URL Protection

Ok think i understand.

So you mean urls in the message text can so be identified and the mail can than be moved to quarantine? That would be great. If yes, is this possible with embedded images in mails, wich have attached a clickable link to a url too? Because we have seen many mails with that new attack surface. The sophos support told us to report these mails as spam for further analyses. But this is not the best solution in that case, because over time we now about the bad url's so we want to handle them.

Can you tel me how such a REGEX for that specific case und the product sophos email protection should look like?

Tanks in advance.

Try to start with a normal URL. If it is a HTML email, then the Central should find the URL as well. 

Double Check here the Attachment Content is selected on the bottom. 

Ok i see. So i have testet both situations now (only link and link attached to embedded picuture) both are then in our example configuration then quarantined in sophos email protection. Thats the solution we have searched for.

I tested it again. It is not realy well working. Sometimes it filters / sometimes not.

Can you analyze the both emails and compare them to each other, when it does not work? 

I tried it again. It's not working. I have set that regular expression:

I have send a mail with embedded links: web.tld (Tld as shown in picture above | Yesterday my account has been blocked beacause i posted the in the picture above mentionend tld | what i can't understand | In the meantime it's unblocked again) and https://web.de. But the mail is accepted and delivered successfull. I have send a mail before that mail with the embedded link: netphone.test.proton.extra.mime.tld. Here sophos email protection matched the regex and put it in the qurantine. And so it goes on. Thats a problem. We see many spam attemps like descriped in the beginning. But there is at the moment no solution from sophos wich helps us dealing with that. An as already described the solution from the support team send the mails for analyses no solution for that. Next thing is that the regex is limited to 50 characters.

I tried it again. It's not working. I have set that regular expression:

I have send a mail with embedded links: web.tld (Tld as shown in picture above | Yesterday my account has been blocked beacause i posted the in the picture above mentionend tld | what i can't understand | In the meantime it's unblocked again) and https://web.de. But the mail is accepted and delivered successfull. I have send a mail before that mail with the embedded link: netphone.test.proton.extra.mime.tld. Here sophos email protection matched the regex and put it in the qurantine. And so it goes on. Thats a problem. We see many spam attemps like descriped in the beginning. But there is at the moment no solution from sophos wich helps us dealing with that. An as already described the solution from the support team send the mails for analyses no solution for that. Next thing is that the regex is limited to 50 characters.

Hello SoC2024 

Your post contains sample links, and I suspect that our community filters potentially treat it as spam. So that's why your reply has been processed in our moderation queue, and not your account being "blocked"

We understand that you might need to put up sample URLs for context purposes of the discussion, what I may recommend is manually type the URL in this manner e.g. netphone(dot)test(dot)proton(dot)extra(dot)mime(dot)com - to avoid your post being lined up for moderation checking. 

Thank you

Ok understand. I look for that on my next replys. Thank you.