This article is deprecated. Refer to this one instead: >> How to Implement a Display Name Spoofing Blocking Rule. If you are on Office 365, you can also use the Vircom Portal to create display name rules within O365 instead of Proofpoint: >> VIP Display Name Impersonation Beta
| Situation | There has been an increase in cases where attackers spoof the display names of CEOs, executives, VPs and other staff of our customers' companies in the From header. End users believe the email comes from the company CEO, a VP or an internal user, so they open it. The email is a phishing attempt to extort end users, to get them to send money to outside accounts, or to run other scams. |
|---|---|
| Solution | Create a custom filter that catches messages whose From header carries an executive's display name but whose sender address is not that executive's genuine email address. |
Steps To Create A Header Filter
- Navigate to Security Settings > Email > Filter Policies.
- Click New Filter.
- Give the filter an appropriate name and choose Inbound as the direction.
- Use the following conditions for your Filter Logic:
- From the If dropdown, select Email Headers.
- From the next dropdown, select CONTAIN(S) ANY OF.
- In the final field, type From: [FirstName LastName], From: "[FirstName LastName]" using the name of the spoofed user.
Note: Be sure to include From: and do not include the brackets [ ]. Spammers sometimes put quotes around the name and sometimes not, so it is safest to include both forms. You may also add variations of a name, e.g. Michael and Mike.
Example: From: Bob Jones, From: "Bob Jones", From: Robert Jones, From: "Robert Jones"
Do not use the Last, First format (From: Jones, Bob). The field is comma-separated, so the comma would split that entry into two separate terms, From: Jones and Bob, the full name would never be checked, and the bare first name would match any header that contains it.
- Click Add Another Condition.
- From the first dropdown, select Sender Address.
- From the next dropdown, select IS NOT.
- In the final field, type the genuine email address of the executive whose name you entered above, if applicable.
- From the Do dropdown, select Quarantine.
- Optional Actions:
- You can add the action 'Require Admin Privileges to Release' from the drop-down. This prevents users from seeing the message in their quarantine and accidentally releasing it.
- You can also add the action 'Alert Tech Contact' or 'Alert Specified Users'. This notifies the designated alert contacts whenever the filter is triggered so they can closely monitor these spoof attempts.
- Next, add a good description in the Description field. When the filter triggers and the alert is sent, the alert does not name the filter, but it does include the description, so the alert contact can tell exactly which filter fired.
- Click Save.
Considerations
Updating your filter may be necessary
Attackers sometimes use a variation of the name in the header, for example John Doe, John_Doe, JohnDoe. You need to add every variation you find to the filter, including the From: prefix, for example:
If "Email Headers" "CONTAINS ANY OF" From: John_Doe, From: JohnDoe, From: john doe, etc.
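The two-condition logic built in the steps above (From header contains a protected display name AND sender address IS NOT the genuine one), together with the name-variation handling from this Considerations section, as an added example in Python. This is not code from the article, from Vircom or from Proofpoint. The executive names, mailboxes and domains are constructed placeholders, and the product's "Sender Address" condition is modelled here as the address inside the From header, which the article does not spell out. It also generates the comma-separated value for the "CONTAINS ANY OF" field, refusing a Last, First name because of the comma-splitting caveat.

```python
import re
from email.utils import parseaddr

# Constructed sample of protected executives: display name -> genuine address.
# The names and domains are hypothetical placeholders, not from the article.
PROTECTED = {
    "Bob Jones": "bob.jones@example.com",
    "Robert Jones": "bob.jones@example.com",   # name variation, same person
}


def normalize_name(name: str) -> str:
    """Collapse the display-name variations the article warns about
    (Bob Jones, Bob_Jones, BobJones, bob jones, "Jones, Bob") into one key
    made of lowercase letters only, so a single lookup covers all of them."""
    name = name.strip().strip('"')
    if "," in name:                       # "Jones, Bob" -> "Bob Jones"
        last, first = name.split(",", 1)
        name = f"{first} {last}"
    return re.sub(r"[^a-z]", "", name.lower())


# Normalized name -> genuine address, built once from PROTECTED.
PROTECTED_KEYS = {normalize_name(n): a.lower() for n, a in PROTECTED.items()}


def parse_from(header_line: str):
    """Split a From header into (display name, address).
    parseaddr accepts both the quoted and the unquoted display-name form."""
    value = header_line
    if value.lower().startswith("from:"):
        value = value[len("from:"):]
    name, addr = parseaddr(value)
    return name.strip(), addr.strip().lower()


def classify(header_line: str) -> str:
    """Apply the article's two conditions: the From header carries a
    protected display name AND the address is not the genuine one.
    Assumption: the product's 'Sender Address' condition is modelled as
    the address inside the From header."""
    name, addr = parse_from(header_line)
    genuine = PROTECTED_KEYS.get(normalize_name(name))
    if genuine is None:
        return "deliver"        # not a protected name: first condition fails
    if addr == genuine:
        return "deliver"        # the executive's real mailbox: second condition fails
    return "quarantine"         # protected display name on a foreign address


def filter_terms(names) -> str:
    """Build the comma-separated value for the 'Email Headers CONTAINS ANY OF'
    field: quoted and unquoted forms plus the underscore and no-space
    variations. Names must not contain a comma, because the field splits on
    commas and 'From: Jones, Bob' would become two unrelated terms."""
    terms = []
    for name in names:
        if "," in name:
            raise ValueError(f"use 'First Last', not 'Last, First': {name!r}")
        variants = dict.fromkeys((name, name.replace(" ", "_"), name.replace(" ", "")))
        for variant in variants:
            terms.append(f"From: {variant}")
            terms.append(f'From: "{variant}"')
    return ", ".join(terms)


# Constructed sample From headers; the addresses are placeholders.
SAMPLES = [
    'From: "Bob Jones" <bob.jones@example.com>',          # genuine executive
    'From: Bob Jones <ceo.bobjones@mail-example.net>',    # unquoted spoof
    'From: "Robert Jones" <rjones@mail-example.net>',     # name variation spoof
    'From: Bob_Jones <bj@mail-example.net>',              # underscore variation
    'From: "Jones, Bob" <bj@mail-example.net>',           # Last, First variation
    'From: Alice Smith <alice@mail-example.net>',         # not a protected name
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{classify(line):10s} {line}")
    print("\nValue for the CONTAINS ANY OF field:")
    print(filter_terms(["Bob Jones", "Robert Jones"]))
```

Running it quarantines every spoofed sample and delivers the genuine executive mail and the unrelated sender. Note that `normalize_name` is deliberately broader than the product's literal "contains" match: the UI needs every variation listed explicitly, whereas the lookup here folds them together, which is why `filter_terms` expands each name back out into the separate terms the filter field needs.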