Emails Delivered without EOP scanning

Copper Contributor

We recently switched our Office 365 email security provider from Mimecast to Defender plan 1.  We have our Defender policy settings set as strict as possible, but we are still seeing a large increase in the amount of malicious emails (and bulk email) that makes it into our inboxes.  Specifically, we have one mailbox that forwards all email to 3rd party ticketing system.  That ticketing system went from malicious emails a few times a year to several per week.  We reviewed some of the emails and I can't understand why they are being delivered (no SPF, failed DMARC, failed composite auth, no DKIMM)  I opened a ticket with Microsoft and their explanation was that when Microsoft servers are busy, they delivered the email without Exchange Online Protection scanning.  Then they use a feature called ZAP (zero hour purge) to scan and remove the emails after delivery.  Last month we had 173 emails removed by ZAP.  This happens after email forwarding to our ticketing system and without notification, so we don't have a way to act on them.


Is this accurate?  Is Microsoft really delivering emails without security scanning?  If so, what can we do to stop the emails?  Create a bunch of manual mail flow rules?  Switching back to Mimecast would be a significant undertaking and cost, so I would like to make Defender work if possible.

3 Replies

Any feedback would be appreciated.  We are even finding emails that spoof our domain getting through, something we've never seen.  They all seem to be getting pulled by ZAP about 2 minutes after delivery.

Microsoft has basically told us this is by design and not something we can change. It seems like a very big security hole to delay scanning until after delivery when the workload is too high. I wish this is something we had known about prior to switching email security providers.
This is very common in our organisation as well, despite having defender policy. Email spoof is quite popular whereby, we simply ask users to report it immediately and if they clicked any link they'd change their password immediately.

Another issues that I found is encrypted emails, and encrypted email contains an email itself (if that makes sense) with an attached html bogus link to trick user to sign in and give away their password. Funny part the email does come through from original source.