Description


Executive spoofing is a scam in which cybercriminals impersonate the names and emails of company executives to try to fool an internal employee into disclosing sensitive information or executing a payment.

SmartPhish has a setting that allows MPmail Avanan administrators to automatically block such spoofing attempts.


The Process


Avanan administrators can trigger their “Phishing” or “Suspicious” workflows when SmartPhish detects a nickname impersonation.

1. Navigate to Security Settings → Security Engines → SmartPhish → Configure.
2. Select the scope of users:
   - Important/key people
     Note: By default, SmartPhish will reference the job title of the user to determine which users are senior. Examples of senior titles are CEO, CFO, etc. Alternatively, you can define your own senior users by creating a security group (in Office 365 or Google) for senior-level users, and typing the exact name of the security group in the designated field. This field is case sensitive.
   - All internal users
3. Select the “Phishing” or “Suspicious” workflow for detections.

Best Practices

It is best to start small. You can protect a small group of senior-level people and/or use the “Suspicious” workflow.
If you wish to extend nickname impersonation workflows for all internal users, it is best to use the “Suspicious” workflow to avoid false positive detections (more below).
Protected users must be informed to not use their personal email addresses, as these will be detected as impersonations.

Note that regardless of your settings, SmartPhish will always look for nickname impersonations for all users. The configuration described here will ensure that, for the scope of users selected, at least the “Suspicious” workflow is triggered.


Handling False Positives

Many commonly used services like Salesforce or ServiceNow send legitimate emails on behalf of other users. To SmartPhish, these will be detected as nickname impersonations. Therefore, it’s important to ensure that this configuration is not generating false positive phishing/suspicious detections.
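
The following is an added illustration, not SmartPhish's own detection logic: a simplified display-name check showing why a protected user's personal address and a service sending on their behalf are both flagged, and how a reviewed exception changes the result. All names, addresses and domains are constructed, and PROTECTED_USERS, ALLOWED_SENDER_DOMAINS and classify are hypothetical names.

```python
import unicodedata
from email.utils import parseaddr

# Constructed sample data (assumptions, not values from any real tenant).
PROTECTED_USERS = {"jane doe": "jane.doe@example.com"}  # display name -> real mailbox
ALLOWED_SENDER_DOMAINS = {"crm.example"}  # stand-in for a reviewed, legitimate service


def normalize(name: str) -> str:
    """Fold case, Unicode compatibility forms and extra whitespace before comparing."""
    return " ".join(unicodedata.normalize("NFKC", name).casefold().split())


def classify(from_header: str) -> str:
    """Return 'clean', 'allowed' or 'suspicious' for one From header."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    real_addr = PROTECTED_USERS.get(normalize(display))
    if real_addr is None or addr == real_addr:
        return "clean"       # no protected name used, or it is the real mailbox
    if domain in ALLOWED_SENDER_DOMAINS:
        return "allowed"     # exception added after reviewing detections
    return "suspicious"      # protected name on any other address


# Constructed From headers covering the cases the article describes.
SAMPLES = [
    "Jane Doe <jane.doe@example.com>",            # the executive's real mailbox
    '"JANE  DOE" <ceo.office@mail.example.net>',  # look-alike sender
    "Jane Doe <jane.doe@webmail.example.org>",    # executive's personal address
    "Jane Doe <noreply@crm.example>",             # service sending on her behalf
    "Bob Smith <bob@partner.example>",            # name is not protected
]


def report(headers):
    """Map each header to its verdict."""
    return {h: classify(h) for h in headers}


if __name__ == "__main__":
    for header, verdict in report(SAMPLES).items():
        print(f"{verdict:<10} {header}")
```

The personal address and the look-alike sender receive the same verdict, which is why protected users need to avoid personal addresses and why exceptions should be limited to services you have reviewed.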

To monitor detections, create a Custom Query that filters only for detections containing nickname impersonations. You can find the fields embedded under Security Stack → SmartPhish.

Since impersonation detection takes priority, an Allow list rule will sometimes be overridden due to an SPF failure. If you need to ensure that an email is not overridden by an SPF failure or suspected impersonation, please edit the Allow list rule to "Ignore SPF check".


Be sure to whitelist legitimate services that appear in the query by navigating to Security Settings, Exceptions → Anti-Phishing.

If you have any questions or would like assistance configuring, please reach out to support@manageprotect.com