I have started to see slightly more sophisticated phishing attempts that are bypassing Sophos VIP Impersonation.
Instead of the classic From: "CEO Name" [firstname.lastname@example.org] which gets blocked because "CEO Name" matches, we are now seeing:
From: "CEO Name <email@example.com>" [firstname.lastname@example.org]. This is not getting blocked because the Name Header contains more than just the Name, and adding the legit domain email makes it appear more legit to users.
Can VIP Impersonation be changed to search for Name Headers that include a name from the VIP list, rather than an exact match? Or perhaps provide a switch for clients that want to enable this?
Thanks for listening
[edited by: Raphael Alganes at 6:47 AM (GMT -7) on 2 Jun 2023]
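The gap described in the post, as an added example that is not part of the original post and not Sophos code: an exact display-name match misses the padded header, while a containment match plus a check for an address embedded in the display name catches it. The VIP list, sample headers and function names are constructed for illustration, reusing the post's placeholder addresses.

```python
import re
import unicodedata
from email.utils import parseaddr

# Constructed VIP list (name -> legitimate address), using the post's placeholders.
VIPS = {"CEO Name": "email@example.com"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed From: header values in RFC 5322 form (angle-bracket address).
SAMPLES = [
    '"CEO Name" <firstname.lastname@example.org>',
    '"CEO Name <email@example.com>" <firstname.lastname@example.org>',
    '"CEO Name" <email@example.com>',
    '"Alice Smith" <alice@example.net>',
]

def _norm(text):
    """NFKC-fold and collapse whitespace so 'CEO  NAME' equals 'ceo name'."""
    return " ".join(unicodedata.normalize("NFKC", text).casefold().split())

def exact_match(header, vips=VIPS):
    """Baseline: flag only when the whole display name equals a VIP name."""
    display, sender = parseaddr(header)
    legit = {_norm(n): a.casefold() for n, a in vips.items()}.get(_norm(display))
    return legit is not None and sender.casefold() != legit

def check_from(header, vips=VIPS):
    """Return a list of findings for one From: value (empty list = clean)."""
    display, sender = parseaddr(header)
    sender = sender.casefold()
    findings = []
    # An address inside the display name that is not the real sender is a lure.
    embedded = {a.casefold() for a in EMAIL_RE.findall(display)}
    if embedded - {sender}:
        findings.append("display name embeds an address other than the sender")
    # Strip embedded addresses and punctuation, then match VIP names by
    # containment on word boundaries instead of whole-string equality.
    words = _norm(re.sub(r"[^\w\s]", " ", EMAIL_RE.sub(" ", display)))
    for name, legit in vips.items():
        hit = re.search(rf"\b{re.escape(_norm(name))}\b", words)
        if hit and sender != legit.casefold():
            findings.append(f"VIP name '{name}' used by non-VIP sender {sender}")
    return findings

if __name__ == "__main__":
    for h in SAMPLES:
        print(f"{h}\n  exact={exact_match(h)}  findings={check_from(h)}")
```

Containment matching will also flag unrelated senders who share a VIP's name, so the result is better suited to quarantine or banner tagging than to silent rejection.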