Executive Tracking

Updated 2 months ago by admin

This Rule detects "whaling" attacks. A whaling attack, sometimes called a "whale phishing" attack, is a specific type of phishing attack that targets high-profile employees such as the CEO or CFO. The intention of the attack is to steal sensitive information from a company (since employees that hold high positions within the company tend to have access to sensitive data). In many such attacks, the attacker's goal is to manipulate the victim into authorizing high-value wire transfers to the attacker.

This Rule will Quarantine any emails that are suspected of being whaling attacks.

If you are a newer Cloud USS customer, your Service Provider will probably have provided you with a set of sensible default Message Rules, one of which will be am Executive Tracking Rule. In this case, there's no need to set this up yourself.
In order for Executive Tracking to work properly, you need to be running the Cloud USS AD Connect tool, rather than AD export or LDAP export.
You can activate executive tracking for specific email addresses on the Mailboxes screen.
You can activate executive tracking for specific Active Directory groups on the Group Management screen.

To set up this Rule:

  1. Visit your USS Dashboard and click ProductsE-mail SecurityMessage Rules.
  2. Click to create a new Rule.
  3. Give the Rule a sensible name, like "Executive Tracking", and click .
  4. Add a Direction Condition, with the logic set to Matches: Inbound.
  5. Add an Executive Tracking Condition, with the value set to Matches: Exact.
  6. Do not add any Actions.
  7. Add a Quarantine - Company Final Action, with the value set to Spam.
  8. Make sure that the Active checkbox is enabled, so that your new Rule will start working immediately.
  9. Click .
  10. Drag the new Rule to a sensible position in your Message Rules window. If your Service Provider has set up your account with a set of default Rules, positioning this new Rule above the Deliver Inbound Rule is a good choice.

The completed Rule should look like this:


How did we do?