An attacker registers a free email account under any address they like. Sometimes the address contains the name of the executive they are trying to spoof. The attacker then sets the display name to match your CEO or another executive and sends phishing messages to your organization. The hope is that the recipient looks only at the display name and not at the sending address. Some recipients may even assume that the sending address is the executive's personal email and believe the message to be real.

To combat this, I have had customers implement a transport rule that identifies messages that contain the names of key executives in the From field and that originate from outside of the tenant. The transport rule would look something like this.



1.) Log in as an admin to your Microsoft account and go to https://admin.exchange.microsoft.com/#/transportrules


2.) Create a new rule. Refer to the screenshot below.


Click "Select one" and select the users this rule applies to.



Prepend a disclaimer: use the text below.


<div style="background-color:pink; border:0px dotted #003333; padding:.2em; "> 

<span style="font-size:12pt; font-family: sans-serif; color:black; font-weight:bold; padding:.2em">Please be cautious</span>

<div style="font-size:10pt; font-family: sans-serif; color:black; font-weight:normal; padding:.2em">This email was sent outside of your organisation</div> 

</div>

<hr>



Under exceptions, you would add the personal addresses that the executives may use to send mail to the company to ensure those messages aren’t caught by this rule.
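
The same rule can be created from Exchange Online PowerShell instead of the admin center. This is an added example, not part of the original walkthrough; the rule name, executive names and personal addresses are constructed placeholders to replace with your own.

```powershell
# Requires the ExchangeOnlineManagement module and an Exchange admin role.
Connect-ExchangeOnline

# Disclaimer HTML from the step above (single-quoted here-string, so nothing is expanded).
$banner = @'
<div style="background-color:pink; border:0px dotted #003333; padding:.2em; ">
<span style="font-size:12pt; font-family: sans-serif; color:black; font-weight:bold; padding:.2em">Please be cautious</span>
<div style="font-size:10pt; font-family: sans-serif; color:black; font-weight:normal; padding:.2em">This email was sent outside of your organisation</div>
</div>
<hr>
'@

# Constructed placeholders: executive display names to look for in the From header,
# and the personal addresses those executives legitimately send from.
$executiveNames    = 'Jane Doe', 'John Roe'
$personalAddresses = 'jane.doe.personal@example.com', 'john.roe.personal@example.net'

$rule = @{
    Name                              = 'Executive display name from external sender'
    # Condition 1: the sender is outside the tenant.
    FromScope                         = 'NotInOrganization'
    # Condition 2: the From header (display name + address) matches an executive name.
    HeaderMatchesMessageHeader        = 'From'
    HeaderMatchesPatterns             = $executiveNames
    # Exception: the executives' own personal addresses.
    ExceptIfFromAddressContainsWords  = $personalAddresses
    # Action: prepend the banner; wrap the message if it cannot be modified.
    ApplyHtmlDisclaimerLocation       = 'Prepend'
    ApplyHtmlDisclaimerText           = $banner
    ApplyHtmlDisclaimerFallbackAction = 'Wrap'
}
New-TransportRule @rule

# Confirm what was actually stored.
Get-TransportRule -Identity $rule.Name |
    Format-List Name, State, Mode, FromScope, HeaderMatchesPatterns, ExceptIfFromAddressContainsWords
```

The values in `HeaderMatchesPatterns` are treated as regular expressions, so escape any regex metacharacters that appear in a name.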