Situation

A user on our customer's domain received a mail that appeared to come from his chairman, with some instructions. The user responded to the email with the requested information before realizing that the mail was actually not from the chairman.


Observation

While the sender's display name was the same as the chairman's name, the email address was an address on a public email service. So technically it is a legitimate email from a valid email address; the display name can be set to anything.

Simply speaking, there can be multiple people in the world with the same name.

So while this is a display-name spoof, it cannot be detected as one by most or all email security scanners, because the address itself is genuine.

E.g. "Ravi Khanna" <uselessemailid@g.com>.


Most email clients show only the display name when you read the email, so the address behind it is easy to miss and the mail may be misleading.

We confirmed the following:

  1. Mithi SkyConnect is running ATP (advanced threat protection) and uses sandboxing to filter malware.
  2. The mail system checks SPF, DKIM and DMARC on inbound email traffic to identify rogue or spam email. These checks are based on the sender's email address and its domain, not on the display name.
  3. In this case, the email is a legitimate email from a public email service, with a display name matching a person in our customer's organization. So technically this is not a spoofed mail at all; it is simply a mail from an address whose display name matches the name of one of the employees of the company. This passes every check and cannot be blocked at any level.


Our recommendation

  1. Build awareness among the user community so that people pause before responding to an email asking for personal information, financial information, or other classified information. This should be done on an ongoing basis using classroom sessions, videos, FAQs, and email alerts.
  2. Report the mail as abuse to the sending platform, so they can take appropriate action.
  3. We propose that you also report this to the local cyber-crime unit of your region, so they can ask the public email provider or the sender's IT team for more information to locate the user via the IP address.
  4. Put a filter on the inbound mail scanner that inserts a warning into mail coming from external domains, so users are alerted before they reply.
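As an added illustration of points 2 and 4 above (this is example code written for this note, not Mithi SkyConnect's own filter), the following Python splits the From header into its display name and address, decides whether the mail is external, flags the case where an external address carries the display name of an internal employee, and prepends an external-sender banner. The domain `example.com`, the list of internal names and the sample message are constructed assumptions.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumptions for this example: the customer's own domain and a directory of
# internal employee names. A real filter would load these from the directory.
INTERNAL_DOMAIN = "example.com"
INTERNAL_NAMES = {"ravi khanna", "priya mehta"}

EXTERNAL_BANNER = (
    "[EXTERNAL] This mail came from outside the organization. "
    "Check the sender's address, not just the name, before replying."
)

# Constructed sample: an external address using an internal employee's name.
SAMPLE_LOOKALIKE = b"""From: "Ravi Khanna" <uselessemailid@g.com>
To: priya.mehta@example.com
Subject: Urgent: bank details needed
Content-Type: text/plain; charset="utf-8"

Please send the account details today.
"""


def normalize_name(name: str) -> str:
    """Collapse case and whitespace so 'RAVI  Khanna' matches 'ravi khanna'."""
    return " ".join(name.split()).casefold()


def classify_from_header(from_header: str) -> dict:
    """Judge a From header by its address, the way SPF/DKIM/DMARC do, and
    separately check whether the display name imitates an internal person."""
    display_name, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].casefold() if "@" in address else ""
    external = domain != INTERNAL_DOMAIN  # unparsable or missing domain counts as external
    lookalike = external and normalize_name(display_name) in INTERNAL_NAMES
    return {
        "display_name": display_name,
        "address": address,
        "domain": domain,
        "external": external,
        "lookalike": lookalike,
    }


def tag_message(raw: bytes) -> EmailMessage:
    """Inbound filter: mark external mail with headers, rewrite the subject on a
    display-name lookalike, and prepend a banner to the text body."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdict = classify_from_header(msg.get("From", ""))
    if not verdict["external"]:
        return msg  # internal mail passes through untouched
    msg["X-External-Sender"] = "yes"
    if verdict["lookalike"]:
        msg["X-Display-Name-Lookalike"] = "yes"
        subject = str(msg["Subject"] or "")
        if "Subject" in msg:
            del msg["Subject"]
        msg["Subject"] = "[Possible impersonation] " + subject
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        text = body.get_content()
        body.set_content(EXTERNAL_BANNER + "\n\n" + text)
    return msg


if __name__ == "__main__":
    tagged = tag_message(SAMPLE_LOOKALIKE)
    print(tagged.as_string())
```

The decision is made on the address (`external`), which is what the mail system can actually verify; the `lookalike` flag only adds a stronger warning, since a matching name on an external address is exactly the pattern in the situation above and cannot be blocked outright.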

Remember, the human is the weakest link in any security chain.