Sophos XG Email Protection with Sandstorm and URLs


So far, I thought that using XG email protection (MTA mode) with Sandstorm, the URLs/links in email will be scanned or rewritten to sophos-sandbox (time-of-click). But the URLs in emails seem to stay untouched (tested with EICAR, and a real malicious URL - no Sandstorm activity is logged). Only attachments are scanned through Sandstorm. Is this correct or am I missing some further configuration?

Thank you


  • Rasal,

    If I remember correctly, the ToC is available only on Sophos Email Appliance (SEA) where each link is rewritten with the SEA URL.

    On XG, the Sandstorm checks the attachment to understand if the file is malicious or not.


  • Curious about this as well. While it wouldn't assist users clicking links via mobile devices, if they were to click a link from an internal host and you have all connections from LAN->WAN Sandstorm enabled, that should protect internal devices, correct? I would like to see true time-of-click protection appended to URLs in emails though, to keep my users' mobile devices protected, if my thoughts on LAN->WAN are correct.