Sophos Email customers using IP-based mailflow rule connectors must migrate to certificate-based configuration by March 31st. To see if you're affected Click Here.

Sophos Email: What to do when a legitimate email is quarantined/deleted for 'Malicious URL - High Risk' reason

Hi Everyone,

I have just encountered a case where a customer's inbound email keeps being quarantined for the reason of Malicious URL.

They tried putting the sender's domain and email address into the Allowed list however the issue persists.


Here is how it looks in the Message History:

Here is the Email Details, it would show the URL that triggered the event:


The reason why the issue still occurs is because 'Malicious URL' scanning is part of the URL protection module instead and is not part of the anti-spam scanning (which the Allow list can affect).

There is no workaround for this. The email will either be quarantined or deleted.

If set action is 'Quarantine', it can be released via the Admin GUI, Quarantine Summary, or user's SSP page (depending on the configuration)

If set action is 'Delete', then it will just be deleted (cannot be retrieved).

Here is the URL protection actions:


Once you have confirmed that the URL that triggered the event is non-malicious, open a case with Technical Support via so that an engineer can get the false classification corrected.

Edited title
[edited by: Raphael Alganes at 8:50 AM (GMT -8) on 11 Jan 2024]