Sophos EMS (Email Monitoring System)

Sophos EMS is used only for monitoring. It scans and logs email messages but doesn't take any action.

Sophos EMS (Email Monitoring System), also known as "Email Sensor", is designed for monitoring and reporting only, and it generates detailed reports in Sophos Central. This flexible, non-intrusive tool enhances visibility and supports remediation for customers using Microsoft Defender for Microsoft 365, Google Workspace Security, or other third-party email security services.

EMS receives journaled copies of messages that may have passed existing security checks and been delivered to end users. EMS scans these messages and logs the results, but doesn't take any action on them. You can configure policy actions, but these actions aren't applied to the messages.

EMS also integrates with Sophos MDR and XDR, giving security teams a deeper understanding of potential threats. Through API integration, EMS offers Microsoft 365 customers a manual clawback capability.

What Sophos EMS does

Sophos EMS does as follows:

  • Scans inbound and outbound emails for monitoring purposes.
  • Logs scan results and updates Message History, Quarantined Messages, and other reports.
  • Supports manual email clawback for Microsoft 365 customers.
  • Integrates directly with Sophos MDR or Sophos XDR.
  • Feeds data into the Sophos Data Lake for threat detection, analytics, and MDR or XDR investigations.
  • Adds additional context for threat detection and enhances incident response capabilities.

How it works

Sophos EMS uses journaling rules configured in your mail service (Microsoft 365 or Google Workspace) to get a copy of each email for scanning. The original email remains unchanged and is delivered to the intended recipient. Because EMS depends on journaled messages, it doesn't scan emails that are blocked by Microsoft 365 or Gmail before a journal copy is created.

As data flows in, you'll start seeing email records in Message History, Quarantined Messages, and other reports in Sophos Central. This lets you monitor email activity and gain visibility into potential threats, even though no actions are taken on the emails.

Note

Internal emails aren't scanned in Sophos Central. This includes emails exchanged between any two domains configured in the same Sophos account, even if the domains belong to different tenants or use different service providers such as Microsoft 365 or Google.

For Microsoft 365 users, EMS supports manual email clawback. You can configure Email Security and Data Control policies to monitor for sensitive or policy-violating content, though the actions you configure within these policies don't affect email delivery. Logging from EMS also contributes valuable context to MDR investigations.
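Because EMS only sees what the journaling rule sends it, the first thing to verify after setup is that the rule exists, is enabled, and covers both inbound and outbound mail for all recipients. The following Exchange Online PowerShell check is an added example, not part of Sophos's documentation or Sophos Central itself; it assumes the Exchange Online PowerShell module is installed and that `$JournalTarget` holds the journaling address you configured for EMS (the value shown is a placeholder).

```powershell
# Added example (not Sophos's own code): verify the Exchange Online journal rule
# that feeds Sophos EMS. Assumes the ExchangeOnlineManagement module is installed.
# Placeholder: replace with the journaling address you configured for EMS.
$JournalTarget = 'ems-journal-target@example.invalid'

Connect-ExchangeOnline -ShowBanner:$false

# Exchange Online needs a journaling NDR mailbox; without one, undeliverable
# journal reports are dropped and EMS silently misses those messages.
$ndr = (Get-TransportConfig).JournalingReportNdrTo
if (-not $ndr -or "$ndr" -eq '<>') {
    Write-Warning 'JournalingReportNdrTo is not set; undeliverable journal reports will be discarded.'
}

# Find every journal rule that delivers to the EMS address.
$rules = Get-JournalRule | Where-Object { "$($_.JournalEmailAddress)" -eq $JournalTarget }
if (-not $rules) {
    Write-Warning "No journal rule targets $JournalTarget; EMS will receive no messages."
    return
}

foreach ($r in $rules) {
    if (-not $r.Enabled) {
        Write-Warning "Journal rule '$($r.Name)' is disabled."
    }
    # Scope Global journals inbound and outbound mail; Internal or External
    # would leave one direction out of the EMS reports.
    if ($r.Scope -ne 'Global') {
        Write-Warning "Journal rule '$($r.Name)' has scope $($r.Scope), not Global."
    }
    # A rule with a Recipient set journals only that mailbox or group.
    if ($r.Recipient) {
        Write-Warning "Journal rule '$($r.Name)' is limited to recipient $($r.Recipient)."
    }
}

Write-Output "Checked $($rules.Count) journal rule(s) targeting $JournalTarget."
```

Run this after completing the journaling configuration and again after any change to mail flow; a disabled or narrowly scoped rule produces no error in Sophos Central, it simply results in fewer records in Message History. Remember that this check cannot reveal messages Microsoft 365 blocked before journaling, which EMS never sees by design.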

If you use a third-party email security solution, you can integrate it with EMS in the following ways:

  • Create a secure connector if you're using an M365 gateway-based setup.
  • Create transport rules for an M365 mailflow-based setup.
  • Configure an inbound gateway if you're using Google.

This integration extends visibility and ensures consistent monitoring across your environment.

Set up Sophos EMS

To get started with the Sophos EMS setup, see Set up Sophos EMS.

Migrate from Sophos Email Advanced to Sophos EMS

If you're migrating from Sophos Email Advanced to Sophos EMS, do as follows:

  1. Remove the domains from the gateway or mailflow configurations. See Delete Sophos Email Security domains.
  2. Reset the MX configurations (for gateway) or mailflow settings (for mailflow), as applicable.
  3. In Account preferences, make sure Monitor Only Mode (EMS) is turned on.
  4. Add the domains again and complete the journaling configurations.

Migrate from Sophos EMS to Sophos Email Advanced

If you're migrating from Sophos EMS to Sophos Email Advanced, do as follows:

  1. Remove the domains from Sophos EMS. See Disconnect email domain from Sophos EMS.
  2. Remove the journaling configurations.
  3. In Account preferences, make sure Monitor Only Mode (EMS) is turned off.
  4. Add the domains again and complete the gateway or mailflow configurations.