On 10/5/2017 7:19 AM, Jakob Curdes wrote:
Not a lot, but the trick is that Outlook displays both parts, and users think that it is an internal mail because the "Firstname Lastname" is real in the company and the "recipient-domain.com" is the real recipient domain. So it is a trick to circumvent SPF denials which prevent a spammer from sending "internal" mails from external addresses. So I think it is not a mistake, I suppose this is carefully crafted to achieve exactly this result.

I can also confirm user behavior consistent with your description of this issue as well where it tricked them into thinking it was an internal message. We had 1 case as well that this thread coincidentally hit.

So while the spam engine rule is nice, a rule to work on 2 email addresses in the from header that is generic is likely still an indicator of spam that is a "good idea"(tm).

Regards,

KAM
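
The generic check discussed in this thread, sketched as an added example that is not part of the original messages and is not a SpamAssassin rule: it flags a From header carrying a second address in its display text, and separately flags the case where that displayed address is in the recipient's own domain while the actual sender is not. The function name, the sample addresses and the assumed header layout (real address last) are constructed for illustration.

```python
import re
from email.header import decode_header, make_header

# Loose address matcher for triage, not a full RFC 5322 parser.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower()

def inspect_from(raw_from, recipient_domain):
    """Return (verdict, actual_sender, displayed_addresses).

    verdict is 'ok', 'two_addresses' or 'internal_lookalike'.
    """
    # Decode RFC 2047 encoded-words first, so an encoded display name
    # cannot hide the embedded address from the regex.
    decoded = str(make_header(decode_header(raw_from)))
    found = [a.lower() for a in ADDR_RE.findall(decoded)]
    if not found:
        return ("ok", None, [])
    # Assumption: the last address is the real addr-spec in <...>;
    # anything before it is display text that the mail client shows.
    actual = found[-1]
    shown = [a for a in found[:-1] if a != actual]
    if not shown:
        return ("ok", actual, [])
    rdom = recipient_domain.lower()
    if domain_of(actual) != rdom and any(domain_of(a) == rdom for a in shown):
        return ("internal_lookalike", actual, shown)
    return ("two_addresses", actual, shown)

# Constructed sample From values; none are taken from real mail.
SAMPLES = [
    '"Jane Doe <jane.doe@recipient-domain.com>" <bulk@mailer.example>',
    'Jane Doe <jane.doe@recipient-domain.com>',
    '"support@vendor.example" <noreply@other.example>',
    '=?utf-8?q?Jane_Doe_=3Cjane.doe=40recipient-domain.com=3E?= <bulk@mailer.example>',
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(inspect_from(value, "recipient-domain.com")[0], "|", value)
```
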
