Spoofed executives - Need a way to identify and block


9 replies to this topic

#1 Dana Denlinger

Dana Denlinger
  • Members
  • 2 posts

Posted 21 August 2018 - 11:28 AM

One of our biggest issues is phishing users with emails from spoofed executive display names.  Please add the ability to analyze content in a display name and block/quarantine/tag.



#2 Brian Kayser

Brian Kayser
  • Members
  • 9 posts

Posted 21 August 2018 - 11:32 AM

This ability would be beyond awesome!!! 



#3 Brian Kayser

Brian Kayser
  • Members
  • 9 posts

Posted 23 August 2018 - 02:14 PM

Here is a possible option for you, by the way.  I created a Content Filter that uses a Regular Expression to search the header for our CEO's (and a few others') names.  For example:

 

Put \nfrom:.*steve.*jones as a Content Filter with Header checked.  I'm just quarantining them for now until I'm comfortable there are no false positives.

 

I wanted to ONLY search the actual “From:” field but there can be many instances of “From:” in the header so the “\n” will make sure it only hits on “From:” at the beginning of a new line which usually isolates it down to one hit.  Then the “.*” after “from:” and “steve” will allow unlimited characters between words.  It even allows “Steven” and “Steven T.” for example.  But if he goes by Stephen or something (in this example) you’d need some fancier RegEx or two rules. 

 

My rule actually just caught one; hitting on the stuff underlined in this string.  It was sent to our CFO with the ole’ “Are you in the office?”

From: "Steven T. Jones" <excutiveoffice123@zoho.com>

 

One possible caveat is that if they use a personal email sometimes, it will get blocked/quarantined unless whitelisted.

Also, if they have a common name it could block people with the same or similar name. 

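To see what the pattern in post #3 does and does not hit, here is an added example (not part of the thread, not Barracuda code) that runs the posted `\nfrom:.*steve.*jones` pattern with Python's `re` module over constructed header blocks. It assumes the appliance matches case-insensitively, so `IGNORECASE` is set explicitly; the header samples, addresses and domains are made up for the demonstration. A `^`-anchored multiline variant is included because the `\n` trick misses a header block whose very first line is `From:`.

```python
import re

# Post #3's Content Filter pattern, run here with Python's re module as a
# stand-in for the appliance's regex engine. Assumption: the appliance
# matches case-insensitively, so IGNORECASE is set explicitly.
POSTED_PATTERN = re.compile(r"\nfrom:.*steve.*jones", re.IGNORECASE)

# Variant anchored with ^ in MULTILINE mode: same intent as the "\n" trick,
# but also hits when From: is the very first line of the header block.
ANCHORED_PATTERN = re.compile(r"^from:.*steve.*jones", re.IGNORECASE | re.MULTILINE)


def header_hits(raw_headers: str, pattern: re.Pattern = POSTED_PATTERN) -> bool:
    """True if the pattern matches anywhere in the raw header block.

    Without DOTALL, '.' never crosses a newline, so each '.*' stays on the
    one From: line; that is what confines the pattern to that header.
    """
    return pattern.search(raw_headers) is not None


# Constructed header blocks (not real mail), with \n line endings.
SPOOFED = (
    "Received: from mail.zoho.example by mx.corp.example\n"
    'From: "Steven T. Jones" <excutiveoffice123@zoho.com>\n'
    "Subject: Are you in the office?\n"
)
PERSONAL = (  # the exec's own personal mailbox: a hit unless whitelisted
    "Received: from mail.gmail.example by mx.corp.example\n"
    'From: "Steve Jones" <stevejones@gmail.example>\n'
)
ALT_SPELLING = (  # "Stephen" contains no "steve", so this slips past
    "Received: from mail.zoho.example by mx.corp.example\n"
    'From: "Stephen Jones" <sjones@zoho.example>\n'
)
RESENT_ONLY = (  # "Resent-From:" is not at line start, so \nfrom: skips it
    "Received: from lists.corp.example by mx.corp.example\n"
    'Resent-From: "Steve Jones" <steve.jones@corp.example>\n'
    'From: "Mailing List" <list@corp.example>\n'
)
NAME_IN_ADDRESS = (  # '.*' runs into the address part, so this also hits
    "Received: from mail.jonesco.example by mx.corp.example\n"
    'From: "IT Helpdesk" <steve.helpdesk@jonesco.example>\n'
)
FIRST_LINE = (  # nothing precedes From:, so there is no \n for the pattern
    'From: "Steve Jones" <steve.jones@corp.example>\n'
    "Subject: Q3 numbers\n"
)


def evaluate(pattern: re.Pattern = POSTED_PATTERN) -> dict:
    """Run one pattern over every sample; returns {label: hit?}."""
    samples = {
        "spoofed": SPOOFED,
        "personal": PERSONAL,
        "alt_spelling": ALT_SPELLING,
        "resent_only": RESENT_ONLY,
        "name_in_address": NAME_IN_ADDRESS,
        "first_line": FIRST_LINE,
    }
    return {label: header_hits(block, pattern) for label, block in samples.items()}


if __name__ == "__main__":
    for label, hit in evaluate().items():
        print(f"{label:16} {'HIT' if hit else 'miss'}")
```

The two false positives (the exec's personal mailbox and a stranger whose address happens to contain both words) are exactly the whitelisting and common-name caveats the post raises; the `Stephen` miss is the "fancier RegEx or two rules" case.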


#4 Michael Manning

Michael Manning
  • Members
  • 254 posts
  • LocationOhio, USA

Posted 27 August 2018 - 09:25 AM

An interim 'fix' might be to add a Transport rule in Exchange (assuming you are using Exchange) to prepend [EXT] or [EXTERNAL] to the subject line of any email coming from outside your organization to recipients inside your organization. I am currently implementing that in my org in an effort to alert users to messages with spoofed sender display names. I've configured my rule to only prepend once in an email chain so the subject line doesn't get out of hand.

 

I'd love it if B'cuda would offer this feature so the Exchange server doesn't have to handle that load.



#5 Michael Proctor

Michael Proctor
  • Members
  • 1 posts

Posted 11 October 2018 - 03:15 PM

The problem with using the "outside the organization" rule is that anything from an internal relay, like a server or printer, will get tagged also because it is anonymous.  I have been trying to prepend a disclaimer, and users that are on Office 365 get marked as external also.



#6 Michael Manning

Michael Manning
  • Members
  • 254 posts
  • LocationOhio, USA

Posted 15 October 2018 - 10:42 AM

Yeah, I've been struggling with the server and printer issue as well. I don't have any 365 users so that hasn't been an issue, but definitely good to know. 



#7 John Law

John Law
  • Members
  • 1 posts

Posted 23 May 2019 - 02:53 PM

The solution is obvious and easy for Barracuda to implement. Just create an option to strip friendly names from outside e-mails. If "Some Executive <fakeguy@yahoo.com>" were rewritten on the fly to "fakeguy@yahoo.com", it would display the e-mail address instead of the name in the mail client and no one would fall for this crap.



#8 Purolite IT

Purolite IT
  • Members
  • 8 posts

Posted 29 May 2019 - 11:04 AM

Right now, you can only do basic RegEx statements in content filtering, then couple that with whitelisting for exceptions, outside of adding Sentinel if you happen to use Office 365.

 

 

The issue with the complementary whitelisting is that whitelisting removes all filtering except for virus scanning (a feature request that I have chimed in on as well).

 

If content filtering supported forward lookups, then you could do everything in the filter such as:

 

(?i)^From:.*John\s+Doe(?!.*<john\.doe@aol\.com>)(?!.*<john\.doe@gmail\.com>)

 

That basically says: if the From (not the envelope from, but basically the From label) has a case-insensitive "John Doe" AND the email address is NOT john.doe@aol.com OR john.doe@gmail.com, then block.

That is really what you would want to state, however, the barracuda does not support forward lookups in Regex (confirmed from support).

 

Those forward lookups are pretty intense, so maybe not something they can really do but maybe??

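The lookahead rule post #8 wants, and the content-filter-plus-sender-exemption pairing post #9 describes, can both be expressed in a few lines once the From header is parsed rather than pattern-matched as a whole. The following is an added example (mine, not from the thread or from Barracuda) that does this with Python's `re` and `email.utils.parseaddr`: the executive roster, the addresses on it, and the sample From lines are all hypothetical. It also carries post #8's pattern, written so Python's `re` compiles it (inline flag at the front, `\s+` between the names, escaped dots), so the two approaches can be compared on the same inputs.

```python
import re
from email.utils import parseaddr

# Hypothetical executive roster: a display-name pattern plus every address
# the person really sends from (corporate and personal). This stands in for
# the appliance's content filter paired with a sender-policy exemption.
EXECUTIVES = {
    "John Doe": {
        # either name order, any middle initial, case-insensitive
        "name_re": re.compile(r"\bjohn\b.*\bdoe\b|\bdoe\b.*\bjohn\b", re.IGNORECASE),
        "allowed": {"john.doe@corp.example", "john.doe@aol.com", "john.doe@gmail.com"},
    },
}

# Post #8's lookahead pattern, adjusted so it compiles under Python's re:
# (?i) moved to the front, \s+ between the names, dots in the addresses
# escaped. Python supports the negative lookaheads; the appliance, per the
# post, does not.
LOOKAHEAD = re.compile(
    r"(?i)^From:.*John\s+Doe(?!.*<john\.doe@aol\.com>)(?!.*<john\.doe@gmail\.com>)"
)


def lookahead_blocks(from_line: str) -> bool:
    """Pure-regex verdict: True means the line would be blocked."""
    return LOOKAHEAD.search(from_line) is not None


def classify(from_line: str) -> str:
    """Structured verdict on one 'From:' header line.

    'quarantine': display name looks like an executive, address not on their list
    'allow':      display name matches and the address is one of theirs
    'pass':       no executive display name at all (other filters still apply)
    """
    value = from_line.split(":", 1)[1] if from_line.lower().startswith("from:") else from_line
    display, addr = parseaddr(value.strip())
    addr = addr.lower()
    for rule in EXECUTIVES.values():
        if rule["name_re"].search(display):
            return "allow" if addr in rule["allowed"] else "quarantine"
    return "pass"


# Constructed From: lines (not real mail).
SAMPLES = {
    "spoof_yahoo":  'From: "John Doe" <fakeguy@yahoo.com>',
    "personal":     "From: John Doe <john.doe@gmail.com>",
    "last_first":   'From: "Doe, John" <john.doe@corp.example>',
    "addr_as_name": 'From: "john.doe@corp.example" <attacker@evil.example>',
    "unrelated":    'From: "Jane Roe" <jane.roe@corp.example>',
}


def compare() -> dict:
    """{label: (classify verdict, lookahead blocks?)} for every sample."""
    return {k: (classify(v), lookahead_blocks(v)) for k, v in SAMPLES.items()}


if __name__ == "__main__":
    for label, (verdict, blocked) in compare().items():
        print(f"{label:13} parsed={verdict:10} lookahead_blocks={blocked}")
```

Two of the samples show where the flat regex falls short of the parsed check: a "Last, First" display name never matches `John\s+Doe`, and an attacker who puts the executive's corporate address in the display name slips past for the same reason, while `parseaddr` separates the name from the real address and the roster lookup catches both.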


#9 Thurman

Thurman
  • Members
  • 1 posts

Posted 02 July 2019 - 03:30 PM

Brian Kayser's example works, though I had to add exemptions for the senders in order to allow execs' personal email to bypass the spam filter and be delivered. I tested it on my own email address and it worked. My emails from my Gmail address were blocked when I added the content policy for my name, and when I added my personal email address to the sender policies as an exemption it bypassed the content policies, as sender policies trump content policies, and it was allowed through. I applied the content filter to sender and header and it seems to do the job pretty well. The only issue that I have come across is that it takes a few minutes for the settings to apply, so give it a couple of minutes for processing.



#10 Kurt

Kurt
  • Members
  • 12 posts

Posted 11 July 2019 - 03:39 PM

Would LOVE this as well.  Happens all too often in our School District.  Spoofing our Superintendent is quite common.