Block Display Name Spoof in EAC

I'm sure we are all dealing with a tremendous uptick in spam/spoof since Covid, so what I am looking to do is combat the Display Name spoof. The typical scenario is a bad actor sends from a gmail account but changes the display name to one of our execs. Even though we train users on this and have the "Caution, external email" flag, it still eats up time with chaos depending on how many are received.

What I would like to do is this: tell Exchange to look at the display name and, if it is one that I have flagged (one of the execs who gets spoofed a lot), only allow the email if it has our domain in the email id; all other domains will be blocked.

Is this possible? Thanks in advance!

Solution (best response confirmed by dgillespie-adf)

You can try a mail flow rule, although there is no "display name" condition available, so you'll have to go with "header matches" or similar.

Thanks for the reply @VasilMichev - so I made a rule that looks like this and it works!

[screenshot: derek-block-rule.png]
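The screenshot of the rule did not survive, so here is an added example (not the poster's rule and not Microsoft's) of how the accepted answer can be built with Exchange Online PowerShell: a "header matches" condition on the From header, an exception for the organisation's own sender domains, and a reject action. The executive names, domains and rule name are placeholders; the short regex test at the end runs locally and uses constructed From-header values.

```powershell
# Added example, not from the thread. Assumes an existing Exchange Online session
# (Connect-ExchangeOnline) and that these names/domains are placeholders.
$protectedNames = @('Jane Doe', 'John Smith')                   # execs who get spoofed
$ourDomains     = @('contoso.com', 'contoso.onmicrosoft.com')   # our legitimate sender domains

# The From header carries display name AND address, e.g.
#   From: "Jane Doe" <someone@gmail.com>
# Build one pattern per name. \s+ tolerates extra whitespace between the parts;
# quotes around the display name are optional in the header, so they are not
# part of the pattern. Always match the full name: a bare surname such as "Doe"
# would also match addresses like "doe@example.org".
$patterns = $protectedNames | ForEach-Object { $_ -replace ' ', '\s+' }

New-TransportRule -Name 'Block display-name spoof of executives' `
    -Priority 0 `
    -HeaderMatchesMessageHeader 'From' `
    -HeaderMatchesPatterns $patterns `
    -ExceptIfSenderDomainIs $ourDomains `
    -RejectMessageReasonText 'Rejected: display name matches a protected user but the sender is external.' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Mode Audit `
    -Comments 'Created in Audit mode; switch to Enforce after reviewing rule hits.'

# Once the audit-mode hits look right (no legitimate external mail caught):
# Set-TransportRule -Identity 'Block display-name spoof of executives' -Mode Enforce

# Local sanity check of the patterns against constructed From-header values.
$sampleFromHeaders = @(
    '"Jane Doe" <jane.doe@contoso.com>',     # internal: matches, but exempted by sender domain
    'Jane Doe <ceo.jane.doe@gmail.com>',     # the spoof the OP describes: matches
    '"Jane A. Doe" <jane@gmail.com>'         # middle initial variant: NOT matched by this pattern
)
foreach ($h in $sampleFromHeaders) {
    $hit = [bool]($patterns | Where-Object { $h -match $_ })
    "{0,-40} matched={1}" -f $h, $hit
}
```

Creating the rule in Audit mode first matters because the reject action is applied to anything the From header matches, including an executive legitimately mailing in from a personal address (which is what the question asks for, but worth knowing). Confirm in the audit results that Exchange's pattern matching treats case the way you expect before switching to Enforce. The third sample line shows the limitation raised later in the thread: a name variant such as a middle initial needs its own pattern.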

@dgillespie-adf I have had success with the Impersonation policy under phishing, wherein we tested with <Myname> myname@domain.com added to the list of users to protect and sent an email from <Myname> xyz@somedomain.com. The policy detected it to be impersonation.

I wanted to test this safely with the Senior management email address and am trying to figure out a safe way to do that. Documentation is here.
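As an added example (not the poster's configuration), the user impersonation protection described in this reply can also be created from Exchange Online PowerShell, and the rule can be scoped to a pilot mailbox so the detection is tested without touching the executives' real mail. Names, addresses and policy names are placeholders; the cmdlets require a Defender for Office 365 licence.

```powershell
# Added example, not from the thread. Assumes Connect-ExchangeOnline has been run
# and that the names, addresses and domain below are placeholders.

# Each protected user is "DisplayName;EmailAddress". The same mailbox cannot be
# listed twice, so a second display-name variant (e.g. with a middle name)
# cannot be added for the same address.
$protectedUsers = @(
    'Jane Doe;jane.doe@contoso.com',
    'John Smith;john.smith@contoso.com'
)

New-AntiPhishPolicy -Name 'Exec impersonation protection' `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect $protectedUsers `
    -TargetedUserProtectionAction Quarantine `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction MoveToJmf `
    -EnableSimilarUsersSafetyTips $true

# Pilot scope: apply the policy only to a test recipient first. Send a message
# from an external mailbox with a protected display name to this recipient and
# confirm it lands in quarantine; nothing changes for the executives' own mail.
New-AntiPhishRule -Name 'Exec impersonation protection (pilot)' `
    -AntiPhishPolicy 'Exec impersonation protection' `
    -SentTo 'phish-test@contoso.com'

# After the pilot, widen the rule to the whole tenant domain:
# Set-AntiPhishRule -Identity 'Exec impersonation protection (pilot)' `
#     -SentTo $null -RecipientDomainIs 'contoso.com'
```

Scoping the rule with -SentTo to a single test mailbox is the safe test the reply is asking for: the policy and its quarantine action are fully exercised, but only messages addressed to the pilot mailbox are evaluated against it.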

Have a look at this freeware: https://ivasoft.com/antispoofingflow.shtml

@Vaman-Kini that's great until the threat actor finds a variation of the employee's name and uses that. For example, on LinkedIn an employee might have First Middle Last name, but in MS only First and Last. You cannot enter another entry to include the middle name, as you will get an "Email already exists" error for that email account you're trying to protect.
