EM0505: Introduction to Sophos Email
Sophos Email
May 2023
Version: 3.0v1
© 2023 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written
consent of Sophos.
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the
trademarks or registered trademarks of Sophos Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express
or implied) as to its completeness or accuracy. This document is subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon,
Oxfordshire, OX14 3YP.
DURATION 8 minutes
In this chapter you will learn what Sophos Email is, how to access it, and how it works. You will also
learn how it is licensed.
The threat delivery phase of a cyberattack is where Sophos Email provides protection. Phishing emails
are popular with attackers because it is easier to trick one person into clicking a malicious link or opening an
attachment than to break into an entire network.
Cybercriminals often combine multiple techniques to compromise a victim’s device. The greatest risk
from an attacker is not individual campaigns, it is connected attacks.
It is no surprise then that email is a major attack vector. Sophos Email can be used as a cloud-
based secure email gateway as well as a Microsoft 365 complementary API-based solution. It provides
centralized management and reporting along with protection against email-based attacks both before
and after the email has been delivered. Additionally, Sophos Email can be configured to prevent data
loss.
▪ Blocks malicious links and email attachments both before and after delivery
Sophos Email can integrate with on-premises and virtual third-party email platforms and provides
email continuity. Should your email server experience a power failure or disruption, Sophos Email will
queue your emails until your email server is recovered.
[Additional Information]
M365 integration functionality is also known as both Integrated Complementary Email Security (ICES),
and Complimentary Email Security Systems (CESS)
Sophos Email is accessed through Sophos Central. Log into your Sophos Central account with your
Sophos ID and password. From the dashboard, navigate to Email Security from the left-hand menu.
As Sophos Email is cloud-based, it is supported on the latest versions of all major Internet browsers:
▪ Google Chrome
▪ Mozilla Firefox
▪ Microsoft Edge
There are two ways to configure Sophos Email Security, either in gateway mode or using Integrated
Complementary Email Security (ICES).
In gateway mode you can integrate Sophos Email Security with third-party mail services. Using ICES,
you can integrate Sophos Email Security with Microsoft 365 email domains without modifying your
DNS and MX records.
Gateway Mode
[Diagram steps: 2. The email is sent to the sender’s mail server; 3. The sending mail server checks where the
mail server for the recipient’s domain is]
First, our sender writes an email to globaltraining@sophos.com and clicks send.
The sender’s email client sends the email to their mail server. The email server identifies the mail server for
the email address using the domain name system (DNS).
The DNS server responds with the mail exchanger (MX) record for the recipient’s domain, which is
configured as the Sophos email server in this example.
[Diagram steps: 5. The sender’s mail server sends the email to Sophos Central; 7. Clean emails are delivered to
the recipient’s mail server]
Now the email server knows that to deliver the email to globaltraining@sophos.com it needs to send
it to the Sophos Central mail servers.
When Sophos Central receives the email, it scans it for viruses and spam, and checks the sender
against an allow and block list.
Once the email is determined to be clean, it is delivered to the recipient’s mail server. The recipient’s
email client downloads the email.
In this example there is nothing to stop an attacker sending an email directly to the recipient’s mail
server, bypassing Sophos Email.
To prevent this, the recipient mail server must be configured to only accept inbound mail from Sophos
Email.
This means that if an attacker were to directly send an email to the recipient’s mail server, the email
will be rejected as it is not an inbound email from Sophos Email.
Integrated Complementary Email Security (ICES)
When using ICES to integrate Microsoft 365, Sophos Email uses Microsoft APIs to create mail flow
rules in your Microsoft 365 environment. These mail flow rules route email to Sophos Email and back
to Microsoft 365.
Let’s look at how this works. Firstly, an inbound email is sent from an external email service. M365
sends the email to Sophos Email for scanning. Sophos Email then sends the scanned email back to
M365 which routes the email to the intended recipient.
[Diagram steps: 3. The outbound email connector sends the email from Sophos Email back to M365; 4. The
outbound email is sent to the external email service]
In the same way, when an email is sent from a protected mailbox, it is sent to M365 first. M365 sends
the email to Sophos Email for outbound scanning. The outbound connector sends the email back to
M365 which sends it out to the external email service.
Synchronized Security
Synchronized security is enabled by default in CONFIGURE > Settings > Synchronized Security. It links
Sophos Email with other Sophos solutions to prevent your organization from unknowingly sending
outbound spam and blocks malicious emails.
Security Heartbeat™
When your domain is used to spread spam and phishing emails, it can impact your reputation as an
email sender and as a trusted business. There are common symptoms of compromised email activity,
but busy teams may struggle to notice, leading to undetected threats.
Synchronized Security monitors outbound email. If 5 or more outbound emails are classified as spam
or contain viruses within a ten-minute period, action will be taken. If outbound spam is detected, the
mailbox that is sending the spam will be isolated to prevent the attack from spreading.
As the list of users is shared in Sophos Central between all products, Sophos Email can alert the
endpoint associated with that mailbox to scan for malware. Perhaps the computer has become part of
a botnet for instance. It will attempt to automatically clean up any infection and restore access.
Please note that if Synchronized Security is turned off, this will only disable the endpoint scan. The
senders of outgoing spam and virus emails will still be blocked.
[Additional Information]
The blocking process works by identifying the originating mailbox and the owner along with any
devices assigned to that owner. The mailbox is blocked from sending emails for 1 hour. After 1 hour,
the mailbox is unblocked automatically. Lockout periods increase every time the blocking process is
triggered. The amount of time the mailbox is blocked for is doubled every time the spam threshold is
reached. The previous block period needs to end before another can start. These timed blocks can't be
removed, and you must let them expire. After 6 times, the mailbox will be blocked permanently, and
the owner will not be able to send any email from that mailbox. If you believe a permanently blocked
mailbox should be unblocked, please contact Sophos support. An alert is sent to the administrator
saying that the sender has been blocked. The events report is updated to show that the mailbox has
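To make the threshold and escalating lockout arithmetic concrete, here is an added simulation that replays constructed outbound verdicts through the rule described above (5 or more spam/virus emails in ten minutes; 1 hour block, doubling each trigger, permanent after 6). It is not Sophos code; the mailbox names and the reading that the sixth trigger is the permanent one are assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10 * 60       # ten-minute detection window from the course text
THRESHOLD = 5                  # 5 or more flagged outbound emails trigger a block
BASE_BLOCK_SECONDS = 60 * 60   # first block lasts 1 hour, doubling on each trigger
PERMANENT_AFTER = 6            # assumption: the sixth trigger is the permanent block
PERMANENT = float("inf")


class OutboundSpamMonitor:
    """Hypothetical model of the outbound-spam lockout; timestamps are seconds."""

    def __init__(self):
        self.recent = defaultdict(deque)   # mailbox -> timestamps of flagged mail
        self.blocked_until = {}            # mailbox -> end of the current block
        self.triggers = defaultdict(int)   # mailbox -> number of blocks so far

    def is_blocked(self, mailbox, now):
        return now < self.blocked_until.get(mailbox, -1)

    def observe(self, mailbox, ts, verdict):
        """Feed one outbound verdict ('clean', 'spam' or 'virus').
        Returns the block length in seconds just applied, or None."""
        if verdict == "clean" or self.is_blocked(mailbox, ts):
            return None            # a new block cannot start until the previous one ends
        window = self.recent[mailbox]
        window.append(ts)
        while window and ts - window[0] > WINDOW_SECONDS:
            window.popleft()       # drop flagged mail older than ten minutes
        if len(window) < THRESHOLD:
            return None
        window.clear()
        self.triggers[mailbox] += 1
        n = self.triggers[mailbox]
        duration = PERMANENT if n >= PERMANENT_AFTER else BASE_BLOCK_SECONDS * 2 ** (n - 1)
        self.blocked_until[mailbox] = ts + duration
        return duration


def simulate(events):
    """Run (mailbox, timestamp, verdict) events; return the per-event block lengths."""
    mon = OutboundSpamMonitor()
    return [mon.observe(m, t, v) for (m, t, v) in events]


def burst(start, mailbox="alice@example.com"):
    # Constructed sample: five spam messages one minute apart, starting at `start`.
    return [(mailbox, start + 60 * i, "spam") for i in range(5)]


# Constructed timeline: a burst, one message during the 1 h block, then a second burst.
SAMPLE = burst(0) + [("alice@example.com", 3000, "spam")] + burst(4000)
```

The second burst lands after the first block has expired, so it triggers the doubled 2 hour block; the message at t=3000 is ignored because the mailbox is still blocked.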
Sophos Email links into Sophos Phish Threat, which is our cybersecurity awareness solution that
educates users to protect themselves from multiple types of attack. Cybersecurity awareness training
is an important aspect of your security strategy, but while you train all users, how do you identify
those who exhibit the riskiest behavior?
Sophos Synchronized Security connects Sophos Email and Phish Threat to identify users who have
been warned or blocked from visiting a website due to its risk profile. You can seamlessly enroll
identified users into targeted phishing simulations and training to improve awareness and cut your risk
of attack.
[Additional Information]
Further information on connected email protection with Sophos Synchronized Security can be found
here: https://www.sophos.com/en-us/medialibrary/PDFs/factsheets/sophos-email-sync-sec-ds.pdf
The use of Sophos Email requires a Sophos Email Advanced license. The license includes the
protection features shown here.
[Additional Information]
https://assets.sophos.com/X24WTUEQ/at/f84fgz64xhf87tckpk3jk59k/sophos-email-ds.pdf
A license is counted for each individual user requiring email security and for each shared
mailbox. Mailbox aliases, distribution lists, and public folders do not count towards the license use
count.
If a mailbox is deleted from Sophos Email, it will be removed from the license count. This change will
be reflected in the license usage count and will display as a decrease within 4 hours.
[Additional Information]
FAQ: KB-000036272: https://support.sophos.com/support/s/article/KB-000036272
Chapter Review
Here are the three main things you learned in this chapter.
Sophos Email is a cloud-based solution that can be configured as a secure email gateway as well as an
integrated Complementary Email Solution (ICES). It provides centralized management and reporting
along with protection against email-based attacks both before and after message delivery.
Sophos Email can integrate with on-premises and virtual third-party email platforms and provides email
continuity.