I'm working with a client running MEG 7.6 and they're running into a weird issue.
They have a dictionary setup where they look for @mydomain.com and the "condition" is set to "Sender". The intent is to find spoofed email with their domain as the sender in the header-from. They're using another rule in parallel which looks for @mydomain.com in the Envelope from.
What we've seen is that if we attach an email (as a .msg) which contains a From: email@example.com, the dictionary will trigger on it even though we told the compliance rule to only look in the "Sender" and not in the attachment. It's as if the compliance rule scans the attachment, sees that it's another email and scans the email header and fires on it.
Is this expected behavior?
This is expected behavior. The Sender field is present in the headers of every message, regardless of whether it's an attachment or the host message. The MEG will scan for that header in any message it receives.
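As an added illustration of the distinction the thread is about (this is example code written for this page, not MEG's rule engine or anything from the original posters), the script below builds a constructed message whose outer From is an external address and which carries an attached e-mail whose own From is at the protected domain. The attachment is a message/rfc822 part, used here as a stand-in for the Outlook .msg the poster described, which is a different on-disk format. Two checks are then run: one that looks only at the outer message's From/Sender headers, and one that walks every MIME part, including the attached message's headers, the way the compliance scan appears to behave. The domain `@mydomain.com` is taken from the post; all addresses and subjects are made up.

```python
"""Outer-header-only match versus match anywhere in the MIME tree.

Constructed sample; demonstrates why a protected-domain dictionary can fire on
the headers of an attached e-mail even though the outer message is clean.
"""
import email
from email import policy
from email.message import EmailMessage

DOMAIN = "@mydomain.com"  # protected domain from the original post
SCANNED_HEADERS = ("From", "Sender")


def build_sample() -> bytes:
    """Construct an outer message from an external sender that forwards, as an
    attachment, an inner message whose header-from is at the protected domain.
    All addresses here are made up for the example."""
    inner = EmailMessage()
    inner["From"] = "someone@mydomain.com"      # this is what the dictionary sees
    inner["To"] = "user@example.net"
    inner["Subject"] = "Invoice"
    inner.set_content("Inner message body.")

    outer = EmailMessage()
    outer["From"] = "partner@example.com"        # outer header-from: not our domain
    outer["Sender"] = "partner@example.com"
    outer["To"] = "user@mydomain.com"            # recipient is NOT a scanned header
    outer["Subject"] = "FW: Invoice"
    outer.set_content("Please see the attached mail.")
    outer.add_attachment(inner)                  # becomes a message/rfc822 part
    return outer.as_bytes()


def outer_header_match(raw: bytes, domain: str = DOMAIN) -> bool:
    """Header-only rule: inspect From/Sender of the top-level message only."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return any(
        domain.lower() in str(msg.get(h, "")).lower() for h in SCANNED_HEADERS
    )


def tree_header_hits(raw: bytes, domain: str = DOMAIN) -> list:
    """Whole-tree rule: inspect From/Sender on every part, descending into
    attached messages. Returns (is_outer_message, header, value) per hit."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():  # walk() descends into message/rfc822 payloads
        for h in SCANNED_HEADERS:
            value = part.get(h)
            if value and domain.lower() in str(value).lower():
                hits.append((part is msg, h, str(value)))
    return hits


if __name__ == "__main__":
    raw = build_sample()
    print("outer From/Sender matches:", outer_header_match(raw))
    for is_outer, header, value in tree_header_hits(raw):
        where = "outer message" if is_outer else "attached message"
        print(f"tree scan hit in {where}: {header}: {value}")
```

Running it, the outer-header check reports no match while the tree walk reports exactly one hit, on the From header of the attached message. That is the behaviour the answer describes: a rule scoped to "Sender" still matches inside an attached e-mail because the attachment itself carries headers. A rule that must fire only on the delivered message's header-from needs to be restricted to the top-level part, or paired with an envelope-from check as the poster already does.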