Display Name Abuse

Email clients show display names prominently while hiding actual addresses; attackers put spoofed identities in display names to deceive users.

MITRE ATT&CK: T1566.001

Timeline: The Cat and Mouse

2010 ← Attack emerges → 2015 ← Partial response → 2019 ← Still effective → Present

The Evolution

Phase    | Period    | What Happened
CONTEXT  | 2007      | iPhone launches; mobile email begins its rise
ATTACK   | 2010      | Mobile email clients truncate addresses, show only display names
PEAK     | 2016-2020 | BEC attacks heavily exploit display name; billions lost
RESPONSE | 2015      | Some clients add “show full address” options
         | 2018      | Display name vs domain mismatch warnings
         | 2019      | VIP/Executive impersonation detection in SEGs
CURRENT  | Present   | Still effective; display names remain unauthenticated

Key Events with Sources

Date | Event                   | Significance                                               | Source
2007 | Mobile email rises      | iPhone and smartphones normalize truncated email views     | General knowledge
2015 | FBI BEC warnings        | Display name abuse identified as key BEC technique         | FBI IC3
2018 | Gmail improvements      | Gmail adds warnings for emails from external accounts      | Google Blog
2019 | SEG VIP protection      | Proofpoint, Mimecast add executive impersonation detection | Proofpoint
2022 | Continued effectiveness | Display name abuse still primary BEC vector                | FBI IC3 2022

Overview

The From: header has two components: the display name (a human-friendly label) and the actual address (the addr-spec). Email clients, especially on mobile, prominently show the display name while hiding or truncating the address. Attackers exploit this by putting the impersonated identity in the display name while sending from an address they control.

The Attack

Email Address Anatomy

From: "John Smith" <john.smith@company.com>
       └──────────┘  └──────────────────────┘
       Display Name    Actual Email Address

Email clients show:

  • Desktop (expanded): John Smith <john.smith@company.com>
  • Desktop (collapsed): John Smith
  • Mobile: John Smith (address often hidden entirely)

The Exploit

From: "CEO Name <ceo@company.com>" <random123@gmail.com>
       └──────────────────────────┘ └───────────────────┘
       Display Name (what user sees)  Actual Address (hidden)

On mobile, the user sees only the display name text: CEO Name <ceo@company.com>

The actual sending address random123@gmail.com is nowhere visible.

Variations

Executive Impersonation:

From: "Jane Wilson - CEO" <jwilson-ceo@randomdomain.com>

IT/Security Impersonation:

From: "IT Security Team" <security.alert.12345@gmail.com>

Vendor Impersonation:

From: "Accounts Payable - Vendor Inc" <ap-vendor@attacker.com>

Email-in-Display-Name:

From: "boss@company.com" <unrelated@attacker.com>

Why It Works

Mobile-First World:

  • Over 50% of emails read on mobile devices
  • Mobile clients optimize for space, hide addresses
  • Users trained to glance, not scrutinize

User Behavior:

  • People recognize names, not addresses
  • Urgency in message prevents careful inspection
  • Trust in display name is reflexive

Authentication Bypass:

  • SPF checks the envelope sender and sending IP, DKIM the signing domain, and DMARC the domain in the From: address; none of them look at the display name
  • The attacker’s own address and domain can therefore pass all three checks
  • The display name is never authenticated

Classic BEC Scenario

To: accounts@company.com
From: "Michael Chen - CFO" <mchen.cfo2024@gmail.com>
Subject: Urgent Wire Transfer

Hi,

I need you to process a wire transfer today. I'm traveling and can't call.
Please wire $47,500 to the attached account details.

Reply to confirm when done.

Michael

The email passes SPF/DKIM for gmail.com. The display name impersonates the CFO. The accounts team sees “Michael Chen - CFO” and complies.

Raw Email Headers (Display Name Abuse)

The deception is in the From: header display name; everything else is legitimate:

Return-Path: <mchen.cfo2024@gmail.com>
Received: from mail-yw1-f178.google.com (mail-yw1-f178.google.com [209.85.128.178])
        by mx.company.com (Postfix) with ESMTPS id DEF456
        for <accounts@company.com>; Tue, 21 Jan 2025 14:32:15 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601;
        h=from:to:subject:date:message-id;
        bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;
        b=XYZ123...
Authentication-Results: mx.company.com;
        dkim=pass header.d=gmail.com header.s=20230601;
        spf=pass (mx.company.com: domain of mchen.cfo2024@gmail.com
            designates 209.85.128.178 as permitted sender)
            smtp.mailfrom=mchen.cfo2024@gmail.com;
        dmarc=pass (p=NONE sp=QUARANTINE) header.from=gmail.com
From: "Michael Chen - CFO" <mchen.cfo2024@gmail.com>
To: accounts@company.com
Subject: Urgent Wire Transfer
Date: Tue, 21 Jan 2025 14:32:10 -0500
Message-ID: <CA+unique123@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8

Hi,

I need you to process a wire transfer today...

Key observations:

  • dkim=pass: valid Gmail signature
  • spf=pass: sent from legitimate Gmail servers
  • dmarc=pass: aligns with gmail.com (not company.com!)
  • The display name "Michael Chen - CFO" is completely unverified
  • Mobile client shows only: Michael Chen - CFO

Defenses

Email Client Improvements

Some clients now:

  • Always show full address on first view
  • Warn when display name contains @ symbol
  • Highlight when sender is external
  • Show banner for first-time senders

SEG VIP Protection

Secure Email Gateways can:

  • Maintain list of executive names
  • Flag external emails with matching display names
  • Quarantine impersonation attempts
  • Alert security team

Configuration Example:

Protected Names: "CEO Name", "CFO Name", "Controller Name"
Action: If external sender display name matches → quarantine

User Training

Train users to:

  • Tap/click to reveal full address
  • Verify unusual requests via phone
  • Question urgency that prevents verification
  • Report suspected impersonation

Technical Controls

External Email Banners:

[EXTERNAL] This email originated from outside the organization.

Display Name Policy: Some organizations strip display names from external mail entirely.

Current State

Status: Active

Display name abuse remains highly effective:

Protected                   | Not Protected
Nothing by default          | Email authentication
VIP names (with SEG config) | Non-executive names
First-time sender warnings  | Repeated impersonation

The fundamental problem: email clients prioritize usability over security, and display names are entirely unauthenticated.

Detection Guidance

Email Rules

Flag emails where:

(sender.display_name CONTAINS "@"
 OR sender.display_name MATCHES known_executive_pattern)
AND sender.domain IS external
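As an added illustration (not code from the original page), the rule above and the SEG “Protected Names” configuration under Defenses turned into a small Python check, run over the From: values this page uses as examples; the internal domain and the protected-name list are assumptions.

```python
import re
from email.utils import parseaddr

# Assumed values, not from the page: the organisation's own domains and the
# SEG "Protected Names" list of executives it wants watched.
INTERNAL_DOMAINS = {"company.com"}
PROTECTED_NAMES = {"Michael Chen", "Jane Wilson"}

# Anything that looks like an email address inside the display name.
ADDRESS_RE = re.compile(r"[\w.+-]+@(?:[\w-]+\.)+[\w-]+")


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _base_name(display_name):
    # Drop a title suffix such as " - CFO" so "Michael Chen - CFO" still
    # matches the protected entry "Michael Chen"; normalise case/whitespace.
    base = re.split(r"\s+[-|,(]", display_name, maxsplit=1)[0]
    return " ".join(base.lower().split())


def analyze_from(from_header, internal=INTERNAL_DOMAINS,
                 protected=PROTECTED_NAMES):
    """Findings for one From: value, following the page's rule:
    (display name contains "@" OR matches a protected name) AND the
    real sender domain is external. Returns [] when nothing fires."""
    display, addr = parseaddr(from_header)
    if _domain(addr) in internal:
        return []  # the rule targets external senders only
    findings = []
    embedded = ADDRESS_RE.search(display)
    if embedded:
        findings.append("display_name_contains_address")
        # Email-in-Display-Name variant claiming one of our own domains
        if _domain(embedded.group(0)) in internal:
            findings.append("embedded_internal_address")
    if any(_base_name(p) == _base_name(display) for p in protected):
        findings.append("protected_executive_name")
    return findings


if __name__ == "__main__":
    # From: values reproduced from this page's examples.
    for hdr in ('"Michael Chen - CFO" <mchen.cfo2024@gmail.com>',
                '"CEO Name <ceo@company.com>" <random123@gmail.com>',
                '"IT Security Team" <security.alert.12345@gmail.com>',
                '"John Smith" <john.smith@company.com>'):
        print(f"{hdr!r}: {analyze_from(hdr) or 'no finding'}")
```

Note that the "IT Security Team" example produces no finding: a name that is not on the protected list and contains no address slips through, which is exactly the "Non-executive names" gap the page lists under Current State.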

User Reports

Encourage reporting of:

  • Emails from executives requesting unusual actions
  • Messages where displayed name doesn’t match expanded address
  • Requests for wire transfers, gift cards, or sensitive data

SIEM Correlation

email.display_name IN (executive_names)
AND email.sender.domain NOT IN (internal_domains)
AND email.action IN ("wire transfer", "payment", "gift card", "w2")

Metrics to Track

  • Volume of external emails using internal executive names
  • User click-through rate on impersonation emails
  • Time-to-report for display name attacks

What Killed It (or Weakened It)

Defense                                | Introduced | Impact
Show Full Address Option               | 2015       | Email clients add option to always show full email address
Display Name vs Domain Mismatch Alerts | 2018       | Some clients warn when display name contains email-like string
VIP/Executive Impersonation Detection  | 2019       | SEGs flag emails with display names matching internal executives