We should have been receiving emails from Sophos regarding an MTR incident, but we never did. I went into Email Gateway > Message Trace and looked for the email address on the dates expected and we can see entries for the missing emails that state:
'Last Status' > Deleted for email@example.com | 'Reason' > Customer block list
The only place I would assume this would be is the Allow / Block list Settings entry in Email Gateway, but in said portal there's no such entry for any email address/domain that we were expecting the email to come from (firstname.lastname@example.org). Curiously, the status suggesting it was 'Deleted for' as above would imply that it would only be deleted for that named person's mailbox, and yet there were a handful of us in the intended recipients.
Can someone please clarify for me what has happened here and how we can ensure this doesn't happen again?
Thank you for contacting the Sophos Community.
You might have been affected by XGE-20693, which basically would delete/quarantine (Depending on your settings) emails with file types that aren’t part of the DLP policy.
This might have happened if you configured your own Use custom list and switched back to "Use Sophos recommended list".
The workaround was to delete the DLP rule having "Use Sophos Recommended list" and create a new rule with "Use Sophos recommended list"
However, this was fixed on Aug 12, I would recommend to run the Work Around, and monitor if the issue happens again, and if so open a case with support to have it investigated, mention the XGE-20693, or if you need a RCA you can also open once, requesting for the same, (if emails aren’t more than 14 days long)