Using the PhishER Blocklist
The PhishER Blocklist feature helps your mail server prevent malicious or spam emails from reaching your users’ inboxes. When you review user-reported emails, you can update your blocklist to send information about threats or spam to your mail server.
Once you enable the blocklist and connect it to your Microsoft 365 mail server, you can create and manage a unique list of blocklist entries for your organization. Each blocklist entry contains a value, such as an email address. The blocklist will use the value to identify messages for your mail server to filter. For example, if a new email was sent from an email address that matches an entry’s value, the mail server will automatically move the email to the Junk folder.
Enabling and Authorizing the Blocklist
Before you can create entries, you’ll need to enable the PhishER Blocklist. You’ll also need to authorize the Blocklist by assigning the Exchange Administrator role to the PhishER Blocklist application in your Microsoft 365 account with Azure Active Directory (AD).
Note: In order to enable the blocklist, your organization will need to have an active Microsoft 365 instance that is tied to the organizational domain. For more information about connecting a mail server, see our PhishER Settings article.
To enable and authorize the blocklist, follow the steps below:
- From PhishER, navigate to PhishER > Settings > Blocklist.
- If a Microsoft 365 mail server isn’t connected to your blocklist, click Connect to Microsoft 365 and add a connection.
- Turn on the toggle button next to Disabled, then click Save.
- In your Azure AD console, assign the Exchange Administrator role to the PhishER Blocklist application.
Note: For more information about enabling the blocklist, see our PhishER Settings article.
Creating Blocklist Entries
From the Blocklist tab or the Message Details page, you can create entries to add to your blocklist. If you have enabled PhishML, you can use PhishML tags to help you prioritize messages with values that you want to add to the blocklist.
Once you create entries, they will display in the Blocklist tab’s Your Syncing Entries subtab. You can also delete entries and view the status of each entry’s sync across your mail servers.
Note: An entry cannot be modified after it is created.
To learn how to create entries from the Your Syncing Entries subtab or the Message Details page, see the subsections below.
Creating Entries from the Blocklist Tab
To create a new entry from the Your Syncing Entries subtab, follow the steps below:
- Log in to your PhishER platform.
- Navigate to PhishER > Blocklist > Your Syncing Entries.
- Click on the Create Blocklist Entry button in the top-right corner of the page. The Create Blocklist Entry pop-up window will open.
- In the Create Blocklist Entry pop-up window, set up your entry. For more information, see the screenshot and list below:
a. Attribute: Select the type of value that you would like to use as an entry.
- Sender: Select this option to use a sender’s email address or domain as the value. For example, you can enter a full email address like "username@domain.com", or a domain name like "domain.com".
- URL: Select this option to use a full URL or a host name as the value. For example, you can enter "www.sitename.com/sitepage", or "www.sitename.com".
- File Hash: Select this option to use an SHA-256 file hash as the value.
c. Duration: From this drop-down menu, select the amount of time that you would like the entry to remain on your blocklist. A duration of 60 days is selected by default.
Note: Entries are automatically removed from your blocklist after this duration. Cybercriminals can quickly change tactics, so setting a duration for your entries allows you to keep your blocklist up to date with information from the most recent user-reported messages. The PhishER Blocklist's default duration is similar to Microsoft's Tenant Allow/Block List's default expiration time. For more information, see Microsoft's Manage your allows and blocks in the Tenant Allow/Block List article.
- Click Save to add the entry to your blocklist.
After you've created the entry, you can monitor your entry's status and other details. For more information, see the Monitoring Your Blocklist Entries section of this article.
Creating Entries from Message Details
To create a new entry from the Message Details page, follow the steps below:
- Log in to your PhishER platform.
- Navigate to PhishER > Inbox.
- Select a message to open the Message Details page.
- Click the Create Blocklist Entry button next to an attribute. The Create Blocklist Entry pop-up window will open.
- In the Create Entry pop-up window, set up your entry. For more information, see the screenshot and list below:
a. Attribute: Select the type of value that you would like to use as an entry.
- Sender: Select this option to use a sender’s email address or domain as the value. For example, you can enter a full email address like "username@domain.com", or a domain name like "domain.com".
- URL: Select this option to use a full URL or a host name as the value. For example, you can enter "www.sitename.com/sitepage", or "www.sitename.com".
- File Hash: Select this option to use an SHA-256 file hash as the value.
c. Duration: From this drop-down menu, select the amount of time that you would like the entry to remain on your blocklist. A duration of 60 days is selected by default.
Note: Entries are automatically removed from your blocklist after this duration. Cybercriminals can quickly change tactics, so setting a duration for your entries allows you to keep your blocklist up to date with information from the most recent user-reported messages. The PhishER Blocklist's default duration is similar to Microsoft's Tenant Allow/Block List's default expiration time. For more information, see Microsoft's Manage your allows and blocks in the Tenant Allow/Block List article.
- Click Save to add the entry to your blocklist.
After you've created the entry, you can monitor your entry's status and other details. For more information, see the Monitoring Your Blocklist Entries section of this article.
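Before typing a value into the Create Blocklist Entry window, it helps to confirm that it is well formed for its attribute (Sender, URL or File Hash) and to know when it will expire. The following is an added example, not KnowBe4 or PhishER code: the function names and validation rules are assumptions of this example, and the attachment bytes are constructed.

```python
import hashlib
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Hypothetical helpers: these checks are this example's assumptions about
# well-formed input, not PhishER's own validation rules.
HOST = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
SHA256 = re.compile(r"^[0-9a-f]{64}$")

def file_hash_value(data: bytes) -> str:
    """SHA-256 of an attachment's raw bytes, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()

def normalize(attribute: str, value: str) -> str:
    """Return a cleaned value for the attribute, or raise ValueError."""
    v = value.strip()
    if attribute == "File Hash":
        v = v.lower()
        if not SHA256.match(v):  # rejects MD5/SHA-1 digests, which are shorter
            raise ValueError("File Hash must be 64 hex characters (SHA-256)")
        return v
    if attribute == "Sender":
        local, at, domain = v.lower().rpartition("@")
        if (at and not local) or re.search(r"[\s@]", local) or not HOST.match(domain):
            raise ValueError("Sender must be an email address or a domain")
        return f"{local}{at}{domain}"
    if attribute == "URL":
        parts = urlsplit(v if "://" in v else "//" + v)
        host = parts.hostname or ""
        if not HOST.match(host):  # IP-literal hosts are not handled here
            raise ValueError("URL must contain a valid host name")
        # Scheme-less "host/path" shape, as in the page's examples.
        return host + parts.path.rstrip("/")
    raise ValueError(f"unknown attribute: {attribute}")

def prepare_entry(attribute, value, created, days=60):
    """Cleaned value plus the date the entry would leave the blocklist."""
    return {"attribute": attribute,
            "value": normalize(attribute, value),
            "expires_on": created + timedelta(days=days)}

if __name__ == "__main__":
    sample = b"constructed sample attachment bytes"  # constructed input
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    print(prepare_entry("File Hash", file_hash_value(sample), now))
    print(prepare_entry("URL", "https://WWW.Sitename.com/sitepage/", now))
```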
Monitoring Your Blocklist Entries
From the Blocklist tab’s Your Syncing Entries subtab, you can monitor your blocklist entries. Entries are listed by their values.
For more information about this page, see the screenshot and list below:
- Filter by Attribute: Use these filters to view entries with a specific attribute type.
- Filter by Status: Use these filters to view entries with a specific status.
- Filter by Entry Type: If you have enabled the Global Blocklist, you can use these filters to view only the Global Blocklist entries or the custom entries on your PhishER Blocklist.
- Value: This column displays the entry’s value.
- Status: This column displays the status of the entry in the blocklist. For more information about the statuses, see the list below:
- Pending: This status indicates that the entry is in the process of being added or deleted from the blocklist.
- Active: This status indicates that the entry has been successfully added to the blocklist and synced with the connected mail server.
- Incomplete: This status indicates that an entry has been successfully added and synced to one or more of the connected mail servers, but not all of them.
- Failed: This status indicates that the entry has not been successfully added and synced. If you have multiple mail servers connected to your blocklist and an entry doesn’t successfully sync with all of them, the entry is displayed as Failed.
- Created By: This column indicates whether the entry was created by a PhishER admin or by KnowBe4. Admin will display if a PhishER admin created the entry for your PhishER Blocklist. KnowBe4 will display if KnowBe4's Threat Research Lab team created the entry for the Global Blocklist.
- Created On: This column displays the date and time when the entry was added to the blocklist.
- Expires On: This column displays the date and time when the entry will be automatically removed from the blocklist.
Note: The PhishER Blocklist will sync with your Microsoft 365 mail server every ten minutes. At this time, pending entries on your Microsoft 365 Tenant Allow/Block List will be added to the Your Syncing Entries page. The existing entries on your Tenant Allow/Block List may take up to 24 hours to sync with your PhishER Blocklist. In the Expires On column, a synced entry will display the date and time when the entry will be automatically removed from both blocklists. If the entry did not include a date and time on the Tenant Allow/Block List, the entry will display "Never Expires".
- Action: This column displays the actions available to run on an entry. You can click the trashcan icon to open the Delete Blocklist Entry pop-up window. Then, you can delete an entry from the blocklist. Or, you can delete and ignore an entry to prevent it from being added to the blocklist. To learn about ignored entries, see the Ignoring Entries subsection below.
Your mail server uses information from active entries to filter messages from your users’ inboxes into one of two folders. When a new email contains a URL or File Hash value that matches an entry, the mail server automatically moves the email to the Quarantine folder. When a new email contains a Sender value that matches an entry, the mail server will automatically move the email to the Junk folder.
Ignoring Entries
If you would like to prevent entries from being blocked on your mail servers, you can add them to Your Ignored Entries. Your Ignored Entries is a list of entries that can’t be added to your PhishER Blocklist.
From the Blocklist tab's Your Syncing Entries subtab, you can ignore entries from existing blocklist entries. From the Blocklist tab’s Your Ignored Entries subtab, you can create new ignored entries. When you ignore an entry, any matching entries on your PhishER Blocklist are marked as Pending to indicate that they will be deleted. You can’t create a matching entry on your blocklist unless the ignored entry is deleted from Your Ignored Entries.
Note: If you have a PhishER Plus subscription and enable the Global Blocklist feature, you can also ignore entries from the Global Blocklist. For more information, see our How to Use the Global Blocklist article.
To ignore an existing blocklist entry, follow the steps below:
- Log in to your PhishER platform.
- Navigate to Blocklist > Your Syncing Entries.
- Click the trashcan icon in the Actions column for the entry you would like to ignore. The Delete Blocklist Entry pop-up window will open.
- In the Delete Blocklist Entry pop-up window, click Delete and Ignore. An ignored entry will be added to Your Ignored Entries, and the blocklist entry will be marked as Pending to indicate that it will be deleted.
To create an ignored entry from the Your Ignored Entries subtab, follow the steps below:
- Log in to your PhishER platform.
- Navigate to PhishER > Blocklist > Your Ignored Entries.
- Click on the Create Ignored Entry button in the top-right corner of the page. The Create Ignored Entry pop-up window will open.
- In the Create Ignored Entry pop-up window, set up your entry. For more information, see the screenshot and list below:
a. Attribute: Select the type of value that you would like to use as an ignored entry.
- Sender: Select this option to use a sender’s email address or domain as the value. For example, you can enter a full email address like "username@domain.com", or a domain name like "domain.com".
- URL: Select this option to use a full URL or a host name as the value. For example, you can enter "www.sitename.com/sitepage", or "www.sitename.com".
- File Hash: Select this option to use an SHA-256 file hash as the value.
- Click Save to add the entry to your ignored entries.
From the Blocklist tab’s Your Ignored Entries subtab, you can monitor your ignored entries. Entries are listed by their values.
For more information about this page, see the screenshot and list below:
- Search: You can use the Search... box to filter the entries using Lucene queries.
Note: To search for entries with similar values, you must use wildcards. For example, you can search for "*yahoo.com" to find all values containing "yahoo.com". For more information, see our How to Use Lucene Query Syntax article.
- Filter by Attribute: Use these filters to view entries with a specific attribute type.
- Value: This column displays the entry’s value.
- Created On: This column displays the date and time when the ignored entry was added.
- Actions: This column displays the actions available to run on an entry. You can click the trashcan icon to delete an ignored entry.
Reviewing the Audit Log
From the Blocklist tab, you can click the Audit Log subtab to open the Blocklist Audit Log page. On this page, you can view activity for the PhishER Blocklist and Global Blocklist, such as when entries are created, deleted, and synced with mail servers.
You can click an entry’s value in the Value column to only display audit log information about that entry. You can also click an entry on the Your Syncing Entries page to open the Blocklist Audit Log page, which displays the entry’s audit log information.
For more information about the Blocklist Audit Log page, see the screenshot and list below:
- Timestamp: This column displays the date and time when the action in the Action column was performed.
- Event Type: This column displays the type of action performed for an entry. The following Event Types are available:
- Entry Updated: This type indicates that an entry was created or deleted.
- Entry Synced: This type indicates that an entry was synced to the PhishER Blocklist.
- Blocklist Synced: This type indicates that all entries were synced for all connected mail servers.
- Value: This column displays the affected entry’s value.
- Updated By: This column shows the source of the action. When an entry is updated, this column will display the email address of the user who updated it. When an individual entry or the blocklist is synced, this column will display the mail server ID or name of the mail server. If the system performed the action, the row will be blank.
- Event Action: This column indicates what action was performed for a specific entry or for the blocklist. The Created/Synced action will display when an entry is created, or when an entry or blocklist is synced to the connected mail servers. The Deleted action will display when an entry is deleted.
- Status: This column indicates whether the action succeeded or failed.