We are getting multiple spoofed email so we are trying to build any of the following App rule/feed/watch list/ESA alert to monitor the same. Below is an example of what we are looking for,
If there is an email sent to our environment from Suresh Thanikachalam (sthanikachalam@companydomain) is fine but if it’s from Suresh Thanikachalam (email@example.com) or Suresh Thanika (firstname.lastname@example.org) we need to get an notification/alert so that we can monitor and block the sender.
In this case we have a set of uses names to be add as a feed or watch list so that it can trigger an alert if it’s not matching our actual domain, also kindly advise if this can be achieved in any other ways.
We are even ok if there is more of manual task(like updating regularly) need to archive this.
Thanks in advance