05-11-2021 04:31 AM
Hi @ all,
We saw a few incoming mails which used a VIP's name as the From name, like Name@ourdomain.test... probably phishing attacks, as they had some characteristics too.
Now the question: is it possible, and if yes how, that the ESA looks in the mail header, checks whether the From field is like our domain, and then transfers it to the spam quarantine?
Normally such senders aren't blocked because they send from acceptable mail hosts like Google or gmx etc.
Thanks for help
Best Regards
05-11-2021 06:05 AM
You may want to check the articles below regarding creation of anti-spoofing filters in case you don't have one already:
Basically you can compare the content of both envelope sender and header "From" in inbound messages with a dictionary in which you've defined your own domain names, and apply an action like "quarantine" or "drop".
05-11-2021 06:53 AM
2 things:
If you're using a policy (under Mail Policies/Incoming Mail Policies) to match against these, you'll want to make sure you go to Mail Policies/Mail Policy Options and add From to the Match priority.
You may want to look at the "Forged Email Detection" content filter. In the incoming content filters, as a Condition, FED will compare From to a dictionary (Mail Policies/Dictionaries) of full names of your high risk employees (execs, managers, HR, etc) and if it matches, you can handle it how you want... one possible Action is the "FED" action, where it swaps the From address with the Envelope Sender, so it makes it apparent who the email is really from. We also stamp the subject as possibly forged and deliver the mail. Make sure to train/inform the users... it will generate calls...
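The decision logic of the two checks suggested in the replies above, as an added Python example (not from the thread and not ESA filter syntax). The dictionaries, sample messages, the 0.85 threshold and the `difflib` similarity measure are assumptions for illustration, not Cisco's FED scoring.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed dictionaries, standing in for the ESA dictionaries named above.
OWN_DOMAINS = {"ourdomain.test"}
VIP_NAMES = ["Erika Mustermann", "John Doe"]

def _domain(addr):
    return addr.rpartition("@")[2].lower()

def _norm(name):
    # Order-insensitive, so "Mustermann, Erika" equals "Erika Mustermann".
    return " ".join(sorted(name.lower().replace(",", " ").split()))

def vip_score(display):
    """Best similarity (0..1) between a display name and any VIP name."""
    return max(SequenceMatcher(None, _norm(display), _norm(v)).ratio()
               for v in VIP_NAMES)

def classify(envelope_sender, raw_message, threshold=0.85):
    """Return (action, reason) for one inbound message."""
    display, addr = parseaddr(message_from_string(raw_message).get("From", ""))
    # Anti-spoof check: own domain as sender on inbound mail. Assumes
    # legitimate internal mail never arrives on the inbound path.
    for label, value in (("envelope sender", envelope_sender), ("header From", addr)):
        if _domain(value) in OWN_DOMAINS:
            return "quarantine", f"{label} claims {_domain(value)}"
    # The case from the question: own-domain address used as the From *name*.
    if any("@" + d in display.lower() for d in OWN_DOMAINS):
        return "quarantine", "display name contains an own-domain address"
    # FED-style check: VIP display name on an external address.
    if display and vip_score(display) >= threshold:
        return "fed", f"display name resembles a VIP ({vip_score(display):.2f})"
    return "deliver", "no spoofing indicator"

# Constructed sample messages: (envelope sender, raw headers + body).
SAMPLES = [
    ("x123@mail.example", 'From: "erika.mustermann@ourdomain.test" <x123@mail.example>\nSubject: urgent\n\nhi'),
    ("x123@mail.example", "From: Erika Musterman <x123@mail.example>\nSubject: wire\n\nhi"),
    ("bounce@news.example", "From: Newsletter Team <news@news.example>\nSubject: May\n\nhi"),
    ("ceo@ourdomain.test", "From: John Doe <ceo@ourdomain.test>\nSubject: hi\n\nhi"),
]

if __name__ == "__main__":
    for sender, raw in SAMPLES:
        print(sender, "->", classify(sender, raw))
```

The "fed" result corresponds to the action described in the last reply (swap From with the envelope sender, stamp the subject, deliver); "quarantine" corresponds to the anti-spoofing filter action from the first reply.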