
Anti-Phishing rule on CES to stop masquerading

I'm trying to configure a rule in Cisco CES cloud platform that stops people masquerading as the CEO
for attempted Phishing. So on our previous FW we had if the mail has the sender as 'our ceo' but does not come from
our Domain, then drop. I can see where to configure this in the CES.

btan, Exec Consultant

Commented:
Maybe in the mail rule
Create a Mail Flow Rule

Log in to your Exchange admin center (https://outlook.office365.com)

Click on mail flow; You should be on the ‘rules’ tab

Click [+] to add a new rule

Select Create a new rule
Enter in a name for your new rule: Outbound to Cisco CES

For “*Apply this rule if...”, select: The sender is located...
For the “select sender location” pop-up, select: Inside the organization
Click OK

Click More options...
Click add condition button and insert a second condition

Select: The recipient...
Select: Is external/internal
For the “select sender location” pop-up, select: Outside the organization
Click OK

For “*Do the following...”, select: Redirect the message to...
Select: the following connector
And select your “Outbound to Cisco CES” connector
Click OK

Return to “*Do the following...”, and insert a second action:
Select: Modify the message properties...
Select: set the message header
Set the message header: X-OUTBOUND-AUTH
Click OK
Set the value: mysecretkey
Click OK
Click Save

See the Create a Mail Flow Rule section:

https://www.cisco.com/c/en/us/support/docs/security/cloud-email-security/214812-configuring-office-365-microsoft-with.html
Commented:
We have this kind of thing implemented. You need to create a Dictionary, as well as a Content Filter. Here are the steps:

Step 1: Create a Dictionary in CES
  1. Go to Mail Policies > Dictionaries
  2. Create a dictionary that contains the name of any executives whose names you want to check your messages for.
  3. Save the dictionary.
  4. Commit the change (makes your life easier in the next step)
Step 2: Create an Incoming Content Filter
  1. Go to Mail Policies > Incoming Content Filters
  2. Create an Incoming Content Filter.
  3. Create a condition: The condition should be Forged Email Detection, and refer to the dictionary that you created in Step 1. We have our similarity score threshold set at 80%, but you can tune this to a threshold that makes sense to you. If you want exceptions defined (i.e. their home email addresses), then you'll need to define an Address List, and have that referred to in this section.
  4. Create action(s) that should take place: The action "Forged Email Detection" strips the From: header and replaces it with the Envelope Sender. This is the one that you should apply first. The next action is up to you. I know you want to drop the message, but I would recommend quarantining it instead just in case there's an issue of valid messages (a salesperson who happens to have the same name as your executives).
  5. Save the Content Filter. Also move it to the position in the order where you want that content filter to run.
  6. Recommend committing the change here.
Step 3: Activate the Content Filter
  1. Turn on the Content Filter. You're going to need to edit your Incoming Mail Rules (you may have one or multiple), and check the box for your new Content Filter so that it will apply to messages coming in.
  2. Commit the change.
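
A rough model of the filter logic described in the answer above, as an added example that is not part of the original comment and is not Cisco's code: a display-name check against an executive dictionary at an 80% threshold, an address-list exception, then the From: rewrite and quarantine. The `difflib` ratio is a stand-in for CES's own similarity scoring, and every name, address and dictionary entry is constructed.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-ins for the CES objects named in the steps above.
EXEC_DICTIONARY = ["Jane Example"]                 # Step 1 dictionary
EXCEPTION_ADDRESSES = {"jane.home@example.net"}    # optional Address List
THRESHOLD = 80                                     # percent

def similarity(a, b):
    """Percent similarity of two names (difflib stand-in, not Cisco's scoring)."""
    def norm(s):
        return " ".join(s.lower().split())
    return round(100 * SequenceMatcher(None, norm(a), norm(b)).ratio())

def evaluate(raw_message, envelope_sender):
    """Return (verdict, message) for one inbound message."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    if address.lower() in EXCEPTION_ADDRESSES:
        return "deliver", msg
    score = max((similarity(display_name, n) for n in EXEC_DICTIONARY), default=0)
    if score < THRESHOLD:
        return "deliver", msg
    # First action: expose the real sender by replacing From: with the envelope sender.
    msg.replace_header("From", envelope_sender)
    # Second action: quarantine rather than drop, so look-alike legitimate mail is recoverable.
    return "quarantine", msg

# Constructed sample: the display name imitates the executive ("1" in place of "l").
SPOOF = (
    'From: "Jane Examp1e" <ceo.office@freemail.example>\n'
    "To: finance@corp.example\n"
    "Subject: Urgent wire transfer\n\n"
    "Are you at your desk?\n"
)

if __name__ == "__main__":
    verdict, msg = evaluate(SPOOF, "bounce-7731@freemail.example")
    print(verdict, "| From is now:", msg["From"])
```

Reviewing what lands in quarantine for a while before tightening or loosening the threshold shows how many legitimate senders share a name with an executive.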
