More Microsoft Woes and a Little Add Blocker Problem

Well we figured out how to get around the uBlock Origin add blocker blocking the links in the Link Phish Campaigns (see below) but we are not sure what to do about the docx files opening in safe mode and being blocked. 

I started a ticket with Sophos and their official response was "It's not on Sophos' end." While I have to agree with them, I don't quite accept that as a full on answer. The attachments worked fine until about a month ago. We made no changes to our O365 settings, but somehow, the attachments all started defaulting to "open in safe mode."

If this was a MS update, I have to think that others will start to see this behavior as well. As it stands, the document phish campaigns are now useless to us. Are any of you experiencing this behavior? 

The fix for the uBlock Origin add blocker was found on Reddit, posted by DefinitelyYou: https://www.reddit.com/r/uBlockOrigin/comments/o7q2ou/control_trusted_sites_with_gpo/

Well we figured out how to get around the uBlock Origin add blocker blocking the links in the Link Phish Campaigns (see below) but we are not sure what to do about the docx files opening in safe mode and being blocked. 

I started a ticket with Sophos and their official response was "It's not on Sophos' end." While I have to agree with them, I don't quite accept that as a full on answer. The attachments worked fine until about a month ago. We made no changes to our O365 settings, but somehow, the attachments all started defaulting to "open in safe mode."

If this was a MS update, I have to think that others will start to see this behavior as well. As it stands, the document phish campaigns are now useless to us. Are any of you experiencing this behavior? 

The fix for the uBlock Origin add blocker was found on Reddit, posted by DefinitelyYou: https://www.reddit.com/r/uBlockOrigin/comments/o7q2ou/control_trusted_sites_with_gpo/

Hello James,

Thank you for contacting the Sophos Community.

I looked under your account but I couldn't find a case related to what you are mentioning about the "open in safe mode"? Could you please share it with us.

Regards,

This is regarding to the case 07231810.

Hi James,

Thanks for taking the time to update and share with us the caseID.

Upon checking the case, you had a recent engagement with the engineer via call, and you are to verify the settings on your 0365 side of things. Once information has been gathered you shall be updating and then the engineer will be going over the next plan of action. I also left notes on your case referring to the details you have shared with us here on the Community.

Many thanks for your time and patience and thank you for choosing Sophos.

Regards,

I spoke with our Office 365 support group (AppRiver), and they said there was no way to set attachments from Outlook to open in Protected View for some locations but not others, and there are no settings within Office 365 Admin Center to control this behavior. 

As it stands, in Office 365, you can set ALL attachments in Outlook to open in Protected View or NONE of the attachments from Outlook to open in Protected View.

I’m sure you can understand that we would want to keep the settings turned on for ALL attachments in Outlook to open in Protected View. I am not sure what has changed, but we did not have this issue up until about 2 months ago.

Hello James,

As far as I know and enquiring internally, the option of Protected View has to be disabled, for the attachment to run the script properly.

I also reproduced the same, and PM confirmed this has been the behavior for Protected View since implementation. So in other words this option has to be disable for Phish Threat to work properly.

Regards,

Hello Community,

To close the loop in this thread, PM took the case to confirm with DEV that no changes have been made on the Phish Thread side of things. The product is working as expected.

The limitations around the protected view are documented in the following Knowledge base article.

This behavior results from the added layer of protection that Microsoft provides with its Protected View mode.

The following Feature Request PT-I-94 has been created, requesting that with Protected View enabled, the report on opened attachments should work without disabling Protected View or users having to click "enable editing".

Regards,

Here was my final resolution with Sophos:

Hello,

Thank you for that information.

I appreciate you putting in this request, but I think that you can withdraw it. After much discussion and reading through documents and forums, I think that it is probably okay that the users must disable the feature in order for the event to trigger. There is protection from the attachment already in place via Sophos Email filtering, Sophos Anti-virus, Microsoft Defender, and the added layer of Protected View. If these don’t stop a malicious attachment, then I think we have bigger Phish to fry, so to speak. I think the training being focused on the user disabling protected view is adequate. 

Thank you for your time and for helping me to come to this understanding. I do appreciate it.

Have a great day and week ahead.

Best,

James