I have started to see slightly more sophisticated phishing attempts that are bypassing Sophos VIP Impersonation.
Instead of the classic From: "CEO Name" [email@example.com] which gets blocked because "CEO Name" matches, we are now seeing:
From: "CEO Name <firstname.lastname@example.org>" [email@example.com]. This is not getting blocked because the Name Header contains more than just the Name, and adding the legit domain email makes it appear more legit to users.
Can VIP Impersonation be changed to search for Name Headers that include a name from the VIP list, rather than an exact match? Or perhaps provide a switch for clients that want to enable this?
Thanks for listening.
Thank you for contacting the Sophos Community.
I will be passing down your feedback to our PM about this.
What would actually be good is to use a percentage match on the domain side too. So when you have VIPName@slightlymisspeltcompanydomain.com it also flags it as potentially suspect. Seeing far too many of those these days too.
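The two checks requested in this thread, a "contains" match on the display name and a percentage match on the sender domain, can be sketched as follows. This is an added example, not part of the original posts and not Sophos's implementation; the VIP list, domains, threshold and reason codes are all constructed assumptions.

```python
import difflib
import re
from email.utils import parseaddr

# Constructed sample data (assumptions, not from the thread or any Sophos config).
VIPS = {"Jane Doe": {"jane.doe@corp.example"}}   # VIP name -> legitimate addresses
TRUSTED_DOMAINS = {"corp.example"}
DOMAIN_SIMILARITY = 0.85                          # assumed "percentage match" threshold

def _words(text):
    """Lowercase and reduce to space-separated alphanumeric tokens."""
    return " ".join(re.findall(r"[a-z0-9]+", text.lower()))

def check_from(header_value):
    """Return reason codes explaining why a From header looks like impersonation."""
    display, addr = parseaddr(header_value)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    reasons = []

    # 1. "Contains" match: VIP name appears anywhere in the display name,
    #    but the real sender address is not one of that VIP's addresses.
    padded = f" {_words(display)} "
    for name, legit in VIPS.items():
        if f" {_words(name)} " in padded and addr not in legit:
            reasons.append("vip_name_in_display")
            break

    # 2. Display name embeds an address that differs from the actual sender.
    embedded = re.findall(r"[\w.+-]+@[\w.-]+", display.lower())
    if any(e != addr for e in embedded):
        reasons.append("embedded_address_mismatch")

    # 3. Sender domain is close to, but not the same as, a trusted domain.
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            continue
        if difflib.SequenceMatcher(None, domain, trusted).ratio() >= DOMAIN_SIMILARITY:
            reasons.append("lookalike_domain")
            break
    return reasons

if __name__ == "__main__":
    for sample in (  # constructed From header values
        '"Jane Doe" <jane.doe@corp.example>',
        '"Jane Doe <jane.doe@corp.example>" <sender@mail.example>',
        '"Jane Doe" <jane.doe@c0rp.example>',
    ):
        print(sample, "->", check_from(sample))
```

The similarity threshold trades false positives against misses, so it needs tuning against real mail flow before being used to block rather than tag.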