• Cloud App Security
• Understanding Cloud App Security
  • Understanding Email Security
    • Understanding Post-Delivery Email Recheck
  • Using Data Leak Protection
  • Understanding Anomalies
  • Understanding Click-Time Protection
• Configuring Cloud App Security
  • Subscribing to Cloud App Security
  • Activating Cloud Applications for Cloud App Security
  • Activating Office 365 and Microsoft 365 Cloud Applications
    • Manually Configuring Office 365 and Microsoft 365 Cloud Applications During Activation
• Managing Quarantine for Office 365 and Microsoft 365
  • Setting Up a Quarantine Mailbox for Office 365 and Microsoft 365 Email (Exchange Online)
  • Setting Up a Quarantine Folder for Office 365 and Microsoft 365 OneDrive
  • Setting Up a Quarantine Folder for Office 365 and Microsoft 365 SharePoint
  • Using the Quarantine View for Office 365 and Microsoft 365 Email (Exchange Online)
  • Using the Quarantine Page
  • Using the Quarantined File Creator Dashboard
  • Using the User Dashboard for Office 365 and Microsoft 365
  • Managing Restore Requests
• Using the SonicWall Cloud App Security Dashboard
  • Using the Security Events Widgets
    • Changing a Security Event Widget to an Alert or Custom Query
    • Resetting a Security Event Widget
    • Hiding a Security Event Widget
    • Configuring Security Event Widget Custom Queries
    • Adjusting the Time Scale
  • Viewing the Summary of Security Events
  • Viewing Login Events
  • Viewing Secured Applications
  • Viewing the Scanned Files Summary
• Managing Security Events
  • Using the Security Event Graphs
    • Viewing Security Events by Severity
    • Viewing Security Events by State
    • Viewing Security Events by Cloud Application
  • Viewing and Acting on Security Events
    • Removing Filters
    • Acting on Security Events
  • Managing Multiple Events
• Managing Policies
  • Understanding Cloud App Security Policies
    • Before You Set Email Policies
    • Monitor only
    • Detect and Prevent
    • Protect (Inline)
  • Creating New Policy Rules
    • Creating Data Leak Protection Policy Rules
      • Using Regular Expressions in DLP Policies for Email
    • Creating Malware Policy Rules
    • Creating Threat Detection Policy Rules
    • Creating Policy Rules for Click-Time Protection
    • Creating Office 365 and Microsoft 365 Email Encryption Policy Rules
    • Creating Custom Query Policies
  • Stopping Policy Rules
  • Removing Policy Rules
  • Managing Office 365 and Microsoft 365 (Exchange Online) Mail-Flow Rules
• • Configuring Data Leak Protection Detection Rules
  • Reactivating Data Leak Protection
  • Predefined Data Leak Protection Policy Rules
    • Global Rules
    • Credentials and Secrets
    • Predefined Data Leak Protection Rules for Specific Countries
      • Argentina
      • Australia
      • Belgium
      • Brazil
      • Canada
      • Chile
      • China
      • Columbia
      • Denmark
      • Finland
      • France
      • Germany
      • Hong Kong
      • India
      • Indonesia
      • Ireland
      • Israel
      • Italy
      • Japan
      • Korea
      • Mexico
      • The Netherlands
      • Norway
      • Paraguay
      • Peru
      • Poland
      • Portugal
      • Singapore
      • Spain
      • Sweden
      • Taiwan
      • Thailand
      • Turkey
      • United Kingdom
      • United States
      • Uruguay
      • Venezuela
• Managing Spam and Anti-Phishing
  • Managing Spam
  • Managing User-Reported Phishing
  • Customizing Warning Messages
  • Managing Nickname Impersonation
  • Managing the Anti-Phishing Exceptions
    • Managing Excluded Email Addresses
      • Adding Email Addresses to the Anti-Phishing Block-List
      • Removing Email Addresses from the Anti-Phishing Block-List
    • Managing Excluded IP Addresses
      • Adding IP Addresses to the Anti-Phishing Block-List
      • Removing IP Addresses from the Anti-Phishing Block-List
    • Managing Excluded Domains
      • Adding Domains to the Anti-Phishing Block-List
      • Removing Domains from the Anti-Phishing Block-List
    • Creating Block-List Rules from Email Messages
    • Managing the Anti-Phishing Allow-List
      • Creating Anti-Phishing Allow-List Rules from the Security Events Page
      • Creating Anti-Phishing Allow-List Rules from the Anti-Phishing Allow-List Page
    • Managing the Anti-Phishing Block-List
• Using the Mail Explorer
  • Using the Mail Explorer to Search Emails
  • Using the Mail Explorer to Quarantine Items
  • Using the Mail Explorer to Add Items to the Blocked List
• Working with Office 365 and Microsoft 365 Email Encryption
• Configuring and Using Click-Time Protection
  • Activating Click-Time Protection
  • Configuring Click-Time Protection
    • Configuring the Click-Time Protection Workflow
    • Configuring Custom Click-Time Protection for Specific Domains
      • Adding Custom Click-Time Protection for Specific Domains
      • Deleting Custom Click-Time Protection for Specific Domains
  • Using Click-Time Protection
    • Viewing Security Events for Click-Time Protection
    • Managing Email Messages with Click-Time Protection
    • Creating Custom Queries for Click-Time Protection
• Using Cloud App Security Analytics
  • Viewing the Summary Report
  • Viewing the Weekly Reports
  • Viewing Email Analytics
  • Viewing Office 365 and Microsoft 365 OneDrive Analytics
  • Viewing Office 365 and Microsoft 365 SharePoint Analytics
  • Viewing Shadow SaaS Analytics
  • Viewing and Creating Custom Queries
    • Creating Custom Queries
    • Adding Custom Queries to the Dashboard
• Configuring Cloud Applications in the Cloud App Store
  • Configuring Office 365 and Microsoft 365 for Cloud App Security
  • Re-Authorizing Cloud Applications
• Managing Security Applications in the Security App Store
  • Starting Security Applications
  • Stopping Security Applications
• Managing Anomaly Exceptions
  • Creating Exceptions Based on Anomaly Events
  • Sending Anomaly Event Notifications
• Managing Security Tool Exceptions
• Using the System Log
  • Viewing the System Log
  • Exporting the System Log
• Managing Cloud App Security Licenses
  • Adding Administrator Users
  • Adding Read-Only Users
  • Managing Group Licensing
  • Unassigning Cloud App Security Licenses
• SonicWall Support
  • About This Document

Managing Nickname Impersonation

Nickname impersonation (also known as "executive spoofing") can occur when the names or email addresses of company executives are spoofed in an effort to get internal employees to disclose sensitive professional or personal information. By default, Cloud App Security automatically detects nickname impersonations for any internal user, disabled and deleted accounts, and self-impersonation. Settings can be customized based on the needs of your organization with administrator?configured actions.

To configure Cloud App Security to detect and manage nickname impersonation attempts

1. Make certain that Anti-phishing is running and enabled. (Refer to Starting Security Applications for more information.)

2. Options to manage nickname impersonation are available when you create threat detection policies. (Refer to Creating Threat Detection Policy Rules for detailed information about all of the available policy rule options.)

   In the Advanced section, under Security Tools, click Configure Anti-Impersonation and Phishing Confidence-Level.

3. From the Detect nickname impersonation attempts from list, select one of these options:
   • Important/key-people only
   • Any internal user
4. In the Except when coming from domains field, enter any domains that you want to exempt from impersonation detections.
   • Domain names are not case-sensitive.
   • You can enter more than one domain name by separating them with a comma.

5. By default, the system determines who qualifies as important or key people by referencing the job titles as they are stored in the organization's Office 365 and Microsoft 365 directories.

   Administrators can also select specific people to protect from nickname impersonation by adding them to a security group. In the Important/key-people group field, enter the security group name of people to be specifically checked for nickname impersonation.

   Enter the security group name, not the email address. The group name is case-sensitive.

6. For When a nickname impersonation is detected, select one of these options:
   • Trigger "Phishing" workflow
   • Trigger "Suspicious" workflow

7. Select Detect impersonation attempts only from new/first-time sender to limit nickname impersonation detection only to never-seen-before email addresses.

   While limiting nickname impersonation protection, selecting this option greatly reduces false positive results.

8. Select Detect impersonation to disabled accounts to activate nickname impersonation detection for email accounts that are disabled.
9. Select Detect impersonation to deleted accounts to activate nickname impersonation detection for email accounts that are deleted.

10. By default impersonation detection algorithm ignores email messages that are sent from the same name as the receiver, as these email message are very unlikely to be real nickname impersonation.

    Select Include suspected self-impersonation in impersonation-detection algorithm to detect as nickname impersonation email messages that have the same email address for both the sender and the recipient.

    Enabling this option often results in increased false positives.

11. Click Ok.

To avoid false positive detections, it is recommended that you begin with a small group of senior-level people (Important/key-people only). If you want to configure nickname impersonation detection for all internal users (Any internal user), it is best to select Trigger "Suspicious" workflow.

Protected users should be advised to not use their personal email addresses, as these will be detected as impersonations.