Hi,

>>> These messages have different envelope ids so SPF checks always pass.
>>> The header from is properly formatted exactly how it will be in a normal
>>> mail
>>>
>>> What measures do you take for such spear phishing?

- look for little anomalies that are unique to these messages and
something your CEO would not do (webmail? user-agent?)
- implement DKIM if possible to sign messages actually sent by your CEO
- compare your sample against an actual message from the CEO and
identify the differences
- create body rules to look for signs of "ACH" and other "bank
transfer" conversations

Build metas combining all these factors together.

Also, if it wasn't then, the "originating IP" is now blacklisted.

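One way to combine the factors listed in the reply above into a single "meta" decision, as an added example that is not part of the original message. The sample messages, addresses, header values and function names are constructed for illustration, and the Authentication-Results header is assumed to be stamped by your own receiving MTA.

```python
import re
from email import message_from_string

# Constructed samples (not from the thread): a known-good CEO message and a spoof.
GENUINE = """\
From: Jane Doe <ceo@example.com>
To: finance@example.com
Subject: Q3 numbers
User-Agent: Mozilla Thunderbird
Authentication-Results: mx.example.com; dkim=pass header.d=example.com

Please send me the Q3 numbers.
"""
SPOOFED = """\
From: Jane Doe <ceo@example.com>
To: finance@example.com
Subject: Urgent payment
X-Mailer: SomeWebmail 1.0
Authentication-Results: mx.example.com; dkim=none

Are you at your desk? I need an ACH bank transfer processed today.
"""

CLIENT_HEADERS = ("User-Agent", "X-Mailer")  # how the mail client identifies itself
PAYMENT_RE = re.compile(r"\b(?:ACH|wire transfer|bank transfer)\b", re.I)

def signals(sample: str, baseline: str) -> set:
    """Return the individual sub-rule hits for sample, judged against baseline."""
    msg, ref = message_from_string(sample), message_from_string(baseline)
    hits = set()
    # Anomaly: client headers differ from what the CEO's real mail carries.
    if any((msg[h] or "") != (ref[h] or "") for h in CLIENT_HEADERS):
        hits.add("client_mismatch")
    # No DKIM pass recorded by the receiving MTA (assumed to be a trusted header).
    if "dkim=pass" not in msg.get("Authentication-Results", "").lower():
        hits.add("no_dkim_pass")
    # Body talks about ACH or bank transfers.
    if PAYMENT_RE.search(msg.get_payload()):
        hits.add("payment_talk")
    return hits

def is_ceo_spoof(sample: str, baseline: str) -> bool:
    """Meta decision: fire only when every sub-rule hits, to limit false positives."""
    return signals(sample, baseline) == {"client_mismatch", "no_dkim_pass", "payment_talk"}

if __name__ == "__main__":
    print(sorted(signals(SPOOFED, GENUINE)), is_ceo_spoof(SPOOFED, GENUINE))
```

Requiring all sub-rules together means a genuine, DKIM-signed message from the CEO that happens to mention a bank transfer hits only one signal and is left alone.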