The increasing number of "whaling" attacks, usually targeting an organization's senior management, means additional protection is required against email threats that do not contain attachments or URLs. Traditional spam filtering systems are unable to detect these as suspicious, due to their minimal content. Targeted Threat Protection - Impersonation Protect solves this, by:
- Looking for combinations of key identifiers commonly found in these attacks.
- Tagging a message to make it clear that it is coming from outside your organization.
See the Configuring an Impersonation Protection Definition page for full details of how to configure the above identifiers and tags.
In the impersonation protection definition, you can specify the number of identifiers that must be triggered before any action is taken. The available identifiers are:
- Similar Internal Domain
- Newly Observed Domain
- Internal User Name
- Reply to Address Mismatch
- Targeted Threat Dictionary
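The threshold logic described above can be sketched as follows. This is an added example, not the product's own code: how each identifier is evaluated here (edit distance for lookalike domains, a seen-before set for new domains, phrase matching for the dictionary) is an assumption, as are all names, domains and sample messages.

```python
from email import message_from_string
from email.utils import parseaddr

# All values below are constructed assumptions for illustration.
INTERNAL_DOMAIN = "corp.example"
INTERNAL_USERS = {"alice smith", "bob jones"}       # display names of staff
KNOWN_DOMAINS = {"corp.example", "partner.example"}  # sender domains seen before
DICTIONARY = {"wire transfer", "urgent", "gift card"}
THRESHOLD = 2  # identifiers that must trigger before any action is taken

def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triggered_identifiers(raw):
    """Return the names of the identifiers a raw message triggers."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rpartition("@")[2].lower()
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    external = domain != INTERNAL_DOMAIN
    checks = {
        "Similar Internal Domain": external and edit_distance(domain, INTERNAL_DOMAIN) <= 2,
        "Newly Observed Domain": domain not in KNOWN_DOMAINS,
        "Internal User Name": external and name.lower() in INTERNAL_USERS,
        "Reply to Address Mismatch": bool(reply_to) and reply_to.lower() != addr.lower(),
        "Targeted Threat Dictionary": any(p in text for p in DICTIONARY),
    }
    return [label for label, hit in checks.items() if hit]

def is_suspicious(raw, threshold=THRESHOLD):
    return len(triggered_identifiers(raw)) >= threshold

# Constructed sample messages (not real traffic).
SPOOF = ('From: "Alice Smith" <alice@c0rp.example>\n'
         'Reply-To: alice@mail.test\n'
         'Subject: Urgent request\n\n'
         'Please arrange a wire transfer today.\n')
NEWSLETTER = ('From: "Vendor News" <news@vendor.test>\n'
              'Subject: Monthly update\n\n'
              'Product notes attached next week.\n')
```

With a threshold of 2, the constructed newsletter triggers only Newly Observed Domain and passes, while the lookalike message triggers all five identifiers; lowering the threshold to 1 would flag every first-time sender.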
Based on whether the required number of identifiers is triggered, you can specify the action to take if an email is identified as suspicious. The action can be:
Additionally, you can help users identify all messages as coming from an external domain regardless of whether any identifiers are triggered. This takes the form of text that can be added to a message's: