06-27-2022 03:24 PM
Good Adternoon,
I setup an outgoing filter for Account Takeover based on Best practices, but now emails reported as phishing get quarantined due to the content filter. Any Suggestions?
This is how I configured the Content Filter
ACCOUNT_TAKEOVER
Condition: Other Header; header("X-AMP-Result") == "(?i)malicious"
Condition: URL Reputation; url-reputation(-10.00, -6.00 , "", 1, 1)
*Set Apply Rule: If one or more conditions match
Action: Notify;notify ("myit@mycompany.com", "POSSIBLE ACCOUNT TAKEOVER", "", "ACCOUNT_TAKEOVER_WARNING")
Action: duplicate-quarantine("ACCOUNT_TAKEOVER")
Solved! Go to Solution.
06-27-2022 07:08 PM
Which engine is reporting these emails as phishing? outbreak? If it's outbreak it may be looking into the URL's reputation to provide a threat level/category.
Given the content filter condition is set to match either the header or the reputation, some of these phishing emails may have URL(s) falling under the score of -10 to -6 resulting in quarantine action.
06-27-2022 07:08 PM
Which engine is reporting these emails as phishing? outbreak? If it's outbreak it may be looking into the URL's reputation to provide a threat level/category.
Given the content filter condition is set to match either the header or the reputation, some of these phishing emails may have URL(s) falling under the score of -10 to -6 resulting in quarantine action.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide