Exchange Online Protection Improves Zero-Hour Auto Purge (ZAP)



The fight against spam and malware goes on unabated. ZAP, or zero-hour auto purge, is an Exchange Online Protection (EOP) feature that’s getting some extra features to deal better with spam and phish malware. New policy controls are available to control the feature.

1 Reply
Hello. I was going to try to submit a new post for this but can't seem to do it. It may be because I am fairly new to this site. I was directed here by Microsoft Support for providing feedback\submitting a feature request. If this is not the proper place to do this, my apologies in advance, and please let me know where to go for submitting the following:

Microsoft ZAP Feature Request
We have ZAP enabled in our environment and I was just a victim of it... Oops! I mean, I just experienced the power of ZAP first hand and it is great! Except, I would like to request one thing. First, some background. Some of our users reported a suspected phishing email with the notification button that they have in Outlook. That button is configured to send the suspected email (as an attachment) to both Microsoft directly and also to our own internal suspected phishing notification mailbox.

I saw this particular phishing email had a number of user submissions already and I blocked it right away and reported it to Microsoft through the message trace window as it was obviously a malicious attempt. I then looked at our internal suspected phishing inbox to inspect the email and its header some more.

There were a good number of submissions (as attachments) of that malicious email in our inbox. At one point, I thought I saw a change in the list of emails. Then, a saw a couple disappear. I wondered "Did I just see a couple of those submissions disappear? I was up late working. I must be tired." Then, a few more disappeared. Then, a few more.

This is when I became a little uncomfortable. Then, more disappeared. I asked my boss and other admins if anyone was deleted submissions out of our reported phishing box. All said no. Then more disappeared. I told my boss that I thought Microsoft might be deleting them with their auto remove feature (I now know is called ZAP) and that I doubted it was a malicious actor. Then more of them disappeared. I looked in my mailbox for a notification from Microsoft that an auto-delete or ZAP had been initiated. There was no notification. Then more of them disappeared. I then created a support ticket with Microsoft and kicked off endpoint scans on all our workstations. Then more of them disappeared.

Then, they all disappeared.

I was sitting there staring at an empty "Suspected Phishing Submission" inbox. I told my boss I think it is Microsoft deleting them but don't have confirmation and I'm waiting to hear from Microsoft support. Microsoft Support did call soon after that and explained that MS ZAP did in fact auto delete the original emails in users inboxes and the emails in our reporting inbox that had the original email as an attachment.


I am sorry for the lengthy back story. But, I wanted to demonstrate the effect that ZAP can have on an Administrator when ZAP is initiated and no notification is provided by Microsoft that the ZAP is occurring.

So, that would be my request. Please provide (ASAP!!!) notification when ZAP is being executed by in our tenant environment. At a minimum a notification email. We received nothing. And please go even further than a notification email and put some sort of "Alert Message" feature in all of the 365 consoles\websites that provides the notification also.

Please don't get me wrong. ZAP is great! But, due to the fact that I had no notification of ZAP being executed, or any way to quickly confirm that ZAP was occurring (on these specific emails) the effect ZAP had on my biology just now was not that great.

Thank you for your consideration. Again, ZAP is great! Just some sort of notification and proactive confirmation would be very helpful.

Thank you!