Sophos Phishing Campaign emails being sent to MS Defender quarantine

Hello, 

We regret that you have bumped into this inconvenience. I have checked your opened ticket and there's a Plan of action sent out to you by the engineer as next course moving forward. 

I have also left a note referencing this community thread you have posted. 

Many thanks for your time and patience and thank you for choosing Sophos.

Regards,

Raphael Alganes from the outside looking in, it appears the technician hasn't understood the problem.

There shouldn't be any plan of action for the customer to do if the Sophos Phishing Simulation emails are coming from an incorrect IP address? Unless Sophos has started using a new source IP address and needs to update its online documentation accordingly?

Hello Slappy ,

This case currently being handled by Global Escalation Specialist and please be on the look out for an update via call or email regarding the status of your case. 

Many thanks for your time and patience and thank you for choosing Sophos.

Cheers,

We are trying to use Sophos Phish Threat too and I am in the same situation, received an email to say I have been enrolled into training for reading the email which I never received. Checked sophos and its showing as delivered, checked Defender and its showing quarantined for safe attachments policy. So everyone kind of knows what emails to look out for now, kind of pointless! 

We are working on a method called Direct Delivery which will use the Microsoft Graph API to place Phish Threat messages directly into the end users mailbox bypassing smtp and inspections for M365 customers. This will be delivered early 2024 is our plan at this time. 

To allow for the phishing campaign emails to reach the end user, additional exceptions were needed.

Had to add the following to Exchange>Mailflow>Rules.

This is not in any documentation that I was aware of and took several support calls and escalation to level 2 to resolve..... :P

Hello there,

Thank you for the update.

Just to clarify, what solved the issue was setting the Spam Confidence Level to -1?

Regards,

 Slappy what you really mean to say is that you couldn't find the link.

https://support.sophos.com/support/s/article/KB-000039921?language=en_US

I agree that Sophos documentation is lacking in terms of structure. It is very hard to find all the information in one place. IMO there should be a section on the website with a step-by-step guide and all the info in one place. Even if you do find the right place, it gives you the instructions for one part and then has 6 links to other parts of the Sophos website so you have to navigate around everywhere to find the right information. This has been acknowledged by a product manager I have worked closely with.

For my guys, I've had to collate all the different information from various areas of the Sophos website and create my own step-by-step document. It's as frustrating as hell. Maybe Sophos should pay me to write the docos for their websites 

Thanks for your reply.....Still a newbie when it comes to Sophos...but support needs to step up their game.  This issue could've/should've been resolved in 5-10 minutes.

I searched multiple of times for a solution.  Maybe the title of the article and what I was searching was why it did not come up.  Could also explain why support did not find it either.   As support usually sends me links to articles that have the solution.   

The link you provided would have resolved the issue.  Though I have a question about the config you used in the Rule:

"Configure the message header as X-MS-Exchange-Organization-SkipSafeLinksProcessing and the value as 1. "

I choose this config in our environment instead:

Set the spam confidence level (SCL) to '-1' 

I'm guessing both options will take essentially do the same thing of bypassing the Microsoft filter.

The other question I have is.....With this Mail Rule in place, would I be able to remove the other configuration under the Phishing Simulation? That configuration appears to have not effect.   I have not tried it yet but wonder if anybody has....

Yep, get your frustration, and I agree. Documentation is lacking with a scatter-gun approach and support don't appear to be well trained with Phising or Email Security.

You actually need both of them. This is because Microsoft do checks on things like High Confidence Phishing checks BEFORE it even gets to the rules (this is a new 'feature' but I hate it because it removes control from admins as it bypasses any ability to allow ALL mail through), but the rules take care of bypassing normal spam filtering.