Sophos Phishing Campaign emails being sent to MS Defender quarantine

To allow for the phishing campaign emails to reach the end user, additional exceptions were needed.

Had to add the following to Exchange>Mailflow>Rules.

This is not in any documentation that I was aware of and took several support calls and escalation to level 2 to resolve..... :P

 Slappy what you really mean to say is that you couldn't find the link.

https://support.sophos.com/support/s/article/KB-000039921?language=en_US

I agree that Sophos documentation is lacking in terms of structure. It is very hard to find all the information in one place. IMO there should be a section on the website with a step-by-step guide and all the info in one place. Even if you do find the right place, it gives you the instructions for one part and then has 6 links to other parts of the Sophos website so you have to navigate around everywhere to find the right information. This has been acknowledged by a product manager I have worked closely with.

For my guys, I've had to collate all the different information from various areas of the Sophos website and create my own step-by-step document. It's as frustrating as hell. Maybe Sophos should pay me to write the docos for their websites 

Thanks for your reply.....Still a newbie when it comes to Sophos...but support needs to step up their game.  This issue could've/should've been resolved in 5-10 minutes.

I searched multiple of times for a solution.  Maybe the title of the article and what I was searching was why it did not come up.  Could also explain why support did not find it either.   As support usually sends me links to articles that have the solution.   

The link you provided would have resolved the issue.  Though I have a question about the config you used in the Rule:

"Configure the message header as X-MS-Exchange-Organization-SkipSafeLinksProcessing and the value as 1. "

I choose this config in our environment instead:

Set the spam confidence level (SCL) to '-1' 

I'm guessing both options will take essentially do the same thing of bypassing the Microsoft filter.

The other question I have is.....With this Mail Rule in place, would I be able to remove the other configuration under the Phishing Simulation? That configuration appears to have not effect.   I have not tried it yet but wonder if anybody has....

Yep, get your frustration, and I agree. Documentation is lacking with a scatter-gun approach and support don't appear to be well trained with Phising or Email Security.

You actually need both of them. This is because Microsoft do checks on things like High Confidence Phishing checks BEFORE it even gets to the rules (this is a new 'feature' but I hate it because it removes control from admins as it bypasses any ability to allow ALL mail through), but the rules take care of bypassing normal spam filtering.

Yep, get your frustration, and I agree. Documentation is lacking with a scatter-gun approach and support don't appear to be well trained with Phising or Email Security.

You actually need both of them. This is because Microsoft do checks on things like High Confidence Phishing checks BEFORE it even gets to the rules (this is a new 'feature' but I hate it because it removes control from admins as it bypasses any ability to allow ALL mail through), but the rules take care of bypassing normal spam filtering.