I need Microsoft to allow us to do a two-part rule: "1. If sender is located Outside of the org" AND the sender's name = (LDAP check to AD to see if it's an internal user). This would eliminate all spear phishing attempts for us. Does anyone know of an Exchange mail rule that would allow me to do this?
Here's what I do in the meantime...
1. Educate users (we use KnowBe4 to train end users)
2. Block emails from your domain at your spam filter (this works for those spoofing your domain, but still doesn't get the spear phishing with different domains)
3. I have a mail rule that applies if "the sender is located Outside the org" AND "the sender address includes" (then I add each of my big wig users individually), to forward to me for approval (this is just a testing phase, but it can eventually just delete the message). If we had another parameter on the rule, something like "If the username contains or matches a user in this OU, or this domain, or this LDAP lookup", that would be really nice... The only potential downside here is if those big wigs are emailing from their own personal addresses with the same "name" to their own internal email, or to an employee (which wouldn't really be best practice anyways), but then an exception will need to be created...
4. The other thing my Barracuda ESS spam filter allows is GEO filtering, so I do a lot of GEO filtering to block some of the countries we don't do business with, who are trying to email
5. So... I'm currently a Barracuda customer, and know they do not offer any type of "Spear phishing checker" where it compares from name to LDAP lookup, but I do know that Mimecast offers this. Mimecast is significantly more expensive, but appears to have the best spam/phishing blocking solution in the market right now. If Microsoft would just give us the ability to name check within a mail rule though, it would greatly enhance our abilities to block these ever-increasing spear phishing threats.
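The name check the post asks for, sketched as an added example that is not part of the original post and not an Exchange, Barracuda or Mimecast feature: it holds mail whose sender is outside the org but whose display name matches an internal user, with the personal-address exception from item 3. The domains, names, addresses and function names are constructed assumptions; in practice the name list would come from an AD/LDAP export.

```python
import re
import unicodedata
from email.utils import parseaddr

# Constructed sample data (assumptions, not real values).
INTERNAL_DOMAINS = {"example.com"}
PROTECTED_NAMES = ["Jane Q. Doe", "Robert Smith"]      # e.g. exported from an OU
ALLOWED_EXTERNAL = {"jane.personal@mail.example"}      # approved personal addresses

def normalize(name):
    """Fold case, accents, punctuation and word order: 'DOE, Jane' == 'Jane Doe'."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c))
    words = re.findall(r"[a-z0-9]+", text.lower())
    # Drop single-letter tokens (middle initials); a set ignores word order.
    return frozenset(w for w in words if len(w) > 1)

PROTECTED = {normalize(n): n for n in PROTECTED_NAMES}

def check_from_header(from_header):
    """Return (verdict, matched_internal_name) for one From: header value."""
    display, address = parseaddr(from_header)
    address = address.lower()
    domain = address.rpartition("@")[2]
    if domain in INTERNAL_DOMAINS:
        return ("internal", None)          # condition 1 not met: sender is inside
    if address in ALLOWED_EXTERNAL:
        return ("allowed-exception", None)
    tokens = normalize(display)
    for protected_tokens, original in PROTECTED.items():
        # Match when every word of an internal name appears in the display name.
        if protected_tokens and protected_tokens <= tokens:
            return ("hold-for-review", original)
    return ("deliver", None)

if __name__ == "__main__":
    for header in ['"Jane Doe" <jane.doe@freemail.example>',
                   '"SMITH, Robert" <ceo@mail.example.net>',
                   'Robert Smith <rsmith@example.com>',
                   'Alice Vendor <alice@vendor.example>']:
        print(header, "->", check_from_header(header))
```

The internal-domain branch trusts the From address as written, so it still relies on item 2 (blocking spoofed mail from your own domain at the spam filter).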