
Important

The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Basic features of ZAP

In Microsoft 365 organizations with mailboxes in Exchange Online, zero-hour auto purge (ZAP) is an email protection feature that retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to Exchange Online mailboxes.

ZAP doesn't work in standalone Exchange Online Protection (EOP) environments that protect on-premises Exchange mailboxes.

How ZAP works

Spam and malware signatures are updated in the service in real time, on a daily basis. However, users can still receive malicious messages for a variety of reasons, including content that is weaponized after it has been delivered to users. ZAP addresses this issue by continually monitoring updates to the spam and malware signatures in the service, and it can find and remove messages that are already in a user's mailbox.

The ZAP action is seamless for the user; they aren't notified if a message is detected and moved.

Safe sender lists, mail flow rules (also known as transport rules), Inbox rules, and additional filters take precedence over ZAP. As in normal mail flow, this means that even if the service determines that a delivered message needs ZAP, the message is not acted on because of the safe senders configuration. This is another reason to be careful about configuring messages to bypass filtering.

Malware ZAP

For read or unread messages that are found to contain malware after delivery, ZAP quarantines the message that contains the malware attachment. Only admins can view and manage malware messages from quarantine.

Malware ZAP is enabled by default in anti-malware policies. For more information, see Configure anti-malware policies in EOP.

Phish ZAP

For read or unread messages that are identified as phishing after delivery, the ZAP outcome depends on the action that's configured for a Phishing email filtering verdict in the applicable anti-spam policy. The available filtering verdict actions for phishing and their possible ZAP outcomes are described in the following list:

  • Add X-Header, Prepend subject line with text, Redirect message to email address, Delete message: ZAP takes no action on the message.

  • Move message to Junk Email: ZAP moves the message to the Junk Email folder, as long as the junk email rule is enabled on the mailbox (it's enabled by default). For more information, see Configure junk email settings on Exchange Online mailboxes in Microsoft 365.

  • Quarantine message: ZAP quarantines the message.

By default, phish ZAP is enabled in anti-spam policies, and the default action for the Phishing email filtering verdict is Quarantine message, which means phish ZAP quarantines the message by default.

For more information about configuring spam filtering verdicts, see Configure anti-spam policies in Microsoft 365.

Spam ZAP

For unread messages that are identified as spam after delivery, the ZAP outcome depends on the action that's configured for the Spam filtering verdict in the applicable anti-spam policy. The available filtering verdict actions for spam and their possible ZAP outcomes are described in the following list:

  • Add X-Header, Prepend subject line with text, Redirect message to email address, Delete message: ZAP takes no action on the message.

  • Move message to Junk Email: ZAP moves the message to the Junk Email folder, as long as the junk email rule is enabled on the mailbox (it's enabled by default). For more information, see Configure junk email settings on Exchange Online mailboxes in Microsoft 365.

  • Quarantine message: ZAP quarantines the message. End-users can view and manage their own spam quarantined messages.


By default, spam ZAP is enabled in anti-spam policies, and the default action for the Spam filtering verdict is Move message to Junk Email folder, which means spam ZAP moves unread messages to the Junk Email folder by default.

For more information about configuring spam filtering verdicts, see Configure anti-spam policies in Microsoft 365.

ZAP considerations for Microsoft Defender for Office 365

ZAP will not quarantine any message that's in the process of Dynamic Delivery in Safe Attachments scanning, or where EOP malware filtering has already replaced the attachment with the Malware Alert Text.txt file. If a phishing or spam signal is received for these types of messages, and the filtering verdict in the anti-spam policy is set to take some action on the message (Move to Junk, Redirect, Delete, or Quarantine) then ZAP will default to a 'Move to Junk' action.

How to see if ZAP moved your message

To determine if ZAP moved your message, you can use either the Threat Protection Status report or Threat Explorer (and real-time detections). Note that as a system action, ZAP is not logged in the Exchange mailbox audit logs.

ZAP FAQ

What happens if a legitimate message is moved to the Junk Email folder?

You should follow the normal reporting process for false positives. The only reason the message would be moved from the Inbox to the Junk Email folder would be because the service has determined that the message was spam or malicious.

What if I use the Quarantine folder instead of the Junk Mail folder?

ZAP will take action on a message based on the configuration of your anti-spam policies, as described earlier in this article.

What if I'm using safe senders, mail flow rules, or allowed/blocked sender lists?

Safe senders, mail flow rules, or block and allow organizational settings take precedence. These messages are excluded from ZAP since the service is doing what you configured it to do. This is another reason to be careful about configuring messages to bypass filtering.

What are the licensing requirements for ZAP to work?

There are no limitations on licenses. ZAP works on all mailboxes hosted on Exchange Online. ZAP doesn't work in standalone Exchange Online Protection (EOP) environments that protect on-premises Exchange mailboxes.

What if a message is moved to another folder (e.g. Inbox rules)?

ZAP still works as long as the message has not been deleted, and as long as the same or a stronger action has not already been applied. For example, if the anti-phishing policy is set to quarantine and the message is already in the Junk Email folder, then ZAP will take action to quarantine the message.

How does ZAP affect mailboxes on hold?


ZAP won't quarantine messages from mailboxes on hold. ZAP can move messages to the Junk Email folder based on the action that's configured for a spam or phishing verdict in anti-spam policies.

For more information about holds in Exchange Online, see In-Place Hold and Litigation Hold in Exchange Online.
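The rules above (verdict actions, read state, junk email rule, holds, Safe Attachments Dynamic Delivery, and the "same or stronger action already applied" check from the FAQ) can be combined into one decision function. This is an added example, not Microsoft code; it encodes only what this article states, so a responder can check whether ZAP should have acted on a given message.

```python
"""Expected zero-hour auto purge (ZAP) outcome for a delivered message.
Added example (not Microsoft code) encoding only the rules stated on this page,
so a responder can check whether ZAP should have acted on a given message."""
from dataclasses import dataclass

# ZAP skips a message if the same or a stronger action was already applied.
STRENGTH = {"none": 0, "junk": 1, "quarantine": 2}
# Policy verdict actions for which ZAP takes no action at all.
NO_OP_ACTIONS = {"Add X-Header", "Prepend subject line with text",
                 "Redirect message to email address", "Delete message"}
# Actions that count as "take some action" for messages in Safe Attachments
# Dynamic Delivery or with an EOP-replaced attachment: ZAP then moves to Junk.
ACTIVE_ACTIONS = {"Move message to Junk Email", "Redirect message to email address",
                  "Delete message", "Quarantine message"}


@dataclass
class Message:
    verdict: str                 # post-delivery signal: "malware", "phish" or "spam"
    policy_action: str           # action configured for that verdict in the policy
    read: bool = False
    current_state: str = "none"  # "none", "junk", "quarantine" or "deleted"
    bypassed_filtering: bool = False   # safe sender, mail flow rule or allow list hit
    junk_rule_enabled: bool = True     # mailbox junk email rule (enabled by default)
    on_hold: bool = False              # In-Place Hold or Litigation Hold
    dynamic_delivery_or_replaced: bool = False  # see ACTIVE_ACTIONS above


def zap_outcome(m: Message) -> str:
    """Return "quarantine", "junk" or "none"."""
    if m.bypassed_filtering or m.current_state == "deleted":
        return "none"            # your allow configuration wins; deleted is final
    if m.verdict == "malware":
        desired = "quarantine"   # malware ZAP quarantines read and unread messages
    else:
        if m.verdict == "spam" and m.read:
            return "none"        # spam ZAP acts on unread messages only
        if m.dynamic_delivery_or_replaced:
            desired = "junk" if m.policy_action in ACTIVE_ACTIONS else "none"
        elif m.policy_action in NO_OP_ACTIONS:
            desired = "none"
        elif m.policy_action == "Move message to Junk Email":
            desired = "junk" if m.junk_rule_enabled else "none"
        elif m.policy_action == "Quarantine message":
            desired = "quarantine"
        else:
            raise ValueError(f"unknown policy action: {m.policy_action!r}")
    if desired == "quarantine" and m.on_hold:
        return "none"            # ZAP never quarantines from a mailbox on hold
    if STRENGTH[desired] <= STRENGTH[m.current_state]:
        return "none"            # same or stronger action already applied
    return desired
```

A result of "none" together with a Threat Explorer entry showing the message as malicious is the situation the FAQ describes for allow lists and holds, not a ZAP failure.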

A .ZAP file (Zero Administration Package) is a text file which allows the publishing of an application to a user on a Microsoft Windows system (Windows 2000, XP Professional, Windows Vista, or Windows 7 Professional), for applications for which a .MSI file does not exist.[1] It is used in Active Directory domains and is installed using Group Policy.

A basic .ZAP file

A .ZAP file can be as simple or as complicated as the System Administrator wishes to make it. There are only two required fields in a .ZAP file, an Application Name (called a Friendly Name) and a Setup Command line. Other information is optional.

The .ZAP file begins with a title line consisting of the word Application inside single square brackets ([ ]). Underneath this come the entry fields, the two required fields being FriendlyName = 'Name' and SetupCommand = '\\Server\share\setupfile'. You can also add optional entries, such as DisplayVersion = and Publisher =. Note that DisplayVersion and Publisher do not require quotation marks around the values.


Below is a very simple example of a .ZAP file.
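The following is an added example, not the article's own file: a constructed .ZAP file with the [Application] title line, the two required entries and the two optional ones described above, plus a small parser that checks the required entries and extracts the setup share path (the share name \\fileserver\apps\tool is hypothetical).

```python
"""Parse and validate a .ZAP (Zero Administration Package) file.
Added example, not from the article: it checks the [Application] title line,
the two required entries, and extracts the setup share path for access checks."""
import configparser

# Constructed sample; the share \\fileserver\apps\tool is hypothetical.
SAMPLE_ZAP = r"""[Application]
FriendlyName = "Example Tool 1.0"
SetupCommand = "\\fileserver\apps\tool\setup.exe" /quiet
DisplayVersion = 1.0
Publisher = Example Corp
"""

REQUIRED = ("FriendlyName", "SetupCommand")


def parse_zap(text: str) -> dict:
    """Return the [Application] entries as a dict; raise ValueError if invalid."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str          # keep entry names exactly as written
    cp.read_string(text)
    if "Application" not in cp:
        raise ValueError("missing [Application] title line")
    entries = dict(cp["Application"])
    missing = [k for k in REQUIRED if k not in entries]
    if missing:
        raise ValueError(f"missing required entries: {missing}")
    return entries


def setup_share(entries: dict) -> str:
    """Return the UNC path of the setup program named in SetupCommand.

    Users need read access to this location (and to the .ZAP file's share)
    or the published application will not install, so it is worth checking.
    """
    cmd = entries["SetupCommand"].strip()
    if cmd.startswith('"'):       # quoted path, possibly followed by switches
        path = cmd[1:cmd.index('"', 1)]
    else:
        path = cmd.split()[0]
    if not path.startswith("\\\\"):
        raise ValueError("SetupCommand does not point at a UNC share: " + path)
    return path
```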

Restrictions to a .ZAP file


The .ZAP file is more restricted than a .MSI file in that it cannot be rolled back if the application fails to install correctly, cannot use elevated privileges to install itself (i.e. the User needs to have the rights to install the software - usually given by Group Policy) and cannot install on first use, or install a separate feature on first use.

Many .ZAP Files require user intervention. This can be overcome if the Systems Administrator creates a Batch file and runs a quiet or silent install from a Batch File command. However, running an Executable file (such as setup.exe) often bypasses quiet, passive or silent installation switches, even if specified in the SetupCommand.

In addition, .ZAP files are not run automatically prior to, or during, a user logon. Instead, the user must open Add/Remove Programs from within the Windows Control Panel, select Add New Programs and select the installation from there. The user must have access to the location where the .ZAP file is located and to the location of the setup files (if these locations are different), otherwise they will not be able to install the application.

.ZAP Files cannot be Assigned to Computers and must be published to Users. Therefore when a User moves to another computer (even only temporarily) they can install this application on that machine whether the program should be there or not.

Finally, .ZAP Files do not automatically uninstall when a User no longer requires the software. Instead, the software remains installed on the machine permanently, unlike a .MSI installation which can be set to uninstall when the Computer is removed from the relevant OU.


Publishing a .ZAP file

After creating a .ZAP file and placing it in an accessible share - usually creating an Active Directory Group with access to this location - the Systems Administrator needs to create a Group Policy Object, open the editing screen, select User Configuration, Software Settings and Software Installation and create a New Package to the location of the .ZAP file. Since GPOs default to .MSI, the System Admin needs to ensure that they search for .ZAP files, instead of .MSI files.

Accepting the new package and assigning the GPO to the relevant Organizational Unit (OU) will publish the application. The user(s) will then need to reload the group policy from the server which manages GPO. This can be done either through logging off and then on again, or by running 'gpupdate' through a command line.
