Sophos Email customers using IP-based mailflow rule connectors must migrate to certificate-based configuration by March 31st. To see if you're affected Click Here.

Sophos Email integration with MDR & Sophos Email Clawback API

What’s new – Aug 31, 2023

We are excited to announce that Sophos Email is now integrated with Sophos MDR. You will require both Sophos Email and Sophos MDR licenses to benefit from this integration. Once enabled, Sophos Email will start sending detections to Sophos MDR for the messages received by Sophos Email. Unlike integration of other Email products with Sophos MDR, the Sophos Email has a deeper integration with Sophos MDR, supporting a wide variety of detections such as account compromise, malware, malicious URL, impersonation, spam, data control, and post delivery protection.

We have also taken the next step towards the GA of the On Demand Clawback feature, which is slated for later this year. We have released the Clawback API. Using this API, you can clawback one or more messages from M365 inboxes of your users into the post delivery quarantine of Sophos Email. You should have Post-Delivery Protection (PDP) configured in your account. Customers who have not enabled PDP must enable it in order to use the Clawback API. The previously released, auto search and remediate, automatically removes messages where the attachments and URLs are benign at time of delivery but later become active and malicious. Whereas the Clawback API, empowers admins to clawback one or more messages from M365 inbox of one or more users.

Applies to the following Sophos products
  ● Sophos Email Advanced
  ● Sophos MDR

In this post the following sections are covered:
  ● Sophos Email integration with MDR
  ● Sophos Email Clawback API
  ● Watch the video


Sophos Email integration with MDR

Integration with MDR requires valid Sophos MDR and Sophos Email licenses. To enable the integration, you’ll have to navigate to Integrations under Threat Analysis Center, and then click on the Sophos Email card, as shown in the screenshot below.


Sophos Email Clawback API

Using the API, you can perform the following operations:
  1. Clawback any message from M365 mailbox of the user
  2. Fetch the status of any clawback request

These API(s) require that Post-Delivery Protection (PDP) be connected for M365 domain of the mailbox. To connect, the PDP must be enabled for the customer account.

 Refer the following resources for the API documentation:
  ● Clawback API documentation:
  ● Clawback request guide:
  ● Clawback status guide:
  ● Sophos Central API documentation:

Refer the Clawback API documentation screenshot below.
 Note: Clawback API does not apply to internal messages, as they are not passed through Sophos Central Email protection.


Watch the video