Sophos filtered Email to M365 - Microsoft then removing legit emails as High Confidence Phish

I have the same issue with multiple clients
We are seeing false positives from Microsoft Quarantine as "High Confidence Phish" 
Microsoft do not allow these to be whitelisted.

Sophos is there a way around this issue?

If you are using Time of Click in Sophos Email and the affected emails in M365 shows that there is a URL detected when you look at the Email Details. if it shows the URL below:

https://xgemail.protection.stn100syd.ctr.sophos.com 

Possible resolution is to put it in the whitelist for Safelinks re-writing. try the following:

1. Login to Microsoft 365 admin center
2. Click on Security. this will take you to Microsoft 365 Defender
3. Click on Policies & Rules
4. Click on Threat policies
5. Click on Safe Links
6. Click on Create
7. Add the URL into the "Do not rewrite following URLs" list. 

Thanks - We are going to try that as it looks logical

I gave sophos support the exact same question 
-Sophos have not understood the issue raised
-they are telling us to enable the stuff that's causing the issue
-and not "why is sophos url protection causing a false positive for phishing in Exchange Online Protection"

Have tried - I'm assuming this is a M365 "premium" defender feature we dont have access too.

Also my URL rewrites start as
https://us-west-2.protection.sophos.com?d=app  blah blah gobbldy gook

Dennis Jones Thanks for the update. If you did not see "xgemail.protection.stn100syd.ctr.sophos.com " URL then your issue might be caused by a different part of M365 protection. Do you happen to have the case number? 

RE: 06213121 / Sophos filtered Email to M365 - Microsoft then removing legit emails as High Confidence Phish / ref:_00D301GN6a._5003Z1XoXx5:ref

I see you are in Aus

My last reply to support

Hi Roshna

Please can we escalate this to the service team in Australia as they are only a couple of hours behind our time zone

Dennis Jones I have taken a look at the case but did not find any screenshots nor indicators as to what might be happening or causing this. I would like to set the expectation that this is not a Sophos issue but a Microsoft one. From the symptoms described, it looks like Microsoft did something in their product that basically classified emails that have URLs to be quarantined eventhough they were already inbox. As we did not create M365 our diagnosis/recommendations would not be on par with Microsoft's support on this matter. I would therefore recommend contacting them instead in order to resolve this faster.

Dennis Jones I have taken a look at the case but did not find any screenshots nor indicators as to what might be happening or causing this. I would like to set the expectation that this is not a Sophos issue but a Microsoft one. From the symptoms described, it looks like Microsoft did something in their product that basically classified emails that have URLs to be quarantined eventhough they were already inbox. As we did not create M365 our diagnosis/recommendations would not be on par with Microsoft's support on this matter. I would therefore recommend contacting them instead in order to resolve this faster.

Yes we have come to the same conclusion. 

Hi Dennis, did you happen to get to the bottom of this?

I presume we could add our Sophos Central Email IPs and Domain / URL as a Third Party Phishing SImulation to bypass this, however I am struggling to find the URL to use.

Hi Chris
We determined its a new Microsoft "feature"
We Disabled the Zero-Hour auto purge  (ZAP) "feature" in the 365 backend
(Given Sophos has already seen the email and considered it's safe)
Problem has gone away now
Not entirely comfortable with that solution, but its working for us