O365 filtering out SPAM before it gets to Sophos

Hi Stuart,

Thank you for reaching out to Sophos Community and for sharing the case#.

Will further check this and apologies for the experience. 

An update - it's now been two weeks.

Microsoft say the email goes to Sophos first and Sophos say the email goes to Microsoft first.

Sophos says log a call with Microsoft

Microsoft says log a call with Sophos

So now what?

Hi Stuart,

Apologies for the experience. I have notified the Engineer handling your case 06513956.

Also, upon checking, An assessment and recommendation were given/sent to your email. 

The last email from Sophos was to log a call with Microsoft, who said to log a call with Sophos.

Hi Stuart,

Good day, email was sent to you around a few hours ago, I'll send the email content via DM. 

Thanks. Given other users are having the same problem.......

The email refers me to how to setup spam filter policies. When I logged the case a week ago, I sent screenshots showing the rules that SOPHOS CENTRAL created automatically as part of the deployment and then confirmed were correct during a test email following. Unless there is a bug with the sophos central deployment?

Hopefully after a week and multiple remote sessions, we aren't at the stage where Sophos is referring me to setup documents and saying that Sophos Mailflow deployment does not work properly so we need to switch to Gateway deployment. If this is the case, when is Sophos going to fix the bug or remove mailflow deployment as an option all together?

Hello Stuart,

Reviewing your case, I don't see any note saying that the "deployment doesn’t work properly."

It looks like you want Sophos Email to catch the email first, do the anti-spam checks and send it to O365, the way Gateway mode works, rather than Email Flow, where the email arrives first to O365 and sends the mail to Sophos Email (Sophos Email does the spam checks) Sophos email then send it back to O365.

Today you have a call with Support to go through this change so the email flow will now be Email > Sophos Email > o365.

Regards,

No, I do not want to use Gateway mode. The Sophos "recommended" deployment for O365 is Mailflow mode, and that's what I want to use. Sophos automatically connected to the O365 tenant and configured all the mailflow rules, and then did a test to confirm everything is working correctly, but it's not, emails are being filtered by Microsoft and all my users are getting quarantine emails from Microsoft AND Sophos. But after more than a week of investigation, Sophos' advice is they can't get it working so let's change to Gateway mode

I would much rather Sophos find and fix the problem so that their "recommended" solution worked properly. I don't have much confidence in the support team if after more than a week they throw their hands in the air and say too hard try switching to gateway mode.

Are they showing as High Confidence Phish in the M365 quarantine?

Secure by Default is something that Microsoft implemented that cannot be bypassed. The Pre-Filter rule turn the Spam Confidence Level score (SCL) to -1 which tells M365 not to inspect for spam. We are in discussions with Microsoft Product Team about this topic among others. Do you see the SCL -1 in the headers of the messages? The Pre-Filter should be the first rule in the list of rules.