CIS.M365.2.4.4 - (L1) Ensure Zero-hour auto purge for Microsoft Teams is on (Only Checks ZAP is enabled)
Overview
2.4.4 (L1) Ensure Zero-hour auto purge for Microsoft Teams is on
Zero-hour auto purge (ZAP) is a protection feature that retroactively detects and neutralizes malware and high confidence phishing. When ZAP for Teams protection blocks a message, the message is blocked for everyone in the chat. The initial block happens right after delivery, but ZAP occurs up to 48 hours after delivery.
Rationale
ZAP is intended to protect users who have received zero-day malware messages, or content that is weaponized after being delivered to users. It does this by continually monitoring spam and malware signatures and taking automated retroactive action on messages that have already been delivered.
Impact
As with any anti-malware or anti-phishing product, false positives may occur.
Remediation action:
To enable Zero-hour auto purge for Microsoft Teams:
- Navigate to Microsoft 365 Defender
- Click to expand System, then select Settings > Email & collaboration > Microsoft Teams protection.
- Set Zero-hour auto purge (ZAP) to On (Default).
PowerShell
- Connect to Exchange Online using `Connect-ExchangeOnline`.
- Run the following cmdlet:

```powershell
Set-TeamsProtectionPolicy -Identity "Teams Protection Policy" -ZapEnabled $true
```
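The audit side of this control, as an added example that is not Maester's own `Test-MtCisZAP` implementation: read the tenant's Teams protection policy, report whether `ZapEnabled` is set, and optionally apply the remediation above when it is not. It assumes a current ExchangeOnlineManagement module that ships `Get-TeamsProtectionPolicy` and `Set-TeamsProtectionPolicy`, and an account permitted to connect to Exchange Online; the function name `Test-TeamsZapEnabled` and the `-Remediate` switch are this example's own.

```powershell
# Added example (not Maester's Test-MtCisZAP): audit the Teams protection policy
# for Zero-hour auto purge and optionally remediate a non-compliant tenant.
# Assumes the ExchangeOnlineManagement module is installed and the caller can
# connect to Exchange Online.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

function Test-TeamsZapEnabled {
    [CmdletBinding()]
    param(
        # When set, turn ZAP on if the audit finds it disabled (hypothetical switch).
        [switch]$Remediate
    )

    # A tenant has one Teams protection policy; the page's remediation targets it
    # by its default name "Teams Protection Policy".
    $policy = Get-TeamsProtectionPolicy
    if (-not $policy) {
        Write-Warning 'No Teams protection policy returned; the tenant may not be licensed for Teams protection.'
        return $null
    }

    $result = [pscustomobject]@{
        Policy     = $policy.Identity
        ZapEnabled = [bool]$policy.ZapEnabled
        Compliant  = [bool]$policy.ZapEnabled
        Action     = 'None'
    }

    if (-not $result.Compliant -and $Remediate) {
        # Same cmdlet as the remediation step on this page.
        Set-TeamsProtectionPolicy -Identity $policy.Identity -ZapEnabled $true
        $result.ZapEnabled = [bool](Get-TeamsProtectionPolicy).ZapEnabled
        $result.Compliant  = $result.ZapEnabled
        $result.Action     = 'ZAP enabled'
    }
    elseif (-not $result.Compliant) {
        $result.Action = 'Run with -Remediate or apply the remediation steps above'
    }

    return $result
}

# Report only; add -Remediate to enable ZAP when the audit finds it off.
Test-TeamsZapEnabled | Format-Table -AutoSize
```

The function returns an object rather than printing, so the same check can feed a scheduled compliance report or be compared against the Maester test result; the default call changes nothing in the tenant, and remediation is an explicit opt-in.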
Related links
- Microsoft 365 Admin Center
- Zero-hour auto purge (ZAP) in Microsoft Teams
- Configure ZAP for Teams protection in Defender for Office 365
- CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 145
Test Metadata
| Field | Value |
|---|---|
| Test ID | CIS.M365.2.4.4 |
| Severity | Medium |
| Suite | CIS |
| Category | CIS E5 Level 1 |
| PowerShell test | Test-MtCisZAP |
| Tags | CIS, CIS E5, CIS E5 Level 1, CIS M365 v6.0.1, CIS.M365.2.4.4, L1 |
Source
- Pester test: tests/cis/Test-MtCisZAP.Tests.ps1
- PowerShell source: powershell/public/cis/Test-MtCisZAP.ps1