Sophos Phishing Campaign emails being sent to MS Defender quarantine

Question

I'm I the only customer using this Phishing Campaign..... 
 I been trying to configure this thing so we can use it. However, even after configuring per the documentation. The campaign email are still being caught be Microsoft's Defender and quarantining the emails. 
 Documentation indicates that I only need to whitelist 2 IP addresses but when looking at the message in quarantine, the message has senders IP that is not matching the two I was told to whitelist....... 
 
 I would have thought this to be an easy fix for support, but now on week 2 with several remote sessions and circling back to the beginning...... 
 
 Open Case# 07016835 
 Somebody...anybody who has dealt with this please help me.......

Tom Foucha · Accepted Answer

We are working on a method called Direct Delivery which will use the Microsoft Graph API to place Phish Threat messages directly into the end users mailbox bypassing smtp and inspections for M365 customers. This will be delivered early 2024 is our plan at this time.

Stuart James · Answer

Slappy what you really mean to say is that you couldn't find the link. 
 
 https://support.sophos.com/support/s/article/KB-000039921?language=en_US 
 
 I agree that Sophos documentation is lacking in terms of structure. It is very hard to find all the information in one place. IMO there should be a section on the website with a step-by-step guide and all the info in one place. Even if you do find the right place, it gives you the instructions for one part and then has 6 links to other parts of the Sophos website so you have to navigate around everywhere to find the right information. This has been acknowledged by a product manager I have worked closely with. 
 
 For my guys, I've had to collate all the different information from various areas of the Sophos website and create my own step-by-step document. It's as frustrating as hell. Maybe Sophos should pay me to write the docos for their websites

Stuart James · Answer

Yep, get your frustration, and I agree. Documentation is lacking with a scatter-gun approach and support don't appear to be well trained with Phising or Email Security. 
 
 You actually need both of them. This is because Microsoft do checks on things like High Confidence Phishing checks BEFORE it even gets to the rules (this is a new 'feature' but I hate it because it removes control from admins as it bypasses any ability to allow ALL mail through), but the rules take care of bypassing normal spam filtering.

Tom Foucha · Answer

We are on target for a Q1CY2024 release. It will require additional authorization in M365 so it will guide you through logging into M365 and approving the additional auth. The new Direct Delivery feature will be much simpler in that you will no longer have to create the Phishing exceptions in M365 or add to Allow Lists in M365 etc. Since we won't be sending the messages via smtp but via the Graph API. For new customers this will be the preferred way, I expect partners and MSP to take their time migrating and clean up old rules, as long as it is working as you say.

Slappy · Answer

To allow for the phishing campaign emails to reach the end user, additional exceptions were needed. 
 Had to add the following to Exchange>Mailflow>Rules. 
 This is not in any documentation that I was aware of and took several support calls and escalation to level 2 to resolve..... :P

Sophos Phishing Campaign emails being sent to MS Defender quarantine

Top Replies