We are having an issue with Attachment campaigns.
Because we have Protected View enabled for almost everything in Microsoft Word, the content of the attachments is getting blocked on Sophos Phish Threat attachment emails. This is causing Phish Threat to not register the user as "Caught" unless they click "Enable Editing" on the document.
Is there a way we can allow content from Sophos through the Protected View filter so that it registers the user as "Caught" as soon as they open the attachment?
Or is there any other setting we can change so that it registers the user as "Caught" without them having to Enable Editing on the Word attachment?
Thanks for reaching out!
Unfortunately, this behavior is a result of the added layer of protection that Microsoft provides with their Protected View mode. I don't believe that Microsoft currently has a setting to configure what you are trying to set up:
Apologies for this inconvenience. However, this behavior does also allow you to follow up and educate users about Protected View and why it's unsafe to enable editing on unrecognized documents.
Reference: Microsoft Protected View
Is this product not going to work any more? Why are we paying for this if the users are not showing as caught? I need to start looking at another product, I guess.
This is a major flaw in their software and should be addressed. I wonder if you tried adding the Sophos addresses to the trusted zone in IE, and/or made exceptions in Word/Excel for the specific files, whether it would bypass the protected file aspect. Probably not, since it is safer to block something than allow it these days. The only other option would be to use the GPO to disable protected mode for a day or two, run your campaign, then enable it again. But this would expose your users to potential threats.
See here: https://community.spiceworks.com/topic/1702203-how-to-add-exception-to-protected-mode-settings-in-excel-2013