Microsoft 365 Defender grabbing too many emails

Kayzee Taylor I have the same problem. What was your fix?

Stuart James  I finally had to put in a ticket with SOPHOS and they are still working on it. The logs seem to be showing something odd

Sophia are still looking at it? After more than 3 weeks?  

Yeah apparently its not a common issue, when they get back to me ill post the solution here!

Hello Stuart,

I can see your case (06513956) was opened on May 10, and GES has left a note to share with you; it seems the emails were tagged as SPAM before they reached Sophos. 

The engineer should be sharing the next steps in the following email.

Regards,

It’s happening for me as well, and I assume there’s other cases open that aren’t posting in these forums. It would be good for Sophos to find a solution ASAP and post it here publicly so people know how to fix it. At the moment, Microsoft is filtering SPAM, not Sophos, so we’re paying for something that’s not doing anything.

Sophos is the only SPAM provider that I’ve used that uses MS rules. Every other provider has the MX records point at them directly before forwarding to Microsoft. If the issue here is Microsoft related, it would make more sense for Sophos to co-ordinate with Microsoft directly to identify the issue and come up with a solution rather than every Sophos customer logging calls behind the scene individually.

Hello Kayzee,

I don't see a case attached to your account for this issue. Can you share the Case ID?

Regards,

Please make sure you see SCL -1 in the headers - for example: 

X-Forefront-Antispam-Report: CIP:198.154.181.194;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:NSPM;H:mfid-

Can you post the following line from one of the headers of the emails: 

X-Forefront-Antispam-Report: CIP:198.154.181.194;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:NSPM;H:mfid-

Can you post the following line from one of the headers of the emails: 

X-Forefront-Antispam-Report: CIP:198.154.181.194;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:NSPM;H:mfid-