Targeted Threat Protection: Impersonation Protect

Document created by user.oxriBaJeN4 Employee on Apr 11, 2016. Last modified by user.oxriBaJeN4 Employee on Jun 7, 2018. Version 11.
Targeted Threat Protection - Impersonation Protect is part of our Targeted Threat Protection suite. You must have another product from this suite (e.g. Targeted Threat Protection - Attachment Protect or Targeted Threat Protection - URL Protect) to use the Targeted Threat Protection - Impersonation Protect product.

The increasing number of "whaling" attacks, usually targeting an organization's senior management, means additional protection is required against email threats that do not contain attachments or URLs. Traditional spam filtering systems are unable to detect these messages as suspicious because they contain so little content. Targeted Threat Protection - Impersonation Protect addresses this by:

  • Looking for combinations of key identifiers commonly found in these attacks.
  • Tagging a message to make it clear that it is coming from outside your organization.

 

Identifiers

 

In the Impersonation Protection Definition, you can specify the number of identifiers that must be triggered before any action is taken. The available identifiers are:

  • Similar Internal Domain: This checks the similarity of the sender's domain to your internal domains.
  • Newly Observed Domain: This checks the sender's domain against a list of domains that have only been seen sending traffic in the last week.
  • Internal User Name: This identifies if the sender's display name (usually the first and last name) is the same as one of your internal user display names, excluding the recipient’s internal username.
  • Reply to Address Mismatch: This identifies if a mismatch has occurred between the sender’s email address (both Header and Envelope) and the Reply To email address.
  • Targeted Threat Dictionary: This checks the message content against one of our Targeted Threat Dictionaries.

 

Based on whether the required number of identifiers is triggered, you can specify the action to take if an email is identified as suspicious. The action can be:

  • Bounce
  • Hold
  • Tag
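
The identifier-count model described above, as an added sketch that is not the product's implementation: each identifier is evaluated independently and the configured action applies only when enough of them trigger. The domain list, user list, dictionary terms, 0.85 similarity threshold and function names are all assumptions made for illustration.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed sample data; a real deployment would draw these from a directory and feeds.
INTERNAL_DOMAINS = {"example.com"}
INTERNAL_USERS = {"alice ceo": "alice@example.com", "bob finance": "bob@example.com"}
NEWLY_OBSERVED = {"examp1e.com"}   # stand-in for a first-seen-within-a-week feed
DICTIONARY = ("wire transfer", "urgent", "gift card")

def triggered(raw, envelope_from, recipient):
    """Return the set of identifiers an inbound message triggers."""
    msg = message_from_string(raw)
    name, sender = parseaddr(msg.get("From", ""))
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    domain = sender.rpartition("@")[2].lower()
    hits = set()
    # Similar Internal Domain: close to, but not equal to, one of our domains.
    if domain not in INTERNAL_DOMAINS and any(
            SequenceMatcher(None, domain, d).ratio() >= 0.85 for d in INTERNAL_DOMAINS):
        hits.add("similar_internal_domain")
    if domain in NEWLY_OBSERVED:
        hits.add("newly_observed_domain")
    # Internal User Name: display name of an internal user other than the recipient.
    owner = INTERNAL_USERS.get(name.strip().lower())
    if owner and owner != recipient.lower():
        hits.add("internal_user_name")
    # Reply to Address Mismatch (assumed reading): differs from header and envelope sender.
    if reply_to and reply_to not in {sender.lower(), envelope_from.lower()}:
        hits.add("reply_to_mismatch")
    body = msg.get_payload().lower()
    if any(term in body for term in DICTIONARY):
        hits.add("targeted_threat_dictionary")
    return hits

def evaluate(raw, envelope_from, recipient, required=2, action="hold"):
    """Apply the configured action (bounce, hold or tag) once enough identifiers fire."""
    hits = triggered(raw, envelope_from, recipient)
    return (action if len(hits) >= required else "deliver"), hits

# Constructed messages: a display-name spoof and an ordinary vendor mail.
SPOOF = ('From: "Alice CEO" <alice@examp1e.com>\nTo: bob@example.com\n'
         'Reply-To: alice.ceo@freemail.test\nSubject: Quick favour\n\n'
         'Bob, I need an urgent wire transfer today.\n')
VENDOR = ('From: "Carol Vendor" <carol@vendor.test>\nTo: bob@example.com\n'
          'Reply-To: billing@vendor-billing.test\nSubject: Invoice\n\nInvoice as discussed.\n')

if __name__ == "__main__":
    print(evaluate(SPOOF, "alice@examp1e.com", "bob@example.com"))
    print(evaluate(VENDOR, "carol@vendor.test", "bob@example.com"))
```

The vendor message triggers only the Reply-To mismatch, so with a required count of two it is delivered; lowering the count to one would apply the action to it, which is the trade-off the threshold setting controls.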

 

External Messages

 

Additionally, you can help users identify all messages that come from an external domain, regardless of whether any identifiers are triggered. This takes the form of text that can be added to a message's:

  • Body
  • Subject
  • Header

 
