Which Microsoft 365 licenses can help prevent CEO impersonation?
Posted on 18 November 2025 by Beaming Support

CEO impersonation is a type of phishing attack in which attackers pose as senior executives to trick employees into sending money, credentials or sensitive data. A common technique is an email whose sender address looks very similar to a real or expected sender's address. Attackers impersonate senior staff because instructions that appear to come from an executive are less likely to be questioned.
You should be aware of two main types of email impersonation:
Domain impersonation: subtle differences in the domain part of the address. For example, greg@rnicrosoft.com impersonates greg@microsoft.com (the letters "rn" pass for "m" at a glance).
User impersonation: subtle differences in the local part, the alias before the @. For example, vviliam@microsoft.com impersonates william@microsoft.com ("vv" passes for "w").
Authorised Push Payment (APP) fraud, which frequently includes CEO impersonation, remains a major threat. Attackers exploit trust and authority, tricking employees into believing they are acting on urgent instructions from senior executives, often pressuring them to make time-critical payments. APP fraud losses across the UK finance sector exceeded £450 million in 2024, with impersonation scams being a significant contributor.
How can you help protect your employees?
Exchange Online Protection (EOP)
Exchange Online Protection (EOP) provides baseline email protection and is included with most Microsoft 365 licences. Its anti-phishing policy includes spoof intelligence, which uses SPF, DKIM and DMARC results (composite authentication) to block messages that claim a From domain the sending server is not authorised to use. It does not include impersonation protection: a message from a lookalike domain or with a lookalike display name that authenticates correctly passes straight through.
Even without a Defender licence, organisations can implement custom rules and banners to highlight suspicious emails that appear to come from executives. For example, you can:
- Add a warning banner to all emails originating from outside the organisation (see our separate guide on how to do this).
- Create transport rules to flag messages where the sender's display name matches your CEO's name but the message comes from outside your organisation. The display name is free text that an attacker can set to anything, so this catches the cheapest form of impersonation.
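Both of these EOP-only mitigations can be created from Exchange Online PowerShell. The script below is an added example written for this page, not code from the original article or from Microsoft; it assumes a placeholder tenant domain of contoso.com and a placeholder executive "Jane Doe" <jane.doe@contoso.com>, and requires the ExchangeOnlineManagement module and an account that holds the Transport Rules role.

```powershell
# Added example: Exchange Online mail flow (transport) rules that implement
# the two EOP-only mitigations above. Placeholders: contoso.com is the tenant
# domain and "Jane Doe" <jane.doe@contoso.com> is the executive to protect.
Connect-ExchangeOnline

# 1. Banner on every message that enters from outside the organisation.
#    FromScope NotInOrganization also matches mail that claims an internal
#    address but arrived over an unauthenticated connection, so a plain spoof
#    of jane.doe@contoso.com still receives the banner.
$banner = '<div style="background:#fff3cd;border:1px solid #ffc107;padding:8px;font-family:sans-serif">' +
          'CAUTION: This email originated from outside the organisation. ' +
          'Do not act on payment or credential requests without verifying them by phone.</div>'

New-TransportRule -Name 'External sender banner' `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText $banner `
    -ApplyHtmlDisclaimerFallbackAction Wrap

# 2. Flag external mail whose From: header carries the CEO's display name.
#    The From header is written as "Display Name" <address>, so matching the
#    header (not the address) catches "Jane Doe" and "Doe, Jane" whatever
#    address the attacker used. Matched mail is tagged in the subject and
#    given a high spam confidence level so Outlook files it in Junk; swap
#    -SetSCL 9 for -Quarantine $true if you would rather hold it for review.
#    Priority 0 makes this rule run before the banner rule created above.
$ceoNamePatterns = @('Jane\s+Doe', 'Doe,\s*Jane')

New-TransportRule -Name 'CEO display name impersonation' `
    -FromScope NotInOrganization `
    -HeaderMatchesMessageHeader 'From' `
    -HeaderMatchesPatterns $ceoNamePatterns `
    -PrependSubject '[WARNING: possible CEO impersonation] ' `
    -SetSCL 9 `
    -Priority 0

# Confirm both rules exist, are enabled and are enforcing rather than auditing.
Get-TransportRule |
    Where-Object { $_.Name -in 'External sender banner', 'CEO display name impersonation' } |
    Format-Table Name, State, Mode, Priority
```

Test the display-name rule by sending a message from an external mailbox with the display name set to the executive's name before relying on it, and remember that it only covers the names you list: every executive, finance contact or other likely target needs a pattern.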
While these steps are useful, they are not as robust as the advanced impersonation detection available in Microsoft Defender.
Microsoft Defender for Office 365 (Plan 1 & 2)
Microsoft Defender for Office 365 Plan 1 and Plan 2 add anti-phishing policy settings that are specifically designed to detect and block impersonation attempts. Key features include:
- Impersonation protection (reported under Impersonation insight): flags or quarantines messages that mimic specific high-profile users or domains you list, and, with mailbox intelligence, senders that resemble a recipient's known contacts. For example, support@rnicrosoft.com is domain impersonation. The attacker has usually registered rnicrosoft.com and can publish valid SPF, DKIM and DMARC records for it, so the message passes standard email authentication; only a check for similarity to a protected domain catches it.
- Spoof intelligence: automatic protection against spoofing on all inbound mail to cloud mailboxes, that is, messages whose From domain is used by a server not authorised to send for it. Spoof intelligence itself is part of the baseline EOP anti-phishing policy; what Defender adds on top is the impersonation protection above and the Outlook safety tips for similar users, similar domains and unusual characters.
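The settings above live in a Defender for Office 365 anti-phishing policy, which can be built from Exchange Online PowerShell. The script below is an added example written for this page, not code from the original article or from Microsoft; it assumes placeholder values (the accepted domain contoso.com, the executive "Jane Doe" <jane.doe@contoso.com>, and a partner domain partner-bank.example whose lookalikes are also watched) and requires a Defender for Office 365 Plan 1 or 2 licence plus the ExchangeOnlineManagement module.

```powershell
# Added example: a Defender for Office 365 anti-phishing policy that turns on
# the impersonation protections described above, plus the rule that applies it
# to the tenant. Placeholders: contoso.com, "Jane Doe" <jane.doe@contoso.com>
# and partner-bank.example.
Connect-ExchangeOnline

$policyName = 'Executive impersonation protection'

$policy = @{
    Name             = $policyName
    AdminDisplayName = 'Protects named executives and our domains from lookalike senders'

    # User impersonation: mail whose display name or address resembles a
    # protected user (vviliam for william) is quarantined.
    # Entries use the "Display Name;address" format the cmdlet expects.
    EnableTargetedUserProtection = $true
    TargetedUsersToProtect       = @('Jane Doe;jane.doe@contoso.com')
    TargetedUserProtectionAction = 'Quarantine'

    # Domain impersonation: lookalikes of our own accepted domains
    # (rnicrosoft for microsoft) and of the listed partner domains are quarantined.
    EnableOrganizationDomainsProtection = $true
    EnableTargetedDomainsProtection     = $true
    TargetedDomainsToProtect            = @('partner-bank.example')
    TargetedDomainProtectionAction      = 'Quarantine'

    # Mailbox intelligence learns each recipient's usual correspondents and
    # flags a first-time sender who poses as one of them. Junk rather than
    # quarantine keeps these lower-confidence hits visible to the user.
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    MailboxIntelligenceProtectionAction = 'MoveToJmf'

    # Outlook safety tips for similar users, similar domains and unusual characters.
    EnableSimilarUsersSafetyTips      = $true
    EnableSimilarDomainsSafetyTips    = $true
    EnableUnusualCharactersSafetyTips = $true

    # Spoof intelligence is the EOP baseline; keep it on and quarantine mail
    # that fails composite authentication. Threshold 2 = "Aggressive".
    EnableSpoofIntelligence  = $true
    AuthenticationFailAction = 'Quarantine'
    PhishThresholdLevel      = 2
}

New-AntiPhishPolicy @policy

# A policy does nothing until a rule scopes it to recipients. Priority 0 puts
# it ahead of any other custom anti-phishing rule in the tenant.
New-AntiPhishRule -Name "$policyName rule" `
    -AntiPhishPolicy $policyName `
    -RecipientDomainIs 'contoso.com' `
    -Priority 0

# Read the settings back to confirm the impersonation switches took effect.
Get-AntiPhishPolicy -Identity $policyName |
    Format-List EnableTargetedUserProtection, TargetedUsersToProtect,
                EnableTargetedDomainsProtection, TargetedDomainsToProtect,
                EnableOrganizationDomainsProtection, EnableMailboxIntelligenceProtection,
                EnableSpoofIntelligence, PhishThresholdLevel
```

The targeted-user list is capped per policy and must be maintained by hand, so review it when executives join or leave; the Impersonation insight page in the Defender portal shows what each setting has actually caught and is the place to check for false positives before tightening the actions.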
CEO impersonation often relies heavily on spoofing and other forms of deception, making advanced protection essential for business security.