Sandstorm does not recognize Locky?

I'm wondering, why Sandstorm does not recognize and block Locky.

Yesterday a E-Mail passed the UTM, with attached, containing *.js scripts.

The ZIP was not encrypted and for my unterstanding Sandstorm should have analyzed this file and blocked it, as the *.js are very suspicious, as the arey downloading the Locky payload.

On our Exchange Server, the E-Mail was detected by Trendmicro Scanmail for Exchange as JS_LOCKY.KF