Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 14 replies
  • Answers 1 answer
  • Subscribers 15 subscribers
  • Views 5734 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos filtered Email to M365 - Microsoft then removing legit emails as High Confidence Phish

Dennis Jones

We have many clients on Sophos filtering of email before delivery to m365

Yesterday we had several clients, where the email was "removed" (after delivery) from their inboxes and taken back to M365 quarantine as a "high confidence phish"

Essentially it was very much (all) the emails that contained a URL

I'm wondering if the Sophos modification of those URL's at the spam/virus filter end (safe links) prior to delivery, is upsetting "something" at M365 and what do we need to do to fix it?




This thread was automatically locked due to age.

Top Replies

  • +4 verified

    Hello,

    This issue is being investigated under XGE-28086 

    If you’re being affected by this, please share the following in your case Details:

    1) Queue IDs of Affected Emails:

    Go to > Email Security > Logs & Reports > Message History > Subject (localize the affected emails and click the subject) > Raw Header and look for ESMTPS id 4PXYy06g0Kz1y9P (Usually around the 10th line) or let support which emails are being affected

    2) Remote Access ID:

    Top Right Corner > Click your name/Org > Account Details > Sophos Support > Turn on Remote Assistance > and COPY AND PASTE "The unique ID for this Sophos Central account is:" number

    3) Location of the Central Account :

    4) Mention XGE-28086 if the issue is with Mailflow or PHISH-8610 if the issue is related to Sophos Phish Threat 

    Top Right Corner > Click your name/Org > Account Details > Sophos Support > Scroll down to "This account is located in the XXXXXXXXXXXX region.

    Regards,

    Jump to answer
Parents Reply Children
  • +1 in reply to Dennis Jones

     I have taken a look at the case but did not find any screenshots nor indicators as to what might be happening or causing this. I would like to set the expectation that this is not a Sophos issue but a Microsoft one. From the symptoms described, it looks like Microsoft did something in their product that basically classified emails that have URLs to be quarantined eventhough they were already inbox. As we did not create M365 our diagnosis/recommendations would not be on par with Microsoft's support on this matter. I would therefore recommend contacting them instead in order to resolve this faster.

  • 0 in reply to josepalad

    Yes we have come to the same conclusion. 

  • 0 in reply to Dennis Jones

    Hi Dennis, did you happen to get to the bottom of this?

    I presume we could add our Sophos Central Email IPs and Domain / URL as a Third Party Phishing SImulation to bypass this, however I am struggling to find the URL to use.

  • 0 in reply to Chris Third

    Hi Chris
    We determined its a new Microsoft "feature"
    We Disabled the Zero-Hour auto purge  (ZAP) "feature" in the 365 backend
    (Given Sophos has already seen the email and considered it's safe)
    Problem has gone away now
    Not entirely comfortable with that solution, but its working for us