
How to quarantine or block emails containing embedded URL?

Email Protection is enabled on Sophos UTM 9, however some emails are allowed through to the Exchange server that have embedded URLs linking to malicious websites. This type of email also has a modified header to make the sender appear to be a local domain user.

Adding the Subject line to the Expression Filter helps some, but since the subject text is usually generic and random, some legitimate emails are being quarantined. Is there a better way to quarantine or block these types of emails?

Thank you.



This thread was automatically locked due to age.
  • Hi Tracy,

    Same problem here. I can filter some mails with an expression filter that looks for "/rechnung" in the text.
    But we receive many mails with a cryptic URL, so the expression filter doesn't work in these cases.

    Filtering for "http" and "https" would produce too many false positives... our users would need to add many senders to the whitelist, which would be unreasonable.

    Many greetings,

    Sebastian
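
The two traits described in this thread (a From header claiming a local domain on mail that arrived from outside, plus a URL in the body) can be tested together instead of matching on keywords or on "http" alone. The following is an added example, not part of the original thread and not Sophos UTM configuration; `LOCAL_DOMAINS`, the `session_is_external` flag and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

LOCAL_DOMAINS = {"example.com"}   # assumption: the organisation's own mail domain(s)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def body_text(msg):
    """Concatenate all text/* parts, decoded from their transfer encoding."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            chunks.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def keyword_only(raw):
    """The keyword approach from the thread: match "/rechnung" in the text."""
    return "/rechnung" in body_text(message_from_string(raw)).lower()

def url_only(raw):
    """The "http"/"https" approach from the thread: any URL at all matches."""
    return bool(URL_RE.search(body_text(message_from_string(raw))))

def verdict(raw, session_is_external):
    """Quarantine only when all three signals coincide.

    session_is_external is an assumption: the gateway knows the SMTP session
    came from an outside host rather than an internal or authenticated one.
    """
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    claims_local = from_domain in LOCAL_DOMAINS
    if session_is_external and claims_local and url_only(raw):
        return "quarantine"
    return "deliver"

# Constructed sample messages (not real mail).
SPOOFED = ("From: Tracy <tracy@example.com>\nTo: bob@example.com\n"
           "Subject: Document\n\nPlease open http://x7f3q.invalid/a9Zk2\n")
NEWSLETTER = ("From: News <news@partner.invalid>\nTo: bob@example.com\n"
              "Subject: Update\n\nRead more at https://partner.invalid/news\n")
INTERNAL = ("From: Alice <alice@example.com>\nTo: bob@example.com\n"
            "Subject: Wiki\n\nSee https://wiki.example.com/page\n")

if __name__ == "__main__":
    for name, raw, ext in [("spoofed", SPOOFED, True),
                           ("newsletter", NEWSLETTER, True),
                           ("internal", INTERNAL, False)]:
        print(name, keyword_only(raw), url_only(raw), verdict(raw, ext))
```

External services that legitimately send with the organisation's domain in the From header would need an exception to a rule like this.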
