Sophos UTM: Decommissioning of obsolete URL categorization services CFFS. Click here for important info.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Phish Threat - Attachment Campaign False Positive Results

We configured a Phish Threat attachment campaign and sent it to all mail-enabled users. This process worked as expected.

After the emails went out, support tickets began rolling in. Our end users said they never opened the email, much less the attachment. 

At first, we were skeptical of the reports and directed our employees to complete the training. Then we got so many comments that we investigated further.

  • One employee received the phishing email while they were away from their computer. The email was immediately swipe-left deleted on their iPhone without opening. This employee was flagged as caught and required to take the training.
  • A second employee received the email on their iPhone and tapped on it to view the email. The iPhone automatically opened a preview of the attachment at the bottom of the message. This employee was also flagged as caught and required to take the training.
  • The third employee received the email in Outlook on their Windows machine. It was immediately deleted without previewing or opening the message/attachment. This employee was NOT flagged as caught.
  • We do have a sandboxing tool that is used to scan all inbound emails. If the scanning tool were the culprit, we would expect a 100% catch rate instead of the 42% currently shown in the campaign.

This chain of events leads us to believe there is something with how Apple iPhones manage/handle the receipt and deletion of emails and their attachments.

Has anyone else experienced this issue? Is there anything we can do to reduce the number of false positives?

This thread was automatically locked due to age.
  • Hi Bonnie,

    Thanks for reaching out to the Sophos Community Forum. 

    I'd suggest raising a case with our support team if you have not already, as this sounds quite unusual. To ensure your email filtering tools aren’t affecting the results reported back, I'd suggest trying to white-list the sender domains from your email filter.

    On your end-users iPhones is the default mail app being used?

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Hi Kushal,

    Yes, a support request has been raised and I’m awaiting their response (#05715918).

    On the suggestion to white list the domains, we did this when we began using the product. If we hadn’t done it correctly, none of our users would have received the emails to begin with. In this campaign, all 200 messages were delivered and 84 people were reported as having opened the attachment. 

    And we have a mixed bag of default mail app as well as the Microsoft Outlook app. Both apps are providing false positive reports.