Have been observing emails passing through Sophos Mailflow > Email Policies > Header Anomalies checks without issues where they really should be failing.
It seems that email policies are hierarchical and stop processing rather than proceeding with the Header and Domain anomaly checks.
This is a major security concern for us, and we hope to see Sophos make a major change to how this system functions to close out this vulnerability.
For example, a bad actor performing spear phishing attacks is creating brand new trial Azure Exchange environments, targeting named users via public sources such as LinkedIn.
SPF checks on these emails pass, as they are sending from their own infrastructure with valid SPF DNS records for their domain.
However, when the headers alter the Reply-To and display name to email@example.com, Sophos, which should quarantine or at least tag the email as per our policy, does not, so the end user receives the email in their inbox.
Standard users, who are slowly becoming used to seeing suspicious emails flagged, see that it is not flagged and therefore, under the false assumption that it's not malicious, fall victim to the phishing scam. We then need to become proactive and block the domains/IPs etc., but these actors tend to create new trial domains rapidly each day.
It does not make any sense to me why checks would stop after SPF validation. We should always be doing more to verify the integrity of emails, not less: if it passes SPF we should 100% be validating the header and the domain for any anomalies, then flag them as per user policies according to what was detected.
This should be standard and I am not aware of any other large security provider that operates email security this way.
If SPF/DKIM and DMARC Pass on a truly legitimate email, you should not expect any header or domain anomalies, so it would make sense to continue those checks to find the bad actors that slip past the previous authentication checks.
[edited by: Raphael Alganes at 10:46 AM (GMT -8) on 16 Nov 2023]