How to Implement a Display Name Spoofing Blocking Rule

Created by Yves Lacombe, Modified on Wed, 24 Nov, 2021 at 4:49 PM by Yves Lacombe

The threat


One of the biggest threats these days come in the form of people impersonating people of authority in your organization.  Usually these are phishing messages that are trying to get the user to provide either financial access to the attacker, or to get the end user to open a malicious file.

When the user opens the Email, if they don't pay attention to the Email address (some mail clients hide the Email address and only show the "friendly name" part, you need to hover over the name to get the Email), they will often fall for the scheme.


Example:


Lets say your CEO is named "Peter Parker" (not to be confused with a certain arachnid-like person)


From: Peter Parker <[email protected]>

To: [email protected]

Subject: Need you to do a wire transfer


You'll notice the "friendly name" part is our CEO (Peter Parker) but the return address is a throwaway mailbox on Gmail.


So how do you fight this?




How to block these threats


Easiest way is with a filter rule.  


You want to block anything in the header that has From: Peter Parker or From: "Peter Parker" coming from the outside world.


You don't need to check if the sender ISN'T LOCAL to your organisation because in most cases, those emails stay on the mail server.  If the real Peter Parker emails someone else in the organization, the email won't transit through proofpoint.  So you could simply block any appearance of the friendly name in the header from.


So the rule should be:


if email header contains 

From "Peter Parker, From: Peter Parker

Then Quarantine

And Required administrator to release


You'll notice that From: "Peter parker <-- doesn't have a closing double-quote.  That's because spammers have gotten in the habit of putting trailing spaces after the name in case you do an exact match of "Peter Parker" .... in our example, if they put "Peter Parker    " with a bunch of spaces between Parker and the closing double-quote, it doesn't matter.




Now this rule has one issue.  Lets say our hypothetical Peter Parker has a gmail address and he forwards himself regularly emails from his personal address to his work address.  They would get blocked by this rule.

THEN you would add an exception:

 

if email header contains 

From "Peter Parker, From: Peter Parker

AND

Sender IS NOT [email protected]

Then Quarantine

And Required administrator to release


Finally, one trick spammers use is UTF-8 encoding on the subject so the Friendly Name is in base 64.  So it's a good idea to add the base64encoded value of the person's name as a third string to check.


You cans use base64encode.org to encode "Peter Parker" into base64 which yields this string:  UGV0ZXIgUGFya2Vy



And then add it to the rule:


if email header contains 

From "Peter Parker, From: Peter Parker, UGV0ZXIgUGFya2Vy 

AND

Sender IS NOT [email protected]

Then Quarantine

And Required administrator to release


The final form of our rule is this:





OKAY, this sounds complicated, can you do it for me?



Yes, yes we can - we have bots that can scour your user list (as long as the firstname and lastname are present) to bulk-create these rules for you  You can supply us with a list of email address of the C-Levels you have that you want this rule done for and we can do it for you, free of charge.


Just contact us!