Working with Sophos support (case 5397031), the current product is not able to stop a spoof attack in which the "envelope from" is valid but the body sender address is spoofed as an internal address.
SPF checks are not effective in this scenario and the message is delivered.
Bob Alfson commented
Merge this idea with "In Anti-Spam, Expression-check everything after DATA or include From".
Bill Galeckas commented
Opened a ticket for this exact issue! #112794
This should be built-in functionality to check the "Display From" against the "Mail From" and tag it as spam if different.
Jakir Hussein commented
I agree with Jon Camp. We too were the victim of a spoof email attack, where, due to strict SPF check failure, we received spoof emails whose From address was that of our internal users.
Sophos has to consider this issue seriously and come up with a strict SPF checks option.
Our organisation has been impacted by these types of messages as well. Would like to see what solution can be provided.
This may be difficult as there is a reasonable possibility of false positives. As this type of email is almost certainly spam, perhaps weighting the spam score when this condition occurs is a good way to address it?
Russell Youngs commented
[#5906399] Spoofed email hit us as well. A spear phish to one internal user passes SPF, and the greylisting retry is successful. It seems message attribute checking might be needed.
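The condition described in the original idea (SPF passes on the envelope sender while the header From claims an internal user), the "Display From" versus "Mail From" comparison Bill Galeckas asks for, and the score-weighting approach suggested for keeping false positives manageable can all be expressed as one small check. The script below is an added example written for this thread; it is not Sophos code and not the poster's. It assumes `example.com` is the protected organisation's domain, a weight of 5.0 added to the spam score when the mismatch is found, and three constructed messages as input. The envelope sender is whatever `MAIL FROM` the gateway saw in the SMTP session; when only a stored message is available it falls back to the `Return-Path` header the receiving MTA stamped. This is the same identifier-alignment test that DMARC standardises, so on a gateway that already evaluates DMARC the equivalent check is already available.

```python
"""Envelope-vs-header From alignment check (added example, not Sophos code).

SPF is evaluated on the RFC5321.MailFrom (SMTP envelope sender).  The
address the user actually sees is the RFC5322.From header, which SPF never
examines.  A message whose header From claims an internal domain while the
envelope sender is an external domain with a valid SPF record therefore
passes SPF and lands in the mailbox.  This check flags that mismatch and
returns a score weight rather than an outright reject.
"""
import email
from dataclasses import dataclass
from email.utils import parseaddr
from typing import Optional, Set

# Assumptions for this example: the organisation's own domain(s) and the
# weight added to the spam score when an internal From is not aligned.
INTERNAL_DOMAINS: Set[str] = {"example.com"}
SPOOF_WEIGHT = 5.0


@dataclass
class Verdict:
    envelope_domain: str       # domain of RFC5321.MailFrom (what SPF checked)
    header_from_domain: str    # domain of RFC5322.From (what the user sees)
    aligned: bool              # the two domains match
    internal_spoof: bool       # header From is internal, not aligned, not exempt
    score_delta: float         # weight to add to the spam score


def domain_of(addr: str) -> str:
    """Lower-cased domain of an address; '' for the null sender '<>' or junk."""
    _, bare = parseaddr(addr or "")
    if "@" not in bare:
        return ""
    return bare.rsplit("@", 1)[1].lower()


def check_alignment(envelope_from: Optional[str], raw_message: str,
                    internal_domains: Set[str] = INTERNAL_DOMAINS,
                    allowed_envelope_domains: Set[str] = frozenset(),
                    weight: float = SPOOF_WEIGHT) -> Verdict:
    """Compare the SMTP envelope sender with the header From.

    envelope_from is the MAIL FROM seen during the SMTP session.  If the
    caller does not have it (checking a stored message), fall back to the
    Return-Path header that the receiving MTA added on delivery.
    """
    msg = email.message_from_string(raw_message)
    if envelope_from is None:
        envelope_from = msg.get("Return-Path", "")
    env_dom = domain_of(envelope_from)
    hdr_dom = domain_of(msg.get("From", ""))
    aligned = bool(hdr_dom) and hdr_dom == env_dom
    # Third parties that legitimately send as the organisation (approved bulk
    # mailers, ticketing SaaS) are exempted by envelope domain; anything else
    # claiming an internal From without alignment gets weighted, not rejected.
    internal_spoof = (hdr_dom in internal_domains
                      and not aligned
                      and env_dom not in allowed_envelope_domains)
    return Verdict(env_dom, hdr_dom, aligned, internal_spoof,
                   weight if internal_spoof else 0.0)


# Constructed sample: external bulk mailer whose SPF record passes, header
# From forged as an internal user (the case described in the thread).
SPOOFED_MSG = """\
Return-Path: <bulk@mailer.example.net>
From: "Jon Camp" <jon.camp@example.com>
To: accounting@example.com
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

# Constructed sample: ordinary external mail, envelope and header agree.
ALIGNED_MSG = """\
Return-Path: <alice@partner.example.org>
From: Alice <alice@partner.example.org>
To: jon.camp@example.com
Subject: Meeting notes

See attached.
"""

# Constructed sample: an approved newsletter service sending as an internal
# address from its own bounce domain, the legitimate mismatch that makes a
# hard reject risky and an allow-list plus score weight preferable.
NEWSLETTER_MSG = """\
Return-Path: <bounce-123@news.example.net>
From: Marketing <marketing@example.com>
To: jon.camp@example.com
Subject: Monthly update

This month's news.
"""

if __name__ == "__main__":
    samples = [("spoofed", "bulk@mailer.example.net", SPOOFED_MSG),
               ("aligned", "alice@partner.example.org", ALIGNED_MSG),
               ("newsletter", "bounce-123@news.example.net", NEWSLETTER_MSG)]
    for name, env, raw in samples:
        v = check_alignment(env, raw, allowed_envelope_domains={"news.example.net"})
        print(f"{name}: aligned={v.aligned} internal_spoof={v.internal_spoof} "
              f"score_delta={v.score_delta}")
```

Run with the envelope sender taken from the SMTP session where possible; the `Return-Path` fallback is only trustworthy when the header was added by your own MTA. The newsletter sample shows why the thread's suggestion to weight the score rather than block is the safer default: mailing lists, forwarding services and SaaS tools that send on the organisation's behalf all produce the same mismatch, and the `allowed_envelope_domains` set is where those are exempted.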