Cisco Email Security Appliance C370D White Paper

Cisco Forged Email Detection (FED) in Action
Removal of From Value
Figure 6 shows two forged emails sent into a fictitious company named
Alpha. Both messages purport to be from an Alpha executive named
Chuck Robbins. The first is allowed in without any modification. The
second has been modified by the FED filter. Note that when viewing the
first in the inbox listing, you see only the name of the sender and not the
address that it was sent from. But in the second message,
the From value, Chuck Robbins, has been replaced with the Envelope
From value, so that the recipient knows that
this is from an external source and what that source is.
Figure 6.  Forged Email Samples
BEC Evidence Shared with Recipient
In Figure 7, we show the Internet Mail Headers for the modified 
message. In Outlook 2010, you can find this by opening the message
and then clicking on: File Tab > Properties.
The FED action copies the original From value into an X-header called 
X-original-from. This allows the administrator to verify the effectiveness 
of the filter and provides a reason to the recipient as to why the 
message was acted upon.
Figure 7.  X-Original-From
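The header evidence described above can also be checked in bulk when verifying the filter. The following is an added example, not code from the Cisco guide: it classifies messages by whether the X-Original-From header is present, and flags executive display names arriving from outside with no sign that FED acted. The sample messages, the `alpha.example` domain, the exact-name match and the assumption that X-Original-From holds the full original From header are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "alpha.example"      # assumed domain for the fictitious company
PROTECTED_NAMES = {"chuck robbins"}    # executive names the filter should cover

# Constructed sample headers; addresses use reserved example domains.
SAMPLES = {
    "untouched": 'From: "Chuck Robbins" <sender@mail.example.net>\n'
                 "To: employee@alpha.example\nSubject: Wire transfer\n\nbody\n",
    "rewritten": "From: sender@mail.example.net\n"
                 'X-Original-From: "Chuck Robbins" <sender@mail.example.net>\n'
                 "To: employee@alpha.example\nSubject: Wire transfer\n\nbody\n",
    "internal":  'From: "Chuck Robbins" <crobbins@alpha.example>\n'
                 "To: employee@alpha.example\nSubject: All hands\n\nbody\n",
}


def normalise(name):
    """Lower-case and collapse whitespace so name comparison is stable."""
    return " ".join(name.lower().split())


def classify(raw):
    """Return (verdict, claimed_name, visible_address) for one message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    original = msg.get("X-Original-From")   # header lookup is case-insensitive
    if original is not None:
        # FED acted: From now carries the envelope sender, and the claimed
        # identity survives only in the X-header.
        claimed, _ = parseaddr(original)
        return "rewritten", claimed, addr
    external = addr.rpartition("@")[2].lower() != INTERNAL_DOMAIN
    if external and normalise(name) in PROTECTED_NAMES:
        # Executive display name from an outside address, no FED evidence.
        return "missed", name, addr
    return "clean", name, addr


def audit(samples):
    """Map each sample label to its verdict."""
    return {label: classify(raw)[0] for label, raw in samples.items()}


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, classify(raw))
```

A "missed" verdict on real mail is a prompt to review the filter's name dictionary and match threshold, since this sketch only does an exact name comparison.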
Watch this video for more details: 
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, 
go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco 
and any other company. (1110R) 
C07-738017-00  11/16
Cisco Email Security How-To Guide
How-To Enable Forged Email Detection
Cisco Public