How to detect executive or VIP impersonation
Background
Attackers impersonate trusted executives or VIPs - like your CEO or CFO - in order to trick another employee into sharing confidential tax information (e.g., W-2 tax forms), executing an unauthorized wire transfer, or buying gift cards.
Here is a simple VIP impersonation rule leveraging the $org_vips dynamic system list (each entry carries a VIP's display name) together with $recipient_emails, the list of addresses already known to your organization:

```
type.inbound
// the sender's display name matches a VIP in the list
and any($org_vips, .display_name == sender.display_name)
and (
  // ignore a VIP mailing their own work mailbox from a personal address:
  // a single recipient whose mailbox display name matches the sender's
  length(recipients.to) + length(recipients.cc) > 1
  or sender.display_name != mailbox.display_name
)
// the sending address is not one the organization already knows
and sender.email.email not in $recipient_emails
```

Because the match is on display name alone, the rule fires on any message whose From name matches a VIP but whose address is unknown to you. Keep $org_vips and $recipient_emails current and review matches before attaching an automated action.
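The rule's clauses, modelled in plain Python over constructed sample messages so you can see which ones fire and which the self-mail exclusion suppresses. This is an added example, not Sublime's MQL engine or any of the platform's code; the Message class, ORG_VIPS, RECIPIENT_EMAILS and the sample messages are assumptions standing in for the real message object and the $org_vips / $recipient_emails lists. It also normalizes display names (case and whitespace) before comparing, which the MQL rule does not do; check how your platform compares strings before relying on that.

```python
"""Plain-Python model of the VIP display-name impersonation rule.

Added example, not the platform's own code. Message, ORG_VIPS and
RECIPIENT_EMAILS are assumed stand-ins for the real message object and
the $org_vips / $recipient_emails lists.
"""
from dataclasses import dataclass, field

# Constructed stand-in for the $org_vips dynamic list.
ORG_VIPS = [
    {"display_name": "Jane Doe", "email": "jane.doe@example.com"},
    {"display_name": "Sam Lee", "email": "sam.lee@example.com"},
]

# Constructed stand-in for $recipient_emails: addresses known to the org.
RECIPIENT_EMAILS = {"jane.doe@example.com", "sam.lee@example.com", "pat@example.com"}


@dataclass
class Message:
    inbound: bool                 # type.inbound
    sender_display_name: str      # sender.display_name
    sender_email: str             # sender.email.email
    mailbox_display_name: str     # mailbox.display_name (the receiving mailbox)
    to: list = field(default_factory=list)   # recipients.to
    cc: list = field(default_factory=list)   # recipients.cc


def norm(name: str) -> str:
    # Assumption: compare display names case-insensitively and ignore
    # surrounding/duplicate whitespace, so "jane  doe " still matches "Jane Doe".
    return " ".join(name.split()).casefold()


def is_vip_display_name(name: str) -> bool:
    # any($org_vips, .display_name == sender.display_name)
    return any(norm(v["display_name"]) == norm(name) for v in ORG_VIPS)


def vip_impersonation(msg: Message) -> bool:
    if not msg.inbound:                                   # type.inbound
        return False
    if not is_vip_display_name(msg.sender_display_name):
        return False
    # Exclusion for a VIP mailing only their own mailbox from a personal
    # address: exactly one recipient and matching sender/mailbox display names.
    multiple_recipients = len(msg.to) + len(msg.cc) > 1
    names_differ = norm(msg.sender_display_name) != norm(msg.mailbox_display_name)
    if not (multiple_recipients or names_differ):
        return False
    # sender.email.email not in $recipient_emails
    return msg.sender_email.lower() not in RECIPIENT_EMAILS


# Constructed sample messages, one per branch of the rule.
SAMPLES = {
    "spoof_from_webmail": Message(True, "Jane Doe", "janedoe.ceo@gmail.example",
                                  "Pat", to=["pat@example.com"]),
    "vip_to_own_mailbox": Message(True, "Jane Doe", "jane@personal.example",
                                  "Jane Doe", to=["jane.doe@example.com"]),
    "vip_to_self_and_staff": Message(True, "Jane Doe", "jane@personal.example",
                                     "Jane Doe", to=["jane.doe@example.com"],
                                     cc=["pat@example.com"]),
    "legit_internal": Message(True, "Jane Doe", "jane.doe@example.com",
                              "Pat", to=["pat@example.com"]),
    "outbound": Message(False, "Jane Doe", "janedoe.ceo@gmail.example",
                        "Pat", to=["pat@example.com"]),
    "non_vip": Message(True, "Chris Vendor", "chris@vendor.example",
                       "Pat", to=["pat@example.com"]),
}


def evaluate_samples() -> dict:
    """Return {sample name: whether the rule matches}."""
    return {name: vip_impersonation(m) for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:24s} {'MATCH' if hit else 'no match'}")
```

Only the webmail spoof and the VIP's personal-address message that also copies a colleague match; the VIP mailing only their own mailbox, mail from the VIP's known work address, outbound mail and a non-VIP sender all fall through one of the exclusions.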