
O365 filtering out SPAM before it gets to Sophos

Since moving from another antispam provider to Sophos, I've started getting Microsoft Quarantine emails again. I've done a message trace and it clearly shows that the message was sent to Sophos, however Central has no record of that email ever arriving. However, if I go to Microsoft Quarantine and release the email, Sophos then blocks it and it shows up in Central as having been blocked for being SPAM.

I would have thought the prefilter rule and redirection would catch a message straight away. I've done all the domain and mailflow verifications in Central and they've all come back saying everything is correct.

What's going on and why is Microsoft suddenly collecting SPAM?

For any Sophos staff who happen to be watching, case 06513956 has been going on for almost a week and getting nowhere, despite 2 hours on the phone today.



  • Hi Stuart,

    Thank you for reaching out to Sophos Community and for sharing the case#.

    I will check this further, and apologies for the experience.

    Erick Jan
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • An update - it's now been two weeks.

    Microsoft say the email goes to Sophos first and Sophos say the email goes to Microsoft first.

    Sophos says log a call with Microsoft

    Microsoft says log a call with Sophos

    So now what?

  • Hi Stuart,

    Apologies for the experience. I have notified the Engineer handling your case 06513956.

    Also, upon checking, an assessment and recommendation were given/sent to your email.

    Erick Jan
    Community Support Engineer | Sophos Technical Support

  • The last email from Sophos was to log a call with Microsoft, who said to log a call with Sophos.

  • Hi Stuart,

    Good day. An email was sent to you a few hours ago; I'll send the email content via DM.

    Erick Jan
    Community Support Engineer | Sophos Technical Support

  • Thanks. Given other users are having the same problem...

    The email refers me to how to set up spam filter policies. When I logged the case a week ago, I sent screenshots showing the rules that SOPHOS CENTRAL created automatically as part of the deployment and then confirmed were correct during a test email that followed. Unless there is a bug with the Sophos Central deployment?

    Hopefully, after a week and multiple remote sessions, we aren't at the stage where Sophos is referring me to setup documents and saying that Sophos Mailflow deployment does not work properly, so we need to switch to Gateway deployment. If this is the case, when is Sophos going to fix the bug or remove Mailflow deployment as an option altogether?

  • Hello Stuart,

    Reviewing your case, I don't see any note saying that the "deployment doesn’t work properly."

    It looks like you want Sophos Email to catch the email first, do the anti-spam checks and send it to O365, the way Gateway mode works, rather than Email Flow, where the email arrives first at O365, which sends the mail to Sophos Email (Sophos Email does the spam checks), and Sophos Email then sends it back to O365.

    Today you have a call with Support to go through this change so the email flow will now be Email > Sophos Email > o365.

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • No, I do not want to use Gateway mode. The Sophos "recommended" deployment for O365 is Mailflow mode, and that's what I want to use. Sophos automatically connected to the O365 tenant and configured all the mailflow rules, and then did a test to confirm everything is working correctly, but it's not: emails are being filtered by Microsoft, and all my users are getting quarantine emails from Microsoft AND Sophos. But after more than a week of investigation, Sophos' advice is that they can't get it working, so let's change to Gateway mode.

    I would much rather Sophos find and fix the problem so that their "recommended" solution worked properly. I don't have much confidence in the support team if, after more than a week, they throw their hands in the air and say it's too hard, try switching to Gateway mode.

  • Are they showing as High Confidence Phish in the M365 quarantine?

  • Secure by Default is something that Microsoft implemented that cannot be bypassed. The Pre-Filter rule turns the Spam Confidence Level score (SCL) to -1, which tells M365 not to inspect for spam. We are in discussions with the Microsoft Product Team about this topic among others. Do you see the SCL -1 in the headers of the messages? The Pre-Filter should be the first rule in the list of rules.

  • Thanks. It's disappointing that the support team didn't have this information a week and a half ago; it would have saved a lot of time.

    It would have been good to know before we went and implemented the Sophos recommended deployment method that doesn't work. We just followed the Sophos recommendations. Probably a good idea for Sophos to not allow new customers to use Mailflow mode until this is fixed.

    There is no SCL score in the headers at all. The pre-filter is the first rule, as per screenshots above (priority 0). Microsoft lists the quarantine reason as "Spam".
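
    One way to check the two things Tom asks about (whether Exchange Online stamped SCL -1 on a message, and which hop handled it first, which is also the point Microsoft and Sophos disagree on earlier in the thread) is to read the raw message headers rather than rely on either side's trace. The script below is an added example and is not part of this thread, of Sophos Central or of any Microsoft tooling. It uses only Python's standard `email` module; the header names `X-MS-Exchange-Organization-SCL` and `X-Forefront-Antispam-Report` are Microsoft's real ones, while the two sample messages, hostnames and addresses are constructed placeholders. The second sample has no SCL header at all, the situation reported above, and the checks return None / False rather than guessing.

```python
"""Inspect the Received chain and Microsoft SCL stamps in a raw message.

Exchange Online records its spam verdict in X-MS-Exchange-Organization-SCL
and as an SCL: field inside X-Forefront-Antispam-Report. A mail-flow rule
that bypasses spam filtering sets SCL to -1. Each hop prepends its own
Received header, so reading them bottom-up gives the path in time order.
Added example: the sample messages and hostnames below are constructed.
"""
import re
from email import message_from_string
from typing import List, Optional, Tuple

# Constructed sample: a bypass rule was applied, so SCL is -1.
# Hostnames and addresses are documentation placeholders, not real hosts.
SAMPLE_BYPASSED = """\
Received: from relay.filter.example.net (192.0.2.10) by
 MB1.prod.protection.outlook.example (10.0.0.1) with ESMTP;
 Mon, 4 Mar 2024 09:01:05 +0000
Received: from sender.example.org (198.51.100.7) by
 relay.filter.example.net (192.0.2.10) with ESMTP;
 Mon, 4 Mar 2024 09:01:02 +0000
X-MS-Exchange-Organization-SCL: -1
X-Forefront-Antispam-Report: CIP:192.0.2.10;CTRY:;SCL:-1;SRV:;
Subject: test
From: someone@example.org
To: user@example.com

body
"""

# Constructed sample: no SCL header at all, as reported in the thread.
SAMPLE_NO_SCL = """\
Received: from sender.example.org (198.51.100.7) by
 MB1.prod.protection.outlook.example (10.0.0.1) with ESMTP;
 Mon, 4 Mar 2024 09:01:05 +0000
Subject: test
From: someone@example.org
To: user@example.com

body
"""

# "from <host> ... by <host>" inside one unfolded Received header.
_HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.I | re.S)


def _unfold(value: str) -> str:
    """Collapse folded header continuation lines into a single line."""
    return re.sub(r"\s+", " ", value).strip()


def received_chain(raw: str) -> List[Tuple[str, str]]:
    """Return (from_host, by_host) pairs in chronological delivery order."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = _HOP.search(_unfold(value))
        if m:
            hops.append((m.group(1), m.group(2)))
    # Headers are listed newest-first; reverse to get the order hops ran.
    return list(reversed(hops))


def scl_from_headers(raw: str) -> Optional[int]:
    """Return the SCL Exchange Online stamped, or None if no SCL is present."""
    msg = message_from_string(raw)
    direct = msg.get("X-MS-Exchange-Organization-SCL")
    if direct is not None:
        return int(_unfold(direct))
    report = msg.get("X-Forefront-Antispam-Report")
    if report is not None:
        m = re.search(r"\bSCL:(-?\d+)", _unfold(report))
        if m:
            return int(m.group(1))
    return None


def spam_filtering_bypassed(raw: str) -> bool:
    """True only when a bypass rule demonstrably applied (SCL -1 stamped)."""
    return scl_from_headers(raw) == -1


if __name__ == "__main__":
    for name, sample in (("bypassed", SAMPLE_BYPASSED), ("no-scl", SAMPLE_NO_SCL)):
        path = " -> ".join(f"{src} => {dst}" for src, dst in received_chain(sample))
        print(f"{name}: path {path}")
        print(f"{name}: SCL {scl_from_headers(sample)}, "
              f"bypassed {spam_filtering_bypassed(sample)}")
```

    To use it on a real message, save the quarantined item as .eml (or copy its full headers) and pass the text to the two functions. If `received_chain` shows the Microsoft host receiving directly from the internet sender, the message never transited the filter before the verdict; if `scl_from_headers` returns None, the pre-filter rule did not stamp the message, which is what Tom suggests investigating.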

  • Stuart, it does work; I personally have been using it for the last 16 months. Microsoft will, if you make enough noise and provide business justification, turn off Secure by Default, but I've only had a couple of customers get that done. If there is no SCL in the headers, I'd investigate a bit more. How long have you had this implementation?

    Can you check a couple of things for me? Since each M365 plan has different levels of protection, this may/may not apply.

    In security.microsoft.com > policies & rules > threat policies > preset security policies, are the Standard and Strict Protection turned on? Have you configured any Exclusions?

  • We implemented Sophos Mail about a month ago. The O365 tenant itself is about 10 years old.

    I have checked that area and nothing has been configured.

  • Thanks. One last section to inspect, keeping in mind that Sophos is in talks with Microsoft; we are dependent on their service no matter whether it is Gateway mode or MFR. Now, what is said is that if the MX does not point to Microsoft, you can disable some things in Secure by Default: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/secure-by-default?view=o365-worldwide

    "Third-party filters: Secure by default only applies when the MX record for your domain is set to Exchange Online Protection (contoso.mail.protection.outlook.com). If it's set to another service or device, it's possible to override"

    It does become a trade-off at this time between having the MX pointed to Sophos or M365. Even in my configurations I still end up with HCP (high confidence phish, and a smattering of spam) ending up in the Microsoft Quarantine.

    Policies > Rules > Anti-Spam policies: inspect each policy and edit it to turn off anything you can.

  • Before moving to Sophos, we used N-Able Mail Assure, and none of the users ever received a Microsoft Quarantine email, so there are no configuration issues with the tenant config. It is frustrating that Sophos knows of this issue (hence being in talks with Microsoft) yet still recommends using Mailflow mode; otherwise I would have implemented Gateway mode to begin with.

    What are the steps now to switch from Mailflow mode to Gateway mode?

  • And was your MX record pointing to someplace other than Microsoft? Microsoft has made changes since 2023 to combat bad actors creating connectors, dumping spam and tearing things down, so they have become stricter on their partners. We are building a certificate-based connector system because they are changing the way connectors work.

    To switch to Gateway mode, you must disconnect the MFR configuration, configure it in Domain Settings, change your MX, and inspect/update SPF, DKIM and DMARC records. I would suggest you work with your partner or professional services org, as your environment is likely different from others.

    Email Security - Domains settings/status

    1. Overview
    2. Email Security Dashboard
    3. Global Settings
    4. Domains settings/status

    https://docs.sophos.com/central/customer/help/en-us/ManageYourProducts/EmailSecurity/SophosGateway/ExternalServices/ConfigureM365/index.html#configure-a-secure-connector-between-microsoft-365-and-sophos-gateway

  • Thanks for your replies, Tom. I am a Sophos partner. We have implemented this with a view to selling it to our customers; however, a big selling point was going to be not having to update MX, SPF, DKIM and DMARC and just being able to integrate seamlessly with O365. I'm assuming I'll need to tidy up all the rules Sophos created, which isn't listed anywhere in that document.

    It would appear that Mailflow mode currently does not work as designed, due to changes by Microsoft. I will follow the Sophos recommendation to go with Gateway mode. It would be helpful if Sophos Central and the documentation were updated to reflect this until the problems with Microsoft are resolved.

  • Stuart, when you disconnect the MFR we clean up the rules automatically, and we are working directly with Microsoft on Mailflow rules. Microsoft is propagating an exception list for us for the MFR issue. That doesn't necessarily have anything to do with the SCL -1 rule not working. We also have some discussion ongoing with them about this.

  • I appreciate your help here, Tom. At least I know the state of play, and your responses have been helpful. Unfortunately I can say the same about the Support team.

    I was planning to schedule a change to Gateway mode for the weekend. Instead, Sophos support rang in the middle of the work day, couldn't get hold of me and instead spoke to one of my staff. They instructed them to change MX records, mail flow rules and SPF records. The first I knew about it was when I started getting complaints from people in our organisation that they couldn't send emails and that customers trying to email us were getting bounce-backs.

    Our production email system was down for almost four hours with customers unable to email us and we couldn’t email out. I’m not sure what protocols Sophos support has, but instructing customers to change DNS records during business hours on a live production system is bizarre and completely unacceptable.

    This "trial" of Sophos Email internally, with a view to selling it to our customers, doesn't look like being successful. We might have to leave our customers where they are and wait until these issues are fixed. Mailflow is a key feature. Not having a competent support team to lean on as an escalation point is concerning as well.