The SANS Internet Storm Center shares an awareness article on how targeted attacks on executives may circumvent spoofed-email controls. These targeted attacks are on the increase in 2019.

Phishing is a constant cat-and-mouse game. Most organizations are now using SPF, DMARC and other technologies to prevent spoofed emails from making it into your users' inboxes. Attackers have now been shifting to using real accounts from providers. The type of attack we are seeing recently tries to bypass these more traditional protections by using impersonation attacks. This is where the displayed name in the email client is the same as the person of interest, along with a plausible email address.

EXAMPLE — Let's say your CEO's name is Tony Stark and his legitimate address is  The attacker would set a display name as Tony Stark and address has been used a lot in the past six months for these types of attacks. You can easily block any emails from the domain in your mail filters. Attackers are also using Gmail, Yahoo and other major domains with the same technique (e.g. or  Unfortunately, in most cases you will not be able to block these domains. The way many email products are fighting this is by a feature most are calling impersonation detection. Set up a profile in the product for the display name of VIPs and it tries to detect fake accounts.  My issue with these is that you are leaving it up to a “BlackBox” to determine if your VIP’s email is going to work.
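A transparent version of the display-name check described above, as an added example that is not from the SANS article or any mail product. The VIP profile, the `.example` addresses and the sample messages are constructed, and the function names are hypothetical.

```python
import unicodedata
from email import message_from_string, policy

# Constructed VIP profile: display name -> addresses that person really uses.
VIPS = {"Tony Stark": {"tony.stark@corp.example"}}

def name_key(name):
    """Normalize a display name so case, spacing, punctuation, 'Last, First'
    order and Unicode compatibility forms do not defeat the comparison."""
    text = unicodedata.normalize("NFKC", name).casefold()
    words = "".join(c if c.isalnum() else " " for c in text).split()
    return frozenset(words)

VIP_KEYS = {name_key(n): (n, {a.lower() for a in addrs})
            for n, addrs in VIPS.items()}

def check_from(raw_message):
    """Return (verdict, detail) for the From header of a raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    header = msg["From"]
    # policy.default decodes RFC 2047 encoded-words and unquotes display names.
    for sender in (header.addresses if header else ()):
        hit = VIP_KEYS.get(name_key(sender.display_name or ""))
        if hit is None:
            continue  # display name is not a protected VIP
        vip, allowed = hit
        if sender.addr_spec.lower() not in allowed:
            return ("impersonation",
                    f"display name {vip!r} with unlisted address {sender.addr_spec}")
    return ("ok", "no VIP display name on an unlisted address")

# Constructed sample headers: legitimate, free-mail lookalike, encoded-word variant.
SAMPLES = [
    "From: Tony Stark <tony.stark@corp.example>\n\nQuarterly numbers attached.",
    'From: "Stark, Tony" <ceo.office@freemail.example>\n\nAre you at your desk?',
    "From: =?utf-8?q?TONY_STARK?= <tstark@freemail.example>\n\nNeed a favor.",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(check_from(raw))
```

Because every rule is visible, a flagged message can be traced to the exact display name and address that triggered it; lookalike characters from other scripts are not folded by NFKC and would need a separate confusables mapping.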