Spearphishing Module

Spearphishing messages are customized phishing emails that typically spoof C-level executives to get employees to take actions that will benefit the spammer. While multiple checks already exist in your email filtering to help prevent these messages from being delivered, administrators can use the spearphishing module to apply more aggressive protection to users who are particularly at risk.

This article applies to Administrator accounts - Quarantine Administrator accounts can view this information but cannot edit the parameters

Administrators can manage the Spearphishing module under:
My Organization → Parameters → Advanced → Spearphishing


IN THIS ARTICLE
- What is the Spearphishing Module?
- Adding Names to the Spoofed Sender List
- Strict vs Loose Name Matching
- False Positive Risks

What is the Spearphishing Module?

The spearphishing module blocks incoming messages based on a single element: the name of the person being spoofed. 

Since spearphishing threats are built to look like they're coming from inside your organization, this module will quarantine all incoming messages from outside your organization whose sender name uses any of the names entered in the Spoofed Senders list.

Adding Names to the Spoofed Sender List

This module requires you to input the full name of users in your organization who are most likely to be impersonated in spearphishing attacks. To add a new name to the list:

1. Click on the Add a new spoofed sender link.

2. Enter the user's full name.

3. Choose which action should be taken when an incoming message has a matching sender name:

Action upon match: Quarantine (default)
Messages matching the name will be automatically quarantined for review by an administrator. In the quarantine interface, they will be marked with a red phishing icon.

If specific addresses should be exempt from this, they can be added to the Sender Whitelist in your filtering options.

Action upon match: Deliver with Header
This mode systematically marks all matching emails with a specific header, X-ZEROSPAM-POI: hit, and otherwise continues with filtering normally. This allows you to determine how you want these messages to be treated by applying custom handling via your email server or hosting platform. Examples could include adding a custom warning to the email or tagging it as "at risk".

Strict vs Loose Name Matching

When using the spearphishing module, there are two possible options for how precisely you want to match on the sender's name: strict or loose. If you wish to change between the two options, you can do so by clicking the edit link near the top of the page.

When matching, there must be an exact match in the spelling of each individual word. Spelling variations or typos will not be automatically matched for any names in the spoofed sender list.

Accents, hyphens, capitalization, punctuation and the specific order of the words will not affect whether a name matches an entry.

Strict Matching

This mode is applied by default when names are first added to the spoofed senders list. Under strict matching, all parts of an entry's name must be present in the message's sender name, with no additional words, for a match to occur.

Loose Matching

Under loose name matching, a message will be considered to match as long as all parts of an entry's name are present in the sender's name regardless of any additional words that are present.

Examples

Spoofed sender entry | "From" name in message | Strict matching | Loose matching
John Doe | Doe-John | ✔️ | ✔️
John Doe | John, Dôe | ✔️ | ✔️
John Doe | John Doe via MyMail | ✗ | ✔️
Mary-Jane Létourneau | Mary Jane Letourneau | ✔️ | ✔️
Mary-Jane Létourneau | Jane Létourneau | ✗ | ✗
Kevin Phillips | Kevin Philips | ✗ | ✗
Kevin Phillips | Kevin R. L. Phillips | ✗ | ✔️
Kevin Phillips | kevin phillips | ✔️ | ✔️
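To make the matching rules concrete, here is a small reference implementation written for this article, not ZEROSPAM's own code: it applies the normalization described above (accents, case, hyphens, punctuation and word order ignored; exact spelling of each word required), defines strict matching as "same word set" and loose matching as "entry's words are a subset", and checks itself against the rows of the table above. The treatment of repeated words and the evaluate helper with its is_external flag are assumptions.

```python
import re
import unicodedata

def normalize_words(name: str) -> frozenset:
    """Reduce a display name to the set of words the module compares.
    Accents are stripped, case is folded, and hyphens/punctuation become word
    separators, so word order, capitalization and punctuation are ignored.
    Assumption: repeated words are not counted separately."""
    decomposed = unicodedata.normalize("NFKD", name)
    without_accents = "".join(c for c in decomposed if not unicodedata.combining(c))
    return frozenset(w for w in re.split(r"[\W_]+", without_accents.casefold()) if w)

def strict_match(entry: str, from_name: str) -> bool:
    """Strict: every word of the entry is present and no other words appear."""
    return normalize_words(entry) == normalize_words(from_name)

def loose_match(entry: str, from_name: str) -> bool:
    """Loose: every word of the entry is present; extra words are allowed."""
    return normalize_words(entry) <= normalize_words(from_name)

def evaluate(from_name: str, is_external: bool, spoofed_senders: dict, mode: str = "strict"):
    """Return the configured action ('quarantine' or 'deliver_with_header') for the
    first matching entry, or None. Only messages from outside the organization are
    checked, as the module description states (helper and flag are assumptions)."""
    if not is_external:
        return None
    match = strict_match if mode == "strict" else loose_match
    for entry, action in spoofed_senders.items():
        if match(entry, from_name):
            return action
    return None

# Rows of the article's example table, embedded here as constructed test data:
# (entry, "From" name, expected strict result, expected loose result)
EXAMPLES = [
    ("John Doe", "Doe-John", True, True),
    ("John Doe", "John, Dôe", True, True),
    ("John Doe", "John Doe via MyMail", False, True),
    ("Mary-Jane Létourneau", "Mary Jane Letourneau", True, True),
    ("Mary-Jane Létourneau", "Jane Létourneau", False, False),
    ("Kevin Phillips", "Kevin Philips", False, False),
    ("Kevin Phillips", "Kevin R. L. Phillips", False, True),
    ("Kevin Phillips", "kevin phillips", True, True),
]

def rows_disagreeing_with_table() -> list:
    """Return the example rows where this implementation differs from the table."""
    return [row for row in EXAMPLES
            if (strict_match(row[0], row[1]), loose_match(row[0], row[1])) != row[2:]]

if __name__ == "__main__":
    print("rows disagreeing with the table:", rows_disagreeing_with_table())
    senders = {"Kevin Phillips": "quarantine", "John Doe": "deliver_with_header"}
    print(evaluate("Kevin R. L. Phillips", True, senders, mode="loose"))
```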

False Positive Risks

This module will block legitimate messages if internal messages are routed through the Internet, since they then arrive as external mail carrying a protected name. In most properly configured environments, this should not happen.

If any users in the spoofed senders list use addresses on a domain which does not belong to your organization (personal Gmail accounts, for example), those addresses will need to be whitelisted if you wish to avoid their messages being quarantined as potential spearphishing emails.

Any external email servers that will be sending email with a From-name belonging to a spoofed sender should also be whitelisted, for the same reason.