We have an increasing amount of Phisingmail goint into our organization.
For the users, its looks like the mail is coming from people high up in the organization but the reply to or x-sender fields are from the "phishers".
The mail is sent from the outside, but has an internal mail adress to for example some Exec.
This is how the mail can look (adresses changed)
From: Some Exec <real mail adress in our organization@ourdomain.com>
X-Sender: Fake adress@phising.com
Reply-To: Some Exec <other fake adress@phising.net>
To: <real recipient@ourdomain.com>
Subject: =?UTF-8?Q?Hall=C3=A5?=
Date: Mon, 23 Nov 2015 06:54:09 -0700
MIME-Version: 1.0
Return-Path: other fake adress@phising.net
We have set up an incoming content filter that matchets on the Envelope Sender, since we figure that these adress never should send mail into the organization, but out to. However, this mails gets through the contentfilter for some reason.
How can we stop them? Is there some way of looking of the X-sender and the from does not match for example?
