Users may report phishing emails where the email address does not match the person's real name. This type of spam email is called "From" Spoofing. The display name does not reflect the account information, and it cannot be caught by Message filters. However, the source of the email, so-called Message Headers, reports misalignment of the name and email address.
From: Lisa Harris <john.doe@external_domain.com>
Sent: Monday, December 17, 2018 12:32 PM
Subject: Payment status
It's a challenge to block such spam as these are not your typical spammer that sends out mass spam emails. For instance,
external_domain.com might be a legit Microsoft account domain, so the hackers are using legit mail servers, and the typical filters will not block it.
It might have happened the users' and email addresses' database was compromised, that's why the attackers have Personal data information, such as First and Last names.
The Kerio Connect Anti-spoofing feature will only prevent your domain from being spoofed. However, it does not protect from this type of Spoofing.
Educate the domain users to look at the email address when sending a reply.
Implement Greylisting and SPF features in Kerio Connect.
Greylisting - Every unique triplet (sender, sender IP, recipient) is greylisted. If the spammer keeps on changing their SMTP address, then it will always be greylisted. Though, there is a chance that even legit senders may get greylisted.
SPF - It would depend if the sender domain has implemented SPF, but enabling this can filter those senders pretending to be someone else and will reduce such spam.
Enable Kerio Anti-spam and Bayesian Filters. You need to train your Bayesian Filter by tagging such emails as spam. This may be ineffective at first, but once it learns that such emails are spam, it will be the most effective spam filter.
The Disposition notification is being received by the sender and no phishing email is coming into the legit Kerio user mailbox.