{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreighvabdm5s7rj5ka6gsb6h2mnasu56vrca7gufs5j6xonaby2eeim",
"uri": "at://did:plc:xxrzfynfiasdpbxteqxi4jgq/app.bsky.feed.post/3mms7apjpxmr2"
},
"description": "Zero-hour Auto Purge (ZAP) in Microsoft Defender for Office 365 will now scan and remediate malicious emails in users' Deleted Items folders, enhancing post-delivery protection without new policies. Rollout starts June 2026, affecting all tenants with ZAP enabled, with no user experience changes ...",
"path": "/m365-message-center/message/mc1323263/",
"publishedAt": "2026-05-27T00:00:06.000Z",
"site": "https://blog.tophhie.cloud",
"tags": [
"Zero-hour auto purge (ZAP) in Microsoft Defender for Office 365 | Microsoft Learn"
],
"textContent": "**[What and Why:]**\n\nWe are extending **Zero-hour Auto Purge (ZAP)** in Microsoft Defender for Office 365 to scan and remediate malicious messages located in users’ **Deleted Items** folders. This enhancement strengthens post-delivery protection by ensuring phishing, spam, and malware messages are removed even after a user deletes or reports them, improving overall tenant security without introducing new policies or configuration.\n\n**[Rollout Schedule:]**\n\n * General Availability (Worldwide, GCC, GCC High, DoD): We will begin rolling out in **early June 2026** and expect to complete by **late July 2026**.\n\n\n\n**[Impact on Your Organization:]**\n\n**Who is affected:**\n\n * All tenants using Exchange Online Protection or Microsoft Defender for Office 365 Plan 1 or Plan 2 with ZAP enabled\n\n\n\n**Platforms/Services:**\n\n * Exchange Online\n * Microsoft Defender for Office 365\n * Outlook (desktop, web, mobile)\n\n\n\n**What will happen:**\n\n * ZAP will retroactively scan and take action on malicious messages found in the **Deleted Items** folder within the ZAP detection window.\n * This includes messages that were:\n * Reported by users as phishing\n * Automatically moved after accepting calendar invitations\n * Manually deleted by users\n * Messages identified as malicious will follow existing policy actions (for example, **move to Junk, quarantine**).\n * No new policies, actions, or configuration settings are introduced.\n * Admins will see additional ZAP activity in existing reports and alerts.\n * A new **SourceLocation** column will be added to the `EmailPostDeliveryEvents `table in Advanced Hunting to indicate the originating folder (for example, `DeletedItems`).\n * User experience remains unchanged.\n\n\n\n**[Action Required / Recommendations:]**\n\n**No action is required.**\n\nThis change is **enabled by default** and respects your existing anti‑spam, anti‑phishing, and anti‑malware policies.\n\n**Recommended actions for admins:**\n\n * Review existing ZAP-related reporting in**Mail flow** status and **Threat Explorer** to help your **Security Operations Center (SOC)** become familiar with the additional activity.\n * Update internal security documentation or helpdesk guidance to note that Deleted Items are now included in ZAP remediation.\n\n\n\n**Learn more:** Zero-hour auto purge (ZAP) in Microsoft Defender for Office 365 | Microsoft Learn\n\n**[Compliance Considerations:]**\n\n**Compliance Question**| **Explanation**\n---|---\nDoes the change alter how existing customer data is processed, stored, or accessed?| ZAP will now process and take action on emails located in the Deleted Items folder.\n\nDoes the change alter how admins can monitor, report on, or demonstrate compliance activities?| Additional ZAP actions will appear in existing reports, and a new **SourceLocation** field is added to Advanced Hunting to improve auditability and investigation accuracy.",
"title": "MC1323263: Microsoft Defender for Office 365: ZAP expands cleanup to Deleted Items",
"updatedAt": "2026-05-27T00:00:06.308Z"
}