Sophos Email customers using IP-based mailflow rule connectors must migrate to certificate-based configuration by March 31st. To see if you're affected Click Here.

[Updated 3 February 2021]

The EAP for Sophos Email Advanced post-delivery protection for O365 mailboxes is now live and ready to join.

A lot can happen from the moment an email lands in your inbox. Once safe URLs can become weaponized for phishing, and threat intelligence continually evolves to identify new malware variants. The EAP for Search and Destroy, Sophos Email’s new post-delivery protection capabilities for O365 takes the detection of malicious links and malware used in phishing attacks to the next level.

Search and Destroy for Sophos Email Advanced uses O365 APIs to directly access O365 mailboxes, allowing Sophos to identify and automatically remove emails containing malicious links and malware before a user clicks on them – removing the threat automatically.

More info: 

How to Take Part

Available now, customers can join the Sophos Email Advanced Search and Destroy EAP by logging on to Sophos Central and following these simple steps:

  1. Select Early Access Programs > Select ‘Join’ > Accept the terms and get stated. 

  2. Once you have joined the EAP, select “Setup O365 security now” from the Sophos Email dashboard


  1. Select “Connect” on the “Domain settings/status” page


  1. Enter the credentials for your O365 account and click “Next”


  1. Grant Sophos Email the permissions required to establish the connection with the O365 APIs for you account by clicking “Accept”

  1. You’re connected, click "Close" and head to step 7 to activate the Search and Destroy feature

  2. From the “Domains settings/status” page, select “Configure O365 Security”


  1. Enable the Search and Destroy feature and click “Save”


  1. You can then view any emails identified by Search and Destroy in the “Post delivery quarantine” area of the “Quarantined Messages” report – don’t be alarmed if no emails are displayed (that’s a good thing)




  • Can Search and Destroy identify the same malicious link or attachment in different emails?
    Yes, Sophos Email will identify and remove all messages with matching links or attachments. The sender and wording of the message can be anything.
  • Will those emails identified by Search and Destroy be deleted?
    No, once removed they are held in the new “Post delivery quarantine” area of the “Quarantined Messages” report. The Sophos Email administrator can release the message(s) if required.

  • What email services will Search and Destroy be compatible with?
    Search and Destroy is available to O365 email deployments of Sophos Email Advanced. The ability to identify and remove messaging from a user’s inbox is only possible by integrating with O365 platform APIs.

  • What reporting will be provided from Sophos Central?
    • A new “Post-delivery” tab is available in the “quarantined messages” report to identify any messages automatically removed from mailboxes and placed in admin quarantine
    • A new “Post-delivery” report be later added to display message volumes and reasons for removal.

  • Does Search and Destroy replace Time-of-click?
    Time of click is a valuable feature for all email services protected by Sophos Email, re-writing URLs so these can be scanned for malicious attributes when clicked by a user. This guards users and the organization against stealthy tactics used in phishing campaigns. The capability will complement Search and Destroy, particularly in mixed-email estates.


Send Your Feedback

Please provide all feedback about this early access program in our Sophos Email Community Forum.


EAP Eligibility

  • Search and Destroy is available to Sophos Email Advanced license customers only.