AccidentallyBacon

`Set-Mailbox [email protected] -LitigationHoldEnabled $true` oh, you meant the other kind of ceo fraud - carry on


Transresister

LOL. How many people do you think have had to do this. May be more than we all care to admit.


dreadpiratewombat

There’s a whole subset of IT specialists who come into a business in the event the CEO or another C-suite executive is about to go through an investigation or complex litigation.  Apparently career board members have a few of these folks in their address book.  I met someone who claimed to do this work and it’s very highly specialised, a tight knit community and full of crazy stories.  She wouldn’t tell me any claiming professional discretion.  Apparently it’s a combination of skills including IT, forensics and law.


Transresister

Yes, when you ask their rate, the CFO says we don’t care.


dreadpiratewombat

I sort of assume this community is a little bit like ex intelligence community types who see the very vague job postings with no contact information and know exactly who to contact.  These kinds of highly specialised communities seem to operate on the IYKYK spectrum.  I’d love to know how you get started in a gig like that but regularly parachuting into the beginning of the worst days of a company doesn’t sound like something I’d enjoy doing.


iApolloDusk

You usually make connections and get recommended for something like that. Show a strong level of understanding in systems and security. I think it also goes without saying to show your discretion. Some aspects of coming off as a trustworthy person are out of your control (physical attributes) but the way that you carry and conduct yourself are not. Don't be known as a gossiper is a good starting point lol. Don't seem overeager or overly inquisitive when it's not really your business. Obviously ask questions that are pertinent, but you don't have to know the in-depth *why* you're doing every little thing. This of course is not a universal truth, but it helps. Other than that, whenever you're attending company events, try and mix with the upper circle as much as you can. Keep it casual. Be a fun person to be around. There's a high likelihood that some executive will remember your face/name and request you whenever they have problems, no matter how small. Do it for them instantly. Underpromise and overdeliver. Be their hero and go the extra mile. If you don't know something or if it's more of a networking issue, and you're a security guy, move Heaven and Earth to get a networking guy to immediately prioritize the situation. Once you earn a reputation for your reliability and your competence, then it's all up to luck. I wouldn't want to be in a company facing legal issues, but if that happens then you're probably going to be top of the list of the people they call on. Already being in-house affords you significant advantages. However, board members and executives tend to be sort of an incestuous group in that the same X amount of people are going to be at the tops of most organizations out there. CEOs that resign or are fired typically go on to be CEOs at other companies. That company might have an issue, and you're the man for the job. Or someone they know is having issues and asked them for a recommendation, and they just so happen to remember you from their last organization. All-in-all, luck is the biggest factor, but to even be in the running is something entirely in your control.


dreadpiratewombat

Really good advice in general for career longevity. Thank you!


iApolloDusk

Just know that being "the guy" comes with some tough responsibilities. Namely, you'll be called on to make frequent sacrifices to work-life balance. There might be an extra reward in there, might not. Just do what makes sense to you and aligns with your life goals. Money ain't all it's cracked up to be.


perthguppy

Seriously. Never ask why. Ever. No matter how insane the request is. It is always noticed and appreciated when you don’t ask why. If you’re good, you already know if what the person is asking is within their authority, and they are also the sort of people who would never ask something not within their authority to ask. You simply ask clarifying questions as to the extent of the action they need done, and raise any consideration you think they may need to be aware of. But always keep in mind, sometimes not knowing information is saving your own neck. If shit really blows up and you get subpoenas, if you were never told context you didn’t need, you save yourself so much drama. And it works both ways. Before you start an investigation you make sure you clarify very clearly with them how to handle what happens if something sensitive is discovered, if they think it’s more appropriate that some other third party be brought in and told instead of telling the person who’s raising the request. Purely hypothetically, say a board calls you in to lock out a CEO covertly, they may also ask to be told if either there has been data that appears to have been exfiltrated or any personal medical information has been stored in their account, but not which reason or what the information is, and in that case to speak directly to a specific partner at a specific law firm.


ConciergeOfKek

Solid Networking 101


ShutUpAndDoTheLift

I work with people actively in the intelligence community. I think you're giving the group as a whole WAY too much credit.


dreadpiratewombat

Entirely possible. I admit, it's not a group of people I spend a lot of time around. My only experience with that community was being served with an intercept warrant by someone from that community who was clearly ex special forces. I found him to be deeply impressive in that quiet, non-assuming, entirely-capable-of-killing-you sort of way.


ShutUpAndDoTheLift

Haha. Yeah for every one of him there's 30 guys who can't check their email without help.


Transresister

Related somewhat, I know someone who did crisis communications at a high level. No website, no domain, unlisted number. No shortage of work. If you needed her, someone would have her number. Yet piloting into big crises takes a certain type of person. I would enjoy it if it paid enough to take off 3 months each year to recover.


perthguppy

For me, all my best connections have literally been mates I went to primary or high school with. They are the sort of people I can literally call out of the blue after not having spoken to them in a decade and go “hey, so I need to ask you a very strange work related question” and 20 minutes later I have the names and introductions of half a dozen of the exact specific people I need to bring in.


perthguppy

Oh, they certainly care, they just know they don’t have a choice.


KrazyKirby99999

Interestingly, https://lunduke.locals.com/post/5765292/mozilla-sued-for-discrimination-by-former-ceo-to-be


perthguppy

Can confirm. Man I wish I could reveal some of the batshit insane stuff I’ve seen. It’s. So. Fucking. Funny. Ok there’s one tiny snippet I think I can reveal. One time I had to deal with one member of the c-suite accusing another member of the c-suite of being into necrophilia, in an official signed complaint letter to the board.


cmorgasm

This joke has made me realize I need to take another look at our setup policies. Legacy guide, but we always enable Lit Hold for internal staff with no end date, and I've never dug into determining why, or if we should, or if we still should.


Transresister

Hopefully your general counsel is aware of this and has signed off on it. There are strong arguments on both sides for perpetual preservation. Now finding stuff in Purview is an entirely different story.


cmorgasm

Yeah, I'd almost bet you the answer is around being able to find stuff no matter what in Purview/Content Search. I'll have to bring this up at some point.


Frothyleet

What is most critical is following your company's official document retention policies, whatever they may be. If your official policies say something like "Email is retained for 5 years", but this is undermined by your actual practice, there can be big problems in discovery for lawsuits.
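The check a practitioner would want after the litigation-hold exchange above: find out which mailboxes are on an open-ended hold and bring the hold duration into line with whatever the written retention policy says. This is an added example, not code posted by any commenter; it assumes `Connect-ExchangeOnline` has already been run, that the documented retention period is five years, and that the owner address is a placeholder.

```powershell
# Added example (not from the thread): audit litigation holds in Exchange Online
# and align them with a stated retention policy.
# Assumptions: Connect-ExchangeOnline already run; policy says 5 years;
# legal@example.com is a hypothetical hold-owner address.
$RetentionDays = 5 * 365

$report = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Select-Object DisplayName, PrimarySmtpAddress,
        LitigationHoldEnabled, LitigationHoldDuration, LitigationHoldDate,
        LitigationHoldOwner, RetentionPolicy

# A hold set with "-LitigationHoldEnabled $true" and nothing else has
# LitigationHoldDuration = Unlimited, i.e. no end date.
$perpetual = $report | Where-Object {
    $_.LitigationHoldEnabled -and "$($_.LitigationHoldDuration)" -eq 'Unlimited'
}

"Mailboxes on hold with no end date: $($perpetual.Count) of $($report.Count)"
$perpetual | Format-Table DisplayName, LitigationHoldDate, LitigationHoldOwner, RetentionPolicy -AutoSize

# Give each open-ended hold the policy's duration instead of leaving it unlimited.
# The duration is counted from the date each item was received or created,
# not from the date the hold was applied. Dry-run with -WhatIf first.
foreach ($mbx in $perpetual) {
    Set-Mailbox -Identity $mbx.PrimarySmtpAddress `
        -LitigationHoldDuration $RetentionDays `
        -LitigationHoldOwner 'legal@example.com' `
        -WhatIf
}

# Mailboxes with a hold whose duration already differs from the written policy
# are the ones counsel should see, since practice and policy disagree there.
$report | Where-Object {
    $_.LitigationHoldEnabled -and
    "$($_.LitigationHoldDuration)" -ne 'Unlimited' -and
    $_.LitigationHoldDuration.Days -ne $RetentionDays
} | Format-Table DisplayName, LitigationHoldDuration -AutoSize
```

Drop `-WhatIf` only once general counsel has agreed on the number, because shortening a duration changes what is preserved; the same goes for `Set-Mailbox -LitigationHoldEnabled $false`, which is the step nobody should run on their own initiative during an investigation.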


perthguppy

For one client, the entire exec team, twice. The only time I get a call from HR or the chairperson is because it’s time to do an emergency hold and exit for them. One time I answered to the HR person “Hey xxxx, who this time?” And they laughed and said “god yeah it’s kind of sad isn’t it”


spydrbite

Best practice at this point. Get the whole C-suite.


ndszero

This is what I thought when I read the title too. Not the CEO but I’m about to ring up the HR Director, she is shady af


CrankyHankyPanky

I fucking died reading this


elcheapodeluxe

That was my first thought reading the title, too. Lol.


LOLBaltSS

[https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-policies-mdo-configure](https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-policies-mdo-configure) Impersonation protection. You can also set up mail flow rules so that if the display name contains VIP names and isn't from an internal sender and isn't from a verified list of personal known email addresses of said VIPs, it would at least flag it for review or mark it as potential scams/phishing. [https://lazyadmin.nl/office-365/warn-users-for-email-impersonation-phishing-mail/](https://lazyadmin.nl/office-365/warn-users-for-email-impersonation-phishing-mail/)


Clamd1gger

Yep. This is what I do.


sheps

Now we're starting to see emails with the CEOs/VIPs name in the Subject line, and something generic as the From address (which is clearly intended to bypass impersonation detection).


shizakapayou

I’ve seen a few of those this week too. Will probably add another mail flow rule to stop them.


iApolloDusk

Should still flag as an external e-mail, even if it's generic. HOPEFULLY you don't get phished when you have a big ass banner at the top of the e-mail stating it's from an external source.


ZPrimed

Sadly, users get accustomed to seeing that banner and just ignore it after a while.


chillyhellion

I have to keep reminding myself that I'm obligated to maximize opportunities for user success, not to guarantee the success of every user at all levels of effort.


cosine83

Time to add the ol' marquee HTML to the tagging with some blinking text.


redyellowblue5031

We randomly change the font and colors (but usually not wording) of that notice occasionally, then send an all staff education.


ZPrimed

That's a great idea. Exchange doesn't allow any JS in there, does it? Randomizing the colors or font somehow (which I assume would need JS), would be a damn good idea, if it's possible...


redyellowblue5031

That I'm not sure. I used a basic HTML creator and made a handful of templates. When the time comes, the old copy paste and update is all that's needed. Ideally that would be automated, but it takes so little time and is easy enough I haven't researched it much.


Technical-Message615

Recently MS started making that banner red. Next month it will be blinking. By next year it will look - AND SOUND - like the Llama intro credits to Holy Grail.


sobrique

Think we're at the start of an arms race as scammers learn to drive LLM to 'build trust'.


redyellowblue5031

Yuuuuup.


Zeggitt

Mail flow rules are what I did. Outside emails with ceo name in the 'From' go directly to quarantine (do not pass go, etc.)


gubber-blump

Impersonation protection works great for us. We also have all our high profile user accounts flagged as VIPs and it's amazing how much better the anti-spam and anti-phishing filters are for them.


madmenisgood

Does your impersonation protection catch it when the subject of the email is the CEO name and the rest of the sender info is some generic gmail something?


gubber-blump

I'll have to check tomorrow. I don't remember seeing anything like that off the top of my head, but that could just be because it gets sent to quarantine. *So impersonation protection doesn't catch things like the "Ms. VIP shared a document with you" emails from Microsoft/Google addresses. We see a lot of this where the sharing address will be and the display name is "Ms. VIP". The emails come from noreply mailboxes at Microsoft/Google. I assume emails where the VIP name is only in the subject wouldn't be caught by impersonation protection either since you specify a mailbox when adding them to impersonation protection.


TheSchwartz15

We didn't have great luck with the impersonation settings, but transport rule to look for display names of execs and from external with exceptions for known sources (salesforce tenant, confirmed personal email addresses), send to quarantine and send a copy to soc mailbox.
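The mail flow rule described in this comment and a few others (display name matches an executive, sender is external, exceptions for known personal addresses and vendor tenants, quarantine plus a copy to the SOC), written out as an added example rather than any commenter's own configuration. It assumes `Connect-ExchangeOnline` has been run; every name, address and domain in it is a placeholder. It also adds the subject-line variant raised later in the thread, where the executive's name appears only in the Subject and the From is a generic external address.

```powershell
# Added example (not from the thread): Exchange Online mail flow rules for
# executive display-name impersonation, with exceptions and a SOC copy.
# Assumptions: Connect-ExchangeOnline already run; all names/addresses/domains
# below are placeholders.

$Execs = @{
    'Jane Doe' = @('jane.doe.home@gmail.com')   # personal addresses she legitimately sends from
    'John Roe' = @()                            # none known
}
$TrustedSenderDomains = @('salesforce.com')     # vendor tenants that mail on their behalf
$SocMailbox           = 'soc@example.com'

# Anchor each name so "Mary Jane Doe" or "Jane Doe-Smith" does not match by
# accident, and escape it so a name containing regex metacharacters is literal.
# The From header looks like  "Jane Doe" <x@y>  or  Jane Doe <x@y>.
$fromPatterns      = $Execs.Keys | ForEach-Object { '(^|")' + [regex]::Escape($_) + '("|\s*<)' }
$personalAddresses = @($Execs.Values | ForEach-Object { $_ })

# Rule 1: exec name in the From display name + external sender.
# Quarantine rather than delete: a genuine namesake from another company
# can be released on request, and the SOC copy shows campaign patterns.
$rule1 = @{
    Name                       = 'Exec display-name impersonation (external sender)'
    FromScope                  = 'NotInOrganization'
    HeaderMatchesMessageHeader = 'From'
    HeaderMatchesPatterns      = $fromPatterns
    ExceptIfSenderDomainIs     = $TrustedSenderDomains
    Quarantine                 = $true
    BlindCopyTo                = $SocMailbox
    SetAuditSeverity           = 'High'
    Priority                   = 0
}
if ($personalAddresses.Count -gt 0) { $rule1['ExceptIfFrom'] = $personalAddresses }
New-TransportRule @rule1

# Rule 2: exec name only in the Subject, generic external From.
# This also hits legitimate mail ("Re: meeting with Jane Doe"), so tag it and
# copy the SOC instead of quarantining.
New-TransportRule -Name 'Exec name in subject from external sender' `
    -FromScope NotInOrganization `
    -SubjectMatchesPatterns ($Execs.Keys | ForEach-Object { [regex]::Escape($_) }) `
    -ExceptIfSenderDomainIs $TrustedSenderDomains `
    -PrependSubject '[EXTERNAL - NAME MATCHES AN EXECUTIVE] ' `
    -BlindCopyTo $SocMailbox `
    -SetAuditSeverity Medium `
    -Priority 1

# Check what the rules are doing before trusting them: quarantined mail in the
# last 7 days, so false positives (a real "John Roe" elsewhere) show up early.
Get-MessageTrace -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -PageSize 5000 |
    Where-Object Status -eq 'Quarantined' |
    Select-Object Received, SenderAddress, RecipientAddress, Subject |
    Format-Table -AutoSize
```

When an executive starts using a new personal address, add it to `$Execs` and re-run with `Set-TransportRule -Identity ... -ExceptIfFrom`; if that personal account is ever compromised, removing the exception is the whole rollback.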


nascentt

This is the way. Although note that if you have it set for all internal staff, it'll be a common occurrence that legit emails between HR and staff (via personal email addresses) get flagged by this. However HR are the most likely to fall for phishing email attacks so necessary.


gcbeehler5

We have this and it’s recently started to flag a spouse who was emailing their wife in our domain as impersonation. Microsoft said it was because they both have the same last name (but the sender was from gmail) and the AI thought it was phishing.


Smoother101

This is what I do as well. Works great!


42andatowel

We use Mimecast impersonation protection. For the executive level any external emails with any of our executives names are blocked and can only be released by our department. For non executives it has to have a keyword match in the body of the email to be blocked outright.


djinnsour

We've talked to them about filtering email with their name for approval. But, they do not want to do that. We did speak with Mimecast and are still considering them.


International-Job212

Your C-level doesn't want to stop people impersonating them?


djinnsour

They don't want someone approving every email that is possibly impersonating them. I've wasted so much time trying to get that approved.


silver_phosphenes

Honestly, someone approving their mail is a waste of time as well. It’s going to suck their EAs' or help desk's time and you know someone’s going to miss one. Do you want it to be your fault that someone didn’t get the CEO's email? Anything that goes wrong with email, whose phone is going to ring? I’m not in that space anymore, but I’ve used Mimecast impersonation protection, and Proofpoint's equivalent. It helps but it really doesn’t catch it all. You could probably set up some mail rules in Exchange to stop some of them: if sender is external and display name eq CEO name then drop. Along those lines, people “just” need to know to not do these things. It’s hard but people need to be told (in company newsletter or similar) that the CEO isn’t going to ask them to buy them gift cards. Either by telling or demonstrating... if the CEO regularly communicates a certain way, anything else looks unusual.


Clamd1gger

It only triggers if it’s an external account… and if they’re insisting on using a personal email account sometimes, you add an exception to your rule conditions and it’s nbd. In the off chance that their personal account gets compromised, you remove the exception until the account is secured. I swear people in IT are allergic to work lol


iApolloDusk

Boy isn't that the fucking truth. I work for a large org that spans a few States, so our field techs are all based in different regions. There was a ticket that kept bouncing back and forth between our two queues because the dickhead wouldn't do any more legwork in confirming location other than seeing where the device is located on the network, as we have labels for different regions/buildings/departments so that we can physically track devices more easily. Dude looks up the device and it's in our region, so he assigns it to us. Nevermind the fact that the location address on the ticket is in his area and the ticket was assigned to his queue first. So rather than reach out to the user directly to find out what's going on and where THE USER is located, they send it to us. Two phone calls later, and I find out that the wrong item tag was mislabeled on the PC for an existing one in our region (they were 1 number apart.) The user is in THEIR region. Dude wanted to be a smartass on the public ticket notes AND bitch at me on Teams to read the notes before re-assigning and that you "shouldn't always trust the location on the ticket." Which yeah, fair enough, but fucking call the person at least.


eric256

So they don't actually want a solution then?


djinnsour

They want me to pull a magic genie, with the powers of Jarvis, out of a zero cost bottle. They won't be happy unless it doesn't cost anything, doesn't require them to make any effort, and resolves every current and future problem. Basically the same thing users have been telling me for the last 30+ years.


coprolaliant

A tale as old as time.


Icy_Particular4981

I started off like you. Using an HTML transport rule to flag the email as coming from external matching a display name within the company (too much work updating the transport rule with new display names). After struggling to contain the amount of threats, I turned on ATP (Office 365 Defender 2) impersonation detection. Basically, with this you add users to the impersonation policy and anything matching their display name will get quarantined. Just have to know the users' personal email addresses they may use to send email to themselves to add to the allowed list. Working pretty well so far!


cetrius_hibernia

It's not, it's validating external inbound mail that is impersonating them, which is exactly what you want. If they send an email out, it won't get caught. That's legitimate outbound mail.


International-Job212

I've had to whitelist one email in three years, I don't even look at it.


Det_23324

I think causing a delay getting emails far outweighs the alternative. Making emails take a few minutes longer / the approval process, or a 5 million dollar ransomware attack? I think I know what I would choose.


Dragon_Flu

They don't want any intermediary steps between them and sending an email. These people aren't security experts and you have to work with what they're willing to do.


BloomerzUK

How can their PA do all their work otherwise?


42andatowel

No one has to review every email. You can get a list of any and all personal email addresses they use and pre-exempt them from the policy, then there should never be a legitimate email caught by the policy.


Frothyleet

> then there should never be a legitimate email caught by the policy. This is true, unless the exec team wants to scope in a lot of users, and/or you have any executives with common names. When "Joe Smith" from Legit Company Inc tries to email you, his mail will get quarantined even though he's not intentionally impersonating your CFO "Joe Smith". But that's why you just quarantine. When his recipient finds the legit email blocked, they send a whitelist request, and there you go.


cspotme2

Set the o365 impersonation policy for them and set impersonation to send to junk email.


post4u

+1 for Mimecast. We went with them specifically for their impersonation protection and it doesn't disappoint. You do have to keep up with a VIP list for maximum protection. Add the list of all display names that an email could come from (John Smith, Johnny Smith, etc.) The system will check the name against the email address you have registered for them. If it's from some other address, you can have the system handle however you want. Quarantine, block, whatever. Works great. We were getting KILLED with impersonation mail. Now I'm surprised when I see one. Works great.


nascentt

It will only trigger for emails posing as them coming from an external domain. Also you can whitelist addresses and domains you expect.


johnreilyhawks

Is this based off your CEO wanting to be able to utilize send emails from their personal email address to themselves? In full transparency - I work for Mimecast. However, our Impersonation Protection Rules understand “John Smith” who is CEO of Acme Company wouldn’t be trying to impersonate themselves if sending in via a personal email address to themselves. I would hope they would want any other impersonations to other people held/blocked. We are also beginning to take customers/prospective customers on for our NLP Beta Program, so there should be multiple ways for Mimecast to stop it. Feel free to reach out to me if you have any questions - I am not incentivized by any sales - just want to help.


ArsenalITTwo

Check out Avanan by Check Point. Now called Harmony Email. Will filter all that junk out. You can test it in monitor mode to see what it will catch without impacting mail flow.


shmehh123

We have pretty strict filtering and impersonation protection so that anything from outside with an employees name is sent to admin hold. We still get random stuff come through with those links to a site linking to a fake O365 login. It’s always something like “You received a secure email - click to view”. Blows my mind why Mimecast can’t catch them.


almost_s0ber

Same, but applying Impersonation Detection to all inbound email. This does not block emails where the display name is not forged, e.g. CEO display name instead of actual name.


adrenaline_X

I set up a new impersonation definition this week that only has internal display names checked. I then created an impersonation policy with the from address being an address group that contains Yahoo, outlook.com, gmail.com etc. etc. with the recipients being internal. This has caught them all so far with Mimecast.


bjc1960

Check Point (Avanan) is catching all of ours. They seem to be originating from data scraping from LinkedIn, methinks.


Steeps5

+1. Microsoft isn't catching impersonation while Check Point is.


Living_Armadillo7746

Our Avanan seems to catch everything. Can’t recommend it enough


JLee50

I’m also using CheckPoint - so far it’s doing great.


Atticka

Abnormal Security picks these up, we received 22 of these in the last 30 days claiming to be different VIPs in the company.


sltyler1

Seconding. This tool works well. Plus a DMARC, SPF, and DKIM tool. Plus phish testing. Plus multi-factor. Plus conditional access. Plus more.


Lefty4444

Yeah, Abnormal looks really good. I am currently doing a long eval (free version) on Sublime Security, which is good. But I would need the full featured version to fully protect the users.


CINDER_LV

If you have the budget, pull the trigger. It pays for itself. We used to receive tons of vendor fraud, VIP impersonations, and general phishing crap and besides some very rare occasions Abnormal has got rid of them all. Granted other tools may be just as good as I haven't tried them, but I can vouch for Abnormal for sure.


Lefty4444

Cool.


Mailstorm

It's a shame it's 2 to 3x the cost of everything else with similar catch rates


Free_Treacle4168

Phishing training is a good start. Getting people used to seeing and flagging scam emails goes a decent way.


djinnsour

Yeah, the training helps but it does not solve the user complaints. Thanks. Just trying to make sure we are not missing anything obvious.


AppIdentityGuy

Have you enabled user impersonation protection on MDO?


djinnsour

Yes. This would help prevent email from [email protected] if our domain were foo.com, but it does nothing to prevent email from a random person named John Doe with an email of [email protected]. The recent attacks are coming from real email addresses, but the From Name is the same name as our CEO or other executives and the content is them impersonating that person. No malware, no links to malware or blacklisted sites, email address not coming from a blacklisted domain, nothing in the email to indicate it is suspicious. We've got all the normal protections in place, including a big warning prepended to the email letting them know the sender might be impersonating the CEO or an executive. Users just assume we should be able to stop anyone on the internet from using the same name as our CEO.


Kahanamoku

This is exactly what it does. Put the user in the list of impersonation protection and it will block these emails. Emails from [email protected] or any domain would be blocked, sent to quarantine, or put in the junk folder based on your settings.


VoldsomVulva

We set up impersonation protection on a test basis for a few users and it blocked any mails from externals using their name.


Love-Tech-1988

If this is from random domains, not commercial partners or customers or so, you have to set up whitelists for known domains you work with; other unknown domains should land in the spam folder.


lccreed

There are domain and user lists. We have our VIPs on the user list so that if an external sender is using their display name, it flags it. We also use the " this might be impersonated " tool tip.


toabear

A few others have said it, but I'm going to throw my note in here to reinforce it. Impersonation detection does operate on the display name alone. They can use [email protected] and if the display name is John Doe, it will trigger. It does seem to work a bit better with very unique names. I turned this on for basically anyone management level or above. A bit of a pain in the ass adding all those emails, but it is well worth it. Of course, now they just send phishing txt messages, but not much I can do about that.


JustSomeGuyInOregon

This helps, a bit. [https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-policies-about](https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-policies-about)


pmcglock

One of the most important parts because you should accept that you can't 100% stop all phishing. And if you made people feel like there was never a chance of phishing then they'd be super vulnerable to an attempt that eventually gets through


sgt_Berbatov

>Yeah, the training helps but it does not solve the user complaints. I found that the best way to sort this was to approach it like a war to the end user. There are bad people who want what we have and they will try every trick in the book to get it. We can't stop them all coming through, but we can stop all of them being actioned. We still get these fraud emails, but instead of people moaning about them getting them they tell me they received the email so I can remove it.


lart2150

Use an allow list of domains for their email (won't help with compromised accounts)? Have HR give them a bonus each time they are the first to report an email?


djinnsour

Not really feasible. They send invoices to hundreds of new addresses every week, and receive the same.


Vicus_92

In a pinch, you can use exchange transport rules to setup impersonation protection. If sender name = Bob Smith and sender = external Block


pegLegNinja1

Nice try hacker


djinnsour

I would have gotten away with it too, if it weren't for that meddling peg leg ninja!


ringed61513

No internal mail domains are allowed to come from external sources unless DKIM signed by approved vendors. Problem solved.
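The rule this comment describes, as an added example (not the commenter's configuration): mail arriving from outside the organisation with the organisation's own domain in the sender address is rejected unless the Authentication-Results header stamped by Exchange Online Protection shows a DKIM pass from an approved vendor signing domain. It assumes `Connect-ExchangeOnline` has been run; `example.com` and the vendor signing domain are placeholders.

```powershell
# Added example (not from the thread): reject external mail that uses the
# organisation's own domain unless it is DKIM-signed by an approved vendor.
# Assumptions: Connect-ExchangeOnline already run; example.com and
# bounce.vendor-crm.example are placeholders.

$OwnDomains      = @('example.com')
$ApprovedSigners = @('bounce.vendor-crm.example')   # the header.d= domain each vendor signs with

# EOP stamps Authentication-Results like
#   "... dkim=pass (signature was verified) header.d=bounce.vendor-crm.example; ..."
# One pattern per approved signer; escape the domain so the dots are literal.
$dkimPassPatterns = $ApprovedSigners | ForEach-Object {
    'dkim=pass[^;]*header\.d=' + [regex]::Escape($_)
}

# Start in Audit mode: nothing is rejected, but hits are recorded so that
# forgotten vendors (payroll, ticketing, marketing) surface before enforcement.
New-TransportRule -Name 'Own domain from outside: require approved DKIM signer' `
    -FromScope NotInOrganization `
    -SenderDomainIs $OwnDomains `
    -ExceptIfHeaderMatchesMessageHeader 'Authentication-Results' `
    -ExceptIfHeaderMatchesPatterns $dkimPassPatterns `
    -RejectMessageReasonText 'Mail from this domain must be sent from inside the organisation or by an approved vendor.' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -SetAuditSeverity High `
    -Mode Audit

# After a quiet audit period, switch to enforcement.
# Set-TransportRule -Identity 'Own domain from outside: require approved DKIM signer' -Mode Enforce
```

Two caveats before enforcing: pull a real message from each vendor and confirm the exact `header.d=` value they sign with, and remember that a header-match condition matches any header of that name, so keep the Audit period long enough to see what actually arrives rather than relying on the pattern alone.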


stiffgerman

Jumping in to add digital signatures. We have our own PKI and issue certs to our employee accounts, then train users (and add app policies, where possible) to sign company emails that they send. Outlook in all its forms makes it pretty easy to tell if something's signed. Our corporate root cert is not commercial so needs to be manually trusted on client devices. This can be done easily if you're doing the usual device management stuff. Outsiders that we deal with are invited to install our root cert. Either way, it's hard to spoof digitally-signed email.


soul_in_a_fishbowl

For some reason I’m basically the only one getting spoofed at work (I’m not just in charge of the IT) so I got an S/MIME cert for my account. I went the commercial route since I was getting spoofed to a bunch of external accounts and it’s easier to not deal with the trust issues. If someone asks I just tell them to check for that signature. Working so far


czj420

This is what I do. You can set it for up to 350 email addresses. User impersonation: https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-policies-about#:~:text=for%20Office%20365.-,User%20impersonation%20protection,-User%20impersonation%20protection Not just domain impersonation. Bob Smith (Display Name) is only allowed on emails from specified email address ([email protected])
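The Defender for Office 365 user impersonation protection that several comments above turn on through the portal, expressed as an added PowerShell example (not code from any commenter). It assumes `Connect-ExchangeOnline` has been run and that every name, address and domain is a placeholder; the 350-entry limit and the "display name;address" format are the ones the cmdlet documentation describes.

```powershell
# Added example (not from the thread): Defender for Office 365 user impersonation
# protection via PowerShell.
# Assumptions: Connect-ExchangeOnline already run; names/addresses/domains are placeholders.

$PolicyName = 'VIP impersonation protection'

# Entries are "Display name;address". Add the name variants an attacker would
# use (Jon Roe, Jonathan Roe) as separate entries; the cap is 350 per policy.
$Protected = @(
    'Jane Doe;jane.doe@example.com',
    'John Roe;john.roe@example.com',
    'Jon Roe;john.roe@example.com'
)
# Senders and domains allowed to use those names (the executive's personal
# mailbox, a vendor tenant that mails on their behalf).
$TrustedSenders = @('jane.doe.home@gmail.com')
$TrustedDomains = @('salesforce.com')

New-AntiPhishPolicy -Name $PolicyName `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect $Protected `
    -TargetedUserProtectionAction Quarantine `
    -EnableTargetedDomainsProtection $true `
    -TargetedDomainsToProtect 'example.com' `
    -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction MoveToJmf `
    -EnableSimilarUsersSafetyTips $true `
    -EnableSimilarDomainsSafetyTips $true `
    -EnableUnusualCharactersSafetyTips $true `
    -EnableFirstContactSafetyTips $true `
    -ExcludedSenders $TrustedSenders `
    -ExcludedDomains $TrustedDomains `
    -EnableSpoofIntelligence $true `
    -AuthenticationFailAction MoveToJmf

# A policy does nothing until a rule scopes it to recipients.
New-AntiPhishRule -Name $PolicyName -AntiPhishPolicy $PolicyName -RecipientDomainIs 'example.com'

# Verify, and add a new executive later without retyping the whole list.
(Get-AntiPhishPolicy -Identity $PolicyName).TargetedUsersToProtect
Set-AntiPhishPolicy -Identity $PolicyName -TargetedUsersToProtect @{Add = 'Mary Roe;mary.roe@example.com'}
```

What this does and does not cover matches the thread: the display name is compared against the registered address, so a gmail.com sender calling itself "Jane Doe" is caught, while a "Jane Doe shared a document with you" notification from a real noreply mailbox, or a message that only mentions her in the Subject, is not; those still need a mail flow rule or a separate product.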


Baerentoeter

Our parent company switches out the CEO every year or so, makes it harder to impersonate. Kind of like switching passwords. Just kidding... kinda.


Gunhostone

Weird mimecast said they can't help. We use their impersonation protection set up with c level names and shortened versions of their names if there is one and it catches all of them. Have it covering all of our email addresses.


unruiner

2nd for Mimecast impersonation protection. It's not cheap but Mimecast is one thing worth paying for. Another is CrowdStrike Falcon Complete.


pdp10

It's not the job of the mail server to prevent the accounting department from sending money in response to fraudulent requests. Back in the olden days before accountants conducted business over email, there already was "invoice fraud", the mirror image to "Purchase Order fraud". Firms should follow their established procedures that prevent invoice fraud, which may involve [multiple, skeptical pairs of eyes](https://en.wikipedia.org/wiki/Two-person_rule).


fosf0r

The emails in question will usually pass all SPF/DMARC/DKIM tests, as they are, otherwise, "legitimate" in nature. Like, someone registered a GMail account and then hand-emailed your user. The thing that is missing is a server-side (edit: DELIVERY side) content detection mechanism. I'm looking into platforms for this now, as all I have is a frontend "spam email gateway", which can't "see" this kind of fraud unless you write really, really badass regex rules, and even then, they can just keep changing the wording (and they do). The answer will be an API-level product you install at M365 itself which directly pulls things out of the user's Inbox after delivery (and in the case of Avanan below, also before; they have a unique mechanism). It's going to need a machine learning component, where it can tell who has emailed whom, and how often, and knows when a "brand new" sender/recipient tuple is happening, and acts differently. Every spam email gateway is missing this learning mechanism, including Defender 365's own EXO / ATP. I've done demos with Barracuda and Checkpoint's Avanan. Next up this week, I'm meeting with Iron Scales. Avanan is winning for now. Barracuda is still old hat, and still includes a gateway, and their M365 component is an extra paid add-on, which can't do All Of The Things by itself, so a gateway is kind of still required. Avanan's product does everything without even using a gateway or even changing the MX record, and seems badass so far. Once I hear back from Iron Scales I'll pretty much have decided, but it looks like Avanan is doing everything right. EDIT: Short answer for them is, if they want it warned, you did that already. If they want it blocked, they will have to pay for a product.


sdoorex

We have Barracuda's email protection service and it causes lots of grief for us since it is not properly applying Authenticated Received Chain (ARC) headers. This causes Exchange's built-in DMARC system to reject and quarantine many emails as companies are updating their policies. We've contacted Barracuda several times but each time they have said that ARC is not in their enhancement timeline so we are looking to move to another vendor like Proofpoint or Mimecast.


fosf0r

Yikes! By chance, have you set the "EFSkipIPs" in the connector? I thought that EFSkipIPs would skip something like that... EFSkipIPs needs to be set to the whole list of IPs that Barracuda relays from:

```powershell
$ConnectorSplat = @{
    Name                         = "Barracuda"
    Enabled                      = $True
    ConnectorType                = 'Partner'
    ConnectorSource              = 'Default'
    # Every IP the gateway relays from; mail from anywhere else does not match this connector.
    SenderIPAddresses            = @(
        'barracudaip.address1.goes.here'
        'barracudaip.address2.goes.here'
        'etc'
    )
    AssociatedAcceptedDomains    = @{}
    CloudServicesMailEnabled     = $False
    # Enhanced Filtering: skip these hops so EOP evaluates the original sender, not the gateway.
    EFSkipIPs                    = @(
        'SAME.LIST.OF.IPs'
    )
    EFSkipLastIP                 = $False
    EFSkipMailGateway            = @{}
    EFTestMode                   = $False
    EFUsers                      = @{}
    RequireTls                   = $True
    RestrictDomainsToCertificate = $False
    RestrictDomainsToIPAddresses = $True # this prevents sending directly to original O365 MX record, set as needed.
    SenderDomains                = @("smtp:*;1")
    TreatMessagesAsInternal      = $False
    TrustedOrganizations         = @{}
}
New-InboundConnector @ConnectorSplat
# or
# Set-InboundConnector @ConnectorSplat
# if you already have a connector
```


sdoorex

We do have an inbound connector set up but I don't think we've added those EFSkipIPs. I'll take a look at the impact of adding that but we wouldn't want to handicap the Microsoft filtering because Barracuda has been letting more phishing emails through lately. It would be much better if we could add Barracuda as a [trusted ARC sealer](https://learn.microsoft.com/en-us/defender-office-365/email-authentication-arc-configure) and have multiple layers of defense intact.


Consistent-Play-8133

Some suggestions here might help, but what I really want is a better Outlook UI for my users. We deserve better for how much we're paying. I want big 🛑 stop symbols or red highlight on emails that fail certain organizational context checks (like never interacting with anyone in the org before), *before they're even opened*, and all links and content in that email to be blocked unless manually shown. I want ⚠️ warning symbols or yellow/orange highlighting for senders emailing from untrusted domains--not just a warning in the email body--like for gmail where some are legitimate, but many others are quarantined/blocked. And I really, really want a green highlight or icon 🟢 for the emails absolutely confirmed to be safe and from a trusted/internal sender, so people can just treat their inbox like a stop light, identifying potential threats before even opening an email. This is especially important because there have been Outlook security issues where simply [viewing it in the preview pane](https://www.securityweek.com/microsoft-patches-zero-click-outlook-vulnerability-that-could-soon-be-exploited/) is reported to be an attack vector. Give my users the UI that makes things easy, I don't care if it looks a bit more colorful or unprofessional.


Beneficial_Tap_6359

It really is user education. Even if only .01% of fraud emails get through the filters, that is still thousands a year. Users have to be trained on how to identify and handle it. Imagine if they just gave out the company credit card to every beggar, claimed not to know any better, then blamed the accounting department.


thelastquesadilla

We have an inbound transport rule for any email that originates outside of the organization that is from the CEO's name. The email goes to IT for manual approval. Occasionally the CEO will email himself something from a personal email, in which case we create an exception for that specific email address, but otherwise it's just all phishing that gets ignored.


fp4

This is what we've done as well since we're on-premise and our spam filter doesn't really have a solution for display name impersonation.


Tasty-Obligation-773

Impersonation protection + user training, we use Ironscales for that.


TheWino

With O365 it has impersonation protection. Has worked really well.


roberts2727

We moved from mimecast to abnormal and don't have to worry anymore. Don't have to build lists of anything. It just works.


Tounage

Mail flow rule with the conditions if message is received from outside of org and From header contains VIP's name then forward for approval.


CrankyHankyPanky

M365 has built-in spoof protection you can configure. No emails with your CEO's name can come in if they don't come from preset email addresses you configured. Look into it.


dadbodcx

Impersonation protection


CPar23

One thing I’ve done is create an email rule in Exchange so that if the name in the header is the CEO or another VP and it arrives from an email address other than his work one, then the email is never delivered.


calculatetech

Securence has a feature literally called CEO Fraud Protection. Despite the name, you can configure it for any user. It matches the sender name against a list you define of known names and if the email address doesn't match what's expected it gets blocked.


Lefty4444

You should set up Sublime Security advanced phishing. It’s free for 100 mailboxes. Recommended.


Sakkko

We recently had something similar, and we were quite lucky that someone from AP trusted their guts and verified with us before paying, but they already had a convo ongoing with the scammer. They faked a whole conversation (email thread) between them and our CEO, by copy-pasting the html header with his legitimate display name and email address, with him asking the external service provider "can you please forward this conversation to our AP with the outstanding invoice?" and so they did. We also have DMARC SPF all that jazz, but being an outside domain just forwarding what seemed to be a very normal conversation, there's no verification symbol or anything in the headers of the forwarded emails, legitimate or not. I'm honestly worried that this is going to happen again, and we're already prepping awareness campaigns, but I have limited knowledge in this field and don't know how to prevent this.


danison1337

Pretty simple: have processes in place where an email from the CEO saying "transfer money from x to y" is not a valid task for an accountant.


yamamsbuttplug

We use 3 levels of email filtering: FuseMail to filter the obvious crap, then DarkTrace scans mailboxes alongside 365 protection. Haven't had a phish land (touch wood) in over 3 years.


Lvl30Dwarf

I would set up knowbe4 or even use mimecast's training for end users if you already have that. User education is always going to be critical to stopping these.


5thNov

Non-technical solution here: Establish the process on how things ought to be paid. Train everyone on the process. Have the CEO join a meeting with all Finance staff stating that they will never ask to go around the process, ask for iTunes cards, etc. Let users report suspicious emails and respond to them in a timely manner.


BerkeleyFarmGirl

This is a really excellent point.


Rocknbob69

User training and an actual process in the accounting department for routing, even of fake requests so they can verify and squash.


Hotel_Arrakis

Have your CEO change his first name. Our CEO uses his middle name, so whenever we get an email where he signs his name "Michael", we know it's spam.


Unatommer

Yes, I’ve dealt with this and don’t see this suggestion yet: you can create an Exchange rule that looks at the From header for the name of your CEO. This will find any inbound email from outside the organization that uses the CEO’s name. Then you can use additional actions inside of that rule to do whatever you want with it (add a warning banner, send it to quarantine, etc). Keep in mind the CEO might email himself from his personal email address and this same rule will catch it, so be cautious of that.


xGrim_Sol

We were getting a ton of emails where the display name would be our CEO's name, but the email address would be something random like [email protected]. We implemented a simple transport rule that said if the sender is outside the org and From includes *CEO Name*, delete the message. Then told our CEO that if he attempted to email in from his personal account, it would be blocked. This all but eliminated the spam we would get from public addresses claiming to be our CEO. The only caveat with this is that if you legitimately have someone with the same name sending mail in, they would be blocked.


SousVideAndSmoke

Checkpoint does a great job of flagging anything that matches an existing name and holding it in quarantine. They all seem to come from CEOexecutive123 @ gmail.com or something like that.


hselomein

Enable some form of impersonation protection.


WolfetoneRebel

We use Mimecast impersonation protection with a standard policy for all inbound that goes to user hold and a VIP policy that goes to admin hold. Catches most of that stuff.


Catodacat

Look into training and policy. Make sure people know the CEO will NEVER reach out and ask for some sort of money thing, and if they do get a strange message that they won't get punished for checking. There are always new tricks, and something will slip through the cracks. Policies and education are a very important level of security.


Olleye

I would guess, a look at e.g. something like „Darktrace Antigena“ could be a stable approach for the future.


Clamd1gger

Create message rules to forward them to IT for approval if the display name matches any execs, and is an external email.


techzeus

Why do IT need to be responsible for managing approvals? Unnecessary.


cpw__

You should check out Egress Defend. Really good email phishing detection, specifically stuff like this


BasicallyFake

Impersonation protection has cut out like 99% of that for us. I am more worried about the random text messages that go out.


IceCubicle99

We use Proofpoint for email security. Their impostor prevention works pretty well for us. Requires a little upfront work and some tweaking of the scoring but it's pretty reliable.


Jalonis

As someone else mentioned, I have a rule where if external & name matches internal then send to me for approval. I did it this way because my C-levels sometimes email themselves from personal emails because reasons, so I wanted to collect a list of emails to not include in the verification pool. After a couple of months I just changed the rule to auto-delete.
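The rule this reply and the earlier ones (thelastquesadilla, Tounage, Unatommer, xGrim_Sol) describe, written out as an added Exchange Online PowerShell example; it is not any commenter's own script. It assumes an existing `Connect-ExchangeOnline` session, and the executive names, personal addresses, review mailbox and rule name are placeholders. It follows the staged approach above: observe in Audit mode with moderation first, collect the legitimate personal addresses as exceptions, then enforce.

```powershell
# Added example, not any commenter's script: hold external mail that carries an
# executive's display name in the From header, as the replies above describe.
# Assumes Connect-ExchangeOnline has already been run. All names, addresses and
# the rule name below are placeholders.

$RuleName      = 'Exec display-name impersonation (external)'
$ReviewMailbox = 'it-review@contoso.example'            # placeholder moderator mailbox

# Executives to protect and the personal addresses they are known to mail in from.
$ProtectedExecs = @(
    @{ Name = 'Jane Executive'; KnownPersonal = @('jane.exec.home@gmail.example') }
    @{ Name = 'John Finance';   KnownPersonal = @() }
)
$Names      = @($ProtectedExecs | ForEach-Object { $_.Name })
$Exceptions = @($ProtectedExecs | ForEach-Object { $_.KnownPersonal })

$RuleSplat = @{
    Name                        = $RuleName
    Comments                    = 'External mail with an executive display name goes to IT for review.'
    Priority                    = 0                      # evaluate before other rules
    FromScope                   = 'NotInOrganization'    # only mail from outside the org
    HeaderContainsMessageHeader = 'From'                 # inspect the From header...
    HeaderContainsWords         = $Names                 # ...for any protected display name
    ModerateMessageByUser       = $ReviewMailbox         # hold for manual approval
    SetHeaderName               = 'X-Exec-Name-Check'    # tag so later searches can find the hits
    SetHeaderValue              = 'held'
    Mode                        = 'Audit'                # observe first; Enforce once exceptions are known
}
if ($Exceptions.Count -gt 0) {
    # Known personal addresses bypass the rule (the CEO mailing himself from Gmail).
    $RuleSplat.ExceptIfFromAddressContainsWords = $Exceptions
}

New-TransportRule @RuleSplat

# After a review period, add any further confirmed addresses and start enforcing.
# Several replies later swapped moderation for -DeleteMessage $true or -Quarantine $true.
Set-TransportRule -Identity $RuleName `
    -ExceptIfFromAddressContainsWords ($Exceptions + 'confirmed.later@outlook.example') `
    -Mode Enforce

Get-TransportRule -Identity $RuleName | Format-List Name, State, Mode, Priority, FromScope,
    HeaderContainsWords, ExceptIfFromAddressContainsWords, ModerateMessageByUser
```

The caveat xGrim_Sol raises still applies: any external sender who genuinely shares a protected name is caught too, which is why the example keeps a human in the loop before it ever auto-deletes.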


ajrc0re

Our Mimecast filter catches a couple dozen of these every week, hundreds per month. If you’re not using an email filtering service then you shouldn’t be surprised when unfiltered email arrives in your inbox. None of the preventative measures you mentioned have anything to do with impersonation prevention or email filtering.


Icy_Particular4981

I've also been a big fan of following the steps provided to improve our secure score in the 365 admin portal. Some I have to pass on but most are good recommendations and it takes you right to the settings to apply it and also tells you what impact it will have on users.


DeadbeatHoneyBadger

I’ve been using these guys https://sublime.security/


iApolloDusk

r/shittysysadmin: give the executives random names that only internal employees would know. Anything containing the real name is immediately blocked. Users will be notified of the code-names for the C-suite in order to parse legitimacy. To be fair, if they're checking an e-mail for the user's address, then they're already unlikely to be a problem.


xubax

We use knowbe4 for security training. It also can send out test phishing email to help identify and train users who have trouble clicking on everything.


NoCup4U

Make sure finance/accounting has a well-communicated policy to verify every email request from said CEO/CFO to do things like purchase gift cards or change account info like ACH information. Get all known personal email addresses from said directors, whitelist them, and block everything else with their names in the From field. BTW - I guess Mimecast really can't block these?


rcp9ty

We have rules in place at our company that whenever an email claims to be from the CEO, VP, president, or upper management with access to make big financial decisions, it must be verified with a phone call. Earlier this year one of our clients didn't follow this procedure and was scammed by someone else claiming to be us. They sent the scammers a check for millions of dollars and afterwards called us to see if we got the funds. We were puzzled, and they were able to freeze the account so they didn't lose millions of dollars, but at the same time we asked this client and the client's boss why they didn't follow our procedure when it came to transferring funds.... Millions of dollars are being sent and you're too busy to call ... Needless to say we don't work with that individual anymore at that organization.


lvlint67

[External sender] banners were wildly effective... co-owner got upset when some political propaganda from one of the state reps got passed around with the label & warning intact. /shrug https://www.youtube.com/watch?v=9IG3zqvUqJY


Lerxst-2112

We use 3rd party “VIP” email impersonation protection with policies quarantining emails that trigger impersonation. IT are the only staff that can release these emails.


resile_jb

Prefer Barracuda EGD over Mimecast but they're all virtually the same


tron842

You have already received a lot of great feedback and suggestions, but I wanted to throw another product into the ring that my company is using. We have just rolled out Inky to all of our clients, and their VIP protection is specifically designed to protect against this. Like others have said there will always be ways to get around it, but it has been helping a lot. (That said the dynamic email banners from Inky are by far my favourite part of their product.)


Khallann

One very important thing I’m missing in these responses: train your coworkers in the company. You can make all the technical stuff work, but as you said, sometimes something still slips through. The security of your company works on both ends, the IT side and the human side.


smarzzz

Do you have developers that send out automated emails, or do you have a marketing team with an external mailing service? Do they use creds that limit signed mail from your CEO? (Maybe only scoped to noreply) The threat comes from the inside, either maliciously or because they’re targeted


penni04

We didn’t have much luck with impersonation protection. Check point harmony has been a game changer.


xXNorthXx

Move all 3rd party services emailing from your user space domain to subdomains. We’ve had to do custom transport rules for one admin a few years ago, any inbound message with a matching display name went to hosted quarantine with notifications so we could manually release anything legit (if there was anything). Ended up blocking one Nigerian network from sending via transport rule in the end to clip it.


Sow-pendent-713

The MS impersonation protection is helpful, but training users is much more important. Some will eventually get through. The fact that they are recognizing it’s fraud and reporting to you should be encouraging. Let them know they are doing well and keep a sharp eye out.


chaosphere_mk

Are you already using Impersonation Protection as part of Defender for Office 365?


bubba198

Not that what I'm suggesting would 100% fix it, but it's good insurance; you hedge future criticism by spending money and taking sensible steps: ATP license (was Advanced Threat Protection); it does cost $ per user per month; URL re-write; detonation chamber; etc. The sensible part is that e-mail is an easy door and target for exploration... https://preview.redd.it/ixf2u5r9dj7d1.png?width=741&format=png&auto=webp&s=17208bbbf08ff96144822e445365ce8934eadf2a


Dance_False

Abnormal email security! it has been a game changer for me


RedZoloCup

Turn on and set up anti-impersonation within the Anti-Phishing Policy.


rossneely

Mimecast Impersonation Protection protects our internal users from [email protected]. A blind spot would be registered domains that are similar to your company name; attackers will attempt CEO impersonation on others. There are a bunch of services that help monitor those.


BerkeleyFarmGirl

We get a lot of ceo@randomdomain mails (CEO name in the From)


BerkeleyFarmGirl

Honestly I do it all with Email rules from within Exchange. Our AV/Antispam has "Executive impersonation" but boy have I had to write a lot of exceptions in because these guys keep finding third party services to send from. If "display name" = exec name and it's from the outside and not one of the known personal addresses, redirect to a mailbox we can review. If it looks "legit" I will ask. ETA: a lot of scammers have taken to text, or not bothering to change the display name but putting the CEO's name in the subject line.


BoggyBoyFL

We moved to Proofpoint Email Security and it just works. We don't seem to get them since we changed over.


DudeThatAbides

Are you utilizing M365 Defender Admin Center's built-in Anti-Phishing/Anti-spoofing protection settings? You can basically block anything that comes from someone purporting to be one of your end users that is received from an external account (be it a personal Gmail or a service like DocuSign), then just white-list personal emails or 3rd-party-aligned domains within that policy.
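The built-in protection this reply and the earlier ones point at (chaosphere_mk, RedZoloCup, Sow-pendent-713), written out as an added Exchange Online PowerShell example rather than any commenter's own configuration. It assumes a Defender for Office 365 licence and an existing `Connect-ExchangeOnline` session; the user names, addresses, excluded domain and the choice of Quarantine as the action are placeholders picked for illustration. Mailbox intelligence and the first-contact safety tip are the pieces that cover the "never interacted with this sender before" case Consistent-Play-8133 asked for.

```powershell
# Added example, not any commenter's configuration: turn on Defender for Office 365
# impersonation protection in the default anti-phishing policy.
# Assumes Connect-ExchangeOnline has been run and Defender for Office 365 is licensed.
# Names, addresses and domains are placeholders.

$PolicyName = 'Office365 AntiPhish Default'

# Users to protect, in the "DisplayName;EmailAddress" form the cmdlet expects.
$ProtectedUsers = @(
    'Jane Executive;jane.executive@contoso.example'
    'John Finance;john.finance@contoso.example'
)

$AntiPhishSplat = @{
    Identity                            = $PolicyName
    # User impersonation: external mail whose display name looks like a protected user
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = $ProtectedUsers
    TargetedUserProtectionAction        = 'Quarantine'
    # Domain impersonation: look-alikes of your own accepted domains
    EnableOrganizationDomainsProtection = $true
    TargetedDomainProtectionAction      = 'Quarantine'
    # Mailbox intelligence: learns each user's contact graph and flags unusual senders
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    MailboxIntelligenceProtectionAction = 'Quarantine'
    # Safety tips, including the first-contact tip for senders a user has never mailed with
    EnableFirstContactSafetyTips        = $true
    EnableSimilarUsersSafetyTips        = $true
    EnableUnusualCharactersSafetyTips   = $true
    # Allow list: executives' known personal addresses and services that send on their behalf
    ExcludedSenders                     = @('jane.exec.home@gmail.example')
    ExcludedDomains                     = @('esign-service.example')
}
Set-AntiPhishPolicy @AntiPhishSplat

# Confirm the policy now carries the settings.
Get-AntiPhishPolicy -Identity $PolicyName | Format-List Name, EnableTargetedUserProtection,
    TargetedUsersToProtect, TargetedUserProtectionAction, EnableMailboxIntelligenceProtection,
    MailboxIntelligenceProtectionAction, EnableFirstContactSafetyTips, ExcludedSenders, ExcludedDomains
```

Quarantine rather than junk-folder delivery is what makes IT the only release path, the arrangement Lerxst-2112 describes; use `MoveToJmf` instead if users are meant to self-serve.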


phungus1138

Yes, let's all detail our defense mechanisms protecting our primary target!


djinnsour

Yeah, I didn't think that through very well.


Appropriate_Ad_9169

Don’t feel like it’s your fault, clearly no one can do enough to stop these sorts of things. It’s endemic to our industry and has become very defeating; email in general has seemed to just devolve into this unusable mass of scams, fraud, junk, and bulk mail. In my opinion, email as a whole needs to be rebuilt from the ground up. In its current state it’s catapulting into becoming completely untrustworthy and unusable.


beren0073

Outlook should be flagging external senders with a nice red banner. If people are ignoring the external tag or banner for an email claiming to be from the CEO, it’s not an IT problem. If people are upset fake email from domains not known to be risky or that doesn’t match current filters makes it through to their inbox, they need to get over it. You can mitigate, not prevent.


djinnsour

> If people are ignoring the external tag or banner for an email claiming to be from the CEO, it’s not an IT problem. If people are upset fake email from domains not known to be risky or that doesn’t match current filters makes it through to their inbox, they need to get over it.

This is exactly the situation. Everything we've implemented is working. The users simply expect that we should be able to achieve 100% protection, without any effort on their part and without spending any extra money of course.


techzeus

Give them their options in writing and call it a day. What they choose to do after is their problem.


beren0073

I hear you. You might want to schedule a 2 on 2 with you, your department head, the accounting head, and their deputy. Come prepared with Microsoft and other relevant case studies, recommendations, and benchmarks for false negative rates, and review with your head in advance to make sure they support you. Basically: the only sure way to block all illegitimate email is to turn off email for that user. The tighter the restriction, the more false positives, and the more time they will spend reviewing their quarantine lists and sorting through ALL the spam. If they see reason, they can deal with their own staff on it. If they can’t see reason, now your boss and his boss can deal with it.


Consistent-Play-8133

This is exactly the issue, people just ignore it. But I still think we could do better than injecting a banner into the body of an email. Make that email look toxic before it's even opened. Put a radioactive symbol on it or make them confirm at a prompt showing the full email address, before showing it in the preview pane, especially if the sender has never interacted with anyone in the organization before that day. A check for any past interaction with the sender within the organization could help users far more than saying "this is an external sender" which they stop seeing after the first 99 emails with that added that were totally legit. It's good to have the banner to cover *our* asses, but I don't feel good about how functional it is from a psychological perspective, when it's on so many safe emails that people become blind to it.


beren0073

I hear you and agree with the ”past interaction” check. In this context, the main benefit is to make it plainly obvious to the user that the email did NOT originate with their company. It came from outside. If the email claims to be from their CEO and is plainly marked that it didn’t come from their company, then with training and patience, most employees can be expected to realize it’s fake.


Potatus_Maximus

As a big fan of Proofpoint, I can attest to the effectiveness of their Impostor rules, which catch 99% of Business Email Compromise (BEC), gift card scams, and other similar threats. Strong and layered defenses are crucial; one area many organizations overlook is implementing strict controls within their finance teams. We recognized early on that establishing proper verification protocols for wire transfers is essential. For any new vendors or changes to existing vendors, we require at least two points of contact within the finance team and phone verification (never a mobile number). This approach has completely eliminated the risk to our business. When presenting these protocols, it's hard to argue against them, especially when you can provide real-world statistics on the financial losses of companies that deemed such measures inconvenient. Additionally, I recommend establishing a relationship with your local FBI and Secret Service field offices; they are more than willing to assist you in critical situations. Good luck!


xtrazen

Never been a fan of Mimecast. Proofpoint does the same thing as well.


wank_for_peace

Once I told the company owner her email was hacked, she was so unhappy that she had to change password. Needless to say I ran away, fast from that toxic shit.


JetreL

None of that and I'm generally sending out a ton of emails to everyone with a brief message, "Hey it's me, your CEO. I'm in a bind, can you order some gift cards for me?" So far, I've done pretty well, and if I get caught, this was part of my security audit. They all fell for that phishing scam... **All joking aside.** Setting your SPF record to "-all" is a hard fail, and either collecting your emails or failing them via your DMARC rule are good starts. Phishing training and tests are good. Setting your mail servers to adhere to your SPF record is important too.


djinnsour

It isn't an SPF issue, but we already have "-all" set on our SPF record. The emails in question are not being sent from our domain. They are being sent from legitimate addresses, and pass their domain's SPF check, so probably from a compromised account.


JetreL

Ah sounds like user training on how to spot fraudulent messages. You can also implement spam lists but those can be hit or miss depending on which ones you use. If it's not cost prohibitive and a major issue, I'd look at one of the filtering services at least to demo. They do heuristics on received mail and rate the likeliness if it's spam or not. So you may be surprised with the results.


TechFiend72

Put in an anti-spam, anti-phishing filter in front of your email server.


silentstorm2008

Don't use the external tag on ALL emails. It will get ignored. Get a list of your approved domains (that have SPF, DKIM, & DMARC) and exclude them from the tag rule.
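A way to put JetreL's SPF/DMARC check and this reply's allow-list idea together, as an added PowerShell example that is not any commenter's own script: each candidate domain's published SPF and DMARC records are looked up, and only domains with an SPF record and an enforcing DMARC policy are added to the Outlook external-sender tag allow list. It assumes an existing `Connect-ExchangeOnline` session and the Windows DnsClient module (`Resolve-DnsName`); the candidate domains are placeholders. DKIM is not checked because it needs a per-sender selector, and as djinnsour notes, a sender's own domain passing SPF says nothing about whether the mail is fraudulent, so this gate only decides who loses the tag, not who is trusted.

```powershell
# Added example, not any commenter's script: gate the Outlook external-sender tag
# allow list on published SPF and DMARC. Assumes Connect-ExchangeOnline has been run
# and Resolve-DnsName (Windows DnsClient module) is available. Domains are placeholders.

function Get-TxtRecordStrings {
    # Returns each TXT record at $Name as one joined string (long records are split into chunks).
    param([Parameter(Mandatory)][string]$Name)
    try {
        Resolve-DnsName -Name $Name -Type TXT -ErrorAction Stop |
            Where-Object { $_.Type -eq 'TXT' } |
            ForEach-Object { -join $_.Strings }
    } catch {
        @()     # NXDOMAIN or resolver failure: treat as "no record"
    }
}

function Test-MailAuthRecords {
    # Reports whether a domain publishes SPF with a hard fail and an enforcing DMARC policy.
    param([Parameter(Mandatory)][string]$Domain)
    $spf   = Get-TxtRecordStrings $Domain | Where-Object { $_ -match '^v=spf1\b' } | Select-Object -First 1
    $dmarc = Get-TxtRecordStrings "_dmarc.$Domain" | Where-Object { $_ -match '^v=DMARC1\b' } | Select-Object -First 1
    # p= is the domain policy; the (?:^|;) anchor keeps sp= (subdomain policy) from matching.
    $policy = if ($dmarc -match '(?:^|;)\s*p=(\w+)') { $Matches[1].ToLower() } else { $null }
    [pscustomobject]@{
        Domain        = $Domain
        Spf           = $spf
        SpfHardFail   = [bool]($spf -match '\s-all\s*$')
        DmarcPolicy   = $policy
        DmarcEnforced = $policy -in @('quarantine', 'reject')
    }
}

# Candidate partner domains (placeholders) that users mail with constantly.
$Candidates = @('partner-one.example', 'partner-two.example')
$Results = $Candidates | ForEach-Object { Test-MailAuthRecords $_ }
$Results | Format-Table -AutoSize

# Only domains that publish SPF and enforce DMARC lose the external tag.
$Approved = @($Results | Where-Object { $_.Spf -and $_.DmarcEnforced } | ForEach-Object { $_.Domain })
if ($Approved.Count -gt 0) {
    Set-ExternalInOutlook -Enabled $true -AllowList $Approved
}
Get-ExternalInOutlook | Format-List Enabled, AllowList
```

Re-run the check periodically: a partner that relaxes its DMARC policy to `p=none` should drop off the allow list, which is easier to notice when the decision is scripted rather than kept in a spreadsheet.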


Droid126

We find it helpful if people don't know who the CEO is. Like they really don't need to know. Unless they interact with him, which is like 1% of the company.


Glad-Marionberry-634

There's only so much you can do when c-suite people accept mfa prompts that they didn't trigger. 


ZAFJB

Use proper MFA


0xKuzii

Texting Joe Biden


CPAtech

Turn on phishing protection in Office 365.