My email just disappeared—does that mean I’ve been hacked?

A Perth SMB panicked when their “hacked” email disappeared—only to find it had been safely quarantined by Microsoft’s filters. See how Zero‑Hour Auto Purge works, why it’s included even on Business Standard, and how we hardened protection with Defender for Office 365 Plan 1.

Garry BloomGarry Bloom · Founder & Senior IT Manager
23 April 2026
5 min read
ITSupportPerth
PerthBusiness
MSPPerth
SmallBusinessIT
PhishingProtection
DefenderForOffice365

Last week, a client rang in a panic.

He’d received a phishing email and needed to forward it to an external IT team for review. Every time he tried, our spam filter blocked the message. At the same time, the original email seemed to have vanished from his inbox.

To him, it looked like three red flags at once:

  • The email won’t send

  • The original message is gone

  • His account must be compromised

From the outside, it’s an easy assumption to make. From the inside, it was actually a very good sign.


What we checked (and what we found)

We started by checking Microsoft 365 sign‑in logs.

  • No suspicious or risky logins

  • No evidence of compromise

  • Everything looked clean

Then we looked in message quarantine—and found the email sitting there, flagged as malicious.

What happened is this:
Microsoft’s filters let the message in, but later classified it as a phishing or spam threat. After that, its built‑in protection tools automatically moved it from the inbox to Quarantine or Junk, after delivery.

That’s why:

  • The client couldn’t see it in his inbox anymore

  • It kept getting blocked when he tried to forward it

  • And yet, his account hadn’t been hacked


How Microsoft “undelivers” malicious emails

Even on a standard Microsoft 365 Business Standard license, there are features that can retroactively act on risky emails:

  • Zero‑Hour Auto Purge (ZAP)

    • Scans emails that were already delivered.

    • If they’re later flagged as phishing or spam, ZAP can move or quarantine them automatically.

  • Anti‑spam and anti‑phishing policies

    • Work silently in the background for every Exchange Online mailbox.

    • Fine‑tune how aggressively quarantine or junk folders are used.

So “the email disappeared” isn’t always a sign of compromise—it can mean your filters are finally catching up.


How we hardened this user’s protection

Because this user was clearly in a high‑risk group (receiving and forwarding phishing emails), we went a step further and enabled Microsoft Defender for Office 365 Plan 1:

  • Link scanning – checks URLs in real time, even after the email is delivered.

  • Safe attachments – detonates suspicious files in a sandbox before they reach the user.

  • Time‑of‑click protection – blocks malicious links if the user decides to click later.

In plain terms: protection doesn’t stop when the inbox is hit. It keeps watching, even when the user interacts later.


What this means for SMBs

This incident is a great reminder for small‑to‑medium businesses:

  • Don’t assume “disappearing emails” automatically mean breach.

  • Default spam filters can move or quarantine messages after delivery, which can unsettle users.

  • With the right licensing and configuration (like Defender for Office 365 Plan 1), you significantly reduce the chance that a real phishing email ever reaches the user’s inbox.

If your team is regularly forwarding “probably phishing” emails to external IT or security teams, it’s worth asking:

Is your current setup using ZAP and advanced protection, or are you still relying on basic filtering alone?

If this sounds like your current environment, I’m happy to help you tighten it up and make sure your users see fewer mysteries and more peace of mind.

Garry Bloom
Written by
Garry Bloom
Founder & Senior IT Manager · 25+ years in IT

Garry founded Computer Mechanics — the business behind IT Support Perth — in 1997. With more than 25 years in IT management and support across internal and external service environments, he leads the team's technical direction and its cybersecurity and managed-IT strategy for Perth businesses.

Meet the IT Support Perth team →
Garry Bloom
23 April 2026
5 min read
ITSupportPerth
PerthBusiness
MSPPerth
SmallBusinessIT
PhishingProtection
DefenderForOffice365

Stay Updated with IT Insights

Get the latest cybersecurity tips and technology insights delivered to your inbox

Related Articles

4 IT Gaps Small Businesses Overlook (and How to Close Them)

Most Perth businesses aren't undone by one huge disaster — it's the small IT gaps that stack up: missing MFA, delayed patching, old access nobody removed, and untested backups. Here's how teams under 50 users can close them. From Computer Mechanics, Perth IT specialists since 1997.

5 min read

How to Safely Offboard an Employee (and Protect Your Company Data)

When a staff member leaves, their access is a security risk until it's properly closed off. A practical Perth-business checklist for offboarding an employee without losing data or leaving a door open. From Computer Mechanics, Perth IT specialists since 1997.

5 min read

5 Signs Your Business Has Outgrown Your Current IT Guy

One trusted 'IT guy' works — until it doesn't. Here are five clear signs a Perth business has outgrown break-fix IT and needs a proper managed IT team. From Computer Mechanics, Perth IT specialists since 1997.

5 min read

Need Expert IT Support?

Get personalized advice from our Perth IT experts. Free consultation available.

Related Content

Continue Reading

Explore more insights and expert advice on IT support, cybersecurity, and digital transformation

Your Messages Are "Encrypted" — But the FBI Just Read Them Anyway. Here's What Every Perth Business Needs to Know.
CyberSecurity
ITSupportPerth

Your Messages Are "Encrypted" — But the FBI Just Read Them Anyway. Here's What Every Perth Business Needs to Know.

Most small business owners believe end-to-end encryption means their messages are completely private. A recent FBI case proves that assumption is dangerously incomplete.

5 min read
4/15/2026
What’s new in SMB1001:2026?
SMB1001
SMB10012026

What’s new in SMB1001:2026?

SMB1001:2026 updates for Perth SMBs: Mandatory DMARC from Silver tier, 5 maturity levels, Essential Eight alignment. Get certified, cut insurance costs, win tenders—start your roadmap today!

5 min read
2/25/2026
When a ‘Legit’ Support Call Steals Your Login Session
CyberSecurity
ITSupportPerth

When a ‘Legit’ Support Call Steals Your Login Session

MFA was enabled — but a fake Xero support call led to a stolen browser session, email takeover, and full lockout. Learn how to prevent it with least privilege, Conditional Access, and phishing-resistant policies.

5 min read
1/30/2026