Enhanced Email Malware Scan

You can apply enhanced email content scanning.

Restriction: This option is only available if your license includes Sophos Email.
Note: If an option is locked, global settings have been applied by your partner or Enterprise administrator.

Enhanced content and file property scan

This is our highest level of protection against email malware. It is on by default.

This setting applies to inbound and outbound messages.

Note: If malware is detected in a message, it is always discarded.

Un-scanned emails

You can choose what happens to messages that cannot be scanned. The available actions are:

  • Quarantine
  • Delete
  • Tag subject line

This setting applies to inbound messages only.

There are various reasons we may not be able to scan specific messages:

  • Inability to access the file: The file is identified correctly, but the software can't access the file to decompress or scan it.
  • Corrupt file: The file is corrupt, which means it cannot be accessed.
  • Correct identification of a file, but unexpected content is encountered: The file is correctly identified and access is granted, however unexpected content is found. The antivirus scan process produces an error.
  • Scanner times out: The antivirus scanner times out when attempting to scan. There are several reasons this can occur, for example when a file is compressed in many nested levels or when the antivirus scanner exceeds the scan time limit.
  • Large compressed attachment: If a compressed attachment is too large, it cannot be scanned. It may be that the attachment is nested within too many levels of compression, the compressed files included are too large or there are too many compressed files within the attachment.

These are just some examples. There may be other reasons.
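The following added example (not Sophos code) shows how a pre-scan budget check can reach the outcomes listed above for a compressed attachment. The limits, function names and reason strings are assumptions chosen for illustration; the product's real thresholds are not stated on this page.

```python
import io
import zipfile

# Assumed limits for illustration only; not the product's real thresholds.
MAX_DEPTH = 3                       # levels of nested archives
MAX_MEMBERS = 1000                  # files across all levels
MAX_TOTAL_BYTES = 10 * 1024 * 1024  # declared uncompressed bytes across all levels

def check_archive(data, depth=1, budget=None):
    """Return None if the archive can be scanned, else the reason it cannot."""
    budget = budget if budget is not None else {"members": 0, "bytes": 0}
    if depth > MAX_DEPTH:
        return "too many nested levels"
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "corrupt file"
    with zf:
        for info in zf.infolist():
            budget["members"] += 1
            budget["bytes"] += info.file_size  # size declared in the archive header
            if budget["members"] > MAX_MEMBERS:
                return "too many compressed files"
            if budget["bytes"] > MAX_TOTAL_BYTES:
                return "compressed files too large"
            if info.flag_bits & 0x1:  # bit 0 set: member is encrypted
                return "cannot access file"
            if info.filename.lower().endswith(".zip"):
                reason = check_archive(zf.read(info), depth + 1, budget)
                if reason:
                    return reason
    return None

def make_zip(name, payload):
    """Build a one-member zip in memory (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()

def nested(levels):
    """Wrap a small text file in `levels` layers of zip (constructed sample)."""
    data = make_zip("note.txt", b"hello")
    for _ in range(levels - 1):
        data = make_zip("inner.zip", data)
    return data
```

The budget is shared across nesting levels, so many small archives inside one attachment are counted together rather than each starting from zero.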

Email addresses and domains that you add to the Inbound Allow/Block list and Sophos encrypted emails won't be scanned.

Time of Click URL Protection

This is available with an Email Advanced license only and is turned on by default.

When Time of Click URL Protection is enabled, URLs contained within inbound messages are rewritten so that they point to Sophos Email instead of the original destination.

When the link is clicked, Sophos Email performs an SXL lookup. If the URL is malicious, it is blocked. If the URL is clean, the action taken when you click the link depends on what you have specified in the policy. For example, if you have set medium risk websites as allowed, once the link has been checked and has been classified as not malicious, the link will take you to the original link destination.

The domain name is displayed at the start of the rewritten URL so that you can see where the link will send you, if allowed. For example, d=domain.com.

Warning: Sophos Email can't re-evaluate a URL after it has been rewritten by another product.

You can select the action you want to take for websites with the following reputation levels:

  • High risk: Includes illegal sites, sites containing malware and phishing sites.
  • Medium risk: Includes sites associated with spam and anonymizing proxies.
  • Unverified: The reputation of the website can't be verified.

You can't allow high risk websites.

Note: URLs you add to the Time of Click allow list are never rewritten at time of click.

You can also control whether URLs are rewritten in plain text messages and within securely signed messages:

  • Plain text messages: Refers to emails with no HTML formatting. Without HTML formatting, when URL rewriting is enabled, the entire encoded URL is displayed in the email. You can bypass URL rewriting in these messages by deselecting the Re-write URLs in plain text messages option.
  • Securely signed messages: URL rewriting may break the signatures of S/MIME, PGP, and DKIM signed messages. You can bypass URL rewriting in these messages by deselecting the Re-write URLs within securely signed messages option.
Warning: Be careful if you choose to bypass URL rewrites, as URLs in these messages will not be protected.
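The following added example (not Sophos code) shows why rewriting a link breaks a DKIM signature: the signature's bh= tag is a hash of the canonicalized body, which tolerates whitespace changes but not a changed URL. The rewritten URL format, the gateway.example host and the sample message are constructed for illustration; only the d=domain.com prefix comes from this page.

```python
import base64
import hashlib
import re

def relaxed_body(body: bytes) -> bytes:
    """DKIM 'relaxed' body canonicalization (RFC 6376, section 3.4.4)."""
    lines = body.split(b"\r\n")
    # Collapse runs of spaces/tabs to one space and drop trailing whitespace.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    # Ignore empty lines at the end of the body.
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    """Value a verifier compares with the bh= tag of an rsa-sha256 signature."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def rewrite_urls(body: bytes, gateway: bytes) -> bytes:
    """Hypothetical link rewriter: point each URL at a gateway, domain shown first."""
    def repl(match):
        original = match.group(0)
        host = match.group(1)
        return gateway + b"?d=" + host + b"&u=" + base64.urlsafe_b64encode(original)
    return re.sub(rb"https?://([^/\s]+)[^\s]*", repl, body)

def signature_survives(signed: bytes, delivered: bytes) -> bool:
    """True if the body hash computed at delivery still matches the signed one."""
    return body_hash(signed) == body_hash(delivered)

# Constructed sample bodies.
ORIGINAL = b"Hi,\r\n\r\nInvoice:   https://domain.com/invoice/42 \r\n\r\n"
WHITESPACE_ONLY = b"Hi,\r\n\r\nInvoice: https://domain.com/invoice/42\r\n"
REWRITTEN = rewrite_urls(ORIGINAL, b"https://gateway.example/click")

if __name__ == "__main__":
    print("whitespace change:", signature_survives(ORIGINAL, WHITESPACE_ONLY))
    print("URL rewritten:   ", signature_survives(ORIGINAL, REWRITTEN))
```

S/MIME and PGP signatures cover the message content in the same way, so any in-transit change to a link invalidates them too.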

See URL allow list.

Intelix Threat Analysis

This is available with an Email Advanced license only and is turned on by default.

This option sends emails that may contain active malicious content to an isolated virtual environment where they are opened and checked. If emails are found to be malicious, they are removed. SophosLabs Intelix detects threats in messages using static and dynamic analysis. Static analysis leverages multiple machine learning models, neural networks, global reputation, deep file scanning, and more. Dynamic analysis detonates a message in a sandbox to reveal the true nature and capabilities of a potential threat.

When Intelix service location is enabled, you can select your preferred location.

Tip: Select Let Sophos decide (recommended) to automatically route messages for optimal performance.

Messages that may be malicious will run in a virtual environment for closer inspection.

Messages that are clean are delivered as normal. Messages that contain advanced threats are discarded.

Impersonation Protection

This is available with an Email Advanced license only and is turned on by default.

This feature detects emails that pretend to be from well-known brands, or from very important people (VIPs) in your organization.

Choose the action taken when emails are detected by this feature.

If you add a banner to suspect emails, you can select the actions the users see in the banner.

Choose from the following options:

  • Block Sender: The sender's email address is added to a block list.
  • Report Spam messages to Sophos: Users can report suspect messages to SophosLabs. This helps us improve our impersonation detection.

Example impersonation banner

We can only apply banners to HTML format emails, not plain text emails.

In summary reports, these emails are labeled as advanced threat.

You can add email addresses for VIPs in VIP management.

For more information, see Impersonation Protection and VIP Management.