Attackers impersonate trusted executives or VIPs, such as your CEO or CFO, to trick another employee into sharing confidential tax information (e.g., W-2 tax forms), executing an unauthorized wire transfer, or buying gift cards.
Here is a simple VIP impersonation rule leveraging the $org_vips dynamic system list:

type.inbound
and any($org_vips, .display_name == sender.display_name)
and (
  // ignore personal <> work emails
  // where the sender and mailbox's display names are the same
  length(recipients.to) + length(recipients.cc) > 1
  or sender.display_name != mailbox.display_name
)
and sender.email.email not in $recipient_emails
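To see which messages each clause lets through, the rule's logic can be mirrored in Python and run over constructed messages. This is an added example, not code from the original page or the rule engine; the `Message` class, the names, the addresses and the list contents are all constructed, and `$recipient_emails` is treated as a set of known correspondent addresses, which is an assumption since the page does not define it.

```python
from dataclasses import dataclass, field

# Constructed stand-ins for the $org_vips and $recipient_emails lists.
ORG_VIPS = [{"display_name": "Dana Reyes"}]
RECIPIENT_EMAILS = {"dana.reyes@partner.example"}  # assumed: known correspondents

@dataclass
class Message:  # hypothetical model of the fields the rule reads
    inbound: bool
    sender_name: str
    sender_email: str
    mailbox_name: str  # display name of the mailbox that received the message
    to: list = field(default_factory=list)
    cc: list = field(default_factory=list)

def vip_impersonation(m: Message) -> bool:
    """Mirror the rule clause by clause; True means the message is flagged."""
    if not m.inbound:  # type.inbound
        return False
    # any($org_vips, .display_name == sender.display_name)
    if not any(v["display_name"] == m.sender_name for v in ORG_VIPS):
        return False
    # Ignore a VIP mailing only their own work mailbox from a personal
    # address: a single recipient whose display name equals the sender's.
    if not (len(m.to) + len(m.cc) > 1 or m.sender_name != m.mailbox_name):
        return False
    # sender.email.email not in $recipient_emails
    return m.sender_email not in RECIPIENT_EMAILS

# Constructed sample messages, one per branch of the rule.
SAMPLES = {
    "vip_name_unknown_address": Message(
        True, "Dana Reyes", "ceo.office@mail.example", "Sam Ortiz",
        to=["sam@corp.example"]),
    "vip_personal_to_own_mailbox": Message(
        True, "Dana Reyes", "dana@home.example", "Dana Reyes",
        to=["dana@corp.example"]),
    "vip_personal_to_self_plus_cc": Message(
        True, "Dana Reyes", "dana@home.example", "Dana Reyes",
        to=["dana@corp.example"], cc=["sam@corp.example"]),
    "vip_name_known_address": Message(
        True, "Dana Reyes", "dana.reyes@partner.example", "Sam Ortiz",
        to=["sam@corp.example"]),
    "non_vip_sender": Message(
        True, "Sam Ortiz", "sam@mail.example", "Lee Park",
        to=["lee@corp.example"]),
}

def run_samples() -> dict:
    return {name: vip_impersonation(m) for name, m in SAMPLES.items()}
```

The third sample shows that the personal-to-work exclusion only applies to single-recipient mail: once a second recipient is on the message, a VIP's own unknown personal address is flagged too.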