How to detect executive impersonation

Background

Attackers impersonate trusted executives - like your CEO or CFO - in order to trick another employee into sharing confidential tax information (e.g., W-2 tax forms), executing an unauthorized wire transfer, or buying gift cards.

Here is a basic executive impersonation rule protecting a single person's display name:

type.inbound
and sender.display_name == "your_execs_display_name"
and sender.email.domain.root_domain != "your_domain"

You can also protect multiple display names in a single rule:

type.inbound
and sender.display_name in ("display_name_1", "display_name_n")
and sender.email.domain.root_domain != "your_domain"

Coming soon

Soon you'll be able to reference historical patterns of communication in these rules:

type.inbound
and sender.display_name in ("display_name_1", "display_name_n")
and sender.email.domain.root_domain != "your_domain"
and graph(sender.email.email to org.mailboxes) == 0

You'll also be able to reference display names and domains from dynamic properties such as Active Directory and Google Groups:

type.inbound
and sender.display_name in groups.executive_team.display_names
and sender.email.domain.root_domain not in org.domains
and graph(sender.email.email to org.mailboxes) == 0
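The checks the rules above express (inbound message, display name matching a protected executive, sender root domain outside the organization, and the planned "no prior communication" condition) as an added Python example. This is illustration code written for this page, not the rule engine's implementation: the `Message`, `Verdict`, `evaluate` and `root_domain` names, the executive names and org domains, and the `prior_message_count` callback standing in for `graph(sender.email.email to org.mailboxes)` are all constructed assumptions. It goes slightly beyond the exact `==` match in the rules by normalizing case and whitespace in display names before comparing.

```python
"""Added example: evaluate executive-impersonation checks against a parsed From: header.

Not the product's own code. Names below (Message, Verdict, evaluate, root_domain,
PROTECTED_DISPLAY_NAMES, ORG_DOMAINS, prior_message_count) are assumptions that
stand in for sender.display_name, sender.email.domain.root_domain, org.domains
and graph(sender.email.email to org.mailboxes) in the rule language.
"""
from dataclasses import dataclass, field
from email.utils import parseaddr
from typing import Callable, Iterable, List, Optional

# Constructed sample data: executives whose display names are protected, and
# the organization's own domains (any subdomain of these counts as internal).
PROTECTED_DISPLAY_NAMES = {"Jane Doe", "John Roe"}
ORG_DOMAINS = {"example.com", "example.org"}


def root_domain(host: str) -> str:
    """Return the registrable root of a hostname, e.g. mail.corp.example.com -> example.com.

    Assumption: two-label roots only. A production check should use the public
    suffix list so that e.g. co.uk domains are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalize_name(name: str) -> str:
    """Comparison key for display names: case-folded, internal whitespace collapsed."""
    return " ".join(name.split()).casefold()


@dataclass
class Message:
    from_header: str      # raw From: header value, e.g. 'Jane Doe <jane@mail.example>'
    inbound: bool = True  # stands in for type.inbound


@dataclass
class Verdict:
    flagged: bool
    reasons: List[str] = field(default_factory=list)


def evaluate(
    msg: Message,
    protected_names: Iterable[str],
    org_domains: Iterable[str],
    prior_message_count: Optional[Callable[[str], int]] = None,
) -> Verdict:
    """Apply the display-name / external-domain / no-prior-contact checks in order.

    prior_message_count(address) -> number of messages previously exchanged between
    that address and the organization's mailboxes; None disables the history check,
    mirroring the basic rules that do not use graph(...).
    """
    if not msg.inbound:
        return Verdict(False, ["not an inbound message"])

    display_name, address = parseaddr(msg.from_header)
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    reasons: List[str] = []

    # Check 1: sender.display_name matches a protected executive.
    protected_keys = {normalize_name(n) for n in protected_names}
    if normalize_name(display_name) not in protected_keys:
        return Verdict(False, ["display name is not a protected executive"])
    reasons.append(f"display name {display_name!r} matches a protected executive")

    # Check 2: sender.email.domain.root_domain is not one of the org's domains.
    org_roots = {root_domain(d) for d in org_domains}
    if root_domain(domain) in org_roots:
        return Verdict(False, reasons + [f"sender domain {domain!r} belongs to the organization"])
    reasons.append(f"sender root domain {root_domain(domain)!r} is external")

    # Check 3 (optional): no history of communication with this exact address.
    if prior_message_count is not None:
        count = prior_message_count(address.lower())
        if count > 0:
            return Verdict(False, reasons + [f"{count} prior messages with {address}; known correspondent"])
        reasons.append(f"no prior messages with {address}")

    return Verdict(True, reasons)


if __name__ == "__main__":
    # Constructed history: a legitimate external address the org has mailed before.
    history = {"jane@partner.test": 5}
    samples = [
        Message("Jane Doe <ceo-jane@outlook-mail.test>"),     # external, never seen -> flagged
        Message("Jane Doe <jane.doe@mail.example.com>"),      # internal subdomain -> allowed
        Message("Bob Smith <bob@vendor.test>"),               # not a protected name -> allowed
        Message("JANE  DOE <jane@partner.test>"),             # external but known -> allowed
    ]
    for m in samples:
        v = evaluate(m, PROTECTED_DISPLAY_NAMES, ORG_DOMAINS, lambda a: history.get(a, 0))
        print(f"{m.from_header:45} flagged={v.flagged}  ({'; '.join(v.reasons)})")
```

The history callback is what makes the "coming soon" variant safer than the basic rule: an executive who legitimately mails from a personal address the organization has already corresponded with is not re-flagged on every message, while a first-contact lookalike still is.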