Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Replies 8 replies
  • Subscribers 7 subscribers
  • Views 2349 views
  • Users 0 members are here
Options
Suggested

More Microsoft Woes and a Little Add Blocker Problem

james hickey

Hi everyone, 

We are running into a new problem with our Phishing emails and Office 365. All of the users are receiving the emails, however, in the case of the word documents that come as attachments, when our users open them, the documents open in safe mode because they come in an email. This prevents the script from running and no reporting occurs. 

Would love to know how to get around this. From what I gather, this link: https://support.sophos.com/support/s/article/KB-000037983?language=en_US only describes how to stop Exchange Online from blocking the emails outright. 

In the case of campaigns with links as the bait, those emails come through fine as well, however, our Add-Blocker is blocking the links when the users click them. We use Ublock Origin. 

Has anyone had any experience tuning Ublock Origin and if so, is that something that can be done via Group Policy? 

Phish Threat has really helped our company foster and develop a safer email community but there are an increasing number of hoops we are having to jump through between MS and Sophos which is making it more and more difficult to use.

Don't lose track of the Golder Rule of cyber... If it's too hard to use, nobody is going to use it.



Edited TAGs
[edited by: emmosophos at 7:57 PM (GMT -8) on 1 Mar 2024]
Parents Reply Children
  • 0 in reply to james hickey

    Hi James,

    Thanks for taking the time to update and share with us the caseID.

    Upon checking the case, you had a recent engagement with the engineer via call, and you are to verify the settings on your 0365 side of things. Once information has been gathered you shall be updating and then the engineer will be going over the next plan of action. I also left notes on your case referring to the details you have shared with us here on the Community.

    Many thanks for your time and patience and thank you for choosing Sophos.

    Regards,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • 0 in reply to Raphael Alganes

    I spoke with our Office 365 support group (AppRiver), and they said there was no way to set attachments from Outlook to open in Protected View for some locations but not others, and there are no settings within Office 365 Admin Center to control this behavior. 


    As it stands, in Office 365, you can set ALL attachments in Outlook to open in Protected View or NONE of the attachments from Outlook to open in Protected View.

     

    I’m sure you can understand that we would want to keep the settings turned on for ALL attachments in Outlook to open in Protected View. I am not sure what has changed, but we did not have this issue up until about 2 months ago.

  • 0 in reply to james hickey

    Hello James,

    As far as I know and enquiring internally, the option of Protected View has to be disabled, for the attachment to run the script properly.

    I also reproduced the same, and PM confirmed this has been the behavior for Protected View since implementation. So in other words this option has to be disable for Phish Threat to work properly.

    Regards,

     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • +2 in reply to emmosophos

    Hello Community,

    To close the loop in this thread, PM took the case to confirm with DEV that no changes have been made on the Phish Thread side of things. The product is working as expected.

    The limitations around the protected view are documented in the following Knowledge base article.

    This behavior results from the added layer of protection that Microsoft provides with its Protected View mode.

    The following Feature Request PT-I-94 has been created, requesting that with Protected View enabled, the report on opened attachments should work without disabling Protected View or users having to click "enable editing".

    Regards,

     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • 0 in reply to emmosophos

    Here was my final resolution with Sophos:

    Hello,

    Thank you for that information.

    I appreciate you putting in this request, but I think that you can withdraw it. After much discussion and reading through documents and forums, I think that it is probably okay that the users must disable the feature in order for the event to trigger. There is protection from the attachment already in place via Sophos Email filtering, Sophos Anti-virus, Microsoft Defender, and the added layer of Protected View. If these don’t stop a malicious attachment, then I think we have bigger Phish to fry, so to speak. I think the training being focused on the user disabling protected view is adequate. 

    Thank you for your time and for helping me to come to this understanding. I do appreciate it.

    Have a great day and week ahead.

    Best,

    James

Unfiltered HTML