How to detect executive impersonation
Background
Attackers impersonate trusted executives - like your CEO or CFO - in order to trick another employee into sharing confidential tax information (e.g., W-2 tax forms), executing an unauthorized wire transfer, or buying gift cards.
Here is a basic executive impersonation rule protecting a single person's display name:
type.inbound
and sender.display_name == "your_execs_display_name"
and sender.email.domain.root_domain != "your_domain"
You can also protect multiple display names in a single rule:
type.inbound
and sender.display_name in ("display_name_1", "display_name_n")
and sender.email.domain.root_domain != "your_domain"
Coming soon
Soon you'll be able to reference historical patterns of communication in these rules:
type.inbound
and sender.display_name in ("display_name_1", "display_name_n")
and sender.email.domain.root_domain != "your_domain"
and graph(sender.email.email to org.mailboxes) == 0
You'll also be able to reference display names and domains from dynamic properties such as Active Directory and Google Groups:
type.inbound
and sender.display_name in groups.executive_team.display_names
and sender.email.domain.root_domain not in org.domains
and graph(sender.email.email to org.mailboxes) == 0
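The same three checks the rules above express (executive display name, sender root domain outside the organization, no prior communication with any org mailbox), implemented in Python over constructed sample messages as an added example. It is not part of the original page or the rule language; `is_exec_impersonation`, the message dicts and the `SENDER_HISTORY` counts are this example's own names and data.

```python
# Added example: executive-impersonation checks over constructed messages.
# Function names and data structures are hypothetical, not the page's rule syntax.
from email.utils import parseaddr

# Constructed sample data: protected executive names and the org's own domains.
EXEC_DISPLAY_NAMES = {"Jane Doe"}
ORG_DOMAINS = {"example.com", "example.net"}

def _norm(name):
    """Collapse whitespace and case so 'JANE  Doe' still matches 'Jane Doe'."""
    return " ".join(name.split()).casefold()

def root_domain(host):
    """Registrable root of a hostname; assumes a two-label root (example.com).
    A production version would consult the public suffix list instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def is_exec_impersonation(msg, history, exec_names=EXEC_DISPLAY_NAMES,
                          org_domains=ORG_DOMAINS):
    """Mirror the rule: inbound, display name matches a protected executive,
    sender root domain is not ours, and the sender has never written to an
    org mailbox before (the graph(...) == 0 clause)."""
    if msg["direction"] != "inbound":
        return False
    display_name, address = parseaddr(msg["from"])
    if _norm(display_name) not in {_norm(n) for n in exec_names}:
        return False
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    if root_domain(domain) in org_domains:
        return False  # really sent from one of our own domains
    return history.get(address.lower(), 0) == 0

# Constructed sample traffic and prior sender-to-org message counts.
SAMPLE_MESSAGES = [
    {"direction": "inbound", "from": "Jane Doe <jane.doe@mail.example.com>"},  # internal
    {"direction": "inbound", "from": "JANE DOE <jane.doe@freemail.test>"},     # flagged
    {"direction": "inbound", "from": "Jane Doe <jane@partner.test>"},          # known sender
    {"direction": "outbound", "from": "Jane Doe <jane@partner.test>"},         # not inbound
    {"direction": "inbound", "from": "Bob Smith <bob@partner.test>"},          # not an exec
]
SENDER_HISTORY = {"jane@partner.test": 12}

def flagged_senders(messages=SAMPLE_MESSAGES, history=SENDER_HISTORY):
    """Return the sender addresses the rule would flag."""
    return [parseaddr(m["from"])[1] for m in messages
            if is_exec_impersonation(m, history)]
```

Only the external, never-before-seen sender using the executive's display name is flagged; the internal subdomain sender and the partner with established history are not.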