How Targeted Threat Protection - Impersonation Protect Works

Document created by user.KZrHBaK4Vn Employee on Feb 20, 2016. Last modified by user.oxriBaJeN4 on Aug 12, 2019.
Version 15

Targeted Threat Protection - Impersonation Protect tackles the increasing threat of socially engineered "whaling" attacks. These threats aim to trick key employees into making fraudulent wire transfers, or disclosing personal or corporate information through social engineering, email spoofing and content spoofing.


Targeted Threat Protection - Impersonation Protect addresses this by looking for combinations of key identifiers commonly found in these attacks. For example, Impersonation Protect checks:

  • The similarity of the sender's domain to your internal domains.
  • The sender's domain against a list of domains that have been seen sending traffic in the last week. This means it can include domains created at any time (e.g. those created but previously dormant).
  • If the sender's display name (usually the first and last name) is the same as one of your internal user display names, excluding the recipient’s internal username.
  • If a mismatch has occurred between the sender’s email address (both Header and Envelope) and the Reply To email address.
  • The message content against one of our Targeted Threat Dictionaries.


As an administrator, you can set the number of checks a message must fail before it is marked as suspicious. You can also specify whether to take no action, bounce the message, or hold the message. 
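
The following sketch shows how the five identifiers and the administrator's hit threshold combine into a single decision. It is an added example, not the product's own code: the similarity measure and its 0.85 cut-off, the function and identifier names, the reading of each check as a "hit", and all sample domains, users and dictionary phrases are assumptions constructed for illustration.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed sample data; none of these values come from the product.
INTERNAL_DOMAINS = {"example.com"}
INTERNAL_USERS = {"alice chen": "alice.chen@example.com", "bob ng": "bob.ng@example.com"}
NEWLY_OBSERVED = {"examp1e.com"}           # stand-in for the last-week domain list
DICTIONARY = ("wire transfer", "urgent payment")
SIMILARITY = 0.85                          # assumed cut-off, not a product setting

def _domain(addr):
    return addr.rpartition("@")[2].lower()

def failed_checks(raw, envelope_from, recipient):
    """Return the names of the identifiers an inbound message triggers."""
    msg = message_from_string(raw)
    name, header_from = parseaddr(msg.get("From", ""))
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    dom, hits = _domain(header_from), []
    # 1. Lookalike of an internal domain (an exact match is not a lookalike).
    if dom not in INTERNAL_DOMAINS and any(
            SequenceMatcher(None, dom, d).ratio() >= SIMILARITY for d in INTERNAL_DOMAINS):
        hits.append("similar_domain")
    # 2. Sender's domain appears on the recently seen list.
    if dom in NEWLY_OBSERVED:
        hits.append("newly_observed_domain")
    # 3. Display name equals an internal user's, other than the recipient's own.
    owner = INTERNAL_USERS.get(" ".join(name.lower().split()))
    if owner and owner != recipient.lower():
        hits.append("internal_display_name")
    # 4. Reply-To differs from both the header and the envelope sender.
    if reply_to and reply_to not in (header_from.lower(), envelope_from.lower()):
        hits.append("reply_to_mismatch")
    # 5. Body contains a dictionary phrase (single-part text bodies only).
    body = msg.get_payload()
    if isinstance(body, str) and any(t in body.lower() for t in DICTIONARY):
        hits.append("dictionary_match")
    return hits

def verdict(hits, threshold=2, action="hold"):
    """Apply the administrator's hit threshold; action is none, bounce or hold."""
    return action if len(hits) >= threshold else "none"

SAMPLE = ("From: Alice Chen <alice.chen@examp1e.com>\n"
          "Reply-To: a.chen.ceo@mail.example.net\n"
          "To: bob.ng@example.com\nSubject: Quick favour\n\n"
          "Please process an urgent payment by wire transfer today.\n")
```

Raising `threshold` trades missed impersonation attempts for fewer held or bounced legitimate messages, which is why the decision is driven by the number of hits rather than by any single identifier.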


You can also help users identify messages as coming from outside your organization, regardless of whether any identifiers are triggered. This takes the form of text that can be added to a message's body, subject, or header.

