On Tue, 28 Jun 2016 15:52:10 +0300
Jari Fredriksson wrote:

> David Jones wrote on 28.6.2016 15:46:

> > One of my customers has been hit by at least one of these emails
> > even with good RBLs in use and properly trained Bayes.  The emails
> > themselves are perfectly formed and score very low.  They use an
> > envelope-from of their own domain to pass all SPF checks but they
> > use a visible From: of "Recognized Name
> > <recn...@otherdomain.com>".  Even DMARC checks would pass for the
> > otherdomain.com.  The issue is the finance person sees the
> > "Recognized Name" and doesn't look closely at the otherdomain.com.
> > This is pure social engineering that can't be stopped by
> > technology.  The AP dept has to have proper safeguards and out of
> > band validation (i.e. phone call to the "Recognized Name").

> I just refuse to believe that the technology has to trust the
> From:.*xxx in the SMTP payload and not reject this at once. Does the
> customer use some DMARC implementation in their mail chain at all?

There's actually nothing to link it to the recipient's domain. The
envelope address and header from domain are whatever the sender wants
to use. It's all down to the displayed first name and surname, which is
all most email clients display.

Almost all the phishes I've received in the last few years have done
this - except that they have something like "paypal support" rather
than an individual's name.

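The thread describes a message whose envelope-from and header From: domain agree (so SPF and DMARC alignment pass for otherdomain.com) and whose only spoofed element is the display name. The check below is an added example, not code from any participant in the thread or from SpamAssassin: it runs a relaxed DMARC-style alignment comparison on a constructed message to show that alignment does pass, and then inspects the From: display name for the things a filter can still key on: a display name that matches a person the customer's finance staff would recognise while the address is external, an org-domain address embedded in the display name, and a brand word such as "paypal" in the display name. The organisation domain `example.com`, the list of protected names and the brand-word list are assumptions standing in for a real directory; the sample messages are constructed for this example.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from typing import Dict, List

# Assumption: the customer's own domain(s). Mail from here is "internal".
ORG_DOMAINS = {"example.com"}
# Assumption: names the AP department would act on without looking twice.
PROTECTED_NAMES = {"Recognized Name", "Jane Doe"}
# Assumption: brand words seen in "paypal support"-style display names.
BRAND_WORDS = {"paypal", "docusign"}

# Constructed sample: the pattern from the thread. Return-Path is what the
# receiving MTA records from MAIL FROM; here it matches the From: domain.
PHISH = """Return-Path: <recn@otherdomain.com>
From: "Recognized Name" <recn@otherdomain.com>
To: ap@example.com
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

# Constructed sample: the same person writing from the real internal address.
LEGIT = """Return-Path: <recognized.name@example.com>
From: "Recognized Name" <recognized.name@example.com>
To: ap@example.com
Subject: Invoice

Attached.
"""


def _norm(text: str) -> str:
    """Lower-case, drop punctuation, collapse whitespace for name comparison."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", text.lower()).split())


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def envelope_aligned(raw: str) -> bool:
    """Relaxed alignment check: Return-Path domain equals header From: domain.

    The phish in the thread passes this, which is the whole problem.
    """
    msg = message_from_string(raw, policy=default)
    _, env = parseaddr(str(msg.get("Return-Path", "")))
    _, hdr = parseaddr(str(msg.get("From", "")))
    return bool(env) and bool(hdr) and _domain(env) == _domain(hdr)


def display_name_findings(raw: str) -> List[str]:
    """Flag display-name tricks on an external From: address."""
    msg = message_from_string(raw, policy=default)
    display, addr = parseaddr(str(msg.get("From", "")))
    if _domain(addr) in ORG_DOMAINS:
        return []  # internal sender; nothing to compare against
    findings = []
    name = _norm(display)
    if name in {_norm(n) for n in PROTECTED_NAMES}:
        findings.append("protected-name-external-address")
    # Display name that itself looks like an address at the org domain,
    # e.g. "jane.doe@example.com" <jd@otherdomain.com>
    m = re.search(r"[\w.+-]+@(?:[\w-]+\.)+[a-z]{2,}", display.lower())
    if m and _domain(m.group(0)) in ORG_DOMAINS:
        findings.append("org-address-in-display-name")
    if any(word in name.split() for word in BRAND_WORDS):
        findings.append("brand-word-in-display-name")
    return findings


def analyse(raw: str) -> Dict[str, object]:
    return {"aligned": envelope_aligned(raw), "findings": display_name_findings(raw)}


if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, analyse(sample))
```

A hit on `protected-name-external-address` is the signal the thread says technology cannot derive from SPF or DMARC alone; it is a heuristic, so in practice it would add score or route the message for review rather than reject outright, and the name list has to be kept in step with staff changes.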