
Spoofed Email Headers or CEO, VP Impersonation

Situation

There has been an increase in cases where hackers spoof the email headers of CEOs, executives, VPs, etc. of our customers' companies. End users believe that the email is coming from a company CEO, VP, or internal user, and so they open it. The email is a phishing attempt to extort end users or to ask them to send money to outside accounts.

Solution

Create a custom filter that verifies that the email header matches the real sender's email address.


Steps To Create A Header Filter

  1. Navigate to Company > Filters > Inbound.
  2. Click Add.
  3. Give the filter an appropriate name.
  4. Use the following conditions for your Filter Logic:
    1. From the If dropdown, select Email Headers.
    2. From the next dropdown, select CONTAIN(S) ANY OF. 
    3. In the final field, type From: [First Name Last Name] (the name of the spoofed user). Be sure to include the From: and do not include the brackets [ ].
  5. Click Add Another Condition. (This additional condition is optional).
  6. From the first dropdown, select Sender Address.
  7. From the next dropdown, select IS NOT.
  8. In the final field, type the genuine email address of the Executive, if applicable. This line is optional.
  9. From the Do dropdown, select Quarantine.
  10. Click Save.

Considerations

Updating your filter may be necessary

Sometimes hackers use a variation of the name in the email header, for example: John Doe, John_Doe, JohnDoe. You need to add every variation you find to the filter, including the word From: each time.

If "Email Headers" "Contains Any Of" From: John_Doe, From: JohnDoe, From: john doe, etc.
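The two filter conditions above, sketched as an added Python example (not part of the original article and not the product's own code). It goes beyond the steps by normalizing the display name so that variations such as John_Doe and JohnDoe match without being listed one by one; the names, addresses and sample messages are constructed, and `sender_address` is assumed to be the value the filter calls Sender Address.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical protected executive: display name -> genuine address (constructed).
PROTECTED = {"John Doe": "john.doe@example.com"}

def normalize(name: str) -> str:
    """Lower-case and keep only letters and digits, so 'John Doe',
    'John_Doe' and 'JohnDoe' all compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

def verdict(raw_message: str, sender_address: str) -> str:
    """Condition 1: the From: header carries a protected display name.
    Condition 2: the sender address IS NOT that person's genuine address.
    Both true -> quarantine, otherwise deliver."""
    msg = message_from_string(raw_message)
    display, _ = parseaddr(msg.get("From", ""))
    for name, genuine in PROTECTED.items():
        name_matches = normalize(display) == normalize(name)
        if name_matches and sender_address.lower() != genuine.lower():
            return "quarantine"
    return "deliver"

def make_message(from_header: str) -> str:
    """Build a minimal constructed message with the given From: header."""
    return f"From: {from_header}\nSubject: Urgent wire transfer\n\nPlease pay today."

# Constructed samples: (From: header value, sender address seen by the filter).
SAMPLES = [
    ("John Doe <ceo@mail.example.net>", "ceo@mail.example.net"),
    ("John_Doe <ceo@mail.example.net>", "ceo@mail.example.net"),
    ("JohnDoe <ceo@mail.example.net>", "ceo@mail.example.net"),
    ("John Doe <john.doe@example.com>", "john.doe@example.com"),
    ("Jane Roe <jane.roe@example.org>", "jane.roe@example.org"),
]

def run_samples() -> list:
    """Return the verdict for each constructed sample, in order."""
    return [verdict(make_message(hdr), sender) for hdr, sender in SAMPLES]

if __name__ == "__main__":
    for (hdr, _), result in zip(SAMPLES, run_samples()):
        print(f"{result:10} {hdr}")
```
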

  1. Carlos Rios
