
Copyright © 2023 Sophos Ltd

Introduction to Sophos Email

[Additional Information]

Sophos Email
EM0505: Introduction to Sophos Email

May 2023
Version: 3.0v1

© 2023 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written
consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the
trademarks or registered trademarks of Sophos Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express
or implied) as to its completeness or accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon,
Oxfordshire, OX14 3YP.

Introduction to Sophos Email - 1



Introduction to Sophos Email


RECOMMENDED KNOWLEDGE AND EXPERIENCE
There is no experience required prior to completing this chapter; however, some knowledge
of what Sophos Central is and how email works is recommended.

DURATION 8 minutes

In this chapter you will learn what Sophos Email is, how to access it, and how it works. You will also
learn how it is licensed.


Connected Cyber Attacks


[Diagram: Delivery and Instruction. 1. Phishing, 2. Malicious URL, 3. Command & Control]

The threat delivery phase of a cyberattack is where Sophos Email provides protection. Phishing emails
are popular with attackers because it is easier to trick one person into clicking a malicious link or
opening an attachment than to break into an entire network.

Cybercriminals often combine multiple techniques to compromise a victim’s device. The greatest risk
from an attacker is not individual campaigns; it is connected attacks.

What is Sophos Email?
▪ A cloud-based secure solution that can operate in two modes:

▪ Secure email gateway solution

▪ M365 complementary API-based solution

▪ Provides centralized management and reporting

▪ Blocks malicious links and email attachments both before and after delivery

▪ Protects against fraudulent emails that impersonate trusted senders

▪ Prevents data loss

▪ Integrates with third-party email platforms

▪ Provides email continuity

It is no surprise, then, that email is a major attack vector. Sophos Email can be used as a cloud-
based secure email gateway as well as a Microsoft 365 complementary API-based solution. It provides
centralized management and reporting along with protection against email-based attacks both before
and after the email has been delivered. Additionally, Sophos Email can be configured to prevent data
loss.

Sophos Email can integrate with on-premises and virtual third-party email platforms and provides
email continuity. Should your email server experience a power failure or disruption, Sophos Email will
queue your emails until your email server is recovered.

[Additional Information]
M365 integration functionality is also known as both Integrated Complementary Email Security (ICES)
and Complementary Email Security Systems (CESS).


How to Access Sophos Email


https://central.sophos.com

Google Chrome

Apple Safari (Mac only)

Mozilla Firefox

Microsoft Edge

Sophos Email is accessed through Sophos Central. Log into your Sophos Central account with your
Sophos ID and password. From the dashboard, navigate to Email Security from the left-hand menu.

As Sophos Email is cloud-based, it is supported on the latest versions of all major Internet browsers.


Sophos Email Security Configuration

GATEWAY INTEGRATION
▪ Integrate Sophos Email Security with third-party mail services

Integrated Complementary Email Security (ICES)
▪ Integrate Sophos Email Security with Microsoft 365 email domains without
modifying DNS and MX records

There are two ways to configure Sophos Email Security, either in gateway mode or using Integrated
Complementary Email Security (ICES).

In gateway mode you can integrate Sophos Email Security with third-party mail services. Using ICES,
you can integrate Sophos Email Security with Microsoft 365 email domains without modifying your
DNS and MX records.


Gateway Mode

[Diagram: Sender, Sender’s Mail Server, Domain Name Server (DNS)]

1. The sender writes an email to globaltraining@sophos.com
2. The email is sent to the sender’s mail server
3. The sending mail server checks where the mail server for the recipient’s domain is
4. The DNS server responds with the Mail Exchanger (MX) record for the recipient domain, which is
configured for Sophos Central

Let’s have a look at how Sophos Email works.

First, our sender writes an email to globaltraining@sophos.com and clicks send.

The sender’s email client sends the email to their mail server. The mail server identifies the mail
server for the recipient’s domain by querying a domain name server (DNS).

The DNS server responds with the mail exchanger (MX) record for the recipient’s domain, which is
configured as the Sophos email server in this example.


Gateway Mode

[Diagram: Sender’s Mail Server, Sophos Email, Recipient Mail Server, Recipient]

5. The sender’s mail server sends the email to Sophos Central
6. Sophos Email scans the email for viruses and spam
7. Clean emails are delivered to the recipient’s mail server

Now the email server knows that to deliver the email to globaltraining@sophos.com it needs to send
it to the Sophos Central mail servers.

When Sophos Central receives the email, it scans it for viruses and spam, and checks the sender
against an allow and block list.

Once the email is determined to be clean, it is delivered to the recipient’s mail server. The recipient’s
email client downloads the email.

In this example there is nothing to stop an attacker sending an email directly to the recipient’s mail
server, bypassing Sophos Email.


Gateway Mode
[Diagram: Sender Email Server, Sophos Email, Recipient Email Server, Recipient]

To prevent this, the recipient mail server must be configured to only accept inbound mail from Sophos
Email.

This means that if an attacker were to directly send an email to the recipient’s mail server, the email
will be rejected as it is not an inbound email from Sophos Email.
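
One way to check that this restriction is actually holding, as an added example that is not part of the Sophos material: scan the recipient mail server's connection log for inbound SMTP connections that did not come from the gateway. It assumes a Postfix-style "connect from host[ip]" log line; the gateway ranges, log lines and function names are constructed placeholders.

```python
import ipaddress
import re

# Constructed placeholder ranges (RFC 5737 documentation space); substitute the
# delivery IP ranges published for your gateway region.
GATEWAY_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]

# Constructed sample lines in a Postfix-style "connect from host[ip]" format.
SAMPLE_LOG = """\
May 10 09:00:01 mx1 postfix/smtpd[411]: connect from gw-a.example.net[192.0.2.17]
May 10 09:00:07 mx1 postfix/smtpd[412]: connect from unknown[203.0.113.50]
May 10 09:01:12 mx1 postfix/smtpd[413]: connect from gw-b.example.net[198.51.100.9]
May 10 09:02:30 mx1 postfix/smtpd[414]: connect from mail.example.org[198.51.100.200]
May 10 09:03:00 mx1 postfix/smtpd[415]: connect from localhost[127.0.0.1]
"""

CONNECT_RE = re.compile(r"connect from (?P<host>\S+)\[(?P<ip>[0-9a-fA-F:.]+)\]")


def is_gateway(ip):
    """True when the connecting address falls inside an allowlisted gateway range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in GATEWAY_NETS)


def find_bypass_connections(log_text):
    """Return (host, ip) for each inbound SMTP connection that skipped the gateway."""
    findings = []
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if not m:
            continue
        ip = m.group("ip")
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address field; ignore the line
        if addr.is_loopback:
            continue  # local submission, not inbound internet mail
        if not is_gateway(ip):
            findings.append((m.group("host"), ip))
    return findings


if __name__ == "__main__":
    for host, ip in find_bypass_connections(SAMPLE_LOG):
        print(f"direct delivery attempt bypassing gateway: {host} [{ip}]")
```

Any hit means the recipient server is still reachable from sources other than the gateway, so its inbound restriction needs tightening.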


Integrated Complementary Email Security (ICES)

[Diagram: External Email Service, Microsoft 365, Sophos Email, Mailbox]

1. Inbound email sent from an external email service
2. Using mail flow rules configured in M365, the inbound connector sends the email to Sophos Email
for scanning
3. Sophos Email sends the email back to M365 to route to the mailbox
4. The email is delivered to the recipient mailbox

When using ICES to integrate Microsoft 365, Sophos Email uses Microsoft APIs to create mail flow
rules in your Microsoft 365 environment. These mail flow rules route email to Sophos Email and back
to Microsoft 365.

Let’s look at how this works. Firstly, an inbound email is sent from an external email service. M365
sends the email to Sophos Email for scanning. Sophos Email then sends the scanned email back to
M365 which routes the email to the intended recipient.


Integrated Complementary Email Security (ICES)

[Diagram: Mailbox, Microsoft 365, Sophos Email, External Email Service]

1. The email is sent to an external email address
2. The email is sent to Sophos Email for outbound scanning
3. The outbound email connector sends the email from Sophos Email back to M365
4. The outbound email is sent to the external email service

In the same way, when an email is sent from a protected mailbox, it is sent to M365 first. M365 sends
the email to Sophos Email for outbound scanning. The outbound connector sends the email back to
M365 which sends it out to the external email service.


Synchronized Security

Synchronized Security is enabled by default in CONFIGURE > Settings > Synchronized Security. It links
Sophos Email with other Sophos solutions to prevent your organization from unknowingly sending
outbound spam and to block malicious emails.

Compromised Mailbox Detection
[Diagram: five-step cycle linked by Security Heartbeat™]

1. Compromised Mailbox Detected: Sophos Email detects a compromised mailbox sending outbound spam or
phishing emails
2. Mailbox Isolation: Sophos Email isolates the mailbox, alerts the Central Administrator and
shares information with Endpoints. Preventing the attack from spreading and removing sender privileges
3. Endpoint: Device Scan: Sophos Endpoint identifies and scans all known devices associated to the
mailbox
4. Endpoint: Clean-up: Sophos Endpoint automatically cleans up any infection with admin alerts
surfaced in Endpoint
5. Mailbox Restored: Mailbox sender privileges restored

When your domain is used to spread spam and phishing emails, it can impact your reputation as an
email sender and as a trusted business. There are common symptoms of compromised email activity,
but busy teams may struggle to notice, leading to undetected threats.

Synchronized Security monitors outbound email. If 5 or more outbound emails are classified as spam
or contain viruses within a ten-minute period, action will be taken. If outbound spam is detected, the
mailbox that is sending the spam will be isolated to prevent the attack from spreading.

As the list of users is shared in Sophos Central between all products, Sophos Email can alert the
endpoint associated with that mailbox to scan for malware. Perhaps the computer has become part of
a botnet for instance. It will attempt to automatically clean up any infection and restore access.

Please note that if Synchronized Security is turned off, this will only disable the endpoint scan. The
senders of outgoing spam and virus emails will still be blocked.

[Additional Information]
The blocking process works by identifying the originating mailbox and the owner along with any
devices assigned to that owner. The mailbox is blocked from sending emails for 1 hour. After 1 hour,
the mailbox is unblocked automatically. Lockout periods increase every time the blocking process is
triggered. The amount of time the mailbox is blocked for is doubled every time the spam threshold is
reached. The previous block period needs to end before another can start. These timed blocks can't be
removed, and you must let them expire. After 6 times, the mailbox will be blocked permanently, and
the owner will not be able to send any email from that mailbox. If you believe a permanently blocked
mailbox should be unblocked, please contact Sophos support. An alert is sent to the administrator
saying that the sender has been blocked. The events report is updated to show that the mailbox has
been blocked.
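
The threshold and escalating lockout described above can be modelled in a few lines, which helps when estimating how long a flagged mailbox will stay blocked. This is an added illustration, not Sophos code: the class and function names are hypothetical, and it assumes "after 6 times" means six timed blocks (1 to 32 hours) with the next trigger being permanent.

```python
from collections import deque
from datetime import timedelta

WINDOW = timedelta(minutes=10)     # "within a ten-minute period"
THRESHOLD = 5                      # "5 or more outbound emails"
FIRST_BLOCK = timedelta(hours=1)   # first lockout; doubled on every later trigger
TIMED_BLOCKS = 6                   # assumption: the trigger after six timed blocks is permanent


class MailboxMonitor:
    def __init__(self):
        self.recent = deque()      # timestamps of recent flagged outbound messages
        self.triggers = 0          # how many times the threshold has been reached
        self.blocked_until = None  # end of the current timed block, if any
        self.permanent = False

    def is_blocked(self, now):
        return self.permanent or (self.blocked_until is not None and now < self.blocked_until)

    def record_flagged(self, ts):
        """Register one flagged message; return its outcome or the new block length in hours."""
        if self.is_blocked(ts):
            return "rejected"      # a new block cannot start until this one ends
        self.recent.append(ts)
        while ts - self.recent[0] > WINDOW:
            self.recent.popleft()  # slide the ten-minute window forward
        if len(self.recent) < THRESHOLD:
            return "counted"
        self.recent.clear()
        self.triggers += 1
        if self.triggers > TIMED_BLOCKS:
            self.permanent = True
            return "permanent"
        duration = FIRST_BLOCK * 2 ** (self.triggers - 1)
        self.blocked_until = ts + duration
        return duration // timedelta(hours=1)


def simulate_repeat_offender(start, bursts):
    """Replay a five-message burst each time the mailbox is free again."""
    mon, now, outcomes = MailboxMonitor(), start, []
    for _ in range(bursts):
        for i in range(THRESHOLD):
            result = mon.record_flagged(now + timedelta(minutes=i))
        outcomes.append(result)
        if mon.permanent:
            break
        now = mon.blocked_until + timedelta(minutes=1)
    return outcomes
```

Under these assumptions, seven successive bursts from the same mailbox produce blocks of 1, 2, 4, 8, 16 and 32 hours and then the permanent block.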

Synchronized Security

Intelligent Cybersecurity Awareness Training


Sophos Email links into Sophos Phish Threat, which is our cybersecurity awareness solution that
educates users to protect themselves from multiple types of attack. Cybersecurity awareness training
is an important aspect of your security strategy, but while you train all users, how do you identify
those who exhibit the riskiest behavior?

Sophos Synchronized Security connects Sophos Email and Phish Threat to identify users who have
been warned or blocked from visiting a website due to its risk profile. You can seamlessly enroll
identified users into targeted phishing simulations and training to improve awareness and cut your risk
of attack.

[Additional Information]
Further information on connected email protection with Sophos Synchronized Security can be found
here: https://www.sophos.com/en-us/medialibrary/PDFs/factsheets/sophos-email-sync-sec-ds.pdf

Sophos Email Licensing
Protection Features                        Email Advanced
Microsoft 365 Mailbox Rules                ✓
Microsoft 365 Post-delivery Protection     ✓
Anti-Spam and Malware Scanning             ✓
Cloud Sandbox                              ✓
Malicious URL Detection                    ✓
Time-of-click URL Rewriting                ✓
SPF, DKIM, DMARC                           ✓
Impersonation Phishing Protection          ✓
Display Name Analysis                      ✓
Look-a-like Domain Checks                  ✓
Multi-rule DLP Policies                    ✓
Content Control Lists                      ✓
Enforced TLS Encryption                    ✓
S/MIME                                     ✓
Push-based Encryption                      ✓
Pull-based Encryption                      Add-on

The use of Sophos Email requires a Sophos Email Advanced license. The license includes the
protection features shown here.

Take a moment to review these, then click Continue to proceed.

[Additional Information]
https://assets.sophos.com/X24WTUEQ/at/f84fgz64xhf87tckpk3jk59k/sophos-email-ds.pdf

Sophos Email Licensing

Counted
▪ Individual users requiring email security
▪ Shared mailboxes

Not counted
▪ Mailbox aliases
▪ Distribution lists
▪ Public folders

If a mailbox is deleted from Sophos Email, it will be removed from the license count

A license is counted in the following scenarios: for individual users requiring email security and for
shared mailboxes. Mailbox aliases, distribution lists, and public folders do not count towards the
license use count.

If a mailbox is deleted from Sophos Email, it will be removed from the license count. This change will
be reflected in the license usage count and will display as a decrease within 4 hours.

[Additional Information]
FAQ: KB-000036272: https://support.sophos.com/support/s/article/KB-000036272


Chapter Review

Here are the three main things you learned in this chapter.

Sophos Email is a cloud-based solution that can be configured as a secure email gateway as well as an
integrated Complementary Email Solution (ICES). It provides centralized management and reporting
along with protection against email-based attacks both before and after message delivery.

Sophos Email can integrate with on-premises and virtual third-party email platforms and provides
email continuity.

The use of Sophos Email requires a Sophos Email Advanced license.
