we recently had a compromised account that was being used to send out spam. shortly after, that account was used to send phishing emails to other local users on our domain therefore allowing the attacker to gather even more valid credentials of good accounts.
the phishing attacked asked the users to verify account information by following a link and entering their credentials. in the body of the message the URL appeared as a known/good URL: http://mail.mydomain.com , but the actual link the users were taken to was something much different.
is it possible to assign a spam score to messages that are found to have these misleading links in the body so that they are tagged as spam and not delivered? and/or how to best prevent these attacks?