Executive Tracking

Updated 2 weeks ago by admin

This Rule detects "whaling" attacks. A whaling attack, sometimes called a "whale phishing" attack, is a specific type of phishing attack that targets high-profile employees such as the CEO or CFO. The intention of the attack is to steal sensitive information from a company (since employees that hold high positions within the company tend to have access to sensitive data). In many such attacks, the attacker's goal is to manipulate the victim into authorizing high-value wire transfers to the attacker.

This Rule will Quarantine any emails that are suspected of being whaling attacks.

In order for Executive Tracking to work properly, you need to be running the Cloud USS AD Connect tool, rather than AD export or LDAP export.
You can activate executive tracking for specific email addresses on the Mailboxes screen.
You can activate executive tracking for specific Active Directory groups on the Group Management screen.

To set up this Rule:

  1. Visit your USS Dashboard and click ProductsE-mail SecurityMessage Rules.
  2. Click to create a new Rule.
  3. Give the Rule a sensible name, like "Executive Tracking", and click .
  4. Add a Direction Condition, with the logic set to Matches: Inbound.
  5. Add an Executive Tracking Condition, with the value set to Matches: Contains.
  6. Do not add any Actions.
  7. Add a Quarantine - Company Final Action, with the value set to Spam.
  8. Make sure that the Active checkbox is enabled, so that your new Rule will start working immediately.
  9. Click .
  10. Drag the new Rule to a sensible position in your Message Rules window. If your Service Provider has set up your account with a set of default Rules, positioning this new Rule above the Deliver Inbound Rule is a good choice.

The completed Rule should look like this:

Condition Values

Contains

If the display name contains the selected users name or a configured variant. This is a wildcard match, for example “Mr. John Doe” and “John Doe Esq” would trigger if the first name and surname attributes were "John Doe" or if a variant of "John" was added.

Exact

If the display name exactly matches the users first and last name or a configured variant.  You must add a variant for every name you wish to detect.

High

This option takes the first and last name and uses the Levenshtein Distance algorithm and Tanimoto Coefficient to automatically detect the similarity of the display name to the users real name. There is a risk of false positives associated with this option.

Medium

This is a more relaxed version of the "High" option, therefore it will match more automatically calculated variants with less accuracy. There is a significant risk of false positives associated with this option.

Excluding Email Addresses from Tracking

Navigate to Products -> Email Security -> Custom Rule Data and select the Executive Tracking Whitelist entry. Add or update the Regular Expression so that it remains in this format, specifying multiple email addresses with a pipe | character.

^(addr1@domain.com|addr2@domain.com|addr3@domain.com)$


How did we do?