
Sophos Phishing Campaign emails being sent to MS Defender quarantine

Am I the only customer using this Phishing Campaign.....

I've been trying to configure this thing so we can use it. However, even after configuring per the documentation, the campaign emails are still being caught by Microsoft's Defender and quarantined.

Documentation indicates that I only need to whitelist 2 IP addresses, but when looking at the message in quarantine, the message has a sender's IP that does not match the two I was told to whitelist.......

I would have thought this to be an easy fix for support, but now on week 2 with several remote sessions and circling back to the beginning......

Open Case# 07016835

Somebody...anybody who has dealt with this please help me.......



  • To allow for the phishing campaign emails to reach the end user, additional exceptions were needed.

    Had to add the following to Exchange>Mailflow>Rules.

    This is not in any documentation that I was aware of and took several support calls and escalation to level 2 to resolve..... :P

  • What you really mean to say is that you couldn't find the link.

    https://support.sophos.com/support/s/article/KB-000039921?language=en_US

    I agree that Sophos documentation is lacking in terms of structure. It is very hard to find all the information in one place. IMO there should be a section on the website with a step-by-step guide and all the info in one place. Even if you do find the right place, it gives you the instructions for one part and then has 6 links to other parts of the Sophos website so you have to navigate around everywhere to find the right information. This has been acknowledged by a product manager I have worked closely with.

    For my guys, I've had to collate all the different information from various areas of the Sophos website and create my own step-by-step document. It's as frustrating as hell. Maybe Sophos should pay me to write the docos for their websites

  • Thanks for your reply.....Still a newbie when it comes to Sophos...but support needs to step up their game.  This issue could've/should've been resolved in 5-10 minutes.

    I searched multiple times for a solution. Maybe the title of the article and what I was searching was why it did not come up. Could also explain why support did not find it either, as support usually sends me links to articles that have the solution.

    The link you provided would have resolved the issue.  Though I have a question about the config you used in the Rule:

    "Configure the message header as X-MS-Exchange-Organization-SkipSafeLinksProcessing and the value as 1. "

    I chose this config in our environment instead:

    Set the spam confidence level (SCL) to '-1'

    I'm guessing both options will essentially do the same thing of bypassing the Microsoft filter.

    The other question I have is.....With this Mail Rule in place, would I be able to remove the other configuration under the Phishing Simulation? That configuration appears to have no effect. I have not tried it yet but wonder if anybody has....


  • Yep, get your frustration, and I agree. Documentation is lacking with a scatter-gun approach and support don't appear to be well trained with Phishing or Email Security.

    You actually need both of them. This is because Microsoft do checks on things like High Confidence Phishing checks BEFORE it even gets to the rules (this is a new 'feature' but I hate it because it removes control from admins as it bypasses any ability to allow ALL mail through), but the rules take care of bypassing normal spam filtering.
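
Added example, not part of the thread or of Sophos or Microsoft documentation: a small diagnostic for the symptoms discussed above. It reads the `X-Forefront-Antispam-Report` header that Exchange Online stamps on a message and checks the connecting IP (`CIP`), the `SCL` and the category (`CAT`) fields. The allow-list addresses are placeholders because the thread does not quote the documented IPs, and both sample header values are constructed.

```python
import ipaddress

# Placeholder allow list: the thread does not quote the two documented IPs.
ALLOWED_SENDERS = ["192.0.2.10/32", "192.0.2.11/32"]

# Constructed sample header values (not taken from a real message).
QUARANTINED = ("CIP:198.51.100.7;CTRY:US;LANG:en;SCL:9;SRV:;IPV:NLI;"
               "SFV:SPM;H:mail.example.net;CAT:HPHISH;DIR:INB;")
DELIVERED = ("CIP:192.0.2.10;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:NLI;"
             "SFV:SKN;H:mail.example.net;CAT:NONE;DIR:INB;")


def parse_antispam_report(value):
    """Split an X-Forefront-Antispam-Report value into a {FIELD: value} dict."""
    fields = {}
    for part in value.replace("\r", "").replace("\n", "").split(";"):
        # Split on the first colon only, so an IPv6 CIP value stays intact.
        key, sep, val = part.strip().partition(":")
        if sep:
            fields[key.upper()] = val.strip()
    return fields


def diagnose(report_value, allowed=ALLOWED_SENDERS):
    """Return a list of reasons the bypass did not fully apply (empty if it did)."""
    f = parse_antispam_report(report_value)
    findings = []
    try:
        cip = ipaddress.ip_address(f.get("CIP", ""))
    except ValueError:
        cip = None
        findings.append("no usable CIP field: connecting IP unknown")
    if cip is not None:
        nets = [ipaddress.ip_network(n) for n in allowed]
        if not any(cip.version == n.version and cip in n for n in nets):
            findings.append(f"connecting IP {cip} is not in the allow list")
    if f.get("SCL") != "-1":
        findings.append(f"SCL is {f.get('SCL')}, not -1: the bypass rule did not apply")
    if f.get("CAT") in ("HPHISH", "HPHSH"):
        findings.append("high confidence phishing verdict, applied before mail flow rules")
    return findings


if __name__ == "__main__":
    for name, hdr in (("quarantined", QUARANTINED), ("delivered", DELIVERED)):
        print(name, diagnose(hdr) or "bypass applied as intended")
```

Paste the header value from the quarantined message in place of the constructed samples; an empty result means the allow list and the SCL rule both took effect.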

  • Hello Stuart/Slappy,

    Thank you for the feedback, the SCL part is documented (https://doc.sophos.com/central/customer/help/en-us/ManageYourProducts/EmailSecurity/SophosGateway/ExternalServices/ConfigureM365/index.html#bypass-exchange-online-protection-in-microsoft-365) but agree that this also should be in the Phish Threat side of things.

    I will work with documentation to add this info in the Phish Threat documentation.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support