Safe Documents


Safe Documents is a premium F5 Security & Compliance licence feature enabled for the benefit of NHSmail Enhanced Service users across the NHSmail platform. It is part of the Safe Attachments policy in Microsoft Defender for Office 365.

Safe Documents works by opening documents in Protected View, scanning them and if they are deemed malicious, keeping threats contained in Protected View where users will be blocked from leaving Protected View.

Access to legitimate files will be unaffected. When a scan is completed and no threat is detected, the file is deemed to be safe, and users can then turn on editing and leave Protected View.

Important Note:

All NHSmail users should continue to adhere to security best practices i.e., only interacting with content which they believe to be safe and reporting any suspicious documents.

For information on security best practices, please see this section of the NHSmail Support Site.


  • This feature will be available to all users covered by the NHSmail Enhanced Service licence provision.
  • Users do not need Defender for Endpoint installed on their local devices to get Safe Documents protection.
  • Safe Documents will cover all files and documents sent from external and internal accounts (from accounts that are and all other email accounts that are not ) to accounts.
  • Files sent from accounts to external (non accounts are not covered by Safe Documents.
  • Safe Documents is applied in any document opened in Office 365 (O365) applications.

What are the benefits of Safe Documents?

Enabling this feature unlocks an additional layer of security on documents opened within an Office 365 application, thereby protecting all NHSmail users and their devices.

How does Safe Documents work?

Safe Documents leverages the cloud back-end of Defender for Endpoint to scan opened Office documents in Protected View. While a scan is in progress, Safe Documents will prevent users from exiting the Protected View container until results of the scan have been determined. Users can still read the document at this stage but cannot make any edits.

Below are the expected results from Safe Documents verification.

1. File currently being scanned by Microsoft Defender Advanced Threat Protection (MDATP). Shown while Safe Documents scans the file against MDATP. Maximum file upload size is 60 MBs.

2. Error in file verification. This error is shown if there are issues verifying the file, such as timeout and network connectivity issues. Users can still turn on editing, but caution is advised.

3. File found to be safe. This is shown if the scan does not detect any threats, so users can turn on editing and leave Protected View.

4. File found to be malicious. This is shown if the scan determines the file to be malicious. Users won’t be able to leave Protected View.

Please Note:

Please refer to the Safe Links and Safe Attachments articles for further guidance on identifying malicious email attachments and web addresses.

What happens if a document is malicious?

If a file is found to be malicious by the scan, users will not be able to leave Protected View and will be unable to edit the file or document. As such, these threats will be contained in Protected View and users will be blocked from leaving this container

Not sure if your document is malicious?

If an NHSmail user would like to release a blocked document or file which they believe has been incorrectly deemed malicious, they should contact the Helpdesk at using the template outlined below. Your ticket will then be submitted to Microsoft for review.

It is important the approved email subject and email body template are used when raising a ticket with the Helpdesk. This will allow the agent to locate your email and process onwards with Microsoft. Failure to do so may result in your ticket being closed.

To NHSmail Helpdesk,

I have received the Safe Document notification informing me of a blocked file.

Upon review, I believe that this is a genuine and trusted document and/or one I have been expecting.

I have provided all the relevant details below:

Detailed information :

  • Recipients address:
  • Sender’s address:
  • Date/Time:
  • File name:
  • Any other information:
  • Business criticality/importance:

Please repeat if multiple requests are required:

Many thanks

Important Note:

Please only raise a ticket requesting the release of a blocked document if you have received a blocked file notification and/or you can see that there are files in the blocked section of the Security Centre.


Are other email security features being replaced by Safe Documents?

All existing email security features will remain active and in place. Safe Documents has been enabled for NHSmail Enhanced Service users (only) to protect documents opened within Office applications to build on and enhance existing security features.

How can I report a blocked document, which I believe is a safe and legitimate file (a false positive)?

If an NHSmail user would like to release a blocked document which they believe has been incorrectly blocked, they should contact using the process and template outlined above in this article.

What is the support process to follow if I am unsure if a file is malicious?

If you are uncertain if a file is malicious, please contact using the approved template.

How does the licencing for Safe Documents work?

The F5 licence delivering Safe Documents functionality is applied to all users within Enhanced Organisation owned user policies and managed via the NHSmail Portal.

Who can release files that have been blocked?

Only NHSmail Helpdesk central administrators can release files that have been blocked. This is because any files which have been blocked may contain malicious content and a careful assessment of the threat level posed by releasing blocked content will need to be conducted prior to release. All files identified as malicious will be shared with Microsoft for analysis.

Can I disable Safe Documents for individual users / all users in my organisation?

As this feature is enabled and managed centrally, neither NHSmail users nor Local Administrators can disable Safe Documents.

If you believe that Safe Documents is causing issues in your use of NHSmail, please raise a ticket with

Last Reviewed Date 30/01/2024
Updated on 30/01/2024

Related Articles

Need Support?
Can’t find the answer you’re looking for? Don’t worry we’re here to help!
Contact Support
back to top