We are getting emails with a 'from' address of someone inside our organisation and of course with a 'to' address of a person inside our organisation as well.
The header is inconsistent because the criminals have of course added the reply-to address with their own address.
In the inbox (in outlook / office 365) the email looks 'perfect' as the back-end directory services even add the picture of the sender. Only if you press 'reply' will you realize that it does not go back to the sender but rather to the reply-to address.
These emails do not get caught by any of the existing Sophos email filters AND do not get caught by the new impersonation filter - even after adding the 'from' address (our CEO) to the VIP list. A short discussion with a Sophos engineer explained to me that the emails are not blocked because they have a from address from inside our organisation.
We have decided that (since all else fails) we are going to blacklist our own domain on the Sophos email filters - since our own email should not come from internet sources via Sophos. I suppose this would have the same effect as adding highly restrictive DMARC policies.
Thanks
Eric.
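As an added illustration (not code from the post, from Sophos or from Office 365), a small header check for the two conditions described above: a From address in our own domain with a Reply-To that points outside it, and a From address in our own domain on a message that arrived from the internet. The internal domain and the sample message are constructed placeholders.

```python
import email
from email.utils import parseaddr

# Assumed internal domain (placeholder, not from the post).
INTERNAL_DOMAIN = "example.com"


def _domain(header_value):
    """Return the lowercase domain of an address header value, or '' if absent."""
    _display_name, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_headers(raw_message, internal_domain=INTERNAL_DOMAIN, inbound_from_internet=True):
    """Return the findings for one message.

    'reply-to-mismatch': From is our domain but Reply-To goes elsewhere
        (replies leave the organisation even though the sender looks internal).
    'external-origin-internal-from': From claims our domain although the message
        came in through the external gateway, which is the case a restrictive
        DMARC policy or a gateway rule on our own domain is meant to stop.
    """
    msg = email.message_from_string(raw_message)
    from_dom = _domain(msg.get("From"))
    reply_dom = _domain(msg.get("Reply-To"))
    findings = []
    if from_dom == internal_domain and reply_dom and reply_dom != internal_domain:
        findings.append("reply-to-mismatch")
    if from_dom == internal_domain and inbound_from_internet:
        findings.append("external-origin-internal-from")
    return findings


# Constructed sample modelled on the post's description; not a real message.
SAMPLE = """From: "CEO Name" <ceo@example.com>
To: finance@example.com
Reply-To: ceo.example@webmail-free.invalid
Subject: Quick favour

Please process the attached payment today.
"""

# Constructed clean internal message for comparison.
CLEAN = """From: "Colleague" <colleague@example.com>
To: finance@example.com
Subject: Lunch

Noon?
"""

if __name__ == "__main__":
    print(check_headers(SAMPLE))
    print(check_headers(CLEAN, inbound_from_internet=False))
```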