We've always gotten a lot of phishing attacks since we started on Sophos Email Protection. Maybe slightly less than when we just had the standard MS365 spam protection. I collect many of the blatant ones that get through, which is at least once a day. And our users use the Report Message button to report to Sophos. To implement Sophos we are supposed to have a rule in place to pass all mail (Sophos doc refers to it as "clean" mail) from Sophos to the user.
The last few weeks we have been getting alerts from MS 365: "Informational-severity alert: Phish delivered due to an ETR override". This is alerting us to the fact that the Sophos EOP override rule has forced MS 365 to pass along a phishing email to us. So with each phishing email, I get to go through a bunch of emails:
--2 or 3 people asking me if the message is OK
--1-3 people reporting via Sophos
-- And now, multiple alerts from MS telling me their basic email protection service can see it's a phish but the advanced Sophos tool can't--an alert for each user that gets the phish, which usually is several.
I don't want to turn off alerts from MS, but I also don't need alerts from MS telling me what I know (that a phishing email was let through by Sophos).
Anyone know why this started in last few weeks? Anyone know how to turn it off for just one ETR rule?
Sr. Director, IT, NDIA
Here is the response from Sophos Support Team.
The samples submitted are a part of new zero-day campaign and we have update our detection level to block them. This will help block the similar type of samples…
same as mine as well. I just deployed Sophos 3 weeks ago and it happened on the 2nd week of deployment. Even though I open the case, I haven't got any answer from Sophos support.