Sophos Email customers using IP-based mailflow rule connectors must migrate to certificate-based configuration by March 31st. To see if you're affected Click Here.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Recommended Improvements to Email Policy Vulnerability - Header & Domain Anomaly checks

Have been observing emails passing through Sophos Mailflow > Email Policies > Header Anomalies checks without issues where they really should be failing.

It seems that email policies are hierarchical and stop processing proceeding with the Header and Domain anomaly checks

This is a major security concern for us and hope to see Sophos make major change to how this system functions to close out this vulnerability.

For example,  A bad actor performing Spear Phishing attacks is creating brand new trial azure exchange trial environments targeting named users via public sources such as Linked in.

SPF Checks against the emails in how they deliver past as they are sending from their infrastructure with valid SPF DNS Records for their domain.

How ever headers altering the reply to and display name to name@domainname.com, Sophos which should quarantine or at least Tag the email as per our policy does not, so the end user receives the email in their inbox.

Standard user behaviour that is slowly becoming used to seeing suspicious emails flagged, is thinking its not flagged there for under a false assumption it's not malicious and falls victim to the phishing scam, we need to then become proactive to block the domains/IPs ect but these actors tend to create new trial domains rapidly each day.

It does not make any sense to me why checks would stop after SPF Validation, we should always be doing more to verify the integrity of emails not less, if it passes SPF we should 100% be validating the header and the domain for any anomalies, then flag them as per user policies as a result to what was detected.

This should be standard and I am not aware of any other large security provider that operates email security this way.

If SPF/DKIM and DMARC Pass on a truly legitimate email, you should not expect any header or domain anomalies, so it would make sense to continue those checks to find the bad actors that slip past the previous authentication checks. 



This thread was automatically locked due to age.
Parents
  • Hello Justin,

    Thank you for contacting the Sophos Community.

    The scanning should only stop when an email is "caught" for an event. If the SPF check passes, the email is scanned further for other checks. 

    I would recommend you open a case to get this investigated; feel free to share the Case ID with us so we can follow-up.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • We have many examples of header checks not occurring, so did raise a job and was informed this was as per design.

    I believe that design decision is a vulnerability exposing clients to Spear Phishing attacks amongst other malicious emails, this post is to assure other users are informed of the behaviour so they can work to mitigate risk & hopefully see change to the email protection design.

    As explained to me by Sophos Support

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

    Sender checks on the Sophos Central configuration page are done in order, from top to bottom. If the action for a sender check is quarantine, reject, or deliver, and that check passes, no subsequent checks will be done.
     
    Example: A pass on the Sender Policy Framework (SPF) check will skip the header anomaly check.

    Header Anomaly will not check if SPF checks pass for the spoofed email. The email did not trigger the Header Anomaly check because the sender checks are hierarchical. If a higher check passes, this supersedes subsequent checks.

    This is a known behavior in Sophos side.

  • Hello Justin,

    Thank you for the follow-up. Do you have the Case ID where this was mentioned to you?

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
Reply Children