Note: this feature is available as a part of the Email Protection package only. 

There are multiple ways on how one could try to obtain sensitive information such as credit cards, passwords, etc. from you. One of the most common ones is by sending phishing or spoofing emails that might look legitimate.

Spoofing and phishing are not synonymous: while phishing is used to trick you into giving up sensitive information resulting in financial loss for the victim, spoofing is the way to impersonate someone else in order to trick your target into doing something that they might not ordinarily do.  

Read the Knowledge Base article on How To Prevent Someone Else From Using My Email Address (Spoofing)? for more information.

Managing Anti-Phishing and Anti-Spoofing Policies:

To manage anti-phishing and anti-spoofing policies, go to Services > Email Security > Inbound policies > Default policy > Phishing.

Phishing_1

By default all checks are disabled and have to be enabled manually. If needed, you can enable multiple checks at once. They all are performed against external emails. 
The following checks can be used to help detect and protect against phishing, spear-phishing and spoofing attacks:

  1. Tag all external emails with an [EXTERNAL] subject tag
    If it is enabled, all external emails will be tagged with an [EXTERNAL] subject tag.
  2. Emails from domains that match your domain
    Checks if the sending domain matches one of your company’s email domains. 
    Note: this check requires 1:1 matching.
     
    Managing trusted senders
    Once the Emails from domains that match your domain check is enabled, you will be able to manage trusted senders by clicking Manage trusted senders. In this section you can control which senders are permitted to send emails from any of your company’s email domains.
    Managing trusted senders
    Note:
    you can provide a list of valid IP addresses, IP ranges and wildcards. New entries should be separated by commas, semi-colons, spaces and enter. Click View examples to see what it should look like.

    If you would like to import data from a file, make sure that the following file requirements are met:
    • Text file with .txt extension and line-separated values only
    • maximum number of entries is 100
    • List of IP addresses should be sorted from 1 to 0.
    Trusted senders
  3. Emails that fail the reply-to check
    Checks if the sending domain matches one of your company’s emails domains, but the reply-to is an external address.
  4. Emails from domains that are like your domain
    Checks if the sending domain is similar to one of your company’s email domains which could indicate a targeted domain impersonation attack.
    Example: if your domain is yourdomain.com, this check will consider such domains as yrdomain.com, yourdoman.com, etc. as similar ones.
    The following sensitivity levels can be set for this check:
    • Aggressive — Domains with less similarities will match. This may result in legitimate domains being detected as domain impersonation.
    • Moderate — will use a balanced matching algorithm when detecting targeted domain impersonation. Recommended level.
    • Relaxed — Domains will need to match closely. This may result in non-detection of an attacker impersonating your domain.
  5. Emails containing suspicious content
    Checks if the content of the message contains vocabulary and language that might indicate a phishing attack.
  6. Emails that attempt to impersonate your users
    Checks if the display name of the sender matches a predefined list of names.

    Managing names
    Once the Emails that attempt to impersonate your users check is enabled, you will be able to manage names by clicking Manage names. In this section you can control which names will be used for the user impersonation check.
    Managing names
    Note: you can provide a list of names (special characters and names that have greater than one word are supported) and wildcards. New entries should be separated by enter only. Click View examples to see the supported formats.

    If you would like to import data from a file, make sure that the following file requirements are met:
    • Text file with .txt extension and line-separated values only
    • maximum number of entries is 100
    • List of names should be sorted by alphabet
    Impersonation check

Possible actions are the same for all of the checks except the Tag all external emails with an [EXTERNAL] subject tag check:

  • Permanently deleted
  • Moved to User quarantine
  • Moved to Admin quarantine
  • Delivered to Inbox with [POSSIBLE PHISHING] subject tag

Note: if multiple checks are triggered for the same email, the most restrictive action will be applied. 

Phishing_2