Yesterday, Microsoft’s Shobhit Sahay announced some new and interesting features that will soon start rolling out for Exchange Online (Protection) customers. Dynamic delivery of safe attachments will surely be welcomed by organizations that have enrolled in Advanced Threat Protection, as one of the biggest complaints they have is the delay in message delivery (or the occasional timeouts). The Safety Tips, phishing reporting and the option to block file attachments directly at the EOP level are also nice. The most interesting feature we have seen in a while, however, is Zero-hour Auto Purge, or ZAP.
ZAP basically extends the malware scanning process to cover messages that have already made it through the EOP pipeline. It’s no secret that no anti-malware or anti-spam engine is perfect; with the amount of new threats generated daily, false negatives (and positives) are bound to happen every now and then. Even the most advanced heuristics cannot keep up with all the new variants, and even though Microsoft uses several different engines to increase the chances of detection, bad mail can still reach the end user. Enter Zero-hour Auto Purge. Once EOP identifies a new threat, it will now have the power to ‘creep back in’ to the user’s mailbox and change the status of the bad message that made it through the scans the first time around.
So how exactly does it work? Imagine the following scenario: your company suddenly gets targeted by a phishing campaign. Using the latest and greatest techniques, some bad person crafted a very convincing message that is bypassing all the built-in protections in the service and landing in the mailboxes of your users. Being the smart guy he is, one of the users (Johny) detects something phishy about that message and reports it to your service desk or the administrative staff. While there are some actions you can take to try and stop this attack, in this case you are simply being outwitted by the baddies. You use the new feature to report the phishing messages, and a few hours later all the bright lads at Microsoft come up with a reliable way to detect and correctly mark those messages as spam/malware. At this point ZAP will be able to act upon the message, taking the appropriate action and putting it out of the user’s reach. We are yet to see which actions will be available in production, but when Microsoft first spoke about the feature they were considering not only “Move to Junk”, but also Soft and Hard Delete actions.
The actions are the part where things get interesting. While Microsoft can and does delete huge amounts of spam and malware messages before they even hit the transport pipeline, taking similar actions on items that have already made it to users’ mailboxes is not that simple. Yes, one can argue that it’s as simple as finding the correct query to run the Search-Mailbox cmdlet against all mailboxes, as many admins do nowadays in order to get rid of spam/malware that made it past the filters. The difference here is that Search-Mailbox and any other admin/user actions are covered by the extensive auditing we already have in place in Exchange (Online). If something similar is done by the system however, that might not be the case, and you get a one-way ticket to compliance hell. With this in mind, literally the first question I asked when we were first briefed about this feature was – “will we be able to trace those actions?” The answer is yes. We will also be able to select the action that ZAP will perform on such items, or turn off the feature completely. Whatever they decide to provide in the final product, rest assured that there will be admin control and a proper audit trail.
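For comparison with what ZAP automates, here is the manual procedure the paragraph above refers to: an admin-driven purge with Search-Mailbox, followed by the audit-log lookup that proves it was done. This is an added example, not code from the article or from Microsoft; the search query, mailbox names and domain are constructed, and it assumes an Exchange Online PowerShell session with the Discovery Management and Mailbox Import Export roles assigned.

```powershell
# Added example (not from the article): purge a phishing message that slipped
# past EOP from every mailbox, then confirm the action left an audit trail.
# Assumes an Exchange Online PowerShell session; all names below are constructed.

# KQL query matching the reported phish. Subject and sender are made up.
$query = 'Subject:"Your account will be suspended" AND From:billing@contoso-invoices.example'

# 1. Dry run: -LogOnly writes a report of every hit into the discovery mailbox
#    and deletes nothing, so a bad query is caught before it does damage.
Get-Mailbox -ResultSize Unlimited |
    Search-Mailbox -SearchQuery $query `
                   -TargetMailbox 'discovery@contoso.example' `
                   -TargetFolder 'Phish-dryrun' `
                   -LogOnly -LogLevel Full

# 2. Only after reviewing the dry-run log: copy each hit into the discovery
#    mailbox (so it can be restored or examined) and remove it from the user.
Get-Mailbox -ResultSize Unlimited |
    Search-Mailbox -SearchQuery $query `
                   -TargetMailbox 'discovery@contoso.example' `
                   -TargetFolder 'Phish-purged' `
                   -DeleteContent -Confirm:$false

# 3. Audit trail: the admin audit log records who ran Search-Mailbox, when,
#    against which mailbox and with which parameters.
Search-AdminAuditLog -Cmdlets Search-Mailbox `
                     -StartDate (Get-Date).AddDays(-1) `
                     -EndDate (Get-Date) |
    Select-Object RunDate, Caller, ObjectModified, CmdletParameters
```

Two caveats a practitioner will want: Search-Mailbox returns at most 10,000 items per mailbox per run, so a large campaign may need several passes, and on a mailbox under hold the -DeleteContent removal lands the item in the Recoverable Items\Purges folder rather than destroying it, which is exactly the same compliance question the next paragraph raises for ZAP.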
That still doesn’t solve all the issues though. What happens if we have the mailbox on hold? How will this tie in with the controls we have to ensure immutability of the mailbox data, while at the same time providing increased security to the end user? Will this mean that ZAPed messages will be moved to the Purges folder of the Recoverable Items subtree, or purged completely? Even worse, what happens if a false positive is detected and ZAP ends up deleting a bunch of random messages, which the user might not even notice until it’s too late? Even if you have the mailbox on hold, and thus a copy of the message under Purges, it might end up putting the user in a bad position, as he can be falsely suspected of deliberately trying to get rid of some messages. It’s very thin ice, and I’m very curious to find out what kind of solution Microsoft has come up with with regard to the compliance aspects of ZAP.
In any case, ZAP is a great example of a feature made possible by the cloud, and will certainly be a valuable addition to the service. And no, having ZAP on doesn’t mean Microsoft will be scanning your mailbox 24/7.
Nice article, but how to add an exception in ZAP? Is there a way to add an exception for some domains?
Depends on what you mean by domains. On the receiving end, you can configure a new policy for any of your domains and toggle ZAP off. If it’s for messages sent from some domain, use transport rules to whitelist/blacklist the domain – they take precedence over ZAP. More info in the official documentation: https://docs.microsoft.com/en-us/office365/securitycompliance/zero-hour-auto-purge
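The two controls described in the reply above, expressed in Exchange Online PowerShell, as an added example that is not part of the original post or the reply. Policy, rule and domain names are constructed. The ZapEnabled parameter of the hosted content filter policy cmdlets is the name used by the Exchange Online module at the time this example was written; the article predates it, and later module versions split ZAP into separate spam and phish switches, so check Get-Help Set-HostedContentFilterPolicy in your tenant.

```powershell
# Added example (not from the article or the reply): per-domain ZAP exception
# on the receiving side, and a sender-domain bypass via a transport rule.
# Assumes an Exchange Online PowerShell session; all names are constructed.

# Receiving side: a dedicated anti-spam (content filter) policy with ZAP off,
# scoped by a filter rule to one accepted domain. Other domains keep the
# default policy, where ZAP stays enabled.
New-HostedContentFilterPolicy -Name 'NoZap-Legal' -ZapEnabled $false
New-HostedContentFilterRule -Name 'NoZap-Legal' `
    -HostedContentFilterPolicy 'NoZap-Legal' `
    -RecipientDomainIs 'legal.contoso.example'

# Verify which policies have ZAP on or off.
Get-HostedContentFilterPolicy | Select-Object Name, ZapEnabled

# Sending side: a mail flow (transport) rule that sets SCL -1 for a trusted
# sender domain, which bypasses spam filtering for that domain's mail.
New-TransportRule -Name 'Bypass spam filtering for partner.example' `
    -SenderDomainIs 'partner.example' `
    -SetSCL -1
```

Note that a SenderDomainIs match only checks the domain in the sender address, so an allow rule like this is exactly what a spoofed sender will exploit; keep the list short and pair it with SPF/DKIM/DMARC checks on the sending domain rather than using it as a general-purpose whitelist.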