If your PMG (Proxmox Mail Gateway) is defending a company's email system, you have probably seen a few BEC attempts that are made to look like they were sent from the company owner, CEO, President, etc. to the accountants, sales people or others. This rule will not protect you if that person's real email account is taken over and used for BEC. However, the more common type of BEC attempt makes the From header (and other header fields) mimic that person's display name while the actual address belongs to the attacker. Here is a simple regex that can be set up in its own PMG mail filter rule to quarantine at least some of these attempts.
For the following, substitute the display name of the person you're protecting for John Doe, and that person's real email address for jdoe@example.com, both in the negative lookahead of the regular expression and in the tests. Escape any regex metacharacters in the address the same way the dot in example.com is escaped as \. below.
1. Create a What Object named "BEC" with the description "Business email compromise"
2. Add a Match Field entry to this object with the following Field/Value pair:
Field: From
Value: John Doe(?!.+jdoe@example\.com)
3. Test it with a few permutations in the Test String field to confirm that it works: the first two (real address) must not match, the last two (attacker's address behind the display name) must match:
From: John Doe <jdoe@example.com>
From: "John Doe" <jdoe@example.com>
From: John Doe <adversary@gmail.com>
From: "John Doe" <adversary@gmail.com>
4. Add a Mail Filter entry:
Name: Quarantine BEC
Priority: [pick what you want, but I put this near "Quarantine Dangerous Files"]
Direction: In
Active: false
5. To this new rule, add the Quarantine Action Object
6. To this new rule, add the BEC What Object
7. Enable the rule
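As an added example that is not part of the original post, the following Python script applies the same regular expression to the header permutations listed in step 3, plus two constructed evasion cases, so you can see what the rule catches before enabling it. PMG is written in Perl and its match fields take a regular expression; the negative lookahead used here behaves the same way in Python's re module. The names post_rule, stricter_rule, evaluate and SAMPLE_HEADERS are mine, and the two evasion headers (a display name that itself contains the real address, and the lookalike domain jdoe@example.com.attacker.net) are constructed samples. The stricter pattern is my suggested tightening, not something from the post: it only treats the message as legitimate when the real address is the angle-bracketed address that ends the header value, because the post's `.+jdoe@example\.com` lookahead is satisfied by the real address appearing anywhere later in the header, including inside a quoted display name or as the prefix of a longer domain.

```python
import re

# Placeholders from the post; substitute your own protected person and address.
DISPLAY_NAME = "John Doe"
REAL_ADDRESS = "jdoe@example.com"

# Constructed From header values. The first four are the post's test
# permutations; the last two are evasion attempts that are not in the post.
SAMPLE_HEADERS = [
    "John Doe <jdoe@example.com>",                          # legitimate
    '"John Doe" <jdoe@example.com>',                        # legitimate
    "John Doe <adversary@gmail.com>",                       # spoof
    '"John Doe" <adversary@gmail.com>',                     # spoof
    '"John Doe <jdoe@example.com>" <adversary@gmail.com>',  # real address inside the display name
    "John Doe <jdoe@example.com.attacker.net>",             # lookalike domain with the real address as prefix
]


def post_rule(display_name: str, real_address: str) -> re.Pattern:
    """The rule as given in the post: the display name, then a negative
    lookahead that cancels the match if the real address appears anywhere
    later in the header value."""
    return re.compile(
        re.escape(display_name) + r"(?!.+" + re.escape(real_address) + r")"
    )


def stricter_rule(display_name: str, real_address: str) -> re.Pattern:
    """Assumed tightening (not from the post): the match is only cancelled
    when the real address is the angle-bracketed address that ends the
    header value, so an address embedded in the display name or used as a
    prefix of a lookalike domain does not satisfy the lookahead."""
    return re.compile(
        re.escape(display_name) + r"(?!.*<" + re.escape(real_address) + r">\s*$)"
    )


def evaluate(headers, display_name=DISPLAY_NAME, real_address=REAL_ADDRESS):
    """Return {header: (post_rule_hit, stricter_rule_hit)}.
    A hit means that rule would send the message to quarantine."""
    original = post_rule(display_name, real_address)
    stricter = stricter_rule(display_name, real_address)
    return {
        h: (original.search(h) is not None, stricter.search(h) is not None)
        for h in headers
    }


if __name__ == "__main__":
    print("post rule   stricter    header")
    for header, (post_hit, strict_hit) in evaluate(SAMPLE_HEADERS).items():
        print(f"{'QUARANTINE' if post_hit else 'pass      '}  "
              f"{'QUARANTINE' if strict_hit else 'pass      '}  {header}")
```

Running it shows the post's rule passing both evasion headers while the stricter pattern quarantines them and still passes the two legitimate forms. To use the stricter form in PMG, set the Match Field value to `John Doe(?!.*<jdoe@example\.com>\s*$)` and re-run the Test String permutations above, adding the two evasion cases. Neither pattern handles a re-cased or re-spaced display name, and the script above is case-sensitive, so check in the Test String field how PMG treats something like `john doe <adversary@gmail.com>` before relying on the rule.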
Please let me know if you have any improvements for this filter rule.
And if you're not familiar with BEC:
https://www.fbi.gov/how-we-can-help...on-scams-and-crimes/business-email-compromise
https://www.microsoft.com/en-us/security/business/security-101/what-is-business-email-compromise-bec