I wonder if it would be helpful to identify spear phishing messages if PureMessage could examine whether the links within a message are pointing at addresses that are not local to the organization. The administrator could define a regex (in pmx.conf) that identifies what local link addresses should look like (such as /(\.school\.edu|\.partner\.org)$/). At that point, there could be a new anti-spam rule (such as HAS_EXTERNAL_LINK) that triggers when the message contains non-local links. From that point, you could add a composite rule that uses HAS_EXTERNAL_LINK in combination with the various phishing rules. I think that this functionality would help add more certainty to identification of spear phishing messages which might otherwise slip by under the threshold. This functionality might also be useful for organizations that would like to add banner warnings to the bodies of inbound messages that look suspicious.
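A stand-alone sketch of the check proposed in the post above, added here as an example; it is not part of the original post and is not PureMessage code or pmx.conf syntax. Only the regex and the rule name HAS_EXTERNAL_LINK come from the post; the function names, the composite rule name PHISH_WITH_EXTERNAL_LINK and the sample message are assumptions.

```python
import html
import re
from email import message_from_string
from urllib.parse import urlsplit

# "Local" host pattern quoted from the post; all other names are assumptions.
LOCAL_HOST_RE = re.compile(r"(\.school\.edu|\.partner\.org)$", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def link_hosts(raw_message):
    """Return lowercased hostnames of URLs in text/plain and text/html parts."""
    hosts = set()
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        # decode=True undoes base64/quoted-printable; UTF-8 is assumed here.
        body = part.get_payload(decode=True).decode("utf-8", "replace")
        # Entity-decode first so URLs written with character references match.
        for url in URL_RE.findall(html.unescape(body)):
            try:
                host = urlsplit(url).hostname  # ignores userinfo and port
            except ValueError:  # malformed URL, no host to compare
                continue
            if host:
                hosts.add(host.rstrip(".").lower())
    return hosts

def evaluate(raw_message, phishing_hits):
    """Return (fired rule names, external hosts) for one message."""
    # Prefix a dot so the bare domain (school.edu) also matches the pattern.
    external = {h for h in link_hosts(raw_message)
                if not LOCAL_HOST_RE.search("." + h)}
    fired = set(phishing_hits)  # rules that other checks already triggered
    if external:
        fired.add("HAS_EXTERNAL_LINK")
        if phishing_hits:
            fired.add("PHISH_WITH_EXTERNAL_LINK")  # hypothetical composite rule
    return fired, external

# Constructed sample: one local link and one look-alike external link.
SAMPLE = ("Subject: Password expiry\nContent-Type: text/html\n\n"
          '<a href="https://www.school.edu/policy">policy</a> '
          '<a href="http://www.school.edu.example.net/renew">renew</a>\n')
```

The comparison is made on the parsed hostname rather than the raw URL string, so the `$` anchor in the administrator's pattern applies to the end of the host and not to a path or query that happens to contain a local name.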