One method of impersonating individuals within an organization is to set the From header's friendly display name to an email address that is not the message's actual From (return) address. For example:
From: "CEO - [email protected]" <[email protected]>
To: "All staff" <[email protected]>
Subject: ACTION REQUIRED!
Many email clients display only "CEO - [email protected]" and hide the actual From address, which misleads recipients about the true source of the message. Because the address in the From header is a valid address for the sending domain, a message like this can pass DMARC sender authentication, which aligns on the From address domain and never inspects the display name, while still deceiving unwary users whose mail client does not show the full contents of the From header.
To mitigate this risk, Messaging Gateway administrators can create a content filtering policy that checks whether the friendly display name in the From header contains an email address and, if it does, whether the domain of that address matches the domain of the actual From address.
".*@(.\S+)"\s+<\S+@\1>
The example rule above first checks whether the From header contains two @ symbols. If it does, the second condition uses the regular expression to compare the domain following the first @ symbol (the one inside the quoted display name, captured as \1) with the domain of the actual sender address in angle brackets. The expression matches only when the two domains agree, so the messages to act on (tag, quarantine or reject) are those that meet the first condition but do not match the expression. Note that the backreference compares the two domains literally: if the display name shows Corp.Example and the real address uses corp.example, the expression as written does not match, so confirm how the Gateway's regular expression engine handles case before relying on it.
This is a simple example; the conditions for matching messages that spoof a sender address in the friendly display name can be made domain- and recipient-specific as needed.
The information above is for example purposes only, and SMG administrators should test any content filtering rule carefully to ensure that it does not match messages unexpectedly.
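The following is an added example, not part of the original article or of Messaging Gateway itself: a Python script that applies the article's two conditions (two @ symbols, then domain agreement) to constructed From header values, with the article's regular expression compiled as written alongside a parsed check that normalises domain case. The addresses and domains in the samples are hypothetical. It shows the match/no-match outcome for the legitimate, spoofed and no-address cases, plus a mixed-case domain that the literal backreference fails to match.

```python
"""Display-name spoof check: does an address shown in the From display name
agree with the domain of the actual From address?  Added example, not SMG code."""
import re
from email.utils import parseaddr

# The regular expression from the article, compiled as written (no flags), so
# its behaviour can be compared with the parsed check below.
PAGE_RULE = re.compile(r'".*@(.\S+)"\s+<\S+@\1>')

# Loose pattern for an address-like token embedded in free text such as a
# display name; only the domain part (group 1) is needed.
ADDR_IN_TEXT = re.compile(r'[\w.+-]+@([\w-]+(?:\.[\w-]+)+)')


def page_rule_matches(from_value: str) -> bool:
    """The two conditions described in the article: at least two '@' in the
    header value, and the regex matches (i.e. the domains agree).  A message
    that satisfies the first condition but NOT the regex is the spoof case."""
    return from_value.count("@") >= 2 and PAGE_RULE.search(from_value) is not None


def classify_from(from_value: str) -> str:
    """Classify a raw From header value.

    'unparseable'        : no address could be extracted from the header
    'no-address-in-name' : display name carries no address, nothing to compare
    'domains-match'      : display-name domain == real From address domain
    'display-name-spoof' : the two domains differ (candidate for quarantine)
    """
    name, addr = parseaddr(from_value)
    if not addr or "@" not in addr:
        return "unparseable"
    real_domain = addr.rpartition("@")[2].lower()
    shown = ADDR_IN_TEXT.search(name)
    if not shown:
        return "no-address-in-name"
    # Domains are case-insensitive; compare lowercase so Corp.Example == corp.example.
    return "domains-match" if shown.group(1).lower() == real_domain else "display-name-spoof"


# Constructed sample From values (hypothetical domains, not real addresses).
SAMPLE_FROM_VALUES = [
    '"CEO - ceo@corp.example" <ceo@corp.example>',         # legitimate
    '"CEO - ceo@corp.example" <random@attacker.example>',  # the spoof the article describes
    '"CEO" <ceo@corp.example>',                            # no address in display name
    '"CEO - ceo@Corp.Example" <ceo@corp.example>',         # same domain, different case
]


def run_samples() -> list:
    """Return (from_value, parsed_verdict, page_rule_matched) for each sample."""
    return [(v, classify_from(v), page_rule_matches(v)) for v in SAMPLE_FROM_VALUES]


if __name__ == "__main__":
    for value, verdict, matched in run_samples():
        print(f"{verdict:20} page-regex-match={matched!s:5}  {value}")
```

The parsed check uses the standard library's header parser rather than a single regular expression, so it is not tied to the display name being quoted or to a particular spacing, and it lowercases both domains before comparing. The fourth sample is the one to watch when porting the rule to a gateway: the article's expression reports no match for it, which a policy acting on "does not match" would treat as a spoof.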