Phishing Emails

Dears,

We received emails from names similar to those of our employees.

It is critical that I am getting a reply from an unknown source on the same email which was communicated internally.

How can we solve this kind of attack?

Regards,

7 Replies

Do you use EOP or a similar mail filter solution? Also consider transport rules marking external mail with a subject tag, i.e. "[EXTERNAL] my subject".

Hello,
We configured anti-spam and anti-phishing rules, and we have also labeled the external emails.
But how can they send emails with the same names as our employees?

Regards,

Hi Elie,

Unfortunately this is a pretty common tactic for scammers. Here are some ways they can do this.

1) The scammer can create a free online email account and use the employee's name as their display name. In this scenario, you would receive an email that may look like it comes from the employee and would have their name in the email field; however, if you hover over their name you may see that the email address is not the employee's actual address.

2) The scammer may be using a more sophisticated method to spoof the email address of the employee, and in this case both the display name and the actual email address are shown, which adds to the deception over the previous method. In this scenario, EOP or similar protection can help mitigate this.

3) The scammer may have compromised the employee's email account and is sending emails directly from the compromised account. If you have confirmed this is the case, then the employee will need to change their password immediately. If not done so already, it is also recommended to enable Multi-factor Authentication for the entire organization.

Hope this helps.

Regards,

David
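
The three scenarios in the reply above, written as triage logic over message headers. This is an added example, not part of the original thread; the domain `contoso.example`, the employee directory, the sample headers and the function names are constructed assumptions.

```python
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions: the organisation's domain and a tiny employee directory.
ORG_DOMAIN = "contoso.example"
EMPLOYEES = {"Dana Smith": "dana.smith@contoso.example"}

def norm(name):
    """Casefold, drop accents and punctuation, sort tokens: 'Smith, Dana' == 'Dana Smith'."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c))
    return " ".join(sorted("".join(c if c.isalnum() else " " for c in text).casefold().split()))

def classify(raw):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.lower().rpartition("@")[2]
    # Only trust the Authentication-Results header stamped by your own receiving
    # service; here the first (topmost) one is assumed to be that header.
    auth = msg.get("Authentication-Results", "").lower()
    if domain == ORG_DOMAIN:
        if "dmarc=pass" not in auth:
            return "address-spoof"           # scenario 2: our domain in From, not authenticated
        return "authenticated-internal"      # scenario 3 (compromised account) looks like this too
    if norm(display) in {norm(n) for n in EMPLOYEES}:
        return "display-name-impersonation"  # scenario 1: employee name, outside address
    return "external"

# Constructed sample messages (headers only), one per case.
SAMPLES = {
    "free_mail": 'From: "Dana Smith" <dana.smith77@freemail.example>\n'
                 "Authentication-Results: mx.contoso.example; spf=pass; dkim=pass; dmarc=pass\n\nhi",
    "reordered": 'From: "SMITH, Dana" <ds@other.example>\n'
                 "Authentication-Results: mx.contoso.example; spf=pass; dmarc=pass\n\nhi",
    "spoofed":   "From: Dana Smith <dana.smith@contoso.example>\n"
                 "Authentication-Results: mx.contoso.example; spf=fail; dkim=none; dmarc=fail\n\nhi",
    "genuine":   "From: Dana Smith <dana.smith@contoso.example>\n"
                 "Authentication-Results: mx.contoso.example; spf=pass; dkim=pass; dmarc=pass\n\nhi",
    "vendor":    "From: Vendor Billing <billing@vendor.example>\n"
                 "Authentication-Results: mx.contoso.example; spf=pass; dmarc=pass\n\nhi",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:10} -> {classify(raw)}")
```

The `free_mail` sample passes SPF, DKIM and DMARC for its own domain, which is why sender authentication alone does not stop scenario 1, and a message sent from a compromised mailbox is indistinguishable from `genuine` at the header level.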

Hello,

Thanks a lot for the help, we will do it.
Is DKIM also good as a solution?

Regards,

@ElieAT

DKIM can help with certain aspects of this. If needed, I have included a couple links below for more information.

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dkim-to-validate-out...

https://www.csoonline.com/article/3402016/3-email-security-protocols-that-help-prevent-address-spoof...

Kind regards,

David

Hello,

Thanks a lot

Regards,

You are very welcome.

Regards,

David