The Target Fraud Forensic Filter is one of three mechanisms comprising Hornetsecurity ATP.

The service is responsible for identifying and preventing spear phishing attacks that target mainly departments or single persons in the company having the authority to release any possible bank transfers.


The filter will use a multitude of different heuristics and mechanism to identify such emails:

  • Intention Recognition System: Checks the email for any content patterns (e.g. requests for bank transferral, requesting sensitive information, etc.)
  • Fraud Attempt Analysis: Checks the integrity and authenticity of meta data and mail content
  • Identity Spoofing Recognition: Identifies and blocks faked senders
  • Spy-Out Detection: Checks if any sensitive information is requested (e.g. passwords)
  • Feign Facts Identification: Checks the email for any attempts to gain information by feign facts
  • Targeted Attack Detection: Detects aimed attacks towards a specific person


The Target Fraud Forensic Filter as well as the URL Rewriting will need to be enabled through our customer support. Enabling the ATP filter through the Control Panel will not be sufficient.

The mechanism is only intended to cover a few decision-makers within the company. There will be no global check on the domain. The customer support will need a list of email addresses to be checked on in order to enable the service for you.

Typical case studies and configuration recommendations

In order to configure the Target Forensics Fraud Filter for your individual application successfully and correctly, it is necessary to define, which email addresses may be affected by the CEO fraud attempt.

Example 1:
The attacker sends an email to the accounting department on behalf of the management with a payment instruction to a defined account. The accounting department accepts the email, opens it and processes the request, since it comes from the company's own management.

In this example, two addresses are affected by the CEO Fraud, the email address of the management and the email address of the recipient. In this example, the filter should be set up for the CEO.

Example 2:
The attacker sends an email to various employees on behalf of a department / team leader with instructions, such as a payment instruction.

In this case, an entry should be included in the filter for the corresponding department / team leader, since he or she has the authority to make decisions or issue instructions.

If it is planned to use this filter level, it is necessary to list the corresponding email addresses including all associated first and last names.

For successful setup we need a list in CSV format with the following information:
First name; Surname; Domain (as well as alias domains, if available); Email address (as well as alias addresses if available)