More Microsoft Woes and a Little Add Blocker Problem

Hi everyone,

We are running into a new problem with our Phishing emails and Office 365. All of the users are receiving the emails, however, in the case of the word documents that come as attachments, when our users open them, the documents open in safe mode because they come in an email. This prevents the script from running and no reporting occurs.

Would love to know how to get around this. From what I gather, this link: https://support.sophos.com/support/s/article/KB-000037983?language=en_US only describes how to stop Exchange Online from blocking the emails outright.

In the case of campaigns with links as the bait, those emails come through fine as well, however, our Add-Blocker is blocking the links when the users click them. We use Ublock Origin.

Has anyone had any experience tuning Ublock Origin and if so, is that something that can be done via Group Policy?

Phish Threat has really helped our company foster and develop a safer email community but there are an increasing number of hoops we are having to jump through between MS and Sophos which is making it more and more difficult to use.

Don't lose track of the Golder Rule of cyber... If it's too hard to use, nobody is going to use it.

Edited TAGs
[edited by: emmosophos at 7:57 PM (GMT -8) on 1 Mar 2024]

Top Replies

emmosophos 1 month ago in reply to emmosophos +3 verified

Hello Community, To close the loop in this thread, PM took the case to confirm with DEV that no changes have been made on the Phish Thread side of things. The product is working as expected. The limitations…

Parents

0 james hickey 2 months ago

Well we figured out how to get around the uBlock Origin add blocker blocking the links in the Link Phish Campaigns (see below) but we are not sure what to do about the docx files opening in safe mode and being blocked.

I started a ticket with Sophos and their official response was "It's not on Sophos' end." While I have to agree with them, I don't quite accept that as a full on answer. The attachments worked fine until about a month ago. We made no changes to our O365 settings, but somehow, the attachments all started defaulting to "open in safe mode."

If this was a MS update, I have to think that others will start to see this behavior as well. As it stands, the document phish campaigns are now useless to us. Are any of you experiencing this behavior?

The fix for the uBlock Origin add blocker was found on Reddit, posted by DefinitelyYou: https://www.reddit.com/r/uBlockOrigin/comments/o7q2ou/control_trusted_sites_with_gpo/
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 emmosophos 2 months ago in reply to james hickey

Hello James,

Thank you for contacting the Sophos Community.

I looked under your account but I couldn't find a case related to what you are mentioning about the "open in safe mode"? Could you please share it with us.

Regards,

Emmanuel (EmmoSophos)

Technical Team Lead, Global Community Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 james hickey 2 months ago in reply to emmosophos

This is regarding to the case 07231810.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Raphael Alganes 2 months ago in reply to james hickey

Hi James,

Thanks for taking the time to update and share with us the caseID.

Upon checking the case, you had a recent engagement with the engineer via call, and you are to verify the settings on your 0365 side of things. Once information has been gathered you shall be updating and then the engineer will be going over the next plan of action. I also left notes on your case referring to the details you have shared with us here on the Community.

Many thanks for your time and patience and thank you for choosing Sophos.

Regards,

Raphael Alganes
Community Support Engineer | Sophos Technical Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 james hickey 2 months ago in reply to Raphael Alganes

I spoke with our Office 365 support group (AppRiver), and they said there was no way to set attachments from Outlook to open in Protected View for some locations but not others, and there are no settings within Office 365 Admin Center to control this behavior.

As it stands, in Office 365, you can set ALL attachments in Outlook to open in Protected View or NONE of the attachments from Outlook to open in Protected View.

I’m sure you can understand that we would want to keep the settings turned on for ALL attachments in Outlook to open in Protected View. I am not sure what has changed, but we did not have this issue up until about 2 months ago.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 emmosophos 2 months ago in reply to james hickey

Hello James,

As far as I know and enquiring internally, the option of Protected View has to be disabled, for the attachment to run the script properly.

I also reproduced the same, and PM confirmed this has been the behavior for Protected View since implementation. So in other words this option has to be disable for Phish Threat to work properly.

Regards,

Emmanuel (EmmoSophos)

Technical Team Lead, Global Community Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
+2 emmosophos 1 month ago in reply to emmosophos

Hello Community,

To close the loop in this thread, PM took the case to confirm with DEV that no changes have been made on the Phish Thread side of things. The product is working as expected.

The limitations around the protected view are documented in the following Knowledge base article.

This behavior results from the added layer of protection that Microsoft provides with its Protected View mode.

The following Feature Request PT-I-94 has been created, requesting that with Protected View enabled, the report on opened attachments should work without disabling Protected View or users having to click "enable editing".

Regards,

Emmanuel (EmmoSophos)

Technical Team Lead, Global Community Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up +3 Vote Down

Sign in to reply

Verify Answer

Reject Answer

Cancel
0 james hickey 1 month ago in reply to emmosophos

Here was my final resolution with Sophos:

Hello,

Thank you for that information.

I appreciate you putting in this request, but I think that you can withdraw it. After much discussion and reading through documents and forums, I think that it is probably okay that the users must disable the feature in order for the event to trigger. There is protection from the attachment already in place via Sophos Email filtering, Sophos Anti-virus, Microsoft Defender, and the added layer of Protected View. If these don’t stop a malicious attachment, then I think we have bigger Phish to fry, so to speak. I think the training being focused on the user disabling protected view is adequate.

Thank you for your time and for helping me to come to this understanding. I do appreciate it.

Have a great day and week ahead.

Best,

James
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 james hickey 1 month ago in reply to emmosophos

Here was my final resolution with Sophos:

Hello,

Thank you for that information.

I appreciate you putting in this request, but I think that you can withdraw it. After much discussion and reading through documents and forums, I think that it is probably okay that the users must disable the feature in order for the event to trigger. There is protection from the attachment already in place via Sophos Email filtering, Sophos Anti-virus, Microsoft Defender, and the added layer of Protected View. If these don’t stop a malicious attachment, then I think we have bigger Phish to fry, so to speak. I think the training being focused on the user disabling protected view is adequate.

Thank you for your time and for helping me to come to this understanding. I do appreciate it.

Have a great day and week ahead.

Best,

James
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

No Data