Start a conversation

[Essentials] Spoofed Email Headers or CEO, VP Impersonation

Situation There has been an increase of cases where hackers are spoofing the email header of CEO's, Executives, VP's, etc of our customers companies. End users believe that that the email is coming from a company CEO, VP, or internal user and so they open the email. The Email is a phishing email attempt to extort end users, or ask to send money to outside accounts.
Solution Create a Custom filter that verifies the email header is the same as a real sender email address.


Steps To Create A Header Filter

  1. Navigate to Company > Filters > Inbound.
  2. Click Add.
  3. Give the filter an appropriate name.
  4. Use the following conditions for your Filter Logic:
    1. From the If dropdown, select Email Headers.
    2. From the next dropdown, select CONTAIN(S) ANY OF. 
    3. In the final field, type From: [First Name Last Name] (Name of the spoofed user and be sure to include the From: and do not include the brackets [ ].

      Note: Be sure to include the From: and do not include the brackets [ ]. Spammers sometimes use quotes and sometimes not so it's safest to include both.  You may also add variations of a name i.e. Michael and Mike
      Example:  
      From: Bob Jones,From: "Bob Jones",From: Robert Jones,From: "Robert Jones"

      Do not use the format of Last, First as the comma in between will not be checked if using the format of : From: Last,First. A comma in between like this will treat the First name as a separate entry in the filter.

  5. Click Add Another Condition. (This additional condition is optional).
  6. From the first dropdown, select Sender Address.
  7. From the next dropdown, select IS NOT.
  8. In the final field, type the genuine email address of the Executive, if applicable. This line is optional.
  9. From the Do dropdown, select Quarantine.
    • Optional Actions:
      • You can add an action of 'Require Admin Privileges to Release' from the drop down. This prevents users from seeing the message in their quarantine and accidentally releasing it.
      • You add an action to 'Alert Tech Contact', or 'Alert Specified Users'.  This will notify the designated Alert contacts whenever the filter is triggered so they can closely monitor these spoof attempts.
  10. Next, be sure and add a good description in the description field.  When the filter is triggered and the alert is sent it does not specify the name of the filter.  However, it does provide the description so that will help the alert contact know exactly which filter triggered.
  11. Click Save.

Considerations

Updating your filter may be necessary

Sometimes hackers use a variation of the email header for example: John Doe, John_Doe, JohnDoe. You need to add every variation you find in the filter. Including the word From:

If "Email Headers" "Contains Any OF"  From: John_Doe, From: JohnDoe, From: john doe, etc.

Choose files or drag and drop files
Was this article helpful?
Yes
No
  1. Carlos Rios

  2. Posted
  3. Updated

Comments