Last week, a client rang in a panic.
He’d received a phishing email and needed to forward it to an external IT team for review. Every time he tried, our spam filter blocked the message. At the same time, the original email seemed to have vanished from his inbox.
To him, it looked like three red flags at once:
The email won’t send
The original message is gone
His account must be compromised
From the outside, it’s an easy assumption to make. From the inside, it was actually a very good sign.
What we checked (and what we found)
We started by checking Microsoft 365 sign‑in logs.
No suspicious or risky logins
No evidence of compromise
Everything looked clean
Then we looked in message quarantine—and found the email sitting there, flagged as malicious.
What happened is this:
Microsoft’s filters let the message in, but later classified it as a phishing or spam threat. After that, its built‑in protection tools automatically moved it from the inbox to Quarantine or Junk, after delivery.
That’s why:
The client couldn’t see it in his inbox anymore
It kept getting blocked when he tried to forward it
And yet, his account hadn’t been hacked
How Microsoft “undelivers” malicious emails
Even on a standard Microsoft 365 Business Standard license, there are features that can retroactively act on risky emails:
Zero‑Hour Auto Purge (ZAP)
Scans emails that were already delivered.
If they’re later flagged as phishing or spam, ZAP can move or quarantine them automatically.
Anti‑spam and anti‑phishing policies
Work silently in the background for every Exchange Online mailbox.
Fine‑tune how aggressively quarantine or junk folders are used.
So “the email disappeared” isn’t always a sign of compromise—it can mean your filters are finally catching up.
How we hardened this user’s protection
Because this user was clearly in a high‑risk group (receiving and forwarding phishing emails), we went a step further and enabled Microsoft Defender for Office 365 Plan 1:
Link scanning – checks URLs in real time, even after the email is delivered.
Safe attachments – detonates suspicious files in a sandbox before they reach the user.
Time‑of‑click protection – blocks malicious links if the user decides to click later.
In plain terms: protection doesn’t stop when the inbox is hit. It keeps watching, even when the user interacts later.
What this means for SMBs
This incident is a great reminder for small‑to‑medium businesses:
Don’t assume “disappearing emails” automatically mean breach.
Default spam filters can move or quarantine messages after delivery, which can unsettle users.
With the right licensing and configuration (like Defender for Office 365 Plan 1), you significantly reduce the chance that a real phishing email ever reaches the user’s inbox.
If your team is regularly forwarding “probably phishing” emails to external IT or security teams, it’s worth asking:
Is your current setup using ZAP and advanced protection, or are you still relying on basic filtering alone?
If this sounds like your current environment, I’m happy to help you tighten it up and make sure your users see fewer mysteries and more peace of mind.



