We're getting phishing messages with Envelope From as strings-of-numbers@amazonses.com with the From being a phony smtp address. We can't filter on the strings-of-numbers (next message will be from another string) or @amazonses.com (there are valid users that send to us from that domain). I need to filter on the From.
I was thinking about setting up an Other Header filter using "Header value contains term in content dictionary" and then putting the phony domains that are used for the From in there.
Any better suggestions for Cloud Email Security?
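
The header-From check described in the post, sketched in Python as an added example (not part of the original post, and not Cisco filter syntax). The blocked domains, sample messages and function names are constructed for illustration; the check matches on the parsed From address domain and ignores the envelope sender.

```python
from email import message_from_string
from email.policy import default
from email.utils import getaddresses

# Constructed stand-in for the content dictionary of phony From domains.
BLOCKED_FROM_DOMAINS = {"phony-bank.example", "fake-payroll.example"}

def from_domains(raw_message):
    """Return the lower-cased domains of every address in the From header."""
    msg = message_from_string(raw_message, policy=default)
    headers = msg.get_all("From", [])
    domains = set()
    # getaddresses separates display name from address, so an address-like
    # display name ("hr@legit..." <hr@phony...>) cannot mask the real domain.
    for _name, addr in getaddresses([str(h) for h in headers]):
        if "@" in addr:
            domains.add(addr.rsplit("@", 1)[1].lower().rstrip("."))
    return domains

def domain_blocked(domain, blocked=BLOCKED_FROM_DOMAINS):
    """Match a dictionary entry itself or any subdomain of it."""
    return any(domain == b or domain.endswith("." + b) for b in blocked)

def verdict(envelope_from, raw_message):
    """Decide on the header From only; envelope_from rotates per message
    (random local part at amazonses.com) and is deliberately not used."""
    hits = sorted(d for d in from_domains(raw_message) if domain_blocked(d))
    return ("quarantine", hits) if hits else ("deliver", [])

# Constructed samples: (envelope sender, raw headers + body).
SAMPLES = [
    ("0100018f3a-000000@amazonses.com",
     "From: \"Accounts\" <billing@Phony-Bank.example>\nSubject: Invoice\n\nbody\n"),
    ("0100018f9c-000000@amazonses.com",
     "From: News <news@mail.legit-vendor.example>\nSubject: Update\n\nbody\n"),
    ("0100018fa1-000000@amazonses.com",
     "From: \"hr@legit-vendor.example\" <hr@login.fake-payroll.example>\n"
     "Subject: W2\n\nbody\n"),
]

if __name__ == "__main__":
    for env, raw in SAMPLES:
        print(env, verdict(env, raw))
```
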