In our paid penetration test our vendor recommended the following:
Create a filter that will inspect the message body of an email and compare a link's text to the URL in the link's HTML tag. If there is a difference, prepend a message to the message body warning the user to be cautious and include the real URL.
Additionally a filter can be created if an HTML formatted email does not have the RFC standard, alternate plain-text version of the message body.
Is this possible today with Cisco IronPort? We have a call with proofpoint next Wednesday to intro their email security solution so if Cisco wants us to stay next year they better step up to the plate here.