Email - User Impersonation

Summary

User impersonation occurs when a malicious sender pretends to be someone you trust—like a coworker, manager, or known contact—making their email look legitimate at first glance. For an end user, this can make it much harder to spot phishing attempts, increasing the risk of clicking harmful links, sharing sensitive information, or taking unintended actions (like approving payments). Because the message appears familiar and urgent, users may react quickly without questioning it, which is why recog

Body

Overview

User impersonation protection is an advanced anti‑phishing capability designed to detect and stop phishing emails that pretend to come from a specific, trusted person (for example, a CEO, finance executive, HR manager, or vendor contact) by closely imitating their display name and email alias.

This capability is part of anti‑phishing policies and is distinct from traditional email authentication checks (SPF, DKIM, DMARC), which often cannot detect impersonation because impersonation emails typically come from real, valid domains, not spoofed ones.

Issue

Phishing and Business Email Compromise (BEC) attacks are a consistently successful method by which attackers can compromise your account. Mailbox Intelligence helps mitigate these attacks.

How it Works

User impersonation protection identifies subtle variations in sender information, such as:

  • Slightly modified email aliases (e.g., rnichell@domain.com vs. michelle@domain.com)

  • Matching display names paired with external or unexpected email addresses

This is particularly effective against business email compromise (BEC) tactics where attackers rely on urgency and familiarity rather than malicious links.

When enabled, Mailbox Intelligence enhances impersonation detection by using historical communication patterns to identify when:

  • A “trusted” sender suddenly sends messages that deviate from normal behavior

  • A known name appears from an unfamiliar sending context

This significantly improves detection accuracy and reduces reliance on static rules alone.
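The two sender-information checks listed above can be sketched as follows. This is an added example, not the mail platform's actual detection logic; the protected user, the look-alike substitution table, the 0.85 similarity threshold and the function names are all assumptions made for illustration.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed sample data: protected display names and their real addresses.
PROTECTED = {"Michelle Smith": "michelle@domain.com"}

# Illustrative look-alike substitutions (assumption; not an exhaustive list).
LOOKALIKES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def skeleton(text):
    """Lower-case the text and collapse look-alike character sequences."""
    text = text.lower()
    for fake, real in LOOKALIKES:
        text = text.replace(fake, real)
    return text


def check_sender(from_header, threshold=0.85):
    """Return 'display-name', 'lookalike-alias', or None for a From header."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    if addr in {a.lower() for a in PROTECTED.values()}:
        return None  # exact address match: not a look-alike sender
    name = " ".join(name.lower().split())
    local = skeleton(addr.partition("@")[0])
    for p_name, p_addr in PROTECTED.items():
        # Check 1: trusted display name paired with an unexpected address.
        if name == p_name.lower():
            return "display-name"
        # Check 2: alias nearly identical to the protected alias.
        p_local = skeleton(p_addr.partition("@")[0])
        if SequenceMatcher(None, local, p_local).ratio() >= threshold:
            return "lookalike-alias"
    return None


if __name__ == "__main__":
    # Constructed From headers, one per outcome.
    for header in (
        "Michelle Smith <michelle@domain.com>",
        "Michelle Smith <m.smith@mail.example>",
        "M. Smith <rnichell@domain.com>",
        "Bob Jones <bob@vendor.example>",
    ):
        print(f"{header!r:45} -> {check_sender(header)}")
```

An exact address match returns None here because a forged From address is the case SPF, DKIM and DMARC are meant to cover, not impersonation protection.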

User Expectations or Impacts

Most end users experience no direct disruption; they simply don’t see many phishing emails that previously reached their inbox. Messages impersonating executives or colleagues are more likely to be blocked before delivery. However, because impersonation detection is intentionally strict, the following may be junked:

  • Legitimate emails from external contacts using the same display name as an internal user

  • Forwarded emails from personal accounts using a corporate display name

This most commonly affects:

  • Executives emailing from personal accounts

  • Vendors mimicking internal naming conventions

Fleming College has configured policies to deliver but flag suspected impersonation emails. End users may see:

This improves user awareness but can initially raise questions if not accompanied by security awareness messaging.

Details

Article ID: 15351
Created: Thu 6/25/26 1:13 PM
Modified: Thu 6/25/26 1:14 PM