The issue we are seeing is when a spoofed email is sent for a user, for instance user email@example.com gets an email from firstname.lastname@example.org for a fake voicemail message.
What is happening is Office 365 is accepting the message and marking it as spam, then it hits the transport rule to send it to Sophos to check it out. Sophos then deletes the message because it either sees it as spam OR the user has put a policy in place to already reject them.
The transport rule ends and doesn't deliver the message to the end user, but THEN the end user gets a non-delivery message from Office 365 telling them they couldn't send their message, as if the message actually came from them and couldn't be delivered to them. The message clearly wasn't sent by them as I can see the IP is from another country but is from a fake outlook.com account.
If a message is deleted by Sophos and not delivered, then how do I get Microsoft to NOT send an NDR to the end user that actually didn't send the spoofed message?