Sophos Email: What to do when a legitimate email is quarantined/deleted for 'Malicious URL - High Risk' reason

Hi Everyone,

I have just encountered a case where a customer's inbound email keeps being quarantined for the reason of Malicious URL.

They tried putting the sender's domain and email address into the Allowed list however the issue persists.

Symptom

Here is how it looks in the Message History:

Here is the Email Details, it would show the URL that triggered the event:

Reason

The reason why the issue still occurs is because 'Malicious URL' scanning is part of the URL protection module instead and is not part of the anti-spam scanning (which the Allow list can affect).

There is no workaround for this. The email will either be quarantined or deleted.

If set action is 'Quarantine', it can be released via the Admin GUI, Quarantine Summary, or user's SSP page (depending on the configuration)

If set action is 'Delete', then it will just be deleted (cannot be retrieved).

Here is the URL protection actions:

Resolution

Once you have confirmed that the URL that triggered the event is non-malicious, open a case with Technical Support via https://support.sophos.com/support/s/?language=en_US so that an engineer can get the false classification corrected.



Edited title
[edited by: Raphael Alganes at 8:50 AM (GMT -8) on 11 Jan 2024]