Using the Global Blocklist
The Global Blocklist feature uses crowd-sourced information about email threats to help your mail server prevent malicious or spam emails from reaching your users’ inboxes. KnowBe4’s Threat Research Lab compiles data from all PhishER Blocklists and other sources to create and publish Global Blocklist entries. These entries contain values, such as specific email addresses, that your mail server will use to filter unwanted emails.
The Global Blocklist feature is only available for accounts with PhishER Plus. Once you enable this feature and connect it to your Microsoft 365 mail server, KnowBe4 will connect your mail server to the Global Blocklist. When the Threat Research Lab updates the Global Blocklist, it automatically syncs to update entries for your mail server’s blocklist.
To view the Global Blocklist entries, you can navigate to Blocklist > Global Blocklist in your platform. The Global Blocklist entries that are synced to your mail server will display along with your organization’s PhishER Blocklist entries on the Your Syncing Entries subtab. To view only the Global Blocklist entries, select Global Entries from the Filter by Entry Type options.
To learn more about the Global Blocklist, click the links below. For more information about the PhishER Blocklist, see our How to Use the PhishER Blocklist article.
Jump to:
Enabling and Authorizing the Global Blocklist
Monitoring Global Blocklist Entries
Enabling and Authorizing the Global Blocklist
Before you can use the Global Blocklist, you’ll need to enable it in your PhishER platform. You’ll also need to authorize the Global Blocklist by assigning the Exchange Administrator role to the Global Blocklist application in your Microsoft 365 account with Azure Active Directory (AD).
Note: In order to enable the Global Blocklist, your organization will need to have an active Microsoft 365 instance that is tied to the organizational domain. For more information about connecting a mail server, see our PhishER Settings article.
To enable and authorize the Global Blocklist, follow the steps below:
- From PhishER, navigate to Settings > Blocklist.
- If a Microsoft 365 mail server isn’t connected to your blocklist, click Connect to Microsoft 365 and add a connection.
Note: If you’ve already enabled the PhishER Blocklist and connected to your Microsoft 365 mail server, you can skip this step.
- Turn on the toggle button next to Global Blocklist Disabled.
- In the Terms and Conditions pop-up window that opens, review and accept the Privacy Policy and Terms of Service. Once you have reviewed both items, click I Accept.
- Click Save to save your Global Blocklist settings.
- In your Azure AD console, assign the Exchange Administrator role to the Global Blocklist application.
Note: For more information about enabling the blocklist, see our PhishER Settings article.
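Because the last step grants the Exchange Administrator role to an application, it is worth confirming afterwards which applications hold that role in your tenant. The following is an added example, not KnowBe4 or Microsoft code; it assumes the Microsoft Graph PowerShell SDK is installed and that you can recognize the Global Blocklist application by its display name in your tenant, which this page does not state.

```powershell
# Added example: list every application (service principal) that holds the
# Exchange Administrator directory role. Read-only; changes nothing.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Application.Read.All'

# Look the role up by name instead of hard-coding its ID.
$role = Get-MgRoleManagementDirectoryRoleDefinition `
    -Filter "displayName eq 'Exchange Administrator'"

$assignments = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "roleDefinitionId eq '$($role.Id)'" -All

$report = foreach ($a in $assignments) {
    # The principal may be a user or group; keep only service principals.
    $sp = Get-MgServicePrincipal -ServicePrincipalId $a.PrincipalId `
        -ErrorAction SilentlyContinue
    if (-not $sp) { continue }

    [pscustomobject]@{
        DisplayName    = $sp.DisplayName
        AppId          = $sp.AppId
        OwnerTenantId  = $sp.AppOwnerOrganizationId
        AccountEnabled = $sp.AccountEnabled
        Scope          = $a.DirectoryScopeId   # '/' means tenant-wide
    }
}

# Review the result: each row should be an application you expect to see.
$report | Sort-Object DisplayName | Format-Table -AutoSize
```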
Monitoring Global Blocklist Entries
Once the Global Blocklist is enabled and authorized, your organization will have access to the blocklist entries that are managed by KnowBe4’s Threat Research Lab. You can view the full list of Global Blocklist entries by navigating to Blocklist > Your Syncing Entries and selecting Global Entries from the Filter by Entry Type options. If the Global Blocklist and the PhishER Blocklist are enabled for your organization, the Your Syncing Entries subtab will display your PhishER Blocklist entries and the Global Blocklist entries synced to your mail server. Entries are listed by their values. For more information about the Your Syncing Entries page, see the screenshot and list below:
- Filter by Attribute: You can use these filters to view entries with a specific attribute type.
- Filter by Status: You can use these filters to view entries with a specific status.
- Filter by Entry Type: You can use these filters to view only the Global Blocklist entries or the custom entries on your PhishER Blocklist.
- Value: This column displays the entry’s value.
- Status: This column displays the status of the entry in the blocklist. For more information about the statuses, see the list below:
  - Pending: This status indicates that the entry is in the process of being added or deleted from the blocklist.
  - Active: This status indicates that the entry has been successfully added to the blocklist and synced with the connected mail server.
  - Incomplete: This status indicates that an entry has been successfully added and synced to one or more of the connected mail servers, but not all of them.
  - Failed: This status indicates that the entry has not been successfully added and synced. If you have multiple mail servers connected to your blocklist and an entry doesn’t successfully sync with all of them, the entry is displayed as Failed.
- Created By: This column indicates whether the entry was created by a PhishER admin or by KnowBe4. Admin will display if a PhishER admin created the entry for your PhishER Blocklist. KnowBe4 will display if KnowBe4's Threat Research Lab team created the entry for the Global Blocklist.
- Created On: This column displays the date and time when the entry was added to the Global Blocklist.
- Expires On: This column displays the date and time when the entry will be automatically removed from the Global Blocklist.
Note: The entries on your Microsoft 365 Tenant Allow/Block List may take up to 24 hours to sync with the Global Blocklist. In the Expires On column, a synced entry will display the date and time when the entry will be automatically removed from both the Tenant Allow/Block List and the Global Blocklist.
- Action: This column displays the actions available to run on an entry. You can click the trashcan icon to open the Delete Blocklist Entry pop-up window. Then, you can delete an entry from the blocklist. Or, you can delete and ignore an entry to prevent it from being added to the blocklist. To learn about ignored entries, see the Ignoring Entries subsection below.
Your mail server uses information from active entries to filter messages from your users’ inboxes into one of two folders. When a new email contains a URL or File Hash value that matches an entry, the mail server moves the email to the Quarantine folder automatically. When a new email contains a Sender value that matches an entry, the mail server moves the email to the Junk folder automatically. You can also click on an individual entry to view the Blocklist Audit Log page. For more information, see the subsection below.
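To confirm from the Microsoft 365 side that Active entries reached the mail server, you can compare them with the Tenant Allow/Block List mentioned in the note above. This is an added example, not KnowBe4 code; it assumes the ExchangeOnlineManagement module and that synced entries appear there as Block entries of the matching list type, and the `$expected` values are constructed placeholders.

```powershell
# Added example: check that blocklist values shown as Active in PhishER are
# present as Block entries in the Tenant Allow/Block List. Read-only.
Connect-ExchangeOnline -ShowBanner:$false

# Constructed placeholders: replace with values copied from
# Blocklist > Your Syncing Entries.
$expected = @(
    [pscustomobject]@{ ListType = 'Url';      Value = 'www.sitename.com/sitepage' }
    [pscustomobject]@{ ListType = 'FileHash'; Value = '<sha256-from-phisher>' }
)

# Fetch the tenant's Block entries once per list type in use.
$tenant = @{}
foreach ($type in ($expected.ListType | Select-Object -Unique)) {
    $tenant[$type] = @(Get-TenantAllowBlockListItems -ListType $type -Block)
}

# Flag entries that expire within the next 7 days (threshold is arbitrary).
$soon = (Get-Date).ToUniversalTime().AddDays(7)

$report = foreach ($e in $expected) {
    $hit = $tenant[$e.ListType] |
        Where-Object { $_.Value -eq $e.Value } |
        Select-Object -First 1

    [pscustomobject]@{
        ListType       = $e.ListType
        Value          = $e.Value
        InTenantList   = [bool]$hit
        ExpirationDate = $hit.ExpirationDate
        ExpiresSoon    = [bool]($hit -and $hit.ExpirationDate -and
                                $hit.ExpirationDate -lt $soon)
    }
}

$report | Format-Table -AutoSize
```

A value reported as missing may still be inside the sync window of up to 24 hours described in the note above.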
Ignoring Entries
If you would like to prevent entries from being blocked on your mail servers, you can add them to Your Ignored Entries. Your Ignored Entries is a list of entries that can’t be added to your PhishER Blocklist.
From the Blocklist tab's Your Synced Entries subtab, you can ignore existing blocklist entries. From the Your Ignored Entries subtab, you can create new ignored entries. When you ignore an entry, any matching entries on your PhishER Blocklist are marked as Pending to indicate that they will be deleted. You can’t create a matching entry on your blocklist unless the ignored entry is deleted from Your Ignored Entries.
To ignore an existing blocklist entry, follow the steps below:
- Log in to your PhishER platform.
- Navigate to Blocklist > Your Synced Entries.
- Click the trashcan icon in the Actions column for the entry you would like to ignore. The Delete Blocklist Entry pop-up window will open.
- In the Delete Blocklist Entry pop-up window, click Delete and Ignore. An ignored entry will be added to Your Ignored Entries, and the blocklist entry will be marked as Pending to indicate that it will be deleted.
To create an ignored entry from the Your Ignored Entries subtab, follow the steps below:
- Log in to your PhishER platform.
- Navigate to Blocklist > Your Ignored Entries.
- Click on the Create Ignored Entry button in the top-right corner of the page. The Create Ignored Entry pop-up window will open.
- In the Create Ignored Entry pop-up window, set up your entry. For more information, see the screenshot and list below:
  a. Attribute: Select the type of value that you would like to use as an ignored entry.
    - Sender: Select this option to use a sender’s email address or domain as the value. For example, you can enter a full email address like "username@domain.com", or a domain name like "domain.com".
    - URL: Select this option to use a full URL or a host name as the value. For example, you can enter "www.sitename.com/sitepage", or "www.sitename.com".
    - File Hash: Select this option to use an SHA-256 file hash as the value.
- Click Save to add the entry to your ignored entries.
From the Blocklist tab’s Your Ignored Entries subtab, you can monitor your ignored entries. Entries are listed by their values.
For more information about this page, see the screenshot and list below:
- Search: You can use the Search... box to filter the entries using Lucene queries.
Note: To search for entries with similar values, you must use wildcards. For example, you can search for "*yahoo.com" to find all values containing "yahoo.com". For more information, see our How to Use Lucene Query Syntax article.
- Filter by Attribute: Use these filters to view entries with a specific attribute type.
- Value: This column displays the entry’s value.
- Created On: This column displays the date and time when the ignored entry was added.
- Actions: This column displays the actions available to run on an entry. You can click the trashcan icon to delete an ignored entry.
Reviewing the Audit Log
From the Blocklist tab, you can click the Audit Log subtab to open the Blocklist Audit Log page. On this page, you can view activity for the PhishER Blocklist and Global Blocklist, such as when entries are created, deleted, and synced with mail servers.
You can click an entry’s value in the Value column to only display audit log information about the entry. You can also click an entry on the Blocklist Entries List page to open the Blocklist Audit Log page, which displays the entry’s audit log information.
For more information about the Blocklist Audit Log page, see the screenshot and list below:
- Timestamp: This column displays the date and time when the action in the Action column was performed.
- Event Type: This column displays the type of action performed for an entry. The following Event Types are available:
  - Entry Updated: This type indicates that an entry was created or deleted.
  - Entry Synced: This type indicates that an entry was synced to the PhishER Blocklist.
  - Blocklist Synced: This type indicates that all entries were synced for all connected mail servers.
- Value: This column displays the affected entry’s value.
- Updated By: This column shows the source of the action. When an entry is updated, this column will display the email address of the user who updated it. When an individual entry or the blocklist is synced, this column will display the mail server ID or name of the mail server. If the system performed the action, the row will be blank.
- Event Action: This column indicates what action was performed for an entry or the blocklist. The Created/Synced action will display when an entry is created, or when an entry is synced to the connected mail servers. The Deleted action will display when an entry is deleted.
- Status: This column indicates whether the action succeeded or failed.