On Demand Clawback

What’s new – Aug 2, 2023

Early access to an exciting new feature, On Demand Clawback, has been provided to all customers of Sophos Email. This feature is enabled for customers who have Post-Delivery Protection (PDP) configured in their accounts. As described later in this announcement, customers who have not enabled PDP must enable it in order to use On Demand Clawback.
In PDP, previously released, auto search and remediate automatically removes messages whose attachments and URLs are benign at the time of delivery but later become active and malicious. This new feature, On Demand Clawback, instead empowers admins to manually claw back any message from any user’s M365 inbox, for example a message that contains sensitive information though it is not malicious.
Note: On Demand Clawback does not apply to internal messages, as they are not passed through Sophos Central Email protection.

Applies to the following Sophos products
Sophos Email Advanced

In this post the following sections are covered:
 * How to enable clawback
 * How to claw back
 * How to manage clawed back messages
 * How clawback is reported
 * What lies ahead


How to enable clawback

On Demand Clawback is a part of PDP for M365. In order to benefit from it, you should have enabled the option as shown in the screenshot below.

Furthermore, the M365 domains should be connected for PDP as shown in the screenshot below. You will be able to claw back the messages only from mailboxes of those domains that are connected.


How to claw back

You can claw back any message delivered to M365 mailboxes of a PDP-connected domain by clicking the Initiate clawback button on the Message Details page of Message History. You can claw back the message from one or more of the mailboxes to which it was delivered, as shown in the screenshot below.


How to manage clawed back messages

Messages clawed back from M365 mailboxes are listed in the Post Delivery Quarantine. You can view the details of a message by clicking its subject. You can also release or delete the message from this quarantine.

Note: A message that has been released from Post Delivery Quarantine cannot be clawed back again.

How clawback is reported

Clawed-back messages are reported in the post delivery summary report. The report shows you the latest status of all the messages that were clawed back; that is, even if a message was deleted or released from post delivery quarantine, you can refer to this report to get the status of the message.


What lies ahead

This feature is in early access. Currently, clawback can be triggered from the Message Details page of Message History. The capability to claw back multiple messages from the main page of Message History is under development. This capability will be part of the GA of this feature. Likewise, APIs for clawback are under development. The clawback APIs will be released sooner.
Watch this post for updates.

Updates:
August 31, 2023: The On Demand Clawback API was released to all customers of Sophos Email earlier this week. For more, please refer to the following community post:
https://community.sophos.com/sophos-email/b/blog/posts/sophos-email-integration-with-mdr-sophos-email-clawback-api