Alert: Self Trusted
Type: Security
Text in alerts email:
Case #1
User [email protected] is trusting all emails from [email protected]
Case #2
User [email protected] is trusting all emails from [email protected]
Why is self-trusting a bad thing?
Simply put, people who send phishing emails often impersonate people in the company, either through the friendly-name part of the sender or by impersonating your own domain.
Note that SPF does not necessarily protect you, because SPF checks the MAIL FROM of the SMTP transaction, not the header From. An attacker could simply use an SMTP MAIL FROM at a domain that has a proper SPF record but put FROM: [email protected] in the header From.
If, say, [email protected] is trusting his own email address, it means anybody can send him an email with FROM: [email protected] in the From field. So it's pretty important NOT to self-whitelist.
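To see the gap between the two sender fields, the following added example (not part of the original article and not Proofpoint's own logic) compares the envelope sender recorded in Return-Path with the header From and flags a message whose header From matches a trusted entry while the envelope domain differs. The addresses, the sample messages and the function names are constructed for illustration, and the domain comparison is a simple exact match.

```python
from email import message_from_string
from email.utils import parseaddr

def domain_of(addr):
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rpartition("@")[2].lower().rstrip(".") if "@" in addr else ""

def check_message(raw, trusted):
    """Compare the envelope sender (what SPF evaluates) with the header From
    (what the user sees and what a trusted-sender entry matches)."""
    msg = message_from_string(raw)
    # Return-Path is written by the receiving server from the SMTP MAIL FROM.
    envelope = parseaddr(msg.get("Return-Path", ""))[1].lower()
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    env_dom, from_dom = domain_of(envelope), domain_of(header_from)
    # A null sender ("<>", used for bounces) has no domain and never aligns.
    aligned = bool(env_dom) and env_dom == from_dom
    trusted_hit = header_from in {t.lower() for t in trusted}
    return {
        "envelope_domain": env_dom,
        "from_domain": from_dom,
        "aligned": aligned,
        "trusted_hit": trusted_hit,
        # SPF can pass for env_dom while saying nothing about from_dom,
        # and the trusted entry would still match this message.
        "flag": trusted_hit and not aligned,
    }

# Constructed sample messages (example.com stands in for your own domain).
SPOOFED = (
    "Return-Path: <bounce@mailer.example.net>\n"
    'From: "Alice Smith" <alice@example.com>\n'
    "To: alice@example.com\n"
    "Subject: Quarterly report\n"
    "\n"
    "body\n"
)
GENUINE = SPOOFED.replace("bounce@mailer.example.net", "alice@example.com")
NULL_SENDER = SPOOFED.replace("<bounce@mailer.example.net>", "<>")

if __name__ == "__main__":
    self_trusted = ["alice@example.com"]  # the self-trust entry from the alert
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE),
                      ("null sender", NULL_SENDER)):
        print(name, check_message(raw, self_trusted))
```

With the self-trust entry removed from the list, `trusted_hit` is false for all three messages and none of them gets the trusted-sender match.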
Proofpoint no longer allows end users to self-trust; however, this restriction was only put in place in late 2020, so anybody with a trusted list that predates it may have self-trusting entries.
There are two possible cases: self-trusting (bad) and trusting someone else in the organization (not as bad, but still bad).
How do I clean those up?
You can use the vircomportal self-trusted cleanup. (link)