Microsoft Defender for Office 365: ZAP expands cleanup to Deleted Items

Message ID: MC1323263
Services: Exchange Online, Microsoft Defender XDR
Category: Stay Informed
Tags: Feature update, User impact, Admin impact
Rollout: June 2026, July 2026

Summary

Zero-hour Auto Purge (ZAP) in Microsoft Defender for Office 365 will now scan and remediate malicious emails in users' Deleted Items folders, enhancing post-delivery protection without new policies. Rollout starts June 2026, affecting all tenants with ZAP enabled, with no user experience changes or required actions.

Details

[What and Why:]

We are extending Zero-hour Auto Purge (ZAP) in Microsoft Defender for Office 365 to scan and remediate malicious messages located in users’ Deleted Items folders. This enhancement strengthens post-delivery protection by ensuring phishing, spam, and malware messages are removed even after a user deletes or reports them, improving overall tenant security without introducing new policies or configuration.

[Rollout Schedule:]

  • General Availability (Worldwide, GCC, GCC High, DoD): We will begin rolling out in early June 2026 and expect to complete by late July 2026.

[Impact on Your Organization:]

Who is affected:

  • All tenants using Exchange Online Protection or Microsoft Defender for Office 365 Plan 1 or Plan 2 with ZAP enabled

Platforms/Services:

  • Exchange Online
  • Microsoft Defender for Office 365
  • Outlook (desktop, web, mobile)

What will happen:

  • ZAP will retroactively scan and take action on malicious messages found in the Deleted Items folder within the ZAP detection window.
  • This includes messages that were:
    • Reported by users as phishing
    • Automatically moved after accepting calendar invitations
    • Manually deleted by users
  • Messages identified as malicious will follow existing policy actions (for example, move to Junk, quarantine).
  • No new policies, actions, or configuration settings are introduced.
  • Admins will see additional ZAP activity in existing reports and alerts.
  • A new SourceLocation column will be added to the EmailPostDeliveryEvents table in Advanced Hunting to indicate the originating folder (for example, DeletedItems).
  • User experience remains unchanged.
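
An added example, not part of the Microsoft announcement: an Advanced Hunting query a SOC could use to break down ZAP activity by originating folder and by how long messages sat in the mailbox before remediation. It assumes ZAP actions are recorded with an ActionType containing "ZAP" and uses a 30-day lookback; `column_ifexists` keeps the query valid in tenants where SourceLocation has not rolled out yet.

```kusto
// Added example: ZAP actions grouped by the folder the message was in.
// Assumptions: ActionType contains "ZAP" for ZAP remediations; 30-day lookback.
let lookback = 30d;
EmailPostDeliveryEvents
| where Timestamp > ago(lookback)
| where ActionType has "ZAP"
// SourceLocation is the new column from this announcement. Fall back to an
// empty string so the query still runs before the column reaches the tenant.
| extend SourceFolder = tostring(column_ifexists("SourceLocation", ""))
| extend SourceFolder = iff(isempty(SourceFolder), "(not populated)", SourceFolder)
// Pull the original delivery time to measure time-to-remediation.
| join kind=leftouter (
    EmailEvents
    | where Timestamp > ago(lookback)
    | project NetworkMessageId, RecipientEmailAddress, DeliveredAt = Timestamp
  ) on NetworkMessageId, RecipientEmailAddress
| extend DwellHours = datetime_diff('minute', Timestamp, DeliveredAt) / 60.0
| summarize
    Events           = count(),
    Messages         = dcount(NetworkMessageId),
    Recipients       = dcount(RecipientEmailAddress),
    MedianDwellHours = percentile(DwellHours, 50)
    by SourceFolder, ActionType, ActionResult
| order by SourceFolder asc, Events desc
```

Rows where SourceFolder shows the Deleted Items value (DeletedItems in the announcement's example) represent the additional ZAP activity introduced by this change.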

[Action Required / Recommendations:]

No action is required.

This change is enabled by default and respects your existing anti‑spam, anti‑phishing, and anti‑malware policies.

Recommended actions for admins:

  • Review existing ZAP-related reporting in Mail flow status and Threat Explorer to help your Security Operations Center (SOC) become familiar with the additional activity.
  • Update internal security documentation or helpdesk guidance to note that Deleted Items are now included in ZAP remediation.

Learn more: Zero-hour auto purge (ZAP) in Microsoft Defender for Office 365 | Microsoft Learn

[Compliance Considerations:]

Compliance Question | Explanation
Does the change alter how existing customer data is processed, stored, or accessed? | ZAP will now process and take action on emails located in the Deleted Items folder.
Does the change alter how admins can monitor, report on, or demonstrate compliance activities? | Additional ZAP actions will appear in existing reports, and a new SourceLocation field is added to Advanced Hunting to improve auditability and investigation accuracy.
