Using the PhishER Blocklist
The PhishER Blocklist feature helps your mail server prevent malicious or spam emails from reaching your users’ inboxes. When you review user-reported emails, you can update your blocklist to send information about threats or spam to your mail server.
Once you enable the blocklist and connect it to your Microsoft 365 mail server, you can create and manage a unique list of blocklist entries for your organization. Each blocklist entry contains a value, such as an email address. The blocklist will use the value to identify messages for your mail server to filter. For example, if a new email was sent from an email address that matches an entry’s value, the mail server will automatically move the email to the Junk folder.
Jump to:
Enabling and Authorizing the Blocklist
Monitoring Your Blocklist Entries
Enabling and Authorizing the Blocklist
Before you can create entries, you’ll need to enable the PhishER Blocklist. You’ll also need to authorize the Blocklist by assigning the Exchange Administrator role to the PhishER Blocklist application in your Microsoft 365 account with Azure Active Directory (AD).
Note: In order to enable the blocklist, your organization will need to have an active Microsoft 365 instance that is tied to the organizational domain. For more information about connecting a mail server, see our PhishER Settings article.
To enable and authorize the blocklist, follow the steps below:
- From PhishER, navigate to PhishER > Settings > Blocklist.
- If a Microsoft 365 mail server isn’t connected to your blocklist, click Connect to Microsoft 365 and add a connection.
- Turn on the toggle button next to Disabled, then click Save.
- In your Azure AD console, assign the Exchange Administrator role to the PhishER Blocklist application.
Note: For more information about enabling the blocklist, see our PhishER Settings article.
Creating Blocklist Entries
From the Blocklist tab or the Message Details page, you can create entries to add to your blocklist. If you have enabled PhishML, you can use PhishML tags to help you prioritize messages with values that you want to add to the blocklist.
Once you create entries, they will display in the Blocklist tab’s Blocklist Entries page. You can also delete entries and view the status of each entry’s sync across your mail servers.
Note: An entry cannot be modified after it is created.
To learn how to create entries from the Blocklist tab or the Message Details page, see the subsections below.
Creating Entries from the Blocklist Tab
To create a new entry from the Blocklist tab, follow the steps below:
- Log in to your PhishER platform.
- Navigate to PhishER > Blocklist to open the Blocklist Entries page.
- Click on the Create New Entry button in the top-right corner of the page. The Create Entry pop-up window will open.
- In the Create Entry pop-up window, set up your entry. For more information, see the screenshot and list below:
a. Attribute: Select the type of value that you would like to use as an entry.
- Sender: Select this option to use a sender’s email address or domain as the value. For example, you can enter a full email address like "username@domain.com", or a domain name like "domain.com".
- URL: Select this option to use a full URL or a host name as the value. For example, you can enter "www.sitename.com/sitepage", or "www.sitename.com".
- File Hash: Select this option to use an SHA-256 file hash as the value.
c. Duration: From this drop-down menu, select the amount of time that you would like the entry to remain on your blocklist. A duration of 30 days is selected by default.
Note: Entries are automatically removed from your blocklist after this duration. Cybercriminals can quickly change tactics, so setting a duration for your entries allows you to keep your blocklist up to date with information from the most recent user-reported messages. The PhishER Blocklist's default duration is similar to Microsoft's Tenant Allow/Block List's default expiration time. For more information, see Microsoft's Manage your allows and blocks in the Tenant Allow/Block List article.
- Click Save to add the entry to your blocklist.
After you've created the entry, you can monitor your entry's status and other details. For more information, see the Monitoring Your Blocklist Entries section of this article.
Creating Entries from Message Details
To create a new entry from the Message Details page, follow the steps below:
- Log in to your PhishER platform.
- Navigate to PhishER > Inbox.
- Select a message to open the Message Details page.
- Click the Create Blocklist Entry button next to an attribute. The Create Entry pop-up window will open.
- In the Create Entry pop-up window, set up your entry. For more information, see the screenshot and list below:
a. Attribute: Select the type of value that you would like to use as an entry.
- Sender: Select this option to use a sender’s email address or domain as the value. For example, you can enter a full email address like "username@domain.com", or a domain name like "domain.com".
- URL: Select this option to use a full URL or a host name as the value. For example, you can enter "www.sitename.com/sitepage", or "www.sitename.com".
- File Hash: Select this option to use an SHA-256 file hash as the value.
c. Duration: From this drop-down menu, select the amount of time that you would like the entry to remain on your blocklist. A duration of 30 days is selected by default.
Note: Entries are automatically removed from your blocklist after this duration. Cybercriminals can quickly change tactics, so setting a duration for your entries allows you to keep your blocklist up to date with information from the most recent user-reported messages. The PhishER Blocklist's default duration is similar to Microsoft's Tenant Allow/Block List's default expiration time. For more information, see Microsoft's Manage your allows and blocks in the Tenant Allow/Block List article.
- Click Save to add the entry to your blocklist.
After you've created the entry, you can monitor your entry's status and other details. For more information, see the Monitoring Your Blocklist Entries section of this article.
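The example below is an added illustration, not KnowBe4 or PhishER code: it pulls the three attribute types described above (Sender, URL, File Hash) out of a reported message so an analyst can review candidate values and the default 30-day expiry before entering them in the Create Entry window. The sample message and the function name `blocklist_candidates` are assumptions made for this example.

```python
import hashlib
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample of a user-reported message (not real data).
SAMPLE_EML = """\
From: "Accounts Payable" <billing@invoices.example>
To: user@corp.example
Subject: Overdue invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Review your invoice at https://pay.invoices.example/view?id=42 today.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.bin"
Content-Transfer-Encoding: base64

aGVsbG8gd29ybGQ=
--b1--
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def blocklist_candidates(raw_eml, days=30, now=None):
    """Return candidate (attribute, value) pairs and the entry's expiry time."""
    msg = message_from_string(raw_eml, policy=policy.default)
    now = now or datetime.now(timezone.utc)
    found = []
    address = parseaddr(str(msg["From"]))[1].lower()
    if "@" in address:  # Sender accepts a full address or just its domain
        found += [("Sender", address), ("Sender", address.split("@", 1)[1])]
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.is_attachment():  # File Hash is SHA-256 of the decoded bytes
            digest = hashlib.sha256(part.get_payload(decode=True)).hexdigest()
            found.append(("File Hash", digest))
        elif part.get_content_type() == "text/plain":
            for url in URL_RE.findall(part.get_content()):
                url = url.rstrip(".,;)")  # URL accepts a full URL or its host
                found += [("URL", url), ("URL", urlsplit(url).hostname)]
    return found, now + timedelta(days=days)
```

Choosing between the narrow value (full address, full URL) and the broad one (domain, host name) is the analyst's call; the broad form also matches legitimate mail that shares that domain or host.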
Monitoring Your Blocklist Entries
From the Blocklist tab’s Blocklist Entries page, you can monitor your blocklist entries. Entries are listed by their values.
For more information about this page, see the screenshot and list below:
a. Filter by Attribute: Use these filters to view entries with a specific attribute type.
b. Filter by Status: Use these filters to view entries with a specific status.
c. Value: This column displays the entry’s value.
d. Status: This column displays the status of the entry in the blocklist. For more information about the statuses, see the list below:
- Pending: This status indicates that the entry is in the process of being added to or deleted from the blocklist.
- Active: This status indicates that the entry has been successfully added to the blocklist and synced with the connected mail server.
- Incomplete: This status indicates that an entry has been successfully added and synced to one or more of the connected mail servers, but not all of them.
- Failed: This status indicates that the entry has not been successfully added and synced. If you have multiple mail servers connected to your blocklist and an entry doesn’t successfully sync with all of them, the entry is displayed as Failed.
e. Created On: This column displays the date and time when the entry was added to the blocklist.
f. Expires On: This column displays the date and time when the entry will be automatically removed from the blocklist.
Note: The PhishER Blocklist will sync with your Microsoft 365 mail server every ten minutes. At this time, pending entries on your Microsoft 365 Tenant Allow/Block List will be added to the Blocklist Entries page. The existing entries on your Tenant Allow/Block List may take up to 24 hours to sync with your PhishER Blocklist. In the Expires On column, a synced entry will display the date and time when the entry will be automatically removed from both blocklists. If the entry did not include a date and time on the Tenant Allow/Block List, the entry will display "Never Expires".
g. Action: This column displays the actions available to run on an entry. You can click the trashcan icon to delete an entry from the blocklist.
Your mail server uses information from active entries to filter messages from your users’ inboxes into one of two folders. When a new email contains a URL or File Hash value that matches an entry, the mail server automatically moves the email to the Quarantine folder. When a new email contains a Sender value that matches an entry, the mail server will automatically move the email to the Junk folder.