What’s new – Nov 21, 2023
As part of Sophos Email's effort to equip you with best-in-class tools for your email security needs, an exciting new feature, On Demand Clawback, has been released to all customers today. This feature is enabled for customers who have Post-Delivery Protection (PDP) configured in their accounts. As described later in this announcement, customers who have not enabled PDP must enable it in order to use the feature.
On Demand Clawback lets you manually claw back one or more messages from the M365 inboxes of your users, for example a message that is not only designed to deceive your users but also evades detection. It differs from the previously released Auto Search and Remediate feature, which automatically removes messages whose attachments and URLs were benign at the time of delivery but turned malicious later.
Applies to the following Sophos products
Sophos Email Advanced
In this post the following sections are covered:
● How to clawback
● How to enable clawback
● Manage clawed back messages in PDP quarantine
● View status of clawed back messages in PDP report
● Watch the video
How to clawback
There are two ways in which you can claw back any message delivered to M365 mailboxes of a PDP connected domain:
1. On the Message History main page, select one or more messages and click the Initiate clawback button, as indicated in the screenshot below. This method is suited to cases where multiple users have been targeted, each by a separate email. If the messages share a common attribute, such as sender or subject, you can use Advanced Search to filter for them and then use the select-all checkbox in the header. In a single attempt you can claw back up to 100 messages, each of which may have been delivered to one or more recipients.
2. On the Message Details page of Message History, select one or more recipients of the message and click the Initiate clawback button, as indicated in the screenshot below. This method is better suited when you want to claw back the message from a select few recipients rather than from every recipient, for example if a message containing sensitive information was sent to an unintended recipient because of a typo in the email address.
How to enable clawback
On Demand Clawback is a part of PDP for M365. To benefit from it, you need to have the option enabled as shown in the screenshot below.
Furthermore, the M365 domains should be connected for PDP. You can claw back messages only from mailboxes of domains that are connected. The following screenshot highlights the PDP connected domain in the gateway mode.
The following screenshot highlights the PDP connected domain in the M365 Mailflow mode.
Manage clawed back messages in PDP quarantine
Messages clawed back from the M365 mailboxes are listed in the Post Delivery Quarantine. You can view the details of a message by clicking its subject. You can also release or delete the message from this quarantine.
Note: A message that has been released from Post Delivery Quarantine cannot be clawed back again.
View status of clawed back messages in PDP report
Clawed back messages are reported in the post delivery summary report. The report shows you the latest status of all the messages that were clawed back, i.e. even if a message was deleted or released from post delivery quarantine, you can refer to this report to get the latest status of the message.
Note: On Demand Clawback does not apply to internal messages, as they are not passed through Sophos Central Email protection.
The API(s) for On Demand Clawback were released on August 31, 2023, as announced in this community post. Refer to the following resources for the API documentation:
- Clawback API documentation: https://developer.sophos.com/docs/email-v1/1/overview
- Clawback request guide: https://developer.sophos.com/docs/email-v1/1/routes/messages/%7Bid%7D/clawback/post
- Clawback status guide: https://developer.sophos.com/docs/email-v1/1/routes/messages/%7Bid%7D/status/get
- Sophos Central API documentation: https://developer.sophos.com/apis