1. Navigate to Profile -> Dictionary -> Dictionary -> New -> Anti-Spoofing-Header-From.

2. Navigate to Profile -> Dictionary -> Dictionary -> Edit -> Anti-Spoofing-Header-From -> Move down to Dictionary Entries -> New -> Enter the below values and replace the domain name in regex pattern 'internal.local' with the Actual internal domain name.

[EHeAdEr]^from:.*\b\@internal.local\b

3. Navigate to Profile -> Antispam -> Edit/New -> The Antispam profile which is used in the matching recipient policy -> Move down to Dictionary and Expand -> Under 'With dictionary profile', choose the recently created Dictionary profile -> Choose the necessary action regarding Dictionary detection.
   
   

4. Move to Policy -> Recipient Policy -> edit/new Matching recipient policy -> Move down to profiles: Under 'Antispam', choose the recently created Antispam profile.
   
   

Result:

1. Log details are detected:

2. Log details accepted:
   
   

3. CrossSearchlog1 Detected.

4. CrossSearchlog2 Accepted.

Notes

• Dictionary profile can be used under Antispam Profile & Content Profile.
• Recipient Policy should be reordered to accept legitimate users.
• The Configured 'Pattern' will only match when the 'Search body' button is disabled.