bypassing quarantine based on email headers?

Product: Sophos Central Adv Email Gateway

GOAL: Not reduce security

PROBLEM: Company A acquires Company B and sets up email forwarding for newly acquired users in its own (Company A) tenant.

DETAILS: Company B retains its Sophos Email Gateway and Microsoft Hosted Exchange tenant. Company A creates domainA.com accounts for Company B users in its own tenant. Company A sets up email forwarding for those users so that emails sent to userB@domainA.com forward to userB@domainB.com. The problem we are seeing is that the forwarded emails are clearly being interpreted as spoofed emails because the from address is domainB.com.

BEHAVIOR: Emails go to quarantine. 

WHAT WE HAVE TRIED: modified the SPF record to include the remote sending host. Anyone not on the VIP list will receive the email. VIP users' email will go to the quarantine this time based on VIP impersonation. Whitelisting the email host (approved domain) does not help.

WHAT WE ARE WONDERING: Does the email gateway have a control to bypass the quarantine if there is specific information in the header, such as the domain name domainA.com?



Added TAGs
[edited by: Raphael Alganes at 1:07 PM (GMT -8) on 18 Jan 2024]
  • Hi Tim,

    Thank you for posting in the Community!
    I think the problem is that the VIP management list is currently applied globally, so it encompasses all of the domains protected by Sophos Email. This falls into the realm of a Feature Request.
    Another thought is that perhaps another inbound Email Security policy can be created that has External and Internal specified where Impersonation Protection is not applied? Basically it will only trigger IF the external (sender) and internal address match, where it is coming from domainA and is going to domainB. And if the sender is not from domainA, then it will match the base policy instead?
    Something like this below perhaps?

  • This was a great suggestion and afforded us a solution within both the Email Security Policy and the Data Control policy. I learned that they are processed in a top down fashion much like UTM/XG/XGS. We actually allowed failed SPF to continue processing at the Email Security Policy. Then at the Data Control Policy (the next policy processed) we created 2 rules scoped on header information. If there was a match (such as finding Company A attributes in the header), then it would log the email (deliver). 

    The critical piece was the 'Catch all' in that Data Control Policy. This last rule would grab any failed SPF emails and send them to quarantine.

    Thank you for sending us on the correct course.
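
The ordering described in the reply above (header-scoped exception rules first, a catch-all for failed SPF last, first match wins) is easy to get wrong, so here is an added example that simulates such a top-down chain over constructed messages. It is illustration code written for this thread, not Sophos code, and it does not model how Sophos Email actually evaluates policies; the rule names, the header values it keys on (Received and Return-Path mentioning domainA.com), the documentation IP addresses and the sample messages are all constructed. It also includes a small check for rules that can never fire, which is what happens when the catch-all is placed ahead of the exceptions.

```python
"""Added example: simulate a top-down, first-match policy chain in which
header-scoped exception rules come before a catch-all that quarantines any
message failing SPF. Illustration only, not Sophos code; rule names,
header choices and sample messages are constructed for the demo."""
import re
from email import message_from_string
from email.message import Message
from typing import Callable, NamedTuple


class Rule(NamedTuple):
    name: str
    match: Callable[[Message], bool]
    action: str  # "deliver" or "quarantine"


def spf_result(msg: Message) -> str:
    """Read the SPF verdict recorded in an Authentication-Results header."""
    for value in msg.get_all("Authentication-Results", []):
        found = re.search(r"\bspf=(\w+)", value)
        if found:
            return found.group(1).lower()
    return "none"


def header_mentions(msg: Message, header: str, needle: str) -> bool:
    """True if any instance of `header` contains `needle` (case-insensitive)."""
    return any(needle.lower() in v.lower() for v in msg.get_all(header, []))


# Constructed rule set. Order matters: exceptions first, catch-all last.
RULES = [
    Rule("relayed-via-companyA",
         lambda m: header_mentions(m, "Received", "domainA.com"), "deliver"),
    Rule("return-path-companyA",
         lambda m: header_mentions(m, "Return-Path", "@domainA.com"), "deliver"),
    Rule("catch-all-failed-spf",
         lambda m: spf_result(m) == "fail", "quarantine"),
]


def evaluate(rules, raw: str):
    """Return (rule name, action) of the first matching rule. The default is
    deliver: a message that passed SPF and matched nothing just continues."""
    msg = message_from_string(raw)
    for rule in rules:
        if rule.match(msg):
            return rule.name, rule.action
    return "no-match", "deliver"


def shadowed_rules(rules, samples):
    """Names of rules that match some sample on their own but never win in
    the chain: the symptom of a catch-all placed too early."""
    winners = {evaluate(rules, s)[0] for s in samples}
    return [r.name for r in rules
            if r.name not in winners
            and any(r.match(message_from_string(s)) for s in samples)]


# Constructed sample messages (documentation IPs, placeholder domains).
FORWARDED = """\
Return-Path: <bounce@domainA.com>
Received: from mail.domainA.com (mail.domainA.com [198.51.100.10]) by gateway.domainB.com; Thu, 18 Jan 2024 12:00:00 -0800
Authentication-Results: gateway.domainB.com; spf=fail smtp.mailfrom=domainB.com
From: colleague@domainB.com
To: userB@domainB.com
Subject: Forwarded from the Company A mailbox
"""
FORWARDED_VIA_RELAY = """\
Return-Path: <bounce@domainA.com>
Received: from relay.provider.example (relay.provider.example [198.51.100.20]) by gateway.domainB.com; Thu, 18 Jan 2024 12:00:30 -0800
Authentication-Results: gateway.domainB.com; spf=fail smtp.mailfrom=domainB.com
From: colleague@domainB.com
To: userB@domainB.com
Subject: Forwarded through an intermediate relay
"""
SPOOFED = """\
Return-Path: <bounce@mailer.example>
Received: from mailer.example (mailer.example [203.0.113.5]) by gateway.domainB.com; Thu, 18 Jan 2024 12:01:00 -0800
Authentication-Results: gateway.domainB.com; spf=fail smtp.mailfrom=domainB.com
From: ceo@domainB.com
To: userB@domainB.com
Subject: Urgent
"""
CLEAN = """\
Return-Path: <news@vendor.example>
Received: from mx.vendor.example (mx.vendor.example [192.0.2.7]) by gateway.domainB.com; Thu, 18 Jan 2024 12:02:00 -0800
Authentication-Results: gateway.domainB.com; spf=pass smtp.mailfrom=vendor.example
From: news@vendor.example
To: userB@domainB.com
Subject: Newsletter
"""
SAMPLES = [FORWARDED, FORWARDED_VIA_RELAY, SPOOFED, CLEAN]

if __name__ == "__main__":
    for s in SAMPLES:
        print(evaluate(RULES, s))
    # Moving the catch-all to the top silently shadows both header exceptions.
    print(shadowed_rules([RULES[-1]] + RULES[:-1], SAMPLES))
```

Running it shows the two forwarded messages delivered by their respective header rules, the spoofed message quarantined by the catch-all, and the SPF-passing message delivered by default; with the catch-all moved to the top, `shadowed_rules` reports both header exceptions as unreachable, which is the configuration mistake the reply warns about. Whatever header attribute is chosen for the exception rule should be one that only the Company A relay path produces, since any sender who can reproduce it would also bypass the catch-all.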

