This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

MS 365 Alerts ETR override as Sophos passes along phishing attacks

We've always gotten a lot of phishing attacks since we started on Sophos Email Protection. Maybe slightly less than when we just had the standard MS365 spam protection. I collect many of the blatant ones that get through, which is at least once a day. And our users use the Report Message button to report to Sophos. To implement Sophos we are supposed to have a rule in place to pass all mail (Sophos doc refers to it as "clean" mail) from Sophos to the user.

The last few weeks we have been getting alerts from MS 365: "Informational-severity alert: Phish delivered due to an ETR override". This is alerting us to the fact that the Sophos EOP override rule has forced MS 365 to pass along a phishing email to us. So with each phishing email, I get to go through a bunch of emails:

--2 or 3 people asking me if the message is OK

--1-3 people reporting via Sophos

-- And now, multiple alerts from MS telling me their basic email protection service can see it's a phish but the advanced Sophos tool can't--an alert for each user that gets the phish, which usually is several.

I don't want to turn off alerts from MS, but I also don't need alerts from MS telling me what I know (that a phishing email was let through by Sophos).

Anyone know why this started in last few weeks? Anyone know how to turn it off for just one ETR rule?

Mitch Turner

Sr. Director, IT, NDIA



This thread was automatically locked due to age.
  • Hello there,

    Thank you for contacting the Sophos Community.

    I would recommend you to get a case open with support, and submit the email samples directly to the engineer, so they can pass them down directly to our Labs Team.

    Checking internally I noticed an open case for the same, on Sep 1 after the samples were submitted to Labs,  they mentioned they aren’t Phish but rather Spam.

    Regards,


     
    Emmanuel (EmmoSophos)
    Community Support Engineer | Sophos Technical Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • I am having the same issue lately I am seeing a lot of these emails coming thru but MS is able to identify it is a phishing email. Sophos is suppose to be better in regards to detecting this what gives? .. Mitch the other thing I notice on the phishing email we receive is the smart banners are not being shown. Is that the same for you.? This kinda freaks me out.. . Not sure if you are using that feature though. TY

  • Thanks! No, these are Phishes. And now it's suddenly gotten worse--when users see the phish and report it, MS is reporting the copies of the emails sent to me as ETR Overrides!

  • Hello Mitch,

    Thank you for the follow-up.

    In that case, I would recommend you to open a case with support to get this investigated, feel free to share the Case ID with me once you have it.

    Regards,


     
    Emmanuel (EmmoSophos)
    Community Support Engineer | Sophos Technical Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Case 04386649 ... I uploaded 30 of hundreds of examples.

  • Ninja, I do get the banners and subject line tags for emails that Sophos sees as a problem. The issue is most are not flagged, as you are also seeing.

  • Hello Mitch,

    Thank you for the Case ID. 

    I can see one Engineer has already started to analyze the sample provided.

    I have left a note on the case as well for the engineer to check.

    Regards,


     
    Emmanuel (EmmoSophos)
    Community Support Engineer | Sophos Technical Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Hi Mitch,

    same as mine as well. I just deployed Sophos 3 weeks ago and it happened on the 2nd week of deployment. Even though I open the case, I haven't got any answer from Sophos support.

    Regards,

    Arthur

  • I got an answer from the engineer within a day that our system was configured correctly and they would be looking at the submitted samples. A week later I got an update asking if we had any updates on the issue. We were waiting for some answer on why the samples got through. Yesterday we got a response to my response saying they were looking at the samples. We continue to have fresh examples of clear phishing attacks almost every day. Hoping we get a specific response on these, this really goes to the heart of the email protection product.

  • Here is the response from Sophos Support Team.

    The samples submitted are a part of new zero-day campaign and we have update our detection level to block them. This will help block the similar type of samples and will not come again.

    My confidence in this product just went down a couple of notches. For a product that is suppose to be more superior than the built in MS Tools. Why am I even paying for this...