Alert: Self Trusted
Text in alerts email:
User email@example.com is trusting all emails from firstname.lastname@example.org
User email@example.com is trusting all emails from firstname.lastname@example.org
Why is self-trusting a bad thing?
Simple, people who send phishing emails will often impersonate people in the company either through the friendly name part or by simply impersonating your own domain.
Note that SPF doesn't protect you necessarily because SPF is meant for the SMTP transaction MAIL FROM statement and not the header FROM. An attacker could simply put an SMTP MAIL FROM of a domain that has a proper SPF record but put FROM: email@example.com in the header from.
If say, firstname.lastname@example.org is trusting his own email address, it means anybody can send him an Email with FROM: email@example.com in the from field. So it's pretty important NOT to self-whitelist.
Proofpoint no longer allows end-users to self-trust however this interdiction was only put in place in late 2020 ... so anybody with a trusted list that pre-dates that may have self-trusting entries.
There are two cases possible:
Self-trusting (bad) and trusting someone else in the organization (not as bad but still bad).
How do I clean those up?
You can use the vircomportal self-trusted cleanup. (link)