
Setup of Phish Threat in Office365

Hello,

I started to set up Phish Threat for my company, but I'm having trouble with Office 365: it is opening the e-mails and links, so they distort the reports.

I completely copied the settings of this user (community.sophos.com/.../501783), but e-mails were still blocked, Defender was active and so on.

After that I created my own rules and everything works, but it seems as if Office 365 is opening the e-mails and links as soon as they come in.

Any solution or idea what I did wrong?

PS: My company is located in Germany.



Edited TAGs
[edited by: emmosophos at 7:04 PM (GMT -8) on 16 Feb 2024]
  • Hello Bjarne,

    I am trying to set up Phish Threat on an Office 365 tenant as well.

    As far as I can tell, none of the methods Sophos describes actually unblock the Defender ATP Safe Links feature.

    If I set up the rules from this link:

    https://support.sophos.com/support/s/article/KB-000037983?language=en_US

    I do receive the mails, but the Defender Safe Links feature blocks every click from the user.

    I tried setting up these rules described by Sophos:

    https://support.sophos.com/support/s/article/KB-000039921?language=en_US

    But no luck.

    @Sophos Why is there not a single document on how to actually set this up with Office 365 and Defender enabled? This is a common problem in the forum, but Sophos... well :)

    I am looking for the "minimal" needed configuration and do not want to put IPs and URLs into every safety dialog I see.

    Do you or anyone else have a good working solution?

  • Hey Michael,

    we have another spam filter in front of Office 365. This means the sender IP addresses of the attack e-mails aren't the ones from Sophos. I had to edit them in the rules, and since then it seems to work perfectly. I edited the IP addresses for the phishing simulation as well as the two rules for the attachments and URL links.

    I hope that helps you.

  • Hello Bjarne,

    thank you for your insight. But in our case the MX records point directly to Exchange Online / Office 365 / whatever they call it right now :)

  • MFR (Mail Flow Rules) and the configuration aren't any different in terms of exclusions. The only difference I can see is that Microsoft itself, in its documentation, says that it does NOT do Secure by Default (high confidence phish detection) IF the MX does not point at M365.

    Because Microsoft wants to keep our customers secure by default, some tenant overrides are not applied for malware or high confidence phishing. These overrides include:

    • Allowed sender lists or allowed domain lists (anti-spam policies)
    • Outlook Safe Senders
    • IP Allow List (connection filtering)
    • Exchange mail flow rules (also known as transport rules)

    https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/secure-by-default?view=o365-worldwide

    Secure by default is not a setting that can be turned on or off.

    Exceptions:

    • Third-party filters: Secure by default only applies when the MX record for your domain is set to Exchange Online Protection (contoso.mail.protection.outlook.com). If it's set to another service or device, it is possible to override Secure by default with a Transport Rule to bypass all spam filtering. When Microsoft detects messages as High Confidence Phish with this rule in place, they still deliver to the Inbox.

    Saved you the trouble of clicking on the link; I'm paraphrasing, and there are more exceptions.

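Tom's point above, as an added example that is not part of the thread and is not the Sophos KB script or Microsoft's own code: the minimal mail flow rules the two Sophos KBs describe (sender IP allow list, SCL -1, and the Safe Links / Safe Attachments skip headers), preceded by a check of where the domain's MX record points, because a rule of this shape only overrides a high confidence phish verdict when the MX does not target Exchange Online Protection. The rule names, the comment text, the tenant domain and the IP ranges are placeholders; substitute the ranges your simulation mail actually arrives from (the Sophos ranges, or, as Bjarne describes, the upstream spam filter's ranges).

```powershell
# Added example for this thread; not the Sophos KB script and not Microsoft's own code.
# Assumes an Exchange Online PowerShell session (Install-Module ExchangeOnlineManagement;
# Connect-ExchangeOnline) opened by an admin of the tenant the simulation targets.

# Placeholder ranges (TEST-NET-1, RFC 5737). Replace with the ranges your simulation
# mail really arrives from: the Sophos Phish Threat ranges, or the upstream spam
# filter's ranges if another filter sits in front of Exchange Online.
$simulationSenderIps = @('192.0.2.10', '192.0.2.11')
$tenantDomain        = 'example.com'   # placeholder for the simulated recipient domain

# 1) Tom's caveat first: Secure by Default applies only while the MX targets EOP.
#    If it does, a mail flow rule cannot override a high confidence phish verdict,
#    so check this before relying on the rules below.
$mx = Resolve-DnsName -Name $tenantDomain -Type MX -ErrorAction Stop
$mxTargetsEop = $mx | Where-Object { $_.NameExchange -like '*.mail.protection.outlook.com' }
if ($mxTargetsEop) {
    Write-Warning "MX for $tenantDomain points at EOP: Secure by Default stays active and these rules will not override high confidence phish verdicts."
}

# 2) Skip spam filtering for mail from the simulation sender ranges.
New-TransportRule -Name 'Phish Threat - skip spam filtering' `
    -SenderIpRanges $simulationSenderIps `
    -SetSCL -1 `
    -Comments 'Authorised phishing simulation traffic.'

# 3) Skip Safe Links for the same mail (a rule sets one header, hence separate rules).
New-TransportRule -Name 'Phish Threat - skip Safe Links' `
    -SenderIpRanges $simulationSenderIps `
    -SetHeaderName 'X-MS-Exchange-Organization-SkipSafeLinksProcessing' `
    -SetHeaderValue '1'

# 4) Skip Safe Attachments for the same mail.
New-TransportRule -Name 'Phish Threat - skip Safe Attachments' `
    -SenderIpRanges $simulationSenderIps `
    -SetHeaderName 'X-MS-Exchange-Organization-SkipSafeAttachmentProcessing' `
    -SetHeaderValue '1'

# 5) Verify what was created and that each rule is enabled.
Get-TransportRule | Where-Object { $_.Name -like 'Phish Threat - *' } |
    Format-List Name, State, SenderIpRanges, SetSCL, SetHeaderName, SetHeaderValue
```

The warning in step 1 is the practical reading of the Microsoft text Tom quoted: with the MX at EOP, the three rules still take effect for ordinary mail but do not rescue a message that Defender has classified as high confidence phish, which is one way to get exactly Michael's symptom of delivered mail whose clicks are still blocked. For tenants in that position, Microsoft's supported route (beyond what this thread covers) is the phishing simulation section of the Advanced delivery policy in the Defender portal rather than a mail flow rule.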
  • Hello Tom, thanks for your detailed answer.

    To be honest, I am just not sure what it tells me in my scenario, which we already cleared up.
    For now we still have the situation that we have a tenant with MX records pointing to Microsoft.

    We did all the exceptions from the script. Even the links do not get "rewritten" and seem "normal" when hovering over them, but somehow OWA still redirects every click on those links to the Safe Links engine and blocks the clicks.