Advisory: Sophos Endpoint "Your connection isn't private" after reboot. Policy settings can be returned to normal. See: KB-000045954 for the latest updates.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos filtered Email to M365 - Microsoft then removing legit emails as High Confidence Phish

We have many clients on Sophos filtering of email before delivery to m365

Yesterday we had several clients, where the email was "removed" (after delivery) from their inboxes and taken back to M365 quarantine as a "high confidence phish"

Essentially it was very much (all) the emails that contained a URL

I'm wondering if the Sophos modification of those URL's at the spam/virus filter end (safe links) prior to delivery, is upsetting "something" at M365 and what do we need to do to fix it?




This thread was automatically locked due to age.
Parents
  • I have the same issue with multiple clients
    We are seeing false positives from Microsoft Quarantine as "High Confidence Phish" 
    Microsoft do not allow these to be whitelisted.

    Sophos is there a way around this issue?

  • If you are using Time of Click in Sophos Email and the affected emails in M365 shows that there is a URL detected when you look at the Email Details. if it shows the URL below:

    https://xgemail.protection.stn100syd.ctr.sophos.com 

    Possible resolution is to put it in the whitelist for Safelinks re-writing. try the following:

    1. Login to Microsoft 365 admin center
    2. Click on Security. this will take you to Microsoft 365 Defender
    3. Click on Policies & Rules
    4. Click on Threat policies
    5. Click on Safe Links
    6. Click on Create
    7. Add the URL into the "Do not rewrite following URLs" list. 
  • Thanks - We are going to try that as it looks logical

    I gave sophos support the exact same question 
    -Sophos have not understood the issue raised
    -they are telling us to enable the stuff that's causing the issue
    -and not "why is sophos url protection causing a false positive for phishing in Exchange Online Protection"

Reply
  • Thanks - We are going to try that as it looks logical

    I gave sophos support the exact same question 
    -Sophos have not understood the issue raised
    -they are telling us to enable the stuff that's causing the issue
    -and not "why is sophos url protection causing a false positive for phishing in Exchange Online Protection"

Children
No Data