Issue:
Cousin domain abuse: Sending email from cousin domains that pass Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-Based Message Authentication, Reporting, and Conformance (DMARC) checks. The From value shows a look-alike sender address that impersonates a real one (for example, using alice@a1pha.com to impersonate alice@alpha.com).
Free email account abuse: Using free email accounts (Yahoo, Gmail, etc.) that pass SPF, DKIM, and DMARC checks. The From header shows a legitimate sender address built from an executive's name (name@gmail.com).
Solution:
1. Create an entry for the impersonated username in a dictionary
Mail Policies > Dictionaries > Add Dictionary
2. Create an incoming content or message filter
Mail Policies > Incoming Content Filters > Add Filter
4. Prepend the subject header with: [WARNING Possible Business Email Compromise]
Mail Policies > Incoming Mail Policy
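
The matching and tagging that these steps configure, sketched in Python as an added example (not part of the original post and not the appliance's own filter logic). It goes slightly beyond the steps by labelling which of the two abuse types matched; the function names, the name dictionary, the domain lists, and the 0.8 similarity threshold are constructed assumptions.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

TAG = "[WARNING Possible Business Email Compromise] "
# Constructed sample data standing in for the dictionary from step 1.
PROTECTED_NAMES = {"alice"}            # impersonated usernames
OWN_DOMAIN = "alpha.com"               # the organisation's real domain
FREE_MAIL = {"gmail.com", "yahoo.com"}
COUSIN_THRESHOLD = 0.8                 # assumed similarity cut-off


def classify_from(from_header):
    """Return 'cousin-domain', 'free-email' or None for a From header value."""
    display, addr = parseaddr(from_header)
    local, at, domain = addr.lower().rpartition("@")
    if not at or domain == OWN_DOMAIN:
        return None  # unparsable address, or mail from the real domain
    words = (display.lower() + " " + local).replace(".", " ").split()
    if not PROTECTED_NAMES.intersection(words):
        return None  # neither display name nor local part uses a protected name
    if domain in FREE_MAIL:
        return "free-email"
    if SequenceMatcher(None, domain, OWN_DOMAIN).ratio() >= COUSIN_THRESHOLD:
        return "cousin-domain"
    return None


def tag_message(raw):
    """Prepend the warning to Subject when From looks like impersonation."""
    msg = message_from_string(raw)
    verdict = classify_from(msg.get("From", ""))
    subject = msg.get("Subject", "")
    if verdict and not subject.startswith(TAG):
        del msg["Subject"]
        msg["Subject"] = TAG + subject
    return verdict, msg


if __name__ == "__main__":
    # Constructed message using the address pair from the text above.
    raw = "From: Alice <alice@a1pha.com>\nSubject: Wire transfer\n\nPlease pay today.\n"
    verdict, msg = tag_message(raw)
    print(verdict, "|", msg["Subject"])
```

A plain similarity ratio is only a rough stand-in for look-alike detection; tune the threshold against your own mail flow before relying on it.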