Spoofed Email Headers

Name spoofing, Imposter spoofing, or CEO, VP Impersonation


There has been an increase of cases where hackers are spoofing the names of CEO’s, Executives, VP’s, etc of our customers companies in the From Header. End users believe that the email is coming from a company CEO, VP, or internal user and so they open the email. The Email is a phishing email attempt to extort end users, or ask to send money to outside accounts or other scam requests.


Create a Custom filter that verifies the email header is the same as a real sender email address.

Steps To Create A Header Filter

  1. Navigate to Security SettingsEmail > Filter Policies
  2. Click New Filter.
  3. Give the filter an appropriate name.
  4. Use the following conditions for your Filter Logic:
    1. From the If dropdown, select Email Headers.
    2. From the next dropdown, select CONTAIN(S) ANY OF.
    3. In the final field, type From:[FirstName LastName], From: “[FirstName LastName]” using the name of the spoofed user.
      1. Note: Be sure to include the From: and do not include the brackets [ ]. Spammers sometimes use quotes and sometimes not so it’s safest to include both.  You may also add variations of a name i.e. Michael and Mike
        1. Example:  From: Bob Jones, From: “Bob Jones”, From: Robert Jones, From: “Robert Jones”
  5. Click Add Another Condition. (This additional condition is optional).
  6. From the first dropdown, select Sender Address.
  7. From the next dropdown, select IS NOT.
  8. In the final field, type the genuine email address of the Executive, if applicable. This line is optional.
  9. From the Do dropdown, select Quarantine.
    1. Optional Actions:
      1. You can add an action of ‘Require Admin Privileges to Release’ from the drop down. This prevents users from seeing the message in their quarantine and accidentally releasing it.
      2. You add an action to ‘Alert Tech Contact’, or ‘Alert Specified Users’.  This will notify the designated Alert contacts whenever the filter is triggered so they can closely monitor these spoof attempts.
  10. Next be sure and add a good description in the description field.  When the filter is triggered and the alert is sent it does not specify the name of the filter.  However, it does provide the description so that will help the alert contact know exactly which filter triggered.
  11. Click Save.


Updating your filter may be necessary!

Sometimes hackers use a variation of the email header for example: John Doe, John_Doe, JohnDoe. You need to add every variation you find in the filter. Including the word From:

If “Email Headers” “Contains Any OF”  From: John_Doe, From: JohnDoe, From: john doe, etc.