Overview
Safe Attachments Protection is enabled for NHSmail accounts to protect and enhance the security of the platform. Safe Attachments is part of Microsoft Defender for Office 365 and provides a scanning tool to assess whether email attachments are malicious.
Important Note:
All NHSmail users should continue to adhere to email security best practice i.e., only interacting with content which they believe to be safe and reporting any suspicious emails.
For a further information on email security best practices, please see this section of the NHSmail Support Site.
Scope
Safe Attachments will cover all emails from external to nhs.net accounts and nhs.net to nhs.net accounts.
Emails sent from nhs.net accounts to external accounts are not covered by Safe Attachments.
Safe attachments is also applied for SharePoint, OneDrive and Microsoft Teams.
Important Note:
New application accounts created after 26th October 2023 will have Safe Attachments applied to them for Exchange and Teams/Office applications.
It is important that application owners read the appropriate Microsoft guidance to ensure their applications are configured to correctly work with these enhanced security features.
Currently application accounts created prior to 28th October 2022 are out of scope and will not have Safe Attachments protection applied.
How Safe Attachments works – Email
Safe Attachments scans and checks attachments in emails before they are delivered to nhs.net recipients. This scan is carried out automatically and requires no action from the sender. If the Safe Attachments scan has found potentially malicious content, the email and the attachment are quarantined and not delivered to the recipient.
When an email is quarantined, the intended recipient will receive a Quarantine Notification email within 24 hours.
The recipient will be able to preview the quarantined email/s in the Microsoft Security Center via the link provided in the Quarantine Notification but will not be able to preview the attachment. The email will be held in the Microsoft Security Center for 30 days before it is automatically deleted.
How to review quarantined emails
1. Users can access the Microsoft Security Center directly by going to https://security.microsoft.com/ and logging in with their NHSmail credentials.
If you are struggling to access the Microsoft Security Center, please copy and paste the link into an Incognito tab or another browser and ensure you are using your NHSmail credentials to log in
Alternatively, once you have received a Quarantine Notification, you can review the quarantined email by clicking the ‘Review Message’ button.
2. You will be taken to the Quarantine Page within the Microsoft Security Center. If you do not see this select Review > Quarantine.
Any emails which are suspected of being malicious by Safe Attachments will be listed as shown below.
3. Users can click on the email entry to see a summary of the status of the email and key information. A summary pane view will appear on the left-hand side of the screen as shown below.
4. If users select ‘Preview Message’ they will be able to preview the body of the email, but not the attachment/s.
How to release a quarantined email
NHSmail users can preview email contents but are unable to ‘release’ any messages which are being held in the Security Center and can be viewed on the Quarantine Page. The ‘Release’ and ‘Request release’ buttons should be disabled.
If an NHSmail user would like to release a quarantined email which they believe has been incorrectly quarantined they should contact helpdesk@nhs.net using the template below.
Important Note:
Please only raise a ticket requesting the release of a quarantined email if you have received a quarantine notification and/or you can see that there are emails in the quarantine section of the Security Center.
If you have been waiting for an email which has not been delivered to your Inbox, please check your Junk Email folder before raising a ticket.
It is important the approved email subject and email body template are used when raising a ticket with the Helpdesk. This will allow the agent to locate your email and process onwards with Microsoft. Failure to do so may result in your ticket being closed.
How Safe Attachments for SharePoint, OneDrive and Microsoft Teams works
When Safe Attachments identifies files as malicious, the file is locked using direct integration with the file stores.
Although the blocked file is still listed in the document library and in web, mobile or desktop applications, people can’t open, copy, move or share the file. But they can delete the blocked file.
SharePoint Online will prevent people from downloading malicious files.
When a file is identified as malicious by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, the file is also available in quarantine, but only to administrators.
- Note: Defender for Office 365 doesn’t scan every single file in SharePoint Online, OneDrive for Business, or Microsoft Teams. This behaviour is by design. Files are scanned asynchronously. The process uses sharing and guest activity events along with smart heuristics and threat signals to identify malicious files.
Not sure if your attachment is malicious?
There are some simple steps you can follow before raising a ticket:
- Reach out to the sender via another means (not email) to validate the legitimacy of the attachment
- Seek and adhere to local phishing, spam, malware best practices when determining if you should request the release of the attachment
- Check the spelling and content of the email for obvious discrepancies
- Contact Local Administrator, or appropriate local security authority if unsure on the legitimacy of a release request
Still not sure? Contact the Helpdesk using the approved template and subject line and it will be submitted to Microsoft for review.
To NHSmail Helpdesk,
I have received the Safe Attachment notification informing me of a quarantined email and attachment.
Upon review, I believe that this is a genuine and trusted email and/or one I have been expecting.
I have provided all the relevant details below:
Detailed information :
- SUBJECT: SAFE ATTACHMENTS EXCEPTION
- Recipients address:
- Sender’s address:
- Date/Time:
- Attachment name:
- Any other information:
- Business criticality/importance:
Please repeat if multiple requests are required:
Many thanks
[Name]
Important Note:
Emails which have been quarantined are permanently deleted by Microsoft from the Security Center after 30 days.
We recommend that any users who believe they have received an email/s which has been incorrectly classified as potentially malicious (and therefore has been quarantined) should raise a request to have the email/s released within 5 days of receiving the quarantined notification. This will allow plenty of time for the content to reviewed.
FAQs
All existing email security features will remain active and in place. Safe Attachments has been added to your mailbox to build on and enhance existing security features.
You should continue to be aware of any malicious emails, links or attachments and only interact with content which you reasonably believe to be safe. For a further information on the email security best practices which all NHSmail users should be adhering to please see this section of the NHSmail Support Site.
The licences which enable Safe Attachments for each NHSmail user’s mailbox are applied centrally. Local Administrators are not required to apply these licences.
Only NHSmail Helpdesk central administrators can release emails from quarantine. This is because any emails which have been quarantined may contain malicious content and a careful assessment of the threat level posed by releasing quarantined content will need to be conducted prior to release.
If an NHSmail user would like to release a quarantined email which they believe has been incorrectly quarantined they should contact helpdesk@nhs.net using the template outlined above in this article.
There is no standard timeframe within which you can expect the review to be completed and to receive a reply / the release of the email. The time it will take will depend on the attachment being reviewed. Any request for review will however take a minimum of 24hrs.
Any emails with attachments which have been confirmed as false positives, will be released to the intended recipient’s mailbox by Helpdesk as soon as the review of the attachment is complete.
If you do not agree with the outcome of the classification of a quarantined email review, you can contact feedback@nhs.net.
If you believe you have received a suspicious email or attachment that has not been quarantined, please report this by following the guidance here.
As this feature is enabled and managed centrally, neither NHSmail Users nor Local Administrators can disable Safe Attachments.
If you believe that Safe Attachments is causing issues in your use of NHSmail, please raise a ticket with helpdesk@nhs.net.
If a shared mailbox has received a quarantine notification, any individual NHSmail user who has access to that shared mailbox will be able to follow the ‘Review Message’ link on the Quarantine Notification to preview the message. If prompted, users should log in with their individual NHSmail credentials and will then see the quarantined message sent to the shared mailbox in the quarantine page.
Newly created application accounts will have Safe Attachments applied to them from the 28th October 2022.
If your application sends out attachments, these will be scanned by Microsoft for malicious content prior to delivery to the recipient.
We recommend that application accounts are monitored regularly to ensure they are functioning as expected and no quarantine notifications are missed.
| Last Reviewed Date | 23/10/2023 |
