Safe Attachments Protection is enabled for NHSmail accounts to protect and enhance the security of the platform. Safe Attachments is part of Microsoft Defender for Office 365 and provides a scanning tool to assess whether email attachments are malicious.
The below guidance is for NHSmail users and Local Administrators who wish to understand more about how this functionality works.
Safe Attachments will cover all emails from external to nhs.net accounts and nhs.net to nhs.net accounts.
Emails sent from nhs.net accounts to external accounts are not covered by Safe Attachments.
Currently application accounts created prior to 28th October 2022 are out of scope and will not have Safe Attachments protection applied.
How Safe Attachments works
Safe Attachments scans and checks attachments in emails before they are delivered to nhs.net recipients. This scan is carried out automatically and requires no action from the sender. If the Safe Attachments scan has found potentially malicious content, the email and the attachment are quarantined and not delivered to the recipient.
When an email is quarantined, the intended recipient will receive a Quarantine Notification email within 24 hours.
The recipient will be able to preview the quarantined email/s in the Microsoft Security Center via the link provided in the Quarantine Notification but will not be able to preview the attachment. The email will be held in the Microsoft Security Center for 30 days before it is automatically deleted.
How to review quarantined emails
1. Users can access the Microsoft Security Center directly by going to https://security.microsoft.com/ and logging in with their NHSmail credentials.
Alternatively, once you have received a Quarantine Notification, you can review the quarantined email by clicking the ‘Review Message’ button.
2. You will be taken to the Quarantine Page within the Microsoft Security Center. If you do not see this select Review > Quarantine.
Any emails which are suspected of being malicious by Safe Attachments will be listed as shown below.
3. Users can click on the email entry to see a summary of the status of the email and key information. A summary pane view will appear on the left-hand side of the screen as shown below.
4. If users select ‘Preview Message’ they will be able to preview the body of the email, but not the attachment/s.
How to release a quarantined email
NHSmail users can preview email contents but are unable to ‘release’ any messages which are being held in the Security Center and can be viewed on the Quarantine Page. The ‘Release’ and ‘Request release’ buttons should be disabled.
If an NHSmail user would like to release a quarantined email which they believe has been incorrectly quarantined they should contact email@example.com using the template below.
It is important the approved email subject and email body template are used when raising a ticket with the Helpdesk. This will allow the agent to locate your email and process onwards with Microsoft. Failure to do so may result in your ticket being closed.
Not sure if your attachment is malicious?
There are some simple steps you can follow before raising a ticket:
- Reach out to the sender via another means (not email) to validate the legitimacy of the attachment
- Seek and adhere to local phishing, spam, malware best practices when determining if you should request the release of the attachment
- Check the spelling and content of the email for obvious discrepancies
- Contact Local Administrator, or appropriate local security authority if unsure on the legitimacy of a release request
Still not sure? Contact the Helpdesk using the approved template and subject line and it will be submitted to Microsoft for review.
All existing email security features will remain active and in place. Safe Attachments has been added to your mailbox to build on and enhance existing security features.
You should continue to be aware of any malicious emails, links or attachments and only interact with content which you reasonably believe to be safe. For a further information on the email security best practices which all NHSmail users should be adhering to please see this section of the NHSmail Support Site.
The licences which enable Safe Attachments for each NHSmail user’s mailbox are applied centrally. Local Administrators are not required to apply these licences.
Only NHSmail Helpdesk central administrators can release emails from quarantine. This is because any emails which have been quarantined may contain malicious content and a careful assessment of the threat level posed by releasing quarantined content will need to be conducted prior to release.
If an NHSmail user would like to release a quarantined email which they believe has been incorrectly quarantined they should contact firstname.lastname@example.org using the template outlined above in this article.
There is no standard timeframe within which you can expect the review to be completed and to receive a reply / the release of the email. The time it will take will depend on the attachment being reviewed. Any request for review will however take a minimum of 24hrs.
Any emails with attachments which have been confirmed as false positives, will be released to the intended recipient’s mailbox by Helpdesk as soon as the review of the attachment is complete.
If you do not agree with the outcome of the classification of a quarantined email review, you can contact email@example.com.
If you believe you have received a suspicious email or attachment that has not been quarantined, please report this by following the guidance here.
As this feature is enabled and managed centrally, neither NHSmail Users nor Local Administrators can disable Safe Attachments.
If you believe that Safe Attachments is causing issues in your use of NHSmail, please raise a ticket with firstname.lastname@example.org.
If a shared mailbox has received a quarantine notification, any individual NHSmail user who has access to that shared mailbox will be able to follow the ‘Review Message’ link on the Quarantine Notification to preview the message. If prompted, users should log in with their individual NHSmail credentials and will then see the quarantined message sent to the shared mailbox in the quarantine page.
Newly created application accounts will have Safe Attachments applied to them from the 28th October 2022.
If your application sends out attachments, these will be scanned by Microsoft for malicious content prior to delivery to the recipient.
We recommend that application accounts are monitored regularly to ensure they are functioning as expected and no quarantine notifications are missed.
|Last Reviewed Date||01/11/2022|