

Sophos Phishing Campaign emails being sent to MS Defender quarantine

Am I the only customer using this Phishing Campaign.....

I've been trying to configure this thing so we can use it. However, even after configuring per the documentation, the campaign emails are still being caught by Microsoft Defender and quarantined.

Documentation indicates that I only need to whitelist 2 IP addresses, but when looking at the message in quarantine, the message has a sender IP that does not match the two I was told to whitelist.......

I would have thought this to be an easy fix for support, but now on week 2 with several remote sessions and circling back to the beginning......

Open Case# 07016835

Somebody...anybody who has dealt with this please help me.......



  • Hello, 

    We regret that you have bumped into this inconvenience. I have checked your opened ticket and there's a Plan of action sent out to you by the engineer as next course moving forward. 

    I have also left a note referencing this community thread you have posted. 

    Many thanks for your time and patience and thank you for choosing Sophos.

    Regards,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • From the outside looking in, it appears the technician hasn't understood the problem.

    There shouldn't be any plan of action for the customer to do if the Sophos Phishing Simulation emails are coming from an incorrect IP address? Unless Sophos has started using a new source IP address and needs to update its online documentation accordingly?

  • Hello  ,

    This case is currently being handled by a Global Escalation Specialist; please be on the lookout for an update via call or email regarding the status of your case.

    Many thanks for your time and patience and thank you for choosing Sophos.

    Cheers,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • We are trying to use Sophos Phish Threat too and I am in the same situation: received an email to say I have been enrolled into training for reading the email, which I never received. Checked Sophos and it's showing as delivered; checked Defender and it's showing quarantined for the Safe Attachments policy. So everyone kind of knows what emails to look out for now, kind of pointless!

  • We are working on a method called Direct Delivery which will use the Microsoft Graph API to place Phish Threat messages directly into the end user's mailbox, bypassing SMTP and inspections for M365 customers. Our plan at this time is to deliver this in early 2024.

  • To allow for the phishing campaign emails to reach the end user, additional exceptions were needed.

    Had to add the following to Exchange>Mailflow>Rules.

    This is not in any documentation that I was aware of and took several support calls and escalation to level 2 to resolve..... :P

  • Hello there,

    Thank you for the update.

    Just to clarify, what solved the issue was setting the Spam Confidence Level to -1?

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • What you really mean to say is that you couldn't find the link.

    https://support.sophos.com/support/s/article/KB-000039921?language=en_US

    I agree that Sophos documentation is lacking in terms of structure. It is very hard to find all the information in one place. IMO there should be a section on the website with a step-by-step guide and all the info in one place. Even if you do find the right place, it gives you the instructions for one part and then has 6 links to other parts of the Sophos website so you have to navigate around everywhere to find the right information. This has been acknowledged by a product manager I have worked closely with.

    For my guys, I've had to collate all the different information from various areas of the Sophos website and create my own step-by-step document. It's as frustrating as hell. Maybe Sophos should pay me to write the docos for their websites.

  • Thanks for your reply.....Still a newbie when it comes to Sophos...but support needs to step up their game.  This issue could've/should've been resolved in 5-10 minutes.

    I searched multiple times for a solution. Maybe the title of the article and what I was searching for was why it did not come up. Could also explain why support did not find it either, as support usually sends me links to articles that have the solution.

    The link you provided would have resolved the issue.  Though I have a question about the config you used in the Rule:

    "Configure the message header as X-MS-Exchange-Organization-SkipSafeLinksProcessing and the value as 1. "

    I choose this config in our environment instead:

    Set the spam confidence level (SCL) to '-1' 

    I'm guessing both options essentially do the same thing of bypassing the Microsoft filter.

    The other question I have is.....With this Mail Rule in place, would I be able to remove the other configuration under the Phishing Simulation? That configuration appears to have no effect. I have not tried it yet but wonder if anybody has....


  • Yep, get your frustration, and I agree. Documentation is lacking with a scatter-gun approach and support don't appear to be well trained with Phishing or Email Security.

    You actually need both of them. This is because Microsoft do checks on things like High Confidence Phishing checks BEFORE it even gets to the rules (this is a new 'feature' but I hate it because it removes control from admins as it bypasses any ability to allow ALL mail through), but the rules take care of bypassing normal spam filtering.
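As an added example (not from the thread, and not Sophos' or Microsoft's own documentation), here is what the two exceptions described above look like when created from PowerShell instead of the Exchange admin center: the mail flow rule with SCL -1 plus the Safe Links skip header (the two options compared a few posts up), and the Defender "advanced delivery" phishing simulation override that has to exist alongside it because high-confidence phish verdicts are applied before mail flow rules run. The IP addresses, sending domain and rule names are placeholders; replace them with the values from the Sophos KB article linked above. Both the transport rule and the override rule are scoped to the simulation sender IPs so that the bypass does not become a tenant-wide spam filtering exemption.

```powershell
# Added example, not from the original thread. Assumes the Exchange Online
# Management module (Connect-ExchangeOnline / Connect-IPPSSession) and an
# account permitted to manage mail flow rules and Defender policies.

# Placeholder values (constructed): use the sender IPs and domain that Sophos
# publishes for Phish Threat, not these.
$PhishSimIPs    = @('192.0.2.10', '192.0.2.11')   # RFC 5737 documentation addresses
$PhishSimDomain = 'phishsim.example.com'           # placeholder sending domain
$RuleName       = 'Sophos Phish Threat - bypass filtering'   # placeholder name

# 1. Mail flow (transport) rule, evaluated only for mail from the simulation IPs.
#    -SetSCL -1 bypasses normal spam filtering; the header disables Safe Links
#    rewriting for the message. Both actions can live in one rule.
Connect-ExchangeOnline
New-TransportRule -Name $RuleName `
    -SenderIpRanges $PhishSimIPs `
    -SetSCL -1 `
    -SetHeaderName 'X-MS-Exchange-Organization-SkipSafeLinksProcessing' `
    -SetHeaderValue '1' `
    -Priority 0 `
    -Comments 'Scoped to Phish Threat sender IPs only; review when Sophos changes its source IPs'

# 2. Defender for Office 365 advanced delivery: the phishing simulation override.
#    This is the piece that handles high-confidence phish and Safe Attachments
#    verdicts applied before the mail flow rule is reached. The rule requires
#    both the sending domain and the sender IP ranges.
Connect-IPPSSession
New-PhishSimOverridePolicy -Name 'PhishSimOverridePolicy'
New-PhishSimOverrideRule -Name 'PhishSimOverrideRule' `
    -Policy 'PhishSimOverridePolicy' `
    -Domains $PhishSimDomain `
    -SenderIpRanges $PhishSimIPs

# 3. Verify both exceptions are in place and still tightly scoped.
Get-TransportRule -Identity $RuleName |
    Format-List Name, State, Priority, SenderIpRanges, SetSCL, SetHeaderName, SetHeaderValue
Get-PhishSimOverrideRule |
    Format-List Name, Domains, SenderIpRanges
```

When checking a quarantined message afterwards, compare the connecting IP shown in the message headers against the `SenderIpRanges` value above: if Sophos has started sending from an address outside that list (the situation the original poster ran into), neither exception will match and the mail will be filtered as before.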