For some weeks we've seen large amounts of phishing attempts with manipulated From: lines in their headers. Earlier we saw this only in those rare cases of CEO fraud, but it has now become commonplace. Additionally, those mails consist of hardly more than a malicious link, which is far from often enough recognized by Intent Analysis, and come from hijacked legitimate mail servers, so the IP-based reputation lists don't stop these mails either.
The net result is that way too many of these mails are allowed by the ESG, and that's why I propose to implement some sanity checks for the From field as soon as possible.
The usual case looks like this:
From: email@example.com <firstname.lastname@example.org>
Sometimes the first part is enclosed in quotation marks, but the main point is that it should be possible to block, or at least quarantine, mails in which the real name contains an email address whose domain differs from the domain of the SMTP address in brackets.
As we see it, nearly all cases of CEO fraud and most if not all phishing mails that currently go right through the ESG could be blocked with this check, so it would be great to see this feature in the ESG soon.