Microsoft ZAPs Teams notification emails

An interesting incident occurred yesterday in Microsoft land – Teams notification emails suddenly started appearing as containing malware. More specifically, a few of the images embedded in the message body were being detected as malicious and replaced by the ZAP feature. A sample message is shown below:

[Image: Example Teams email notification message]

As you can see, some of the images were removed from the message, and an attachment informing you about the actions performed by ZAP was added:

Malware was detected in one or more attachments included with this email message.
Action: All attachments have been deleted.

And because of the nature of the ZAP feature, it was actually doing the same for messages received in the past. In my mailbox, messages going back to Tuesday were being processed and had their images stripped. Which yet again goes to show just how important it is to test updates before pushing them into production, especially when it comes to features as powerful as ZAP. Luckily, only Teams notification emails were affected, which is something I can live with.

A quick look at the message headers and a message trace confirmed that the message was legitimate, then a quick check against the Office 365 communities showed that multiple people had already reported the same issue. Soon after, a SIE appeared on the SHD, EX189242. As customary, the description of the SIE is vague at best:

[Image: SHD post about the issue]

Another, related SIE resulted in some messages being held in the Junk folder. Despite what the SIE descriptions suggest, I haven’t seen any other emails getting ZAPed as a result of the bogus rule update, including other messages originating from Microsoft users or systems. Neither have I seen reports from others about anything other than Teams notification mails. A quick check against the ATP report confirms that:

Get-MailDetailATPReport -EventType ZAP | ft Date,Subject,SenderAddress,EventType,Action

Date                Subject                                             SenderAddress                     EventType Action
----                -------                                             -------------                     --------- ------
27/08/2019 16:25:17 Kiran mentioned you in Elite100 Program (under NDA) noreply@email.teams.microsoft.com ZAP       AttachmentReplaced
28/08/2019 11:55:55 Roberto posted a message                            noreply@email.teams.microsoft.com ZAP       AttachmentReplaced
28/08/2019 18:13:07 Vesa posted a message                               noreply@email.teams.microsoft.com ZAP       AttachmentReplaced
28/08/2019 18:51:38 Vesa posted a message                               noreply@email.teams.microsoft.com ZAP       AttachmentReplaced
28/08/2019 19:28:50 Vesa posted a message                               noreply@email.teams.microsoft.com ZAP       AttachmentReplaced
30/08/2019 11:02:28 josh mentioned Elite100 Program (under NDA)         noreply@email.teams.microsoft.com ZAP       AttachmentReplaced
30/08/2019 14:10:52 Lucie mentioned MVPs in CEE                         noreply@email.teams.microsoft.com ZAP       AttachmentReplaced
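
To answer the scope question at a glance on a larger tenant, the same report rows can be grouped per sender and anything outside the expected sender flagged. This is an added example, not part of the original post: `Get-ZapScope` is a hypothetical helper, the sample rows are constructed to mirror the columns shown above, and the `contoso.example` row is invented purely to show the flagging.

```powershell
# Summarize ZAP events per sender/action and flag senders that are not the
# one known to be hit by the false positive. Hypothetical helper.
function Get-ZapScope {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$InputObject,
        # Sender(s) expected to be affected (taken from the report on this page)
        [string[]]$ExpectedSender = @('noreply@email.teams.microsoft.com')
    )
    begin   { $rows = [System.Collections.Generic.List[psobject]]::new() }
    process { if ($InputObject.EventType -eq 'ZAP') { $rows.Add($InputObject) } }
    end {
        $rows | Group-Object -Property SenderAddress, Action | ForEach-Object {
            $sorted = @($_.Group | Sort-Object -Property Date)
            [pscustomobject]@{
                SenderAddress = $sorted[0].SenderAddress
                Action        = $sorted[0].Action
                Count         = $_.Count
                First         = $sorted[0].Date
                Last          = $sorted[-1].Date
                # -contains is case-insensitive, which suits SMTP addresses
                Expected      = $ExpectedSender -contains $sorted[0].SenderAddress
            }
        }
    }
}

# Constructed sample rows with the same properties as the report output above.
$teams  = 'noreply@email.teams.microsoft.com'
$sample = @(
    [pscustomobject]@{ Date = [datetime]'2019-08-27T16:25:17'; SenderAddress = $teams; EventType = 'ZAP'; Action = 'AttachmentReplaced' }
    [pscustomobject]@{ Date = [datetime]'2019-08-28T11:55:55'; SenderAddress = $teams; EventType = 'ZAP'; Action = 'AttachmentReplaced' }
    [pscustomobject]@{ Date = [datetime]'2019-08-30T14:10:52'; SenderAddress = $teams; EventType = 'ZAP'; Action = 'AttachmentReplaced' }
    # Invented row: a non-Teams sender, to show what an unexpected hit looks like
    [pscustomobject]@{ Date = [datetime]'2019-08-29T09:00:00'; SenderAddress = 'alerts@contoso.example'; EventType = 'ZAP'; Action = 'AttachmentReplaced' }
)

# Unexpected senders sort first (Expected = False)
$sample | Get-ZapScope | Sort-Object -Property Expected | Format-Table -AutoSize

# Against live data, pipe the report from the post into the helper instead:
# Get-MailDetailATPReport -EventType ZAP | Get-ZapScope
```

Any row with `Expected` set to `False` is a message worth pulling headers and a message trace for before treating the ZAP action as part of the same false positive.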

Of course, we as end users have a limited view of the impact of any SIE, so chances are the SIEs did indeed affect more than just Teams notification emails. The important thing is that the issue was quickly resolved after reporting it to Microsoft. Now we wait for the PIR and any goodness it might contain 🙂
