Sophos Email customers using IP-based mailflow rule connectors must migrate to certificate-based configuration by March 31st. To see if you're affected Click Here.

Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 13 replies
  • Subscribers 19 subscribers
  • Views 21837 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

MS 365 Alerts ETR override as Sophos passes along phishing attacks

Mitch Turner

We've always gotten a lot of phishing attacks since we started on Sophos Email Protection. Maybe slightly less than when we just had the standard MS365 spam protection. I collect many of the blatant ones that get through, which is at least once a day. And our users use the Report Message button to report to Sophos. To implement Sophos we are supposed to have a rule in place to pass all mail (Sophos doc refers to it as "clean" mail) from Sophos to the user.

The last few weeks we have been getting alerts from MS 365: "Informational-severity alert: Phish delivered due to an ETR override". This is alerting us to the fact that the Sophos EOP override rule has forced MS 365 to pass along a phishing email to us. So with each phishing email, I get to go through a bunch of emails:

--2 or 3 people asking me if the message is OK

--1-3 people reporting via Sophos

-- And now, multiple alerts from MS telling me their basic email protection service can see it's a phish but the advanced Sophos tool can't--an alert for each user that gets the phish, which usually is several.

I don't want to turn off alerts from MS, but I also don't need alerts from MS telling me what I know (that a phishing email was let through by Sophos).

Anyone know why this started in last few weeks? Anyone know how to turn it off for just one ETR rule?

Mitch Turner

Sr. Director, IT, NDIA



Edited tags
[edited by: Raphael Alganes at 6:31 AM (GMT -7) on 7 Jun 2023]
  • 0 in reply to Ninjatech1969

    Wow. I've given 30 samples, can give hundreds more. They are mostly the standard "invoice due", "voicemails waiting", "your account will be deleted" type things. If I get an answer like that it's time to move to a different service. Obviously Microsoft can catch at least some of them--and that is with their basic protection. I'm guessing the advanced protection will be even better.

  • 0 in reply to Mitch Turner

    Hello Mitch,

    Thank for the feedback, I have asked the engineer to check the rest of the emails, as a couple of them seem to be released by the user from their quarantine.

    In any case for the ones that weren’t caught the engineer will be checking with our Senior Internal team.

    If you receive any new "phish" email from your users, would it be possible for you to send me a couple to me directly via PM. 

    Regards,

     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • 0

    Sophos tech replied: "This is to update you that we have received an internal update from the Sophos Labs team that shared Samples with them have been blocked now." Other than instructions to report new phishing emails, that is it. I replied back that the response is not helpful since I have no idea if they actually found something wrong and fixed it, if they changed config of my system, or there were some unique characteristics of the emails that got them past the Sophos filter. Hard to have any confidence it's fixed when you get not even the slightest info on the cause. We shall see how it works.

    

    

    

    
				                    
    
                
    
            
    
        	
    

		
		
		
		
	
    
	
    
		
    
			
		
    
	
    
	
    
		
						
				
				
				
				
				
		
		
    
			
		
    
	
    

    

    • 

	





	
			





















































			











Unfiltered HTML