How to detect executive or VIP impersonation


Attackers impersonate trusted executives or VIPs - like your CEO or CFO - in order to trick another employee into sharing confidential tax information (e.g., W-2 tax forms), executing an unauthorized wire transfer, or buying gift cards.

Here is a simple VIP impersonation rule leveraging the $org_vips dynamic system list:

and any($org_vips, .display_name == sender.display_name)
and (
  // ignore personal <> work emails
  // where the sender and mailbox's display names are the same
  length( + length( > 1
  or sender.display_name != mailbox.display_name
)
and not in $recipient_emails
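To make the rule's three conditions concrete, here is an added Python re-implementation (not the page's own code) run over constructed sample messages. It assumes the elided length() arguments count To and Cc recipients and that the final clause tests the sender's address against $recipient_emails; both lists are modelled as plain Python collections.

```python
from dataclasses import dataclass, field

# Constructed stand-ins for the two dynamic lists the rule references.
ORG_VIPS = [{"display_name": "Jane Doe", "email": "jane.doe@example.com"}]  # $org_vips
RECIPIENT_EMAILS = {"jane.doe@example.com", "bob.smith@example.com"}         # $recipient_emails


@dataclass
class Message:
    sender_display_name: str
    sender_email: str
    mailbox_display_name: str   # display name of the mailbox that received the mail
    to: list[str]
    cc: list[str] = field(default_factory=list)


def is_vip_impersonation(msg: Message, vips=ORG_VIPS, known=RECIPIENT_EMAILS) -> bool:
    """VIP display name, not a self-sent personal mail, and an unknown sender address."""
    # any($org_vips, .display_name == sender.display_name)
    if not any(v["display_name"] == msg.sender_display_name for v in vips):
        return False
    # Ignore personal <> work mail: one recipient and the sender's display name equals
    # the receiving mailbox's (assumption: the rule's length() calls count To + Cc).
    if not (len(msg.to) + len(msg.cc) > 1 or msg.sender_display_name != msg.mailbox_display_name):
        return False
    # Assumed subject of "not in $recipient_emails": the sender's address. Addresses the
    # organisation has already corresponded with are not flagged.
    return msg.sender_email not in known


# Constructed sample traffic keyed by scenario.
SAMPLES = {
    "spoofed_ceo_to_finance": Message("Jane Doe", "jane.doe@mail-lookalike.example",
                                      "Bob Smith", ["bob.smith@example.com"]),
    "ceo_personal_to_own_inbox": Message("Jane Doe", "jdoe@personal.example",
                                         "Jane Doe", ["jane.doe@example.com"]),
    "ceo_personal_to_team": Message("Jane Doe", "jdoe@personal.example", "Jane Doe",
                                    ["jane.doe@example.com", "bob.smith@example.com"]),
    "known_ceo_address": Message("Jane Doe", "jane.doe@example.com",
                                 "Bob Smith", ["bob.smith@example.com"]),
    "not_a_vip": Message("Carl Vendor", "carl@vendor.example",
                         "Bob Smith", ["bob.smith@example.com"]),
}


def evaluate(samples=SAMPLES) -> dict[str, bool]:
    return {name: is_vip_impersonation(m) for name, m in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:28s} {'ALERT' if hit else 'pass'}")
```

Note that the personal-to-work exclusion only applies when the VIP mails their own inbox alone; the same personal address writing to several colleagues still trips the rule, which is why the $recipient_emails check matters once that address has been corresponded with.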