Sophos Email customers using IP-based mailflow rule connectors must migrate to certificate-based configuration by March 31st. To see if you're affected Click Here.

Discussions URL Protection

Sophos Email requires membership for participation - click to join

Thread Info

State Suggested Answer
Replies 6 replies
Answers 1 answer
Subscribers 18 subscribers
Views 103 views
Users 0 members are here

Options

Suggested

URL Protection

SoC2024 3 hours ago

Hello,

at the moment it is only possible to allow curtain domains for the url protection. That´s nice for things like sharepoint and so on.

But one thing that we think is realy missing at the moment is, that there is no block list for the url protection.

As example we often recieve mails with url's ending with r2.dev, wich are definitly bad url's in that cases.

So at the moment we can't block them in the sophos email protection. The only way is to let´s say check every day the sophos

email protection reports und then report the mentionend mails as spam for further analyses to sophos.

This is not the solution.

Best regards

-
[edited by: SoC2024 at 10:48 AM (GMT -8) on 26 Nov 2024]

Top Replies

LuCar Toni 3 hours ago in reply to SoC2024 +1 suggested

Try to start with a normal URL. If it is a HTML email, then the Central should find the URL as well. Double Check here the Attachment Content is selected on the bottom.

Parents

0 SoC2024 3 hours ago

Ok think i understand.

So you mean urls in the message text can so be identified and the mail can than be moved to quarantine? That would be great. If yes, is this possible with embedded images in mails, wich have attached a clickable link to a url too? Because we have seen many mails with that new attack surface. The sophos support told us to report these mails as spam for further analyses. But this is not the best solution in that case, because over time we now about the bad url's so we want to handle them.

Can you tel me how such a REGEX for that specific case und the product sophos email protection should look like?

Tanks in advance.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 SoC2024 3 hours ago

Ok think i understand.

So you mean urls in the message text can so be identified and the mail can than be moved to quarantine? That would be great. If yes, is this possible with embedded images in mails, wich have attached a clickable link to a url too? Because we have seen many mails with that new attack surface. The sophos support told us to report these mails as spam for further analyses. But this is not the best solution in that case, because over time we now about the bad url's so we want to handle them.

Can you tel me how such a REGEX for that specific case und the product sophos email protection should look like?

Tanks in advance.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 LuCar Toni 3 hours ago in reply to SoC2024

Try to start with a normal URL. If it is a HTML email, then the Central should find the URL as well.

Double Check here the Attachment Content is selected on the bottom.

__________________________________________________________________________________________________________________
Cancel
Vote Up +1 Vote Down

Sign in to reply

Verify Answer

Reject Answer

Cancel
+1 SoC2024 2 hours ago in reply to LuCar Toni

Ok i see. So i have testet both situations now (only link and link attached to embedded picuture) both are then in our example configuration then quarantined in sophos email protection. Thats the solution we have searched for.
Cancel
Vote Up +1 Vote Down

Sign in to reply

Verify Answer

Cancel
0 SoC2024 23 minutes ago in reply to SoC2024

I tested it again. It is not realy well working. Sometimes it filters / sometimes not.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 LuCar Toni 20 minutes ago in reply to SoC2024

Can you analyze the both emails and compare them to each other, when it does not work?

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel