The Target Fraud Forensic Filter is one of three mechanisms comprising Hornetsecurity ATP.

The service is responsible for identifying and preventing spear phishing attacks that target mainly departments or single persons in the company having the authority to release any possible bank transfers.


The filter will use a multitude of different heuristics and mechanism to identify such emails:

  • Intention Recognition System: Checks the email for any content patterns (e.g. requests for bank transferral, requesting sensitive information, etc.)
  • Fraud Attempt Analysis: Checks the integrity and authenticity of meta data and mail content
  • Identity Spoofing Recognition: Identifies and blocks faked senders
  • Spy-Out Detection: Checks if any sensitive information is requested (e.g. passwords)
  • Feign Facts Identification: Checks the email for any attempts to gain information by feign facts
  • Targeted Attack Detection: Detects aimed attacks towards a specific person


The Targeted Fraud Forensic Filter as well as the URL Rewriting will need to be enabled through our customer support. Enabling the ATP filter through the Control Panel will not be sufficient.

In order to allow fast processing of your support request, the structure of the provided data for the TFFF activation is a key factor. Please provide the needed information as described in one of the following examples:

  • Providing the data via csv-file.


prename; surname; domains; email-addresses
joe; doe;;,,
jana; doe;,;
  • Providing the data via table.



 surname domain, alias domain/s
 email-address, alias-email-address/es

Which postboxes should use the TFFF?

The filter is intended to cover decision-makers within the company. It is also possible to activate the filter for all user. The customer support will need a list of email addresses to be checked on in order to enable the service for you.

Typical case studies and configuration recommendations

In order to configure the Target Forensics Fraud Filter for your individual application successfully and correctly, it is necessary to define, which email addresses may be affected by the CEO fraud attempt.

Example 1:
The attacker sends an email to the accounting department on behalf of the management with a payment instruction to a defined account. The accounting department accepts the email, opens it and processes the request, since it comes from the company's own management.

In this example, two addresses are affected by the CEO Fraud, the email address of the management and the email address of the recipient. In this example, the filter should be set up for the CEO.

Example 2:
The attacker sends an email to various employees on behalf of a department / team leader with instructions, such as a payment instruction.

In this case, an entry should be included in the filter for the corresponding department / team leader, since he or she has the authority to make decisions or issue instructions.

If it is planned to use this filter level, it is necessary to list the corresponding email addresses including all associated first and last names.

For successful setup we need a list in CSV format with the following information:
First name; Surname; Domain (as well as alias domains, if available); Email address (as well as alias addresses if available)