Forum Discussion
Cole_ALbury
May 09, 2023, Copper Contributor
Blocking ingress emails with a certain URL via transport rules.
Hello All, My first post on the forum so forgive me if this has been discussed before. I am working on an Exchange transport rule that would quarantine any email that includes the URL "https://...
VasilMichev
May 10, 2023, MVP
You're mixing things a bit. ^ is used as part of regular expressions, but if that's your intention you should be using the -SubjectOrBodyMatchesPatterns condition instead. And you should be escaping some of the characters in the string (/ and ? and .), as those have special meaning in regex syntax.
Use a regex builder site, it will help you get the correct syntax.
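As an added example (not code from the thread), the following PowerShell session shows the escaping point above concretely: the literal URL used unescaped is a different regular expression from the one you want, and only the escaped form matches the text. The sample message body is constructed. Note that -match uses the full .NET regex engine, so this is only a syntax sanity check for the pattern's shape, not proof that Exchange Online's own pattern matcher will accept it.

```powershell
# Added example, not from the original post. Run in any Windows PowerShell or
# PowerShell 7 session; no Exchange connection is needed for this check.

# Constructed sample body containing the kind of link the thread wants to catch.
$sampleBody = 'Click here: https://www.google.com/url?hl=en&q=example'

# 1. Unescaped: '.' matches any single character and '?' makes the preceding
#    'l' optional, so "url?hl=" is read as "ur", optional "l", then "hl=".
#    The literal "?" in the body is never matched, so the test is False.
$unescaped = 'https://www.google.com/url?hl='
"Unescaped pattern matches: " + ($sampleBody -match $unescaped)   # False

# 2. Escaped by hand: backslash the regex metacharacters '.' and '?'.
#    '/' has no special meaning in .NET regex, but writing it as '\/' is
#    harmless if the tenant's engine treats it differently.
$escaped = 'https:\/\/www\.google\.com\/url\?hl='
"Escaped pattern matches:   " + ($sampleBody -match $escaped)     # True

# 3. Let .NET produce the escaped form and compare it with the hand-written one.
$auto = [regex]::Escape('https://www.google.com/url?hl=')
"Regex.Escape produced:     $auto"
"Auto-escaped matches:      " + ($sampleBody -match $auto)        # True
```

The value printed by [regex]::Escape is the string to paste into -SubjectOrBodyMatchesPatterns; if it contains characters the Exchange Online rule editor rejects, that is the undocumented-subset problem discussed further down the thread, not an escaping mistake.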
- ExMSW4319, May 18, 2023, Steel Contributor
As Vasil says, use the patterns predicate rather than words but beware that the Microsoft definition of "patterns" should not be equated with generally accepted standards for regular expressions even though there are Microsoft articles suggesting that the .Net standards apply. They don't, at least as far as Exchange Online is concerned. We instead have an undocumented subset of regular expressions, and if anything has been published in the last 6 months to clarify that then by all means please post the link.
I am going with 'http\S*\.google\.com/url\?hl=' and will post if it does not work.
Before you go hog-wild with patterns, do remember that there is a limit to the total length of patterns a tenancy is allowed. It's in the product limits statement.
Now here is a general question: when we discuss a specific attacking technique in TechCommunity, we are presumably exposing our knowledge to the black hat community who will then think one of two things:
1) that is a good idea - I will try it on some of my Microsoft targets
2) time to devise a new technique
What is the correct balance between concealing countermeasures and warning the community?
- ExMSW4319, May 18, 2023, Steel Contributor
For the pattern, for starters the exempted sender's address [Community auto-redact] is probably a good idea.
Update: hoping no-one will have problems decoding this:
googlealerts<hyphen>noreply<at>google<period>com
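Putting the thread together, here is an added PowerShell example (not posted by any participant) that creates the rule with the pattern from the reply above and the exempted sender from this post, decoded from its obfuscated form. It assumes an Exchange Online PowerShell session opened with Connect-ExchangeOnline and an account holding the Transport Rules role; the rule name and comment are my own. The rule starts in Audit mode so that message trace can be checked for false positives before anything is actually quarantined.

```powershell
# Added example, not the thread's own code. Requires the ExchangeOnlineManagement
# module and a connected session (Connect-ExchangeOnline).

# Pattern from the thread: http or https link to google.com/url?hl=
# '.' and '?' are escaped; \S* covers "s://" plus any host prefix such as "www.".
$pattern = 'http\S*\.google\.com/url\?hl='

# Legitimate sender the thread exempts (decoded from the obfuscated post).
# The sender is external, so a From-address condition is used rather than
# -ExceptIfFrom, which expects a recipient object in the directory.
$exemptSender = 'googlealerts-noreply@google.com'

$ruleName = 'Quarantine google.com/url redirector links'   # assumed name

New-TransportRule -Name $ruleName `
    -SubjectOrBodyMatchesPatterns $pattern `
    -ExceptIfFromAddressContainsWords $exemptSender `
    -Quarantine $true `
    -Mode Audit `
    -Comments 'Audit first; switch to Enforce after reviewing message trace hits.'

# Read the rule back to confirm the pattern was stored exactly as typed.
Get-TransportRule -Identity $ruleName |
    Select-Object Name, Mode, SubjectOrBodyMatchesPatterns, ExceptIfFromAddressContainsWords

# The thread warns of a tenant-wide cap on total pattern length (see the product
# limits statement). This sums the subject/body patterns across all rules; other
# pattern-based conditions also count toward the cap, so treat it as a lower bound.
$patternChars = Get-TransportRule |
    ForEach-Object { ($_.SubjectOrBodyMatchesPatterns -join '').Length } |
    Measure-Object -Sum
"Subject/body pattern characters in use: $($patternChars.Sum)"

# Once the audit hits look right, promote the rule:
# Set-TransportRule -Identity $ruleName -Mode Enforce
```

If New-TransportRule rejects the pattern, simplify it one construct at a time (for example replace \S* with a literal "s://" and retry); that is the quickest way to find which parts of standard regex syntax the Exchange Online subset does not accept.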