Reflexion will be End-of-life on March 31, 2023. See Sophos Reflexion EoL FAQs to learn more.
We have many clients on Sophos filtering of email before delivery to M365.
Yesterday we had several clients where the email was "removed" (after delivery) from their inboxes and taken back to M365 quarantine as a "high confidence phish". Essentially it was very much (all) the emails that contained a URL.
I'm wondering if the Sophos modification of those URLs at the spam/virus filter end (safe links) prior to delivery is upsetting "something" at M365, and what do we need to do to fix it?
Hello Dennis,
Just to make sure, you are talking about Sophos Central Email, right?
In this case you should make sure you have activated post-delivery protection:
https://docs.sophos.com/central/Customer/help/en-us/ManageYourProducts/GlobalSettings/EmailM365Security/EmailSetupPostDelivery/index.html
This technique protects your mailboxes if, for example, an email is delivered to your users' mailboxes which was not detected because the URLs included in the received email were not active yet. This means nobody can scan the URLs and tell whether they are malicious or not. If the spammers then start up the targeted web servers, it is now possible to scan the targets, and if a URL points to malware the mails can be removed from the users' mailboxes afterwards.
The second option is to turn on URL Protection:
https://docs.sophos.com/central/Customer/help/en-us/ManageYourProducts/EmailSecurity/EmailSecurityPolicy/EmailURLProtection/index.html
This will also protect against malicious URLs.
HTH
Regards,
Sevensix
I have the same issue with multiple clients. We are seeing false positives from Microsoft Quarantine as "High Confidence Phish". Microsoft do not allow these to be whitelisted.
Sophos, is there a way around this issue?
If you are using Time of Click in Sophos Email and the affected emails in M365 show that a URL was detected when you look at the Email Details, check whether it shows the URL below:
https://xgemail.protection.stn100syd.ctr.sophos.com
A possible resolution is to put it in the whitelist for Safe Links rewriting. Try the following:
Thanks - we are going to try that as it looks logical. I gave Sophos support the exact same question. Sophos have not understood the issue raised; they are telling us to enable the stuff that's causing the issue, and not "why is Sophos URL protection causing a false positive for phishing in Exchange Online Protection".
Have tried - I'm assuming this is an M365 "premium" Defender feature we don't have access to. Also, my URL rewrites start as https://us-west-2.protection.sophos.com?d=app blah blah gobbledygook
Dennis Jones Thanks for the update. If you did not see the "xgemail.protection.stn100syd.ctr.sophos.com" URL then your issue might be caused by a different part of M365 protection. Do you happen to have the case number?
RE: 06213121 / Sophos filtered Email to M365 - Microsoft then removing legit emails as High Confidence Phish / ref:_00D301GN6a._5003Z1XoXx5:ref
I see you are in Aus. My last reply to support:
Hi Roshna, please can we escalate this to the service team in Australia, as they are only a couple of hours behind our time zone?
Dennis Jones I have taken a look at the case but did not find any screenshots nor indicators as to what might be happening or causing this. I would like to set the expectation that this is not a Sophos issue but a Microsoft one. From the symptoms described, it looks like Microsoft did something in their product that basically classified emails that have URLs to be quarantined even though they were already in the inbox. As we did not create M365, our diagnosis/recommendations would not be on par with Microsoft's support on this matter. I would therefore recommend contacting them instead in order to resolve this faster.
Yes we have come to the same conclusion.
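The thread's working hypothesis is that messages carrying Sophos time-of-click rewritten links are the ones M365 later pulls back as "High Confidence Phish". Before raising that with Microsoft, it helps to show the correlation from your own data rather than assert it. The script below is an added example written for this page, not Sophos or Microsoft code: it reads a constructed, hypothetical CSV export (one row per delivered message, the post-delivery verdict if any, and the URLs extracted from the body), classifies each URL as a Sophos rewrite or not, and tallies quarantined versus still-delivered messages by whether they contain a rewritten link. The two redirector host suffixes are taken from the links quoted in the thread (`xgemail.protection.stn100syd.ctr.sophos.com` and `us-west-2.protection.sophos.com`); assuming other regions follow the same pattern is an assumption, as is the CSV layout.

```python
"""Correlate post-delivery quarantine verdicts with Sophos time-of-click
URL rewrites. Added example; the export layout is constructed, not a real
M365 or Sophos export format."""
import csv
import io
from collections import Counter
from urllib.parse import urlparse

# Hostname suffixes of Sophos time-of-click redirectors, derived from the two
# rewritten links quoted in the thread. Assumption: other regions use the
# same two domain patterns.
REWRITE_SUFFIXES = (".protection.sophos.com", ".ctr.sophos.com")

# Constructed sample in a hypothetical CSV layout: one row per delivered
# message, the verdict M365 applied after delivery (empty = still in the
# inbox) and the URLs found in the body, separated by spaces.
SAMPLE_EXPORT = """\
message_id,post_delivery_verdict,urls
<m1@example.com>,High Confidence Phish,https://us-west-2.protection.sophos.com?d=app-example&u=aHR0cHM6Ly9leGFtcGxlLm9yZw
<m2@example.com>,,https://docs.sophos.com/central/Customer/help/en-us/
<m3@example.com>,High Confidence Phish,https://xgemail.protection.stn100syd.ctr.sophos.com/go?u=abc https://example.org/report.pdf
<m4@example.com>,High Confidence Phish,https://example.org/invoice
<m5@example.com>,,https://us-west-2.protection.sophos.com?d=app-example&u=bWFpbHRv
<m6@example.com>,,
"""


def is_sophos_rewrite(url: str) -> bool:
    """True if the URL's host is a Sophos time-of-click redirector."""
    host = urlparse(url).hostname or ""
    return host.lower().endswith(REWRITE_SUFFIXES)


def correlate(export_text: str) -> dict:
    """Tally messages by (quarantined?, contains rewritten URL?) and list the
    ids of messages that were quarantined *and* carry a rewritten link."""
    tally = Counter()
    suspects = []
    for row in csv.DictReader(io.StringIO(export_text)):
        urls = row["urls"].split()
        rewritten = any(is_sophos_rewrite(u) for u in urls)
        quarantined = row["post_delivery_verdict"].strip() != ""
        tally[(quarantined, rewritten)] += 1
        if quarantined and rewritten:
            suspects.append(row["message_id"])
    return {
        "quarantined_rewritten": tally[(True, True)],
        "quarantined_plain": tally[(True, False)],
        "delivered_rewritten": tally[(False, True)],
        "delivered_plain": tally[(False, False)],
        "suspects": suspects,
    }


def rewrite_share(stats: dict) -> tuple:
    """Fraction of quarantined and of still-delivered messages that carry a
    rewritten URL; a large gap between the two supports the hypothesis."""
    q_total = stats["quarantined_rewritten"] + stats["quarantined_plain"]
    d_total = stats["delivered_rewritten"] + stats["delivered_plain"]
    q_share = stats["quarantined_rewritten"] / q_total if q_total else 0.0
    d_share = stats["delivered_rewritten"] / d_total if d_total else 0.0
    return q_share, d_share


if __name__ == "__main__":
    stats = correlate(SAMPLE_EXPORT)
    q_share, d_share = rewrite_share(stats)
    print(stats)
    print(f"rewritten-URL share: quarantined {q_share:.0%}, delivered {d_share:.0%}")
```

Run it against a real export by replacing `SAMPLE_EXPORT` with the file contents in the same three-column layout; the `suspects` list is what you would attach to the Microsoft case, and a quarantined share far above the delivered share is the evidence that the rewrite, not the original link, is driving the verdict.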