In Microsoft Defender for Office 365, what method is used to check if an email was relocated by zero-hour auto purge (ZAP)?

Enhance your cybersecurity skills with the Microsoft Security Operations Analyst (SC-200) Exam. Explore topics with multiple choice questions and detailed explanations. Prepare effectively and become a certified Security Operations Analyst!

The correct method to check if an email was relocated by zero-hour auto purge (ZAP) in Microsoft Defender for Office 365 is through the Threat Protection Status report. This report provides insights into various threat detections and the actions taken by Defender for Office 365, including details regarding emails that have been removed after being identified as malicious.

The Threat Protection Status report is specifically designed to summarize the threat protection measures in place, allowing administrators to review occurrences of email threats and the corresponding automatic responses, including ZAP. By using this report, security analysts can easily determine how effectively ZAP responds to threats that emerge after an email has been delivered.

Other methods, such as the mailbox audit log in Exchange or the mail flow report, do not provide this specific information about ZAP actions. Similarly, the Safe Attachments file types report focuses exclusively on file types and does not track relocated emails or the overarching threat management features that ZAP represents.
