Sophos UTM: Decommissioning of obsolete URL categorization services CFFS. Click here for important info.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 13 replies
  • Answers 1 answer
  • Subscribers 9 subscribers
  • Views 24084 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Setup of Phish Threat in Office365

Bjarne Thielsen

Hello,

I started to setup Phish Threat for my company but I've trouble with Office 365 that they are opening the E-Mails and links so they distort the reports.

I completely copied the settings of this user community.sophos.com/.../501783 but E-Mails were still blocked, Defender active and so on.

After that I created my own rules and everything works but it seems as if Office365 is opening the E-Mails and links as soon as they come in.

Any solution or idea what I did wrong?

PS: My company is located in germany.



This thread was automatically locked due to age.
Parents Reply Children
  • 0 in reply to Michael Schneider

    Hey Michael,

    We have the exact same problem where the phishing emails are still getting the safelinks 'malicious' warning. Sophos analyzed the headers of the phishing emails and they said that it was not attaching the X-MS-Exchange-Organization-SkipSafeLinksProcessing lines. They told me to call Microsoft. I am not very pleased with how they diverted the problem to Microsoft since it seems as though we are not the only organization having this issue. The only workaround was to disable safe links completely (wait 24-48hrs to propagate) and start the campaign. NOT ideal at all but many of our clients are on a deadline to get their cybersecurity insurance and they are required to have a campaign ran. 

  • 0 in reply to Simon Woo

    Yeah i am still waiting.

    As we can see - This thread is soon as 10k views and Sophos reacts as always on these problems Slight smile We are in contact with our channel partner who did not get any more information that this. 

    In my opinion it is time that Sophos Phish Threat specialist tell us exactly what to do in one simple to follow knowledgebase article and not linking a lot of microsoft pages and other articles, which does not help at all.

  • 0 in reply to Michael Schneider

    Hey Michael,

    we have another Spamfilter in front of Office365. Means the Sender IP-Adresses of the Attack E-Mails aren't the one from Sophos. I had to edit them in the rules and since then it seems to work perfectly. I edited the IP-Adresses for the Phishing Simulation as well as the two rules for the attachments and url links. 

    I hope that helps you.

  • 0 in reply to Bjarne Thielsen

    Hello Bjarne,

    thank you for your insight. But in our case the mx records are directed directly to Exchange Online / Office 365 / Whatever they call it right now :)

  • 0 in reply to Michael Schneider

    Michael et al, we have been working to figure out exactly why it works in some environments and doesn't work in others. There is no technical reason that if you follow the documented procedure that it should not work. I can tell you I personally have two instances in M365, one over a year old, and one a month old and following the configuration it does work for me. Then again I've worked directly with customers where the exact same configuration does not work. We have had one partner who was successful with getting M365 to turn of Secure by Default after providing business justification and whether I believe it or not Microsoft says if the MX record doesn't point to outlook.protection.com that Secure by Default is not enabled. We continue to troubleshoot and work to come up with a solution. 

  • 0 in reply to Michael Schneider

    MFR (Mail Flow Rules) and the configuration isn't any different in terms of exclusions. The only difference I can see is that Microsoft itself in it's documentation says that it does NOT do Secure by Default (high confidence phish detection) IF the MX does not point at M365.

    Because Microsoft wants to keep our customers secure by default, some tenants overrides are not applied for malware or high confidence phishing. These overrides include:

    • Allowed sender lists or allowed domain lists (anti-spam policies)
    • Outlook Safe Senders
    • IP Allow List (connection filtering)
    • Exchange mail flow rules (also known as transport rules)

    https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/secure-by-default?view=o365-worldwide

    Secure by default is not a setting that can be turned on or off,

    Exceptions:

    • Third-party filters: Secure by default only applies when the MX record for your domain is set to Exchange Online Protection (contoso.mail.protection.outlook.com). If it's set to another service or device, it is possible to override Secure by default with a Transport Rule to bypass all spam filtering. When Microsoft detects messages as High Confidence Phish with this rule in place, they still deliver to the Inbox.

    Saved you the trouble of clicking on the link, paraphrasing, there are more exceptions.

     

  • 0 in reply to Tom Foucha

    Hello Tom, thanks for your detailed answer.

    To be honest, i am just not sure what it does tell me in my scenario, which we already cleared.
    For now we still have the situation that we have a tenant with mx records pointing to micrsofft.

    We did all the exception from the script. Even the links does not get "rewritten" and seems "nomal" when hovering over them, but somehow OWA still redirects every click on those links to the Safe Link Engine and blocks the clicks. 

  • 0 in reply to Tom Foucha

    I will report next week what we found out with out little waiting time ;)

  • 0 in reply to Michael Schneider

      Thank you, please keep me posted.  I was reading the Secure by Default article in your other post and Microsoft talks about exceptions: 

    However, we have already configured the Advanced delivery and added 

    • 54.240.51.52
    • 54.240.51.53
    • amazonses.com
    • ~eu-west-1.awstrack.me~
    • ~sophos-phish-threat.go-vip.co~

    We also created the transport rules, added the IPs and domains in the IP allow list and the Allowed senders and domains list and still not working. Just wanted to add more detail on what has been done already.

    Hopefully we can find a solution soon. 

  • 0 in reply to Simon Woo

    Thanks Simon, I've been working with a customer or two where we've done the same configuration and it had no effect and then some customers it has worked. The only other thing I've tried is to adjust the Sophos Pre-Filter to say from any outside organization to inbound organization set the SCL -1. I have been digging into this for the last few weeks more and more which makes me think something has changed at M365. I find no reason why following their documented procedures doesn't work. In the past I had a support case open with Microsoft because of their 20 entry limit and they came back and advised using DKIM domain which is the amazonses.com entry in the above list. The other thing I had some success with in one of my personal instances was disabling Enhanced Connector Security - which prevents Microsoft from looking back in the headers for sending IP. Under Threat Policies look at Enhanced Filtering and turn off any that are enabled and test

Unfiltered HTML