Thread Info
  • State Not Answered
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 17 replies
  • Subscribers 5 subscribers
  • Views 48348 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Preventing phishing attack?

steagle
We've had someone impersonating an employee of our company through spear phishing attacks. It's clear to see that the email is originating from someone else, and I can easily blacklist those addresses, but they just start again with a new address. What I'd like to do is create a global rule that filters out anything from our real employee that does not have our email domain in the address. I'm having trouble putting together something that does this either in the firewall filter or the SMTP anti-spam settings. Any ideas for how to accomplish this?


This thread was automatically locked due to age.
Parents
  • 0
    The only thing I can think of would be to use the Expression Filter with https?://, thus quarantining all emails with links.  To be workable, you would need to enable the User Portal for everyone and setup the Quarantine Report if you haven't already.

    In essence, you would be forcing people to release-and-whitelist known-trusted emails with links or just release the others where they're not certain whether it's malicious.  The users can maintain their own white/blacklists in the User Portal.

    If your endusers aren't already getting Quarantine Reports or aren't familiar with the User Portal, you might get more mileage out of a regular program of fake phishing emails like the service offered by phishme and wombatsecurity.  Their emails include a link to a page that starts with something like, “Oops! The email you just responded to was a fake phishing email. Don’t worry! It was sent to you to help you learn how to avoid real attacks. Please do not share your experience with colleagues, so they can learn too.”

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • 0
    The only thing I can think of would be to use the Expression Filter with https?://, thus quarantining all emails with links.  To be workable, you would need to enable the User Portal for everyone and setup the Quarantine Report if you haven't already.

    In essence, you would be forcing people to release-and-whitelist known-trusted emails with links or just release the others where they're not certain whether it's malicious.  The users can maintain their own white/blacklists in the User Portal.

    If your endusers aren't already getting Quarantine Reports or aren't familiar with the User Portal, you might get more mileage out of a regular program of fake phishing emails like the service offered by phishme and wombatsecurity.  Their emails include a link to a page that starts with something like, “Oops! The email you just responded to was a fake phishing email. Don’t worry! It was sent to you to help you learn how to avoid real attacks. Please do not share your experience with colleagues, so they can learn too.”

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
No Data
Unfiltered HTML