactively remediating messages from that sender, so keep allow rules as narrow as possible.