
Setup of Phish Threat in Office365

Hello,

I started to set up Phish Threat for my company, but I have trouble with Office 365: it is opening the e-mails and links, so they distort the reports.

I completely copied the settings of this user community.sophos.com/.../501783 but e-mails were still blocked, Defender active and so on.

After that I created my own rules and everything works, but it seems as if Office 365 is opening the e-mails and links as soon as they come in.

Any solution or idea what I did wrong?

PS: My company is located in Germany.



Edited TAGs
[edited by: emmosophos at 7:04 PM (GMT -8) on 16 Feb 2024]
  •   Thank you, please keep me posted.  I was reading the Secure by Default article in your other post and Microsoft talks about exceptions: 

    However, we have already configured the Advanced delivery and added 

    • 54.240.51.52
    • 54.240.51.53
    • amazonses.com
    • ~eu-west-1.awstrack.me~
    • ~sophos-phish-threat.go-vip.co~

    We also created the transport rules, added the IPs and domains in the IP allow list and the Allowed senders and domains list, and it is still not working. Just wanted to add more detail on what has been done already.

    Hopefully we can find a solution soon. 

  • Thanks Simon, I've been working with a customer or two where we've done the same configuration and it had no effect, and then for some customers it has worked. The only other thing I've tried is to adjust the Sophos Pre-Filter to say from any outside organization to inbound organization, set the SCL to -1. I have been digging into this more and more for the last few weeks, which makes me think something has changed at M365. I find no reason why following their documented procedures doesn't work. In the past I had a support case open with Microsoft because of their 20 entry limit, and they came back and advised using the DKIM domain, which is the amazonses.com entry in the above list. The other thing I had some success with in one of my personal instances was disabling Enhanced Connector Security - which prevents Microsoft from looking back in the headers for the sending IP. Under Threat Policies, look at Enhanced Filtering, turn off any that are enabled, and test.

  • OK, here I am, sorry for the late response. But my mate who wanted to test this needed some days off.

    I will give you some more details. What I can say is that we did somehow get the mails working and Safe Links not responding to the links. We did everything in the PowerShell script linked here somewhere.

    However, we did test with Exchange Online OWA, and OWA for whatever reason ignored the Safe Links policy.

    So far it is working in Outlook but not OWA. I will keep you updated, and as soon as we get it to work I will post an updated PowerShell script version.