unfortunately I couldn't find a solution to this, so hopefully you are able to help
In our ESA cluster (AsyncOS 14.2.2-004) we use dictionaries to quarantine mails e.g. by links contained in body or attachments. The filter is a simple body-dictionary-match.
Recently we receive mails with links to bit.ly (which is not filtered), that are expanded by ESA to a URL that is in a dictionary. Is there a way to also have these expanded URLs examined by the Content Filter? (this is from message details, ohrmf.app.link would normally get filtered out)
URL filtering's capability to expand a shorted URL is to verify the actual's reputation or category and take actions. But it doesn't re-write the email with the expanded URL.
When a different content filter with body scanning condition looks at the email, it can only see "bit.ly" but not the expanded URL. It's behaving as expected at the moment, but I do understand your ask.
Feel free to talk to TAC and see if there are any options that can be explored here though I feel there aren't many (may be an enhancement if nothing works out)
firstly, clear the caches on your web browser and flush the DNS cache on your computer. cached data or outdates DNS records can sometimes causes issues with urls expansions. after clearing the caches and try accessing the urls again to see if the content filter recognizes them correctly. Regards.