Office Protect Settings - Flag Attachments containing Links
A common practice for phishing attempts is to include an attachment mimicking an invoice, or work document, containing a link to webpage that will either request credentials under false pretense, or directly try to exploit the user's web browser.
This setting will add a message to any email with an attachment that contains an identifiable web link. It will not prevent the delivery. Users need to understand they should be suspicious of these attachments.
You can customize the warning message displayed to your user to fit your organization’s need directly in the setting.
When enabled, Office Protect will create a transport rule, you can find it in the Exchange Admin Center, in the Mail Flow section, the transport rule will be named "Url in Attachment"
Operation to look for in the Unified Audit Logs: Set-TransportRule
Microsoft’s documentation on Transport Rules : https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules