In order to use AAA along with an external token authentication mechanism, set the "Method" as "Both" in the Authentication.

Before identifying the URL during HTTPS inspection in Cisco Secure Firewall Threat Defense software, the default action is to "pass." This means that the traffic is allowed through without inspection until the URL can be identified, at which point appropriate security policies can be applied based on the URL categorization and reputation.

Reference: https://docs.umbrella.com/deployment-umbrella/docs/manage-logs

Explanation:
We should scan emails using AntiVirus signatures to make sure there are no viruses attached in emails.
Note: A virus signature is the fingerprint of a virus. It is a set of unique data, or bits of code, that allow it to be identified. Antivirus software uses a virus signature to find a virus in a computer file system, allowing to detect, quarantine, and remove the virus.
SenderBase is an email reputation service designed to help email administrators research senders, identify legitimate sources of email, and block spammers. When the Cisco ESA receives messages from known or highly reputable senders, it delivers them directly to the end user without any content scanning. However, when the Cisco ESA receives email messages from unknown or less reputable senders, it performs antispam and antivirus scanning.
Reference: https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-0/user_guide
/b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_12_0_chapter_0100100.html-> Therefore Outbreak filters can be used to block emails from bad mail servers.Web servers and email gateways are generally located in the DMZ soNote: The recipient access table (RAT), not to be confused with remote-access Trojan (also RAT), is a Cisco ESA term that defines which recipients are accepted by a public listener.