SEA Sandstorm breaks KnowBe4 training.


Not sure if this is the correct place to ask. We currently use a training service to send test phishing emails to end users, with various attachments/links, to monitor their actions when potentially dangerous emails get to their inbox. A web interface allows us to see if the user has opened/clicked/opened attachments/replied.

This has been working without problem for the last 6 months. 

The emails pass in to our users via the Virtual Sophos SEA appliance, and a global allow rule lets them through.

Last week the SEA started to "Sandstorm" test the attachments! This causes major problems. For example, BEFORE the email is delivered, Sandstorm checks the attachment (.pdf) and test clicks/opens any links/downloads within it. This flags the user as a "Clicker!" before they even receive the email! The test results are useless!! Even worse, the users are auto-enrolled for additional training!

How can I fix this problem? Is a workaround possible? I do not want to turn the entire feature off but it is destroying our training program!



  • Hi Tony

    You will need to find out the envelope sender and add them to the exclusions in the Sandstorm rule under threat protection / senders. Unfortunately, any samples that are sent to Sandstorm have every link activated, so this would cause it to look like your user pressed the links and in turn sign them all up for training.

    ** or enter the entire address or just depending on what tab you're modifying.


    You should be able to get this information from viewing the message source. It is generally the first received by: above the subject.
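
Added example, not part of the reply above: one way to pull envelope-sender candidates out of a saved message source so the right value goes into the Sandstorm sender exclusion. It assumes the receiving server records the envelope sender in `Return-Path` or in an `envelope-from` comment inside `Received` (not every MTA does); the sample message and all hosts and addresses are constructed placeholders.

```python
import email
import re
from email.utils import parseaddr
# Constructed message source; every host and address is a placeholder.
SAMPLE_SOURCE = """\
Return-Path: <bounce-1234@psm.training.example>
Received: from mta1.training.example (mta1.training.example [192.0.2.10])
\tby sea.corp.example with ESMTP id ABC123
\t(envelope-from <bounce-1234@psm.training.example>)
\tfor <tony@corp.example>; Mon, 01 Jan 2018 09:00:00 +0000
From: "IT Helpdesk" <helpdesk@corp-support.example>
To: tony@corp.example
Subject: Password expiry notice

Test body.
"""

# Some MTAs record SMTP MAIL FROM in a Received comment; not all do.
ENVELOPE_FROM = re.compile(r"envelope-from\s+<([^>]*)>", re.IGNORECASE)

def envelope_sender_candidates(raw_source):
    """Return (where_found, address) pairs for likely envelope senders."""
    msg = email.message_from_string(raw_source)
    found = []
    # Return-Path is added at final delivery from the SMTP MAIL FROM value.
    for value in msg.get_all("Return-Path", []):
        addr = parseaddr(value)[1]
        if addr:  # "<>" (null sender on bounces) parses to an empty string
            found.append(("Return-Path", addr.lower()))
    for hop, value in enumerate(msg.get_all("Received", [])):
        match = ENVELOPE_FROM.search(value)
        if match and match.group(1):
            found.append((f"Received[{hop}]", match.group(1).lower()))
    return found

def summarize(raw_source):
    """Compare the envelope sender with the From: header the user sees."""
    msg = email.message_from_string(raw_source)
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    senders = sorted({addr for _, addr in envelope_sender_candidates(raw_source)})
    return {
        "header_from": header_from,
        "envelope_senders": senders,
        "sender_domains": sorted({a.rsplit("@", 1)[1] for a in senders if "@" in a}),
        "differs_from_header": bool(senders) and header_from not in senders,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_SOURCE))
```

When `differs_from_header` is true, an exclusion keyed on the visible `From:` address would not match the envelope sender that the reply says to exclude.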