Internal Executive Spoofing

The Internal Executive Spoofing feature provides protection against spear phishing attacks targeting individuals within your organization. Such emails may come from legitimate (non-spoofed) email addresses, thereby passing other spoofing checks, but use the display name of a known user (often an executive), with the intention of tricking employees into sending money or information.

If an incoming email appears to be from one of your named executives, the feature will check that the message comes from one of a set of approved email addresses for that individual. Messages that appear to come from a named executive, but originate from an address you have not added, are treated as spoofed, and the action you define will be taken (quarantine, discard, or tag). If the email comes from an address you have added for the executive, the usual spoofing checks are performed against the email address to check it is genuine.

To enable the internal executive spoofing check:

Select Apply internal executive spoofing check to these names.

Click the these names link to configure the list of executive and their approved email addresses:

Click Add, and enter a first name and last name (both fields are required). Various combinations of the name are protected (for example, "John Smith" as well as "Smith, John").

Enter a list of approved email addresses for the executive, separated with a comma or a line break. This list should include any addresses the executive uses, including work or personal addresses.

Click Add to repeat the process for each executive whose name and addresses you wish to check. Click Save when finished.


	Tip Where executives may use various spellings of a first name (for example Elizabeth/Liz, David/Dave), add multiple name entries for the user. Each entry should include a duplicate set of allowed email addresses for the user.

Select an action to perform on messages detected as potentially spoofed. The options are:

Quarantine. This is the default option. Messages are kept in quarantine for up to 30 days.

Discard. Spoofed messages are discarded.

Tag subject with. The subject line of spoofed messages are tagged with a custom tag that you enter.

Messages detected as spoofing named executives will be logged as "Spoofed-Targeted". Messages quarantined for this reason will be excluded from end users' Personal Email Subscription reports, in order to prevent users from inadvertently acting upon a targeted phishing message.