Phishing attacks that appear to be from someone in my company

phishing display name

4 replies to this topic

#1 Michael Lynch

Michael Lynch
  • Members
  • 19 posts

Posted 25 February 2019 - 12:41 PM

Hi,

We have noticed a significant increase in a specific type of phishing attack. The email has a display name of someone in our company, usually someone important. The subject line is sometimes frighteningly accurate in that it is something that the user might very well put in his/her subject line that relates to his/her work. It is clear, with even a quick scan, that these are spoofed, as the email addresses associated with the username are clearly bogus. But the combination of an authentic-looking username and subject line sometimes fools people. Is there some way to flag/block emails that use a display name of someone in my company but come from outside the company?

Funny thing is, when I search on the spoofed display name, nothing comes up.  Actually, there is no way to search on a display name. I search on the Username field, but that never returns anything.

Thanks for any help with this.



#2 Michael Manning

Michael Manning
  • Members
  • 199 posts
  • LocationOhio, USA

Posted 25 February 2019 - 02:47 PM

We've seen this too. I'm not sure if there is a good way to filter for it with the Barracuda appliance, but an interim 'fix' might be to add a Transport rule in Exchange (assuming you are using Exchange) to prepend [EXT] or [EXTERNAL] to the subject line of any email coming from outside your organization to recipients inside your organization, or to add a disclaimer to the top of the message indicating that it came from outside your organization. We currently have the latter implemented. It's a load on the email server, but without a better solution it does the job.



#3 Michael Lynch

Michael Lynch
  • Members
  • 19 posts

Posted 25 February 2019 - 03:30 PM

Michael,

Thanks for getting back to me, I really appreciate this. I'm pretty flabbergasted with the volume and breadth of this sort of attack that some provision for creating a Display Name filter hasn't been forthcoming. I have the Exchange Transport rule configured, just hoped something had changed since then, almost a year ago. 

Thanks again for responding!



#4 John In Cleveland

John In Cleveland
  • Members
  • 1 posts

Posted 27 February 2019 - 07:59 AM

Other spam appliances have it. How it works

 

Say your CEO is John Jones

 

his email is John.jones@company.com

 

but people send that have an email address that looks like this

 

John Jones ($#GSEDGGE#SD@yahoo.com)

 

and then send an email from that account that says.

 

Hello (Insert Managers name here),

 

What are you doing this afternoon? Do you have time free this afternoon to talk to me?

 

Out of 10 people, 3 replied in my org. I saw them right in the hardware Barracuda. OK, that is sort of dumb, but then paying for what is next is beyond even more wild.

 

The follow-up response was "Go buy me some iTunes cards and send me the serial numbers to it."

 

Apparently people ARE falling for this and it is IT's job to protect from this. We cannot hold the people responsible if they fail on BOTH levels of this.

I even had a manager edit the email and edit out the email address and just leave the person's name then reply back

 

"I didn't know this wasn't John Jones." Anyhow.

 

Do I call them out? Or do I just get a software program that takes care of this problem and lets me move on to the next task?

 

Well, Barracuda isn't helping us with this. It isn't in the cloud appliance and it isn't in the hardware one. I have BOTH.

 

It is in other vendors' equipment, however. Barracuda is about to lose 15 years of my business because I have to fight this. (My cloud demo expires in 2 days.)

 

Should be an easy thing to implement.

 

Oh, and what if your CEO uses a Gmail address for stuff he sends to his subordinates?

 

Other spam filter software allows you, in the rule that would block "John Jones", to also whitelist when that person uses jjones1962@hotmail.com.

 

Barracuda ADD THIS. Probably too late to save me as a customer but there are others.
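
The display-name rule described in post #4, sketched as an added example that is not part of the original thread and is not Barracuda's or any other vendor's implementation. The internal domain, the protected-name table, the function names and the sample messages are assumptions constructed for illustration.

```python
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this sketch: the organisation's own domain(s), and the
# protected names with any outside addresses those people really use.
INTERNAL_DOMAINS = {"company.com"}
PROTECTED = {"John Jones": {"jjones1962@hotmail.com"}}


def name_key(display_name):
    """Case- and order-insensitive key, so 'JONES, John' equals 'John Jones'."""
    folded = unicodedata.normalize("NFKC", display_name).casefold()
    return frozenset(re.findall(r"[^\W\d_]+", folded))


PROTECTED_KEYS = {name_key(n): {a.lower() for a in addrs}
                  for n, addrs in PROTECTED.items()}


def classify(raw_message):
    """Return 'flag' when an outside sender carries a protected display name."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    if addr.rpartition("@")[2] in INTERNAL_DOMAINS:
        # Whether an internal From: is genuine is an SPF/DKIM/DMARC question,
        # outside the scope of a display-name rule.
        return "allow"
    allowed = PROTECTED_KEYS.get(name_key(display))
    if allowed is None or addr in allowed:
        return "allow"
    return "flag"


# Constructed sample headers (not taken from real mail).
SAMPLES = [
    "From: John Jones <x9k2q7@yahoo.com>\nSubject: Quick question\n\nAre you free?",
    "From: \"JONES, John\" <x9k2q7@yahoo.com>\nSubject: Task\n\nReply asap.",
    "From: John Jones <jjones1962@hotmail.com>\nSubject: Notes\n\nSee attached.",
    "From: John Jones <John.jones@company.com>\nSubject: Budget\n\nFYI.",
    "From: Jane Smith <jane@example.org>\nSubject: Invoice\n\nHello.",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify(raw), "<-", raw.splitlines()[0])
```

Exact token matching will not catch look-alike spellings of a protected name; a production rule would add fuzzy or homoglyph-aware comparison on top of this.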



#5 Michael Manning

Michael Manning
  • Members
  • 199 posts
  • LocationOhio, USA

Posted 04 March 2019 - 11:19 AM

Well, the user is always the weakest link. We saw several users receive an email from an address outside our org with a display name suggesting it was from our company president, and even though the mail server inserted the banner WARNING message, a couple of our users still replied as though it was a legitimate email. Duh!

 

So yes, please add a way to filter out email with spoofed user names so my dumb users won't keep falling for this nonsense.






