Sophos Central Email - Updates and new features

Sophos Central Email - Updates from the last few months

Sophos Central Email is currently the most exciting product, and that is because something is actually happening in product development.

The situation is different with ZTNA, where the datasheet has said since day one that mobile apps are planned, but nothing is happening. And that was more than 2 years ago. 🫢

Sophos Zero Trust Network Access (ZTNA) Mobile Apps planned

That is why it is good to see how Central Email is developing. In January, I summarized the new features in the article Latest Features of Sophos Central Email, and I will now do the same again. Not only do new features and improvements arrive almost every 2 months, there is also always a video about the updates 🤯. So a big compliment to the Central Email team at Sophos 🫡. This is exactly how we imagine a cloud service should work.

List of updates

Aggressive Mode for Anti-Spam

The era of endless spam could take a serious hit with the introduction of the new anti-spam function in Sophos Email: “Aggressive Mode”.

What is “Aggressive Mode” for Anti-Spam?

The new function allows administrators to adjust the spam detection rate individually. In the Anti-Spam Email Security policy, a slider displays five catch-rate levels from L1 to L5. The further to the right, the more aggressive the detection. Aggressive Mode also allows specific settings for different external and internal senders, ensuring maximum flexibility and control.

Sophos Central Email - Email Security Policy - Aggressive Mode
  • Careful adjustment: Increasing the aggressiveness of the anti-spam catch rate can increase the risk of false positives. It is therefore recommended to change the level gradually and monitor the results for false negatives and false positives over a defined period.
  • Adjustment for External Senders: For example, if you receive more spam from a single domain, you can set your policy more aggressively for that specific domain.
  • Protection of Internal Departments: Parts of your organization that are particularly sensitive to spam can be protected by setting a more aggressive catch-rate level in another policy for these users, groups, or domains.

Sophos KB Article: Sophos Email: Suspected Spam

Quarantine Improvements

The quarantine functions in Sophos Central Email give administrators more flexibility and control when handling quarantined emails and their attachments. They enable safer handling of potentially dangerous content and provide additional tools for analysis and verification. Cloning email security policies simplifies their management and implementation. These improvements are another step by Sophos to help administrators keep their systems secure.

Admin Quarantine

  • Administrators can now remove or reattach attachments from quarantined emails before releasing a copy of the email.
  • Attachments can be downloaded for manual review. These attachments are provided in a password-protected zip file.
  • There is an advanced search function that by default displays the most recently quarantined messages.
  • Administrators can view URLs in the message body and search for specific URLs.
  • Emails can be sent to Intelix for review. If they have already been scanned by Intelix, they can be released with confidence or submitted for another review.

User Quarantine

  • The extended search is now available in both the end-user quarantine and the distribution list quarantine of the Self Service Portal.
  • Two new fields, “To” and “Reason,” have been added to help end-users make informed decisions about releasing or deleting emails.

Further Improvements

  • Support for outbound messages on Port 587 in Gateway Mode. Previously, only Port 25 was supported.
  • A new function detects compromised mailboxes based on traffic patterns. When a compromise is detected, a notification is sent requesting that multi-factor authentication be activated and the mailbox password changed.
  • Impersonation Protection has been extended to support more VIPs. Up to 500 users can now be added.
  • There is also a new cloning function for Sophos Email policies.

Secure Message Policy & Policy Improvements

Secure Message Policy - This function consolidates various encryption and security settings into a single policy, giving administrators more precise control than before.

The previous global settings, especially the settings for encryption and TLS connections, have been migrated to this new policy. Users will notice this because a banner appears on the dashboard indicating the move. Despite this change, the product’s functionality remains unchanged. However, the change allows users to adapt and refine their policies more easily.

Another important update is the improved distinction between internal and external users or domains, which simplifies selection and management. Sophos has also improved TLS encryption and now supports TLS 1.3, a recommended setting for inbound and outbound messages.

Another area that has been improved is encryption. S/MIME can now be used for inbound and outbound messages with specific policies. The push encryption and portal encryption functions for outbound messages have also been improved, with portal encryption now offering more intuitive license management in particular.

Overall, these updates aim to give administrators an improved, more intuitive, and more secure messaging experience. For anyone who wants a deeper look, a video is available that covers these changes in detail.

Impersonation Protection

Impersonation Protection was developed to protect companies from fraudulent emails. This feature detects emails that pretend to come from known brands or important people in your company.

Previously, email administrators had to rely on complex filter rules and third-party tools to detect such fake emails. With Impersonation Protection, Sophos offers an integrated solution that automatically looks for signs of email impersonation. This includes the impersonation of known brands and the use of VIP names in your company.

Configuration is straightforward. Administrators can go to the email security settings and define various actions for detected fraudulent emails, such as adding a warning banner to an email or blocking the sender. There is also a VIP management function where administrators can store the email addresses of up to 500 important people in their organization. These addresses are then monitored more closely.

Furthermore, administrators can view detection entries at various locations in Sophos Email to get an overview of potential threats and fake emails.

Impersonation Protection is an important step in the fight against phishing and email fraud. It provides companies with an additional safety net and makes it easier for administrators to protect their organization from these growing threats. If you want to learn more about it, you can watch the detailed video from Sophos.

Sophos KB Article: Impersonation Protection and VIP Management

SMTP Routing

SMTP Routing enables targeted forwarding of email messages by defining gateway routes, thereby optimizing direct communication between email servers.

With this feature, gateway messages can be sent directly to an email server by using either the server’s A record or its Fully Qualified Domain Name (FQDN).

  • Settings: SMTP Routing can be found in the global settings under “Email Security” and “Custom SMTP Routing”. There, the email domain can be selected and IP addresses or DNS names for forwarding can be defined.
  • Individualization: It is possible to create individual SMTP routing policies that can be configured specifically for users, groups, or domains.
  • Data Control: This function allows messages to be forwarded based on criteria such as a specific subject.
  • Rule-based redirection: Messages can be redirected based on the presence of certain headers or subjects.
  • Verification: The correct operation of SMTP routing can be checked in the logs and reports of Message History.
  • Platform: With the update, it is possible to send emails from different platforms, such as Office 365 or Google Apps Gmail, under the same email domain.

An additional video supports administrators in introducing this feature. Please note that SMTP routing is designed specifically for messages processed by the Sophos Email Gateway.

Inspect & Modify Header

The “Inspect & Modify Header” function is an extension to Data Control that lets you inspect and edit your email headers more precisely. Below is a brief summary.

Inspect Header

With the new rule type Message Attribute in Data Control, you can now inspect the attributes of any email. This allows filtering messages by header, source, or size.

  • Header inspection can be used to check whether a header value matches a regular expression, contains a specific value, is equal to a value, or whether the header itself exists.
  • The Source Message Attribute can be used to check if an IP address or domain matches a specific value.
  • Size control allows filtering messages or attachments that are larger or smaller than a specific value.

Message attribute inspection can also be combined with other rule types to enable even more detailed rule definitions.

Modify Header

Header modification now also has its own place. Each rule type allows you to:

  • Insert a new header and value into the message.
  • Edit the value of all matching headers.
  • Remove all matching headers.

A practical use case was demonstrated in the video: a header was first used to make a decision, and after the action was performed, a rule was added to remove the header so it would not be forwarded to external recipients.
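The inspect conditions and modify actions listed above, combined in the decide-then-strip use case, as an added Python illustration (not Sophos code and not its API). The `X-Sensitivity` header, the sample message and all function names are assumptions made for this example.

```python
import re
from email import message_from_string

# Constructed sample message; X-Sensitivity is a hypothetical internal header.
SAMPLE = """\
From: alice@example.com
To: bob@partner.example
Subject: Q3 contract draft
X-Sensitivity: confidential
X-Sensitivity: finance-only

Draft attached.
"""

def inspect_header(msg, name, mode, value=None):
    """Evaluate one header condition: exists, equals, contains or regex."""
    values = msg.get_all(name, [])
    if mode == "exists":
        return bool(values)
    if mode == "equals":
        return any(v.strip() == value for v in values)
    if mode == "contains":
        return any(value in v for v in values)
    if mode == "regex":
        return any(re.search(value, v) is not None for v in values)
    raise ValueError(f"unknown match mode: {mode}")

def modify_header(msg, name, action, value=None):
    """Insert a header, edit all matching headers, or remove all of them."""
    if action == "insert":
        msg[name] = value              # appends a new header line
    elif action == "edit":
        count = len(msg.get_all(name, []))
        del msg[name]                  # drops every occurrence
        for _ in range(count):         # re-added at the end of the header block
            msg[name] = value
    elif action == "remove":
        del msg[name]                  # no error if the header is absent
    else:
        raise ValueError(f"unknown action: {action}")

def process_outbound(raw):
    """Decide on the header first, then strip it before the message leaves."""
    msg = message_from_string(raw)
    encrypt = inspect_header(msg, "X-Sensitivity", "regex", r"(?i)^confidential$")
    modify_header(msg, "X-Sensitivity", "remove")
    return encrypt, msg
```

The order matters: if the remove rule ran before the inspect rule, the decision header would already be gone and the message would leave unencrypted.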

Benefits of Inspect & Modify Header

The main advantage of this function is that administrators now have more precise control over their email headers. Whether it’s checking specific header values for matches, filtering messages by attributes, or modifying the headers themselves, everything is now possible.

A clear example from the video below shows how you can use header inspection to encrypt an email based on its sensitivity. This demonstrates how powerful this function can be for everyday administrative tasks.

Conclusion: The new Sophos update offers clear advantages for anyone looking for improved data control options in their email solution. With the new Inspect & Modify Header function, you now have more control and flexibility when managing your email headers.

For a practical introduction to this new function, you can watch the video at the end of this article. It clearly shows how to make the best use of this function.

Email Quarantine API

Sophos Central Email has introduced a new Quarantine API that gives administrators extended control over quarantined emails. The interface enables more efficient, automated handling of quarantined messages and so helps improve email security.

Key Features of the Quarantine API

  • List quarantined messages
  • Retrieve details of specific quarantined messages
  • Release or delete messages in quarantine
  • View, download, attach, remove, and list attachments of a message
  • Automate quarantine management tasks
  • Extended control of quarantined messages
  • Integration into various systems and workflows
  • Direct interaction with quarantine without UI

Outbound Disclaimer

Sophos Email has responded to user feedback and introduced a useful new feature: the Outbound Disclaimer function. This now makes it possible to insert legal notices or other notes directly into outbound emails, in both plain text and HTML format.

In the past, external tools or scripts had to be used to insert such disclaimers into emails. This was time-consuming and complicated. With the new Sophos function, you can now do this directly in the email security settings. Depending on whether the message is written in plain text or HTML format, the corresponding disclaimer is added automatically.

Sophos Central Email - Outbound Email Disclaimer

To learn more about the exact functionality and configuration, I recommend the attached demonstration video.

Patrizio