SC-200 | Chapter 55 of 101 | Objective 1.3

Safe Attachments and ZAP in Defender

This chapter covers two critical Microsoft Defender for Office 365 technologies: Safe Attachments and Zero-Hour Auto Purge (ZAP). Safe Attachments prevents malicious attachments from ever reaching users by detonating them in a sandbox, while ZAP retroactively removes messages that are discovered to be malicious after delivery. For the SC-200 exam, questions on these topics appear in approximately 15-20% of exam questions, especially in the Defender XDR domain (Objective 1.3). Understanding their mechanisms, configuration, and interaction with other threat protection features is essential for both the exam and real-world security operations.

25 min read
Intermediate
Updated May 31, 2026

Mailroom Quarantine and Recall System

Imagine a corporate mailroom that processes all incoming packages. The mailroom has two layers of protection. First, a scanning station (Safe Attachments) that opens every package in a sealed glass chamber before delivery. If the package contains a ticking bomb, the chamber detonates safely, and the mailroom logs the incident and alerts security. The package never reaches the recipient. Second, a recall system (ZAP) that works after delivery. Suppose a package was mislabeled as 'safe' and delivered, but later the mailroom receives an intelligence update that the package actually contains a slow-acting poison. The recall system sends a courier to every recipient to retrieve the package, replacing it with a harmless substitute (a quarantine message). The recall is automatic and happens within minutes. The mailroom also logs every recall for audit. Without these systems, dangerous packages would be delivered, and once opened, the damage is done. Safe Attachments prevents delivery; ZAP undoes delivery after the fact. Both rely on real-time threat intelligence feeds (like the mailroom's watchlist) and can be customized with policies (e.g., 'always scan attachments from external senders' or 'never recall packages from the CEO').

How It Actually Works

What Safe Attachments Is and Why It Exists

Safe Attachments is a feature of Microsoft Defender for Office 365 that provides time-of-delivery protection against unknown malware in email attachments. Traditional antivirus relies on signature-based detection, which fails against zero-day malware. Safe Attachments uses a detonation chamber—a virtualized sandbox environment—to open and analyze attachments in real time before they reach the user's inbox. If the attachment exhibits malicious behavior, it is blocked, and the email is either quarantined or the attachment is replaced with a warning placeholder.

The feature exists because modern malware often uses polymorphic code, encryption, or delayed execution to evade signature-based scanners. By executing the attachment in a safe environment, Defender can observe its behavior (e.g., writing to disk, spawning processes, making network connections) and determine malicious intent.

How Safe Attachments Works Internally

When an email with an attachment arrives at Microsoft 365, the following sequence occurs:

1. Message Routing: The email is received by Exchange Online Protection (EOP). EOP performs initial checks: sender reputation, IP allow/block lists, and signature-based antivirus scanning. If the email passes these checks, it is handed to Safe Attachments if a policy applies.

2. Policy Evaluation: Safe Attachments policies (defined in the Microsoft 365 Defender portal) determine which messages are subject to detonation. Policies can be scoped by recipient domain, sender domain, or specific users/groups. The policy also defines the action: Block, Replace, Dynamic Delivery, or Allow (with caveats).

3. Detonation in Sandbox: The attachment is extracted and sent to a detonation cluster. The sandbox is a full Windows 10 environment with common applications (Office, PDF reader, etc.). The attachment is opened, and the sandbox monitors system calls, network traffic, file system changes, and registry modifications. The detonation typically takes about 2-3 minutes, but can be as short as 30 seconds for simple files. The sandbox uses machine learning models to detect malicious behavior in real time.

4. Verdict and Action: The detonation produces a verdict: Malicious, Suspicious, or Clean. Depending on the policy action:
   - Block: The email is quarantined before delivery. The user never sees it.
   - Replace: The email is delivered, but the attachment is replaced with a file called "Malware Alert Text.txt" that warns the user. The original attachment is held for investigation.
   - Dynamic Delivery: The email body is delivered immediately, but the attachment is held until the detonation completes. Once the verdict is clean, the attachment is made available. This avoids delays for time-sensitive messages.
   - Allow: The email is delivered immediately, and detonation happens in the background. If the attachment is later found malicious, ZAP may take action.

5. Logging and Alerts: Results are logged in Threat Explorer, and alerts can be configured for malicious detonations.

Key Components, Values, Defaults, and Timers

Detonation Timeout: Default is 2 minutes. If the sandbox analysis takes longer, the policy action is applied based on the configured timeout action (usually "Block" or "Replace").

File Types Detonated: By default, Safe Attachments detonates common executable and document types: .exe, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, .zip, .rar, etc. Administrators can extend the list via custom file type settings.

Max Attachment Size: 10 MB per attachment. Larger attachments are skipped and delivered (or handled by other filters).

Dynamic Delivery: This is the recommended action for most users because it balances security with user experience. It requires that the recipient's mailbox is hosted in Exchange Online (not on-premises).

Policy Priority: Policies are processed in order of priority (highest priority first). The first matching policy is applied.

Configuration and Verification Commands

Safe Attachments policies are configured in the Microsoft 365 Defender portal at Email & collaboration > Policies & rules > Threat policies > Safe Attachments. You can also use PowerShell via Exchange Online PowerShell:

```powershell
# Create a new Safe Attachments policy that quarantines messages with malicious
# attachments and redirects a copy of each blocked message to an admin mailbox
New-SafeAttachmentPolicy -Name "BlockExecutables" -Enable $true -Action Block -Redirect $true -RedirectAddress admin@contoso.com

# Create a rule to apply the policy to all recipients in the tenant domain
# (the rule binds to the policy via -SafeAttachmentPolicy, not -Policy)
New-SafeAttachmentRule -Name "BlockExecutables Rule" -SafeAttachmentPolicy "BlockExecutables" -RecipientDomainIs contoso.com

# View existing policies and their configured action
Get-SafeAttachmentPolicy | Format-List Name, Action, Enable

# Check detonation results in Threat Explorer
Get-ThreatSubmission -SubmittedBy Microsoft -ThreatType Malware -Days 7
```

Zero-Hour Auto Purge (ZAP)

ZAP is a retroactive protection feature that automatically moves messages discovered to be malicious or phishing after delivery. It works by scanning messages that have already been delivered to user mailboxes and, if a threat is confirmed, moving the message to the Junk Email folder (for spam) or Quarantine (for malware/phishing).

How ZAP Works

1. Threat Intelligence Update: Microsoft's threat intelligence systems (including Safe Attachments detonations, machine learning, and human analysts) identify a new malware variant or phishing campaign.

2. Retroactive Scan: ZAP scans messages already delivered within the last 30 days. It checks the message's attachment hash, URL reputation, and other indicators.

3. Action: If a match is found, ZAP moves the message to quarantine (for malware/phishing) or Junk Email (for spam). The user receives a notification if configured.

4. Timing: ZAP typically takes effect within 2-3 minutes of the threat being identified, but can take up to 30 minutes for large volumes.

Configuration

ZAP is enabled by default for malware and phishing. You can disable it or configure exceptions via policies in the Microsoft 365 Defender portal under Email & collaboration > Policies & rules > Threat policies > Anti-spam policies.

Key Points for Exam

ZAP does not work on messages that are already in the user's Junk Email folder (they are already there).

ZAP does not work on encrypted messages or messages from internal senders (by default).

ZAP can be configured to apply to phishing (including impersonation), malware, and spam.

ZAP uses the same threat signals as Safe Attachments and other Defender features.

ZAP actions are logged in Threat Explorer and can be viewed via the ZAP filter.

Interaction with Related Technologies

Safe Attachments and ZAP work closely with:

- Safe Links: Protects URLs in emails and Office documents. Safe Links checks URLs at time of click.
- Anti-Phishing Policies: Protects against impersonation attacks.
- Anti-Spam Policies: Filters bulk and spam messages.
- Quarantine: Both features can send messages to quarantine for manual review.
- Threat Explorer: Centralized investigation tool for all threats.

For example, if Safe Attachments detonates an attachment and finds it malicious, the email is blocked. However, if the email was delivered before the detonation (e.g., due to a delay), ZAP can retroactively remove it. Similarly, if a URL in an email is later found malicious by Safe Links, ZAP can move the email to quarantine.

Common Exam Traps

Safe Attachments vs. Safe Links: Safe Attachments is for attachments; Safe Links is for URLs. They are separate features but often tested together.

Dynamic Delivery: Candidates often confuse this with "Replace." Dynamic Delivery delivers the email body first and holds the attachment; Replace delivers a warning file instead of the attachment.

ZAP and MFA: ZAP does not require MFA; it's a server-side action.

ZAP Time Window: ZAP can retroactively act on messages up to 30 days old.

Safe Attachments for SharePoint/OneDrive/Teams: Safe Attachments also protects files in SharePoint, OneDrive, and Teams by scanning files at rest and at download. This is a separate configuration.

Walk-Through

1. Email Received by EOP

An email with an attachment arrives at Exchange Online Protection (EOP). EOP performs initial checks: connection filtering (IP reputation), sender filtering (allow/block lists), and signature-based antivirus. If the email fails these checks, it is rejected or quarantined. If it passes, it proceeds to Safe Attachments policy evaluation.

2. Safe Attachments Policy Matched

The system evaluates Safe Attachments policies in priority order. The first policy that matches the recipient (by domain, user, or group) is applied. The policy defines the action (Block, Replace, Dynamic Delivery, or Allow). If no policy matches, the email is delivered without detonation.

3. Attachment Detonation in Sandbox

The attachment is extracted and sent to a detonation cluster. A full Windows 10 sandbox environment opens the attachment using the associated application (e.g., Word for .docx). The sandbox monitors all system calls, network connections, file writes, and process creations for suspicious behavior. The detonation typically takes 2-3 minutes.

4. Verdict and Action Applied

After detonation, a verdict is returned: Malicious, Suspicious, or Clean. Based on the policy action, the email is either blocked (quarantined), delivered with a replacement attachment, delivered with the attachment held (Dynamic Delivery), or delivered immediately (Allow). If the detonation times out, the configured timeout action is applied.

5. ZAP Retroactive Scan and Action

After delivery, if new threat intelligence identifies the attachment as malicious, ZAP scans messages delivered in the last 30 days. It matches the attachment hash or other indicators. If a match is found, ZAP moves the message to quarantine (malware/phishing) or Junk Email (spam). This happens automatically within minutes of the threat being identified.

What This Looks Like on the Job

Enterprise Scenario 1: Blocking Zero-Day Malware in a Financial Institution

A large bank uses Microsoft 365 with Defender for Office 365. The security team configures Safe Attachments with the "Block" action for all external emails. An employee receives an email with an invoice PDF that contains a zero-day exploit. The PDF is detonated in the sandbox, where it attempts to download a payload from a malicious domain. The sandbox flags it as malicious, and the email is quarantined before any user sees it. The security team receives an alert and investigates in Threat Explorer, finding that the same attachment was sent to 50 other users. They use the ZAP feature to ensure no copies exist (none were delivered due to blocking). The bank's policy also enables Dynamic Delivery for internal senders to avoid delays for legitimate attachments.

Enterprise Scenario 2: Phishing Campaign with Delayed Malware

A marketing firm receives a phishing email with a malicious macro-enabled Word document. The attachment passes initial antivirus and Safe Attachments detonation because the macro is obfuscated and only triggers after 24 hours. The email is delivered with the attachment (Allow action). The next day, Microsoft's threat intelligence updates recognize the macro's behavior as malicious. ZAP scans the user's mailbox and finds the delivered email. It moves the email to quarantine and notifies the user. The security team investigates and finds that the attachment had a low reputation score. They adjust the Safe Attachments policy to use "Dynamic Delivery" for all external emails, which would have held the attachment until detonation completed (even if delayed).

Common Misconfigurations and Pitfalls

Disabling ZAP: Some organizations disable ZAP thinking it causes false positives. This leaves users exposed to retroactive threats. Best practice is to enable ZAP for malware and phishing, and configure exceptions only for specific internal senders.

Incorrect Policy Priority: If a low-priority policy with "Allow" action is matched before a high-priority "Block" policy, malicious attachments may be delivered. Always order policies from most restrictive to least restrictive.

Not Using Dynamic Delivery: Many admins choose "Replace" because it seems safer, but this breaks legitimate attachments for users. Dynamic Delivery provides a better user experience while maintaining security.

Large Attachment Size: Attachments over 10 MB are skipped. Admins should use other methods (e.g., file upload portals) for large files.
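As an added example (not from the original chapter), the following PowerShell check covers the first two pitfalls above: it lists Safe Attachments rules in evaluation order joined to their policies, warns where an Allow policy is evaluated ahead of a stricter one, and confirms ZAP is still enabled in the anti-spam and anti-malware policies. It assumes an existing Connect-ExchangeOnline session with rights to read threat policies; the warning logic and table layout are my own, not a Microsoft tool.

```powershell
# Added example: audit Safe Attachments rule order and ZAP state.
# Assumes Connect-ExchangeOnline has already been run in this session.

# Index policies by name so each rule can be joined to its effective action
$policies = @{}
Get-SafeAttachmentPolicy | ForEach-Object { $policies[$_.Name] = $_ }

# Rules are evaluated lowest Priority value first; the first match wins
$rules = Get-SafeAttachmentRule | Sort-Object Priority

$rows = @()
$allowSeen = $false
foreach ($rule in $rules) {
    $pol = $policies[$rule.SafeAttachmentPolicy]
    $rows += [pscustomobject]@{
        Priority   = $rule.Priority
        Rule       = $rule.Name
        State      = $rule.State
        Policy     = $pol.Name
        Action     = $pol.Action      # Allow, Block, Replace, DynamicDelivery
        Enabled    = $pol.Enable
        Recipients = ($rule.RecipientDomainIs -join ',')
    }

    # Priority pitfall: an Allow rule above a stricter rule means recipients
    # matched by the Allow rule never reach the Block/Replace/DynamicDelivery one
    if ($pol.Action -eq 'Allow') {
        $allowSeen = $true
    }
    elseif ($allowSeen -and $pol.Action -in 'Block', 'Replace', 'DynamicDelivery') {
        Write-Warning ("Rule '{0}' ({1}) is evaluated after an Allow rule; " +
                       "review priorities so restrictive rules come first.") -f $rule.Name, $pol.Action
    }
}
$rows | Format-Table -AutoSize

# ZAP pitfall: confirm ZAP has not been switched off in the anti-spam
# (hosted content filter) or anti-malware policies
Get-HostedContentFilterPolicy | Select-Object Name, PhishZapEnabled, SpamZapEnabled
Get-MalwareFilterPolicy      | Select-Object Name, ZapEnabled
```

Any policy showing a ZAP flag of False, or any warning from the rule loop, is a finding to review against the chapter's guidance (enable ZAP for malware and phishing; order rules most restrictive first).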

Performance Considerations

Safe Attachments detonation introduces latency of 2-3 minutes per email. For high-volume environments, this can cause mail flow delays. Dynamic Delivery mitigates this by delivering the email body immediately. The detonation cluster scales automatically based on load. ZAP has minimal performance impact as it runs as a background process.

How SC-200 Actually Tests This

SC-200 Exam Focus: Safe Attachments and ZAP

Objective Code: Domain 1 (Defender XDR) – Objective 1.3: Configure and manage Microsoft Defender for Office 365. Specifically, subtopics: "Configure Safe Attachments policies" and "Manage Zero-Hour Auto Purge."

Common Wrong Answers and Why Candidates Choose Them:

1. "Safe Attachments scans all email attachments using signature-based antivirus." – Wrong. Safe Attachments uses detonation (sandbox), not signatures. Candidates confuse it with EOP's built-in antivirus.

2. "ZAP can remove messages from a user's mailbox even if they have already read the email." – True, but candidates often think ZAP only works on unread messages. ZAP works on any delivered message (read or unread) within the 30-day window.

3. "Dynamic Delivery replaces the attachment with a warning file." – Wrong. That's the "Replace" action. Dynamic Delivery holds the attachment and delivers the body.

4. "Safe Attachments protects against malicious URLs in emails." – Wrong. That's Safe Links. Candidates mix up the two features.

Specific Numbers and Terms That Appear on the Exam:

Default detonation timeout: 2 minutes.

Maximum attachment size for Safe Attachments: 10 MB.

ZAP retroactive window: 30 days.

ZAP actions: Move to Junk Email (spam) or Quarantine (malware/phishing).

Safe Attachments policy actions: Block, Replace, Dynamic Delivery, Allow.

Edge Cases and Exceptions:

Safe Attachments does not detonate attachments that are encrypted or password-protected (they are skipped and delivered based on policy).

ZAP does not apply to messages in the user's Junk Email folder (they are already there).

ZAP does not apply to messages from internal senders by default (can be configured via policy).

Safe Attachments for SharePoint/OneDrive/Teams uses a different scanning mechanism (file at rest scanning, not detonation).

How to Eliminate Wrong Answers:

If the question mentions "sandbox" or "detonation," it's Safe Attachments.

If the question mentions "retroactive" or "after delivery," it's ZAP.

If the question mentions "replaces attachment with a warning," it's the Replace action.

If the question mentions "delivers email body first," it's Dynamic Delivery.

If the question mentions "URL scanning at time of click," it's Safe Links.

Key Takeaways

Safe Attachments detonates attachments in a sandbox; it does not use signature-based detection.

Default detonation timeout is 2 minutes; attachments over 10 MB are skipped.

Dynamic Delivery delivers email body immediately and holds the attachment until verdict.

ZAP retroactively moves malicious/phishing messages to quarantine (30-day window).

ZAP does not work on messages already in Junk Email folder or from internal senders by default.

Safe Attachments and ZAP are configured in Microsoft 365 Defender portal under Threat policies.

Common exam trap: Confusing Safe Attachments (attachments) with Safe Links (URLs).

ZAP actions are logged in Threat Explorer; use the ZAP filter to view them.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Safe Attachments

Scans email attachments via detonation in a sandbox.

Applies at time of delivery (before user sees the email).

Actions: Block, Replace, Dynamic Delivery, Allow.

Protects against malware in attachments (.exe, .doc, .pdf, etc.).

Can also protect files in SharePoint, OneDrive, and Teams.

Safe Links

Scans URLs in emails and Office documents.

Applies at time of click (when user clicks the link).

Actions: Block, Replace (rewrite URL), Allow.

Protects against phishing and malware URLs.

Integrates with Microsoft Defender for Endpoint for blocking malicious IPs.

Watch Out for These

Mistake

Safe Attachments uses signature-based antivirus to detect malware.

Correct

Safe Attachments uses detonation in a sandbox (behavioral analysis), not signature matching. Signature-based scanning is done earlier in the mail flow by EOP.

Mistake

ZAP can only remove unread messages from a user's mailbox.

Correct

ZAP can remove any delivered message (read or unread) within the 30-day retroactive window. It moves the message to quarantine or Junk Email regardless of read status.

Mistake

Dynamic Delivery delivers the email with a replacement attachment.

Correct

Dynamic Delivery delivers the email body immediately but holds the attachment until detonation completes. The 'Replace' action delivers a warning file instead of the attachment.

Mistake

Safe Attachments protects against malicious URLs in emails.

Correct

Safe Attachments only handles attachments. Malicious URLs are protected by Safe Links, which scans URLs at time of click.

Mistake

ZAP works on all messages regardless of sender type.

Correct

By default, ZAP does not apply to messages from internal senders. This can be configured via policy, but the default is external only.


Frequently Asked Questions

What is the difference between Safe Attachments and ZAP?

Safe Attachments prevents malicious attachments from reaching users by detonating them in a sandbox before delivery. ZAP retroactively removes messages that are discovered to be malicious after delivery. Safe Attachments is proactive (pre-delivery), ZAP is reactive (post-delivery). Both work together to provide layered protection.

Does Safe Attachments work with on-premises Exchange?

Safe Attachments is a cloud-based feature that requires Exchange Online. If you have a hybrid deployment, only mailboxes hosted in Exchange Online are protected. On-premises mailboxes can be protected by routing mail through Exchange Online Protection (EOP) first.

Can ZAP recover a message that was deleted by the user?

ZAP moves messages to quarantine or Junk Email folder. If a user has already deleted the message, ZAP cannot recover it because the message no longer exists in the mailbox. However, the message may still be recoverable from the Deleted Items folder (if not purged) and then ZAP can act on it.

What happens if Safe Attachments detonation times out?

If the detonation takes longer than the timeout (default 2 minutes), the policy's timeout action is applied. By default, this is 'Block' (quarantine). Administrators can configure a different timeout action in the policy settings.

How do I view ZAP actions in Threat Explorer?

In Threat Explorer, you can filter by 'ZAP' in the delivery action column. Alternatively, use the 'Zero-hour auto purge' filter under 'Threat type'. To confirm ZAP is enabled from PowerShell, inspect the anti-spam policy that controls it: `Get-HostedContentFilterPolicy | Format-List Name, PhishZapEnabled, SpamZapEnabled`.

Does Safe Attachments scan attachments in SharePoint Online?

Yes, Safe Attachments for SharePoint, OneDrive, and Microsoft Teams scans files at rest and at download. It uses a different mechanism than email Safe Attachments (file scanning, not detonation). It is enabled separately in the Safe Attachments settings.

Can I exclude certain users from ZAP?

Yes, you can create exceptions in the anti-spam policy that controls ZAP. For example, you can exclude specific users or domains from ZAP actions. This is configured in the 'Zero-hour auto purge' section of the anti-spam policy.
