Create a new Data Protection policy, and configure it as follows:
Name: Restricted URLs
Apply to: Inbound email only. Other options are available, which depend on the scope you desire.
Execute if: All rules are met
Action: Block and Delete. Other actions are available, which depend on the result you intend.
Administrator email: Configure a non-production administrator email address. This must be non-production address because Data Protection policy administrators are automatically whitelisted from all Data Protection policies to avoid mail loops.
Notifications: None
Add a new Rule, and configure it as follows:
Name: Restricted URLs
Set it to: ANY conditions are met
Add a new condition, Content URL List.
Click Create a new URL List.
Name: Blocked URLs
Add the URLs that you are wanting to block. There are format instructions and an example list on the "Create a new URL List" page.
Click "Save" when the URL list is complete.
Configure the condition as follows, to either look for the URLs in the body of emails or in attachments or both.
Then select "Save" at the bottom of the Edit Policy page.