Spearphishing messages are customized phishing emails that typically spoof C-level executives to get employees to take actions that will benefit the spammer. While multiple checks already exist in your email filtering to help prevent these messages from being delivered, administrators can use the spearphishing module to apply more aggressive protection to users who are particularly at risk.
This article applies to Administrator accounts - Quarantine Administrator accounts can view this information but cannot edit the parameters
Administrators can manage the Spearphishing module under:
My Organization → Parameters → Advanced → Spearphishing
|IN THIS ARTICLE|
|What is the Spearphishing Module?||Adding Names to the Spoofed Sender List|
| Strict vs Loose Name Matching
|| False Positive Risks
What is the Spearphishing Module?
The spearphishing module blocks incoming messages based on a single element: the name of the person being spoofed.
Since spearphishing threats are built to look like they're coming from inside your organization, this module will quarantine all incoming messages from outside your organization using any of the names entered in the Spoofed Senders list.
Adding Names to the Spoofed Sender List
This module requires you to input the full name of users in your organization who are most likely to be impersonated in spearphishing attacks. To add a new name to the list:
Click on the Add a new spoofed sender link.
Enter the user's full name.
Choose which action should be taken when an incoming message has a matching sender name:
ACTION UPON MATCH DESCRIPTION Quarantine (default) Messages matching the name will be automatically quarantined for review by an administrator. In the quarantine interface, they will be marked with a red phishing icon.
If specific addresses should be exempt from this, they can be added to the Sender Whitelist in your filtering options.
Deliver with Header
This mode systematically marks all matching emails with a specific header
X-ZEROSPAM-POI: hit, and otherwise continues with filtering normally. This allows you to determine how you want these messages to be treated by applying custom handling via your email server or hosting platform. Examples could include adding a custom warning to the email or tagging it as "at risk".
Strict vs Loose Name Matching
When using the spearphishing module, there are two possible options for how precisely you want to match on the sender's name: strict or loose. If you wish to change between the two options, you can do so by clicking the edit link near the top of the page.
When matching, there must be an exact match in the spelling of each individual word. Spelling variations or typos will not be automatically matched for any names in the spoofed sender list.
Accents, hyphens, capitalization, punctuation and the specific order of the words will not affect whether a name matches an entry.
This mode is applied by default when names are first added to the spoofed sender's list. Under strict matching, all parts of an entry's name must be present in the message's sender name with no additional words for a match to occur.
Under loose name matching, a message will be considered to match as long as all parts of an entry's name are present in the sender's name regardless of any additional words that are present.
|SPOOFED SENDER ENTRY|| "FROM" NAME IN MESSAGE
||STRICT MATCHING||LOOSE MATCHING|
|John Doe||John, Dôe||✔️||✔️|
|John Doe||John Doe via MyMail||✖||✔️|
|Mary-Jane Létourneau||Mary Jane Letourneau||✔️||✔️|
|Mary-Jane Létourneau||Jane Létourneau||✖||✖|
|Kevin Phillips||Kevin Philips||✖||✖|
|Kevin Phillips||Kevin R. L. Phillips||✖||✔️|
|Kevin Phillips||kevin philllips||✔️||✔️|
False Positive Risks
This module will block legitimate messages if internal messages are routed through the Internet. In most properly configured environments, this should not happen.
If any users in the spoofed senders' list use addresses on a domain which do not belong to your organization (personal Gmail accounts for example), they will need to be whitelisted if you wish to avoid them being quarantined as potential spearphishing emails.
Any external email servers that will be sending email with a From-name belonging to a spoofed sender should also be whitelisted, for the same reason.