Combating Display Name Spoofing

My lack of updates around these parts can be attributed to the craziness of work over the last few months. This afternoon I have some time and am typing this out as quickly as I can before someone notices and gives me something else to work on. Let’s begin.

I’ve recently seen a very big rise in display name spoofing. With technologies in place like DMARC, DKIM, and SPF, attackers are finding it harder and harder to spoof sending domains. Instead, they have reverted to something quite simple, changing their sending display name to be that of an executive in the targeted organization.

For example, an attacker will register a free email account and use any email address. Sometimes the addresses contain the name of the executive that they are trying to spoof. The attacker would then set their display name to match your CEO or some other executive, and then send phishing messages into your organization. The hope is that the recipient won’t look at the sending address, and instead just look at the sending display name. Some recipients may even assume that the sending email is the personal email of the executive and believe it to be real.

The other problem with an attacker using a consumer email account, or even their own domain, is that all checks like DMARC, DKIM, and SPF will all pass (as long as the records are set up correctly) as there is no domain name spoofing happening.

To combat this, I have had customers implement a transport rule that identifies messages that contain the names of key executives in the From field, and which originate from outside of the tenant. The transport rule would look something like that.

Under exceptions, you would add the personal addresses that the executives may use to send mail to the company to ensure those messages aren’t caught by this rule.

The rule is simple and straightforward, but I’ve had customers report having much success with it capturing phishing attempts.


Comments (6)

  1. Trilly says:

    Thanks for this great tip. Straight forward to setup, some minor change to the Recipient options but does not take long to setup and works well.

  2. Margaret A-L says:

    This is so helpful. I set up a rule like this in our organization as we can’t afford pricey software like Mimecast to do this.

  3. Chyenne M says:

    This is fantastic! Thanks so much. We needed this so badly at my org. I implemented and developed a spoof to test it. Worked perfectly.

    I routed them to Quarantine and set it up to send an incident report to the security group.

  4. eric8341 says:

    What can be done to combat Display Name Spoofing where the person being spoofed is outside our organization? We are constantly receiving messages spoofing a variety of individuals from external organizations that we work with on a regular basis. It is not feasible to create a list of all these names in an Outlook rule. The spoofed messages even include the correct e-mail address for the spoofed used in the Display Name field (as text) and if the attackers add enough spaces to the end of this they can push the actual “from” e-mail address out of view. It requires a lot of clicking or maneuvering in Outlook to reveal the actual From SMTP address- too much for the average person. Is there a way to flag or evaluate messages that include text formatted as an e-mail address (i.e. xx@xx.xx) in the text of the display name? This would be very valuable.

    1. Hi Eric, great question. Unfortunately, I don’t have a good solution for that. Even when looking at our ATP spoofing technologies, they are designed to look at spoofing of internal users. It’s easier to prevent spoofing of internal users as we know about them, but we don’t know about external senders. We can perform validation checks on the sending domains, but when only the sending name is spoofed and the sending domain passes all checks, this is much harder. End users can be educated to look at the address on the TO line after they click reply, but obviously, some users will forget about this. If anything comes to mind I’ll come post an update back here.

Skip to main content