Working with Blocklists

Global Blocklist Guide

The Global Blocklist uses crowd-sourced information about email threats to help you prevent malicious or spam emails from reaching your users’ inboxes. KnowBe4’s Threat Research Lab team compiles data from all PhishER Blocklists and other sources to create Global Blocklist entries. These entries contain information that your mail server will use to filter unwanted emails.

The Global Blocklist feature is only available for accounts with PhishER Plus. Once you enable this feature and connect it to your Microsoft 365 mail server, KnowBe4 will connect your mail server to the Global Blocklist. When the Threat Research Lab team updates the Global Blocklist, entries on your mail server's blocklist will be updated automatically.

For more information about the PhishER Blocklist, visit our How to Use the PhishER Blocklist article.

Enabling and Authorizing the Global Blocklist

Before you can use the Global Blocklist, you’ll need to enable it in your PhishER platform. You’ll also need to authorize the Global Blocklist by assigning the Exchange admin role to the Global Blocklist application in your Microsoft 365 account with Microsoft Entra ID.

Note: To enable the Global Blocklist, your organization will need to have an active Microsoft 365 mail server instance that is tied to your organization's domain. For more information about connecting a mail server, read our PhishER Settings: Integrations article.

To enable and authorize the Global Blocklist, follow the steps below:

  1. In your PhishER platform, navigate to Settings > Blocklist.
  2. If a Microsoft 365 mail server isn’t connected to your blocklist, click Connect to Microsoft 365 and add a connection.
    Note: If you’ve already enabled the PhishER Blocklist and connected to your Microsoft 365 mail server, you can skip this step and step 6.
  3. Turn on the toggle next to Global Blocklist Disabled.
  4. In the Terms and Conditions pop-up window that opens, review and accept the Privacy Policy and Terms of Service. Once you have reviewed both of these items, click I Accept.
  5. Click Save to save your Global Blocklist settings.
  6. In your Microsoft Entra ID portal, assign the Exchange Administrator role to the Global Blocklist application. For more information, visit our How to Assign the Exchange Administrator Role to the PhishER Blocklist Application article.

Monitoring Global Blocklist Entries

Once you've enabled and authorized the Global Blocklist, your organization will have access to the blocklist entries that are managed by KnowBe4’s Threat Research Lab team. You can view the full list of Global Blocklist entries by navigating to Blocklist > Your Syncing Entries and selecting Global Entries from the Filter by Entry Type options.

If you've enabled the Global Blocklist and the PhishER Blocklist for your organization, the Your Syncing Entries subtab will display your PhishER Blocklist entries and the Global Blocklist entries synced to your mail server. Entries are listed by their values. For more information about this subtab, view the screenshot and list below:

  1. Filter by Attribute: You can use these filters to view entries with a specific attribute type.
  2. Filter by Status: You can use these filters to view entries with a specific status.
  3. Filter by Entry Type: You can use these filters to view only the Global Blocklist entries or the custom entries on your PhishER Blocklist.
  4. Value: This column displays the entry's value. Values can be a sender's address, URL, or file hash. Your mail server will use this value to filter any emails that have the same value. For more information about how emails will be filtered, view the list below:
    • URL or File Hash: If an email contains a URL or file hash value that matches an entry, your mail server will move the email to the Quarantine folder automatically.
    • Sender: If an email contains a sender value that matches an entry, your mail server will move the email to the Junk folder automatically.
    Tip: You can also click a value in the column to view the Blocklist Audit Log page. For more information, read the Reviewing the Audit Log section of this article.
  5. Status: This column displays the status of the blocklist entry. For more information about the statuses, view the list below:
    • Pending: This status indicates that the entry is in the process of being added to or deleted from the blocklist.
    • Active: This status indicates that the entry has been added to the blocklist and synced with the connected mail server.
    • Incomplete: This status indicates that an entry has been added and synced to one or more of the connected mail servers, but not all of them.
    • Failed: This status indicates that the entry has not been added and synced successfully. If you have multiple mail servers connected to your blocklist and an entry doesn’t sync with all of them, the entry will display as Failed.
  6. Created By: This column indicates who created the entry. Admin will display if a PhishER admin created the entry for your PhishER Blocklist. KnowBe4 will display if KnowBe4's Threat Research Lab team created the entry for the Global Blocklist.
  7. Created On: This column displays the date and time when the entry was added to the Global Blocklist.
  8. Expires On: This column displays the date and time when the entry will be removed from the Global Blocklist and your Microsoft 365 Tenant Allow/Block List.
    Note: The entries on your Microsoft 365 Tenant Allow/Block List may take up to 24 hours to sync with the Global Blocklist.
  9. Actions: In this column, you can click the trashcan icon to open the Delete Blocklist Entry pop-up window. Then, you can delete an entry from your PhishER Blocklist. Or, you can delete and ignore an entry to prevent it from being added to your PhishER Blocklist. To learn about ignored entries, read the Ignoring Entries subsection below.

Ignoring Entries

If you would like to prevent entries from being blocked on your mail servers, you can add them to your ignored entries. Ignored entries can't be added to your PhishER Blocklist.

When you ignore an entry, any matching entries on your PhishER Blocklist will be in the pending status to indicate that they will be deleted. You can’t create a matching entry on your blocklist unless the ignored entry is deleted on the Your Ignored Entries subtab.

To ignore an existing blocklist entry, follow the steps below:

  1. Log in to your PhishER platform.
  2. Navigate to Blocklist > Your Syncing Entries.
  3. Locate the entry you would like to ignore.
  4. Click the trashcan icon in the Actions column for that entry. The Delete Blocklist Entry pop-up window will open.
  5. In the pop-up window, click Delete and Ignore. An ignored entry will be added to the Your Ignored Entries subtab, and the blocklist entry will be in the pending status to indicate that it will be deleted.

To create an ignored entry from the Your Ignored Entries subtab, follow the steps below:

  1. Log in to your PhishER platform.
  2. Navigate to Blocklist > Your Ignored Entries.
  3. Click the Create Ignored Entry button in the top-right corner of the page. The Create Ignored Entry pop-up window will open.
  4. In the pop-up window, create your ignored entry. For more information, view the screenshot and list below:
    • Attribute: Select the type of attribute that you would like to use for your ignored entry.
      • Sender: Select this option to use a sender’s email address or domain as the value. For example, you can enter a full email address like "username@domain.com" or a domain name like "domain.com" for your Value.
      • URL: Select this option to use a full URL or a host name as the value. For example, you can enter "www.sitename.com/sitepage" or "www.sitename.com" for your Value.
      • File Hash: Select this option to use an SHA-256 file hash as the value.
    • Value: In this field, enter the specific value that you want to prevent from being blocked on your mail server. For example, if you select Sender for the Attribute field, you would enter the sender's email address in this field.
  5. Click Save to add the entry to your ignored entries.
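
An added example, not part of KnowBe4's documentation or product code: a pre-flight check for a list of values you plan to enter as ignored entries, using the three attribute formats described above, that also reports which existing PhishER Blocklist entries they would match. The matching rule (case-insensitive, scheme and port ignored), all function names, and the sample values are assumptions made for this sketch; the product's own matching may differ.

```python
import re
from urllib.parse import urlsplit

SHA256 = re.compile(r"[0-9a-fA-F]{64}")
HOST = re.compile(r"(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")

def normalize(attribute, value):
    """Canonical form of an entry value, or ValueError if it does not fit the attribute."""
    v = value.strip()
    if attribute == "File Hash":
        if not SHA256.fullmatch(v):
            raise ValueError("expected a 64-hex-digit SHA-256 hash")
        return v.lower()
    if attribute == "Sender":  # full address or bare domain
        local, at, domain = v.lower().rpartition("@")
        if (at and (not local or re.search(r"\s", local))) or not HOST.fullmatch(domain):
            raise ValueError("expected user@domain or a domain name")
        return local + at + domain
    if attribute == "URL":  # full URL or bare host name
        parts = urlsplit(v if "://" in v else "//" + v)
        host = parts.hostname or ""
        if not HOST.fullmatch(host):
            raise ValueError("expected a URL or host name")
        # Assumption: scheme and port are dropped so both spellings compare equal.
        return host + parts.path + ("?" + parts.query if parts.query else "")
    raise ValueError("unknown attribute: " + attribute)

def plan_ignores(candidates, blocklist):
    """Validate (attribute, value) candidates and list the blocklist entries they match."""
    accepted, rejected = set(), []
    for attribute, value in candidates:
        try:
            accepted.add((attribute, normalize(attribute, value)))
        except ValueError as err:
            rejected.append((attribute, value, str(err)))
    # Matching entries are the ones the article says go to Pending for deletion.
    # Blocklist entries are assumed to be well formed already.
    pending = [e for e in blocklist if (e[0], normalize(*e)) in accepted]
    return accepted, rejected, pending

# Constructed sample data, not real indicators.
CANDIDATES = [("Sender", "Billing@Example.com"), ("Sender", "example.org"),
              ("URL", "https://WWW.Example.net/login"),
              ("File Hash", "abc"), ("File Hash", "A" * 64)]
BLOCKLIST = [("Sender", "billing@example.com"), ("URL", "www.example.net/login"),
             ("File Hash", "b" * 64)]

if __name__ == "__main__":
    accepted, rejected, pending = plan_ignores(CANDIDATES, BLOCKLIST)
    print("rejected:", rejected)
    print("would move to Pending:", pending)
```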

You can monitor all of your ignored entries on the Your Ignored Entries subtab. For more information about this subtab, view the screenshot and list below:

  1. Search...: You can use this field to filter ignored entries by using Lucene queries.
    Note: To search for entries with similar values, you must use wildcards. For example, you can search for "*yahoo.com" to find all values containing "yahoo.com". For more information, read our How to Use Lucene Query Syntax article.
  2. Filter by Attribute: You can use these filters to view entries with a specific attribute type.
  3. Value: This column displays the entry’s value.
  4. Created On: This column displays the date and time when the ignored entry was added.
  5. Actions: In this column, you can click the trashcan icon to delete an ignored entry. If you delete an ignored entry, you can use the entry's value to create a new entry on your PhishER Blocklist.

Reviewing the Audit Log

In your PhishER platform, you can navigate to Blocklist > Audit Log to view your audit log. Your audit log includes activity for your PhishER Blocklist and Global Blocklist, such as when entries are created, deleted, and synced with your mail servers.

For more information about this subtab, view the screenshot and list below:

  1. Timestamp: This column displays the date and time when the action in the Event Action column occurred.
  2. Event Type: This column displays the type of action that occurred. For more information about the event types, view the list below:
    • Entry Updated: This event type indicates that an entry was created or deleted.
    • Entry Synced: This event type indicates that an entry was synced to the PhishER Blocklist.
    • Blocklist Synced: This event type indicates that all entries were synced for all connected mail servers.
  3. Value: This column displays the affected entry’s value.
  4. Updated By: This column displays the source of the action. When an entry is updated, this column will display the email address of the user who updated it. When an individual entry or the blocklists are synced, this column will display the mail server ID or the name of the mail server. If the system performed the action, this column will be blank.
  5. Event Action: This column indicates what action was performed for an entry or the blocklist. Created will display when an entry is created. Synced will display when an entry or blocklist is synced to the connected mail servers. Deleted will display when an entry is deleted.
  6. Status: This column indicates whether the action succeeded or failed.
