What is PhishER?
KnowBe4's PhishER is a Security Orchestration, Automation, and Response (SOAR) platform that manages emails that your users report as suspicious. PhishER is available as a standalone platform but it works best when combined with KMSAT.
Using third-party analysis tools, PhishER breaks down each email into different components: Raw data, headers, attachments, and body. The email components are then examined for potentially malicious content or red flags that may indicate a phishing attack. Based on your organization's customized rules and actions, PhishER will automatically disposition each email so you can prioritize reported emails and respond quickly to real-life phishing attacks.
The purpose of this platform is to provide your organization with a way to evaluate all suspicious emails making it through to the inbox of your users. Using PhishER as a detective security control, your organization can identify potential threats and strengthen your security measures and defense-in-depth plan.
PhishER and SOAR
PhishER is a SOAR platform, meaning it coordinates and automates security tasks across connected security applications and processes. The use of PhishER rules and actions allows your organization to automate the review process of reported email threats making it through to the inbox of your users. Also, the PhishER platform allows integration with third-party analysis tools like VirusTotal and Syslog. The options for integration provide your organization with multiple security scans and evaluations from external security applications. KnowBe4 then displays all internal and external security results in one location: your PhishER platform.
Prerequisites
When using PhishER and KMSAT together, KnowBe4 requires the same number of seats to be purchased for both services. This includes purchasing additional seats throughout the subscription terms. Visit here to request a demo for PhishER.
An email forwarding system for your organization is also required so that all user-reported emails can be forwarded to the PhishER inbox for analysis. Using one of the following email forwarding methods is acceptable:
- Installation of the KnowBe4 Phish Alert Button (PAB) (Recommended)
- Manually forward all suspicious emails to a PhishER generated email address tied to your organization's PhishER platform. If you plan to use this method, refer to the PhishER Settings article for more information.
Enable and Access PhishER
- Log in to your KnowBe4 account and navigate to your Account Settings screen.
- Navigate to the PhishER section and click on the Create PhishER Account button.
- If you're using the PAB to forward user-reported emails to your PhishER inbox, add your reporting email addresses to the Forward Non-Simulated Phishing Emails to field located under the Phish Alert section of your Account Settings.
- At the bottom of the page, click the Save Changes button.
Once PhishER is enabled in your account, the Go to PhishER button will be accessible through your KnowBe4 Account Settings. Clicking on this button will take you directly to your PhishER platform. Alternatively, you may access your PhishER platform by visiting: https://phisher.knowbe4.com
PhishER Workflow
Above is a diagram of the PhishER workflow. We recommend reviewing the PhishER workflow before getting started to better understand how PhishER and PhishRIP work.
The PhishER interface can be broken down into five main sections:
Dashboard
When you enter the PhishER platform, the first screen you will see is the Dashboard. Here, a quick overview of your PhishER platform will appear. Below is a description of each chart and the data it displays:
- Search A search function that allows you to find a dashboard or executive report for a specific search or campaign.
- Edit Dashboard Layout A button that allows you to add and remove widgets from the Dashboard. The widgets represent the elements of the Dashboard, which can be found in this section as numbers 4 through 13, along with their descriptions. Each item can be dragged, dropped, and resized to build a custom layout. Clicking on this icon will give you the option of Reset Dashboard Layout and Add Widget.
- Last 30 days By default, the Dashboard displays data and activity over the last 30 days. However, the Dashboard view can be adjusted to reflect a different date range by clicking on the Last 30 days button in the top-right. This will open the date range pop-up window.
- Reported Messages The number of user-reported messages forwarded to your PhishER inbox.
- Automatically Resolved The number of messages that were dispositioned based on the enabled rules and actions configured in your PhishER platform.
- Manually Resolved The number of messages that were dispositioned without active rules and actions configured in your PhishER platform.
- Unresolved The number of messages that have not been dispositioned in your PhishER platform.
- Received Messages A bar graph used to display the number of user-reported messages forwarded to your PhishER inbox. The data is broken down by the number of messages reported each day or hour.
- Messages Summary A pie chart comparison of PhishER messages in the Automatically Resolved, Manually Resolved, and Pending Review status.
- Reported Messages by Category A line chart used to display how PhishER messages are being dispositioned. A message can be dispositioned in one of three ways: Clean, Spam, or Threat. Each message starts out as being Unknown until further analysis determines otherwise. The data is broken down by the number of messages reported each day or hour for each category.
- Categories A pie chart comparison of how PhishER messages are being dispositioned.
- Reported Messages by Priority A line chart used to display the priority of PhishER messages. A message can be assigned one of the following priorities: Unknown, Low, Medium, High, or Critical. The data is broken down by the number of messages reported each day or hour for each priority type.
- Priorities A pie chart comparison of how PhishER messages are prioritized.
Rooms
The Rooms section of PhishER consists of multiple filtered views of the messages in your PhishER inbox. Each filtered view will be based on your Saved Queries and system generated filters. You can view a filtered Inbox, Dashboard, and Report when clicking on the icons next to the Each PhishER system generated filter is listed below:
- Saved Queries A filtered view set to display all custom queries created from the inbox screen.
- Subject Lines A filtered view set to display and group messages by their subject line.
- Sender Address A filtered view set to display and group messages by the sender address tied to the message.
- Attachment Names A filtered view set to display and group messages by an attachment name found in the message.
- URL Domains A filtered view set to display and group messages by a URL domain embedded in the message.
Each group of messages inside of an emergency room is interactive, which means clicking on a specific group will take you to a filtered view of your inbox. A group of messages is established in an emergency room if a minimum of two messages meets the emergency room criteria.
Inbox
The PhishER inbox is where all user-reported messages will be displayed. From here, you have the ability to manage all of the reported messages. Below is a description of each column of your PhishER inbox:
- Category The grouping of messages based on disposition. A message can be categorized or dispositioned in one of three ways: Clean, Spam, or Threat. Each message starts out as being Unknown until further analysis determines otherwise.
- From The sender name associated with the original source of the message.
- From Email The email address associated with the original source of the message.
- Subject The text found in the Subject line of the original message.
- First Disposition Date The timestamp of when the message was first dispositioned.
- Current Disposition Date The timestamp of when the message's current disposition was applied.
- Reported At The date and time of when the message was received by the PhishER inbox.
- Reported By The name of the user who reported the message.
- Reported By (Email) The email address of the user who reported the message.
- Status The current state of PhishER analysis a message is in. A message can have a status of Received, In Review, or Resolved.
- Tags A label attached to a message based on the message's attributes. There is no limit to the number of tags a message can have. Tags can be automatically or manually assigned to a message.
- Tags are automatically assigned to a message when the message matches a rule containing that specific tag.
- An admin can manually add a tag to a message from the Inbox or Message Detail screen of the PhishER inbox. Adding multiple tags to multiple messages can also be done from the inbox by mass selecting messages.
- All tags are clickable. Clicking on a tag will create a tag-specific filtered view of the PhishER inbox.
- Users can suggest a tag for a message with the Phish Alert Button (PAB) Disposition feature. For more information, see our Adding User Comments and Email Disposition to the Phish Alert Button article.
- Priority Indicates how urgent the review of a message may be due to the potential of it having malicious content. A message can be evaluated as having a Low, Medium, High, Critical, or Unknown priority. The priority of a message is originally determined by the rules and actions put in place by your organization, but an admin has the option to change the priority of a message at any moment.
- PhishRIP This column will be available if PhishRIP is enabled in your PhishER platform. You can click on the plus sign (+) to initiate PhishRIP. If PhishRIP was already initiated on the message, a fishbone icon will display.
Inbox CSV Download
You can download a CSV file of your inbox by clicking on the Download CSV button in the top-right. This CSV file will include all visible and hidden columns of your PhishER inbox. Expand the drop-down for more information.
Column Name | Description |
id | A unique string sequence used to identify the message. |
md5 | The hash value of the message using the md5 algorithm. |
sha1 | The hash value of the message using the sha1 algorithm. |
sha256 | The hash value of the message using the sha256 algorithm. |
status | A message can have a status of Received, In Review, or Resolved. See above for more information. |
attachments_count | The number of attachments included in the message. |
category | A message can be categorized or dispositioned in one of four ways: Clean, Spam, Threat, or Unknown. See above for more information. |
from | The email address associated with the original source of the message. |
from_name | The sender name associated with the original source of the message. |
reply_to | The email address that will populate the to field of an email if the message is replied to. |
reply_to_name | The name or email address that will populate the to field of an email if the message is replied to. |
reported_at | The date and time of when the message was received by the PhishER inbox (UTC format). |
reported_by | The email address of the user who reported the message. |
reported_by_name | The name of the user who reported the message. |
priority | A message can be evaluated as having a Low, Medium, High, Critical, or Unknown priority. See above for more information. |
subject | The text found in the Subject line of the original message. |
tags | All tags that are attached to the message. |
IngestionAddress | The reporting email address used to forward the message to PhishER. |
Current disposition date | The date and time of when the message's current disposition was applied in PhishER (UTC format). |
First disposition date | The date and time of when the message was first dispositioned in PhishER (UTC format). |
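The documented columns are enough to triage an export offline. The Python sketch below is an added example, not KnowBe4 code: it groups messages the way Rooms do (two or more sharing a sender or subject), orders unresolved messages by priority, and lists unresolved messages that share a value with one already dispositioned as Threat. The sample rows, the casing of values, the ISO 8601 timestamps and the rank given to Unknown priority are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export: a subset of the documented column names,
# with made-up values. Real exports carry more columns.
SAMPLE_CSV = """id,status,category,from,from_name,reported_at,reported_by,priority,subject,tags
m1,Received,Unknown,billing@example.test,Billing,2024-01-05T09:00:00Z,ann@corp.test,High,Invoice 4471 overdue,
m2,In Review,Unknown,billing@example.test,Billing,2024-01-05T09:04:00Z,bob@corp.test,Critical,Invoice 4471 overdue,
m3,Resolved,Spam,news@example.test,Newsletter,2024-01-05T10:00:00Z,ann@corp.test,Low,Weekly deals,
m4,Received,Unknown,hr@example.test,HR,2024-01-05T11:00:00Z,cy@corp.test,Unknown,Policy update,
m5,Resolved,Threat,billing@example.test,Billing,2024-01-04T16:30:00Z,dee@corp.test,Critical,Invoice 4471 overdue,
"""

# Triage choice made for this example (not PhishER behaviour): a message
# whose priority is still Unknown is reviewed before Medium and Low ones.
PRIORITY_RANK = {"critical": 0, "high": 1, "unknown": 2, "medium": 3, "low": 4}


def load_export(text):
    """Parse CSV text into a list of dicts keyed by column name."""
    reader = csv.DictReader(io.StringIO(text))
    rows = []
    for row in reader:
        # Short rows yield None values and long rows a None key; tolerate both.
        rows.append({k: (v or "").strip() for k, v in row.items() if k is not None})
    return rows


def clusters(rows, column, minimum=2):
    """Group rows by a column (case-insensitive); keep groups of >= minimum."""
    groups = defaultdict(list)
    for row in rows:
        key = row.get(column, "").lower()
        if key:
            groups[key].append(row)
    return {k: v for k, v in groups.items() if len(v) >= minimum}


def is_open(row):
    """A message is open until its status is Resolved."""
    return row.get("status", "").lower() != "resolved"


def triage_queue(rows):
    """Unresolved messages, highest priority first, oldest report first."""
    def sort_key(row):
        rank = PRIORITY_RANK.get(row.get("priority", "").lower(), 2)
        # Assumes one consistent ISO 8601 UTC format, so strings sort by time.
        return (rank, row.get("reported_at", ""))
    return sorted((r for r in rows if is_open(r)), key=sort_key)


def open_siblings_of_threats(rows, column):
    """Ids of unresolved messages sharing `column` with a Threat message."""
    flagged = []
    for group in clusters(rows, column).values():
        if any(r.get("category", "").lower() == "threat" for r in group):
            flagged.extend(r["id"] for r in group if is_open(r))
    return sorted(flagged)


if __name__ == "__main__":
    rows = load_export(SAMPLE_CSV)
    for sender, group in clusters(rows, "from").items():
        print(f"sender cluster {sender}: {[r['id'] for r in group]}")
    print("review order:", [r["id"] for r in triage_queue(rows)])
    print("escalate:", open_siblings_of_threats(rows, "from"))
```
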
Inbox Columns
If you would like to show or hide specific inbox columns, select the gear icon in the top-right corner of the inbox screen. This will open the Inbox Table Settings pop-up window. Here, you have the option to show or hide columns by checking or unchecking the box to the left of the column name.
Selecting Messages
To select a message, click on the checkbox to the left of the message. When a message is selected, the Run drop-down will appear in the top-left. From this drop-down, you can choose to run an option from the Replay, PhishRIP, Email, or Actions section.
All Rules
This option allows you to run all of your custom rules against the selected message(s). If manually selected, this will also run for emails that do not match the criteria of your tags.
All Rules and All Actions
This option allows you to run all of your custom rules and actions against the selected message(s). If enabled, VirusTotal and/or PhishML will run against the selected message(s) as well.
PhishRIP
Find Similar Messages
This option will open the Find Similar Messages pop-up which allows you to select the match criteria of your PhishRIP query.
Create KMSAT Template
This option sends the selected email to KMSAT to create a new phishing template using a clean version of the email.
Send Custom Email
This option allows you to send a custom email using the Email Template Editor. Click on Send Custom Email to open the template editor in a pop-up window. When your email is ready to be sent, click the Send button.
Actions
Example Custom Action
A list of your custom actions will populate under the Actions section. Choose one of your custom actions to run against the selected message(s).
Alternatively, you may select a custom quick action from the QuickActions bar to run against your selected message(s). Both options may be helpful if a message was received before an action was created.
You also have the option to set a Category, Status, and Priority for the selected message(s) and add multiple tags.
You also have the option to quickly clear the selected message(s) with the Clear Selection button.
Inbox Filters
At the admin level, you have the ability to filter your inbox messages by the following options:
- Category: Clean, Spam, Threat, Unknown
- Status: Received, In Review, Resolved
- Priority: Low, Medium, High, Critical, Unknown
For more filter options, you can use the Search... box to filter your PhishER inbox using Lucene queries. Visit our How to Use Lucene Query Syntax article for more information about how to use Lucene query syntax.
Also, you can save a customized filter by clicking on the Save query as room button. Visit our How to Create a PhishER Room article to learn more.
Message Details
By clicking on an individual message in your PhishER inbox, you will enter the Message Details screen. At the top of the Message Details screen, the following message information will be listed:
- From: The name or email address of the original message source.
- Reply-to: The name or email address that will populate the to field of an email if the message is replied to.
- To: The name or email address of the original message recipient.
- CC: The email address(es) copied on the original message.
- Reported: The date and time of when the message was reported by a user.
- Reported by: The name or email address of the user who reported the message.
All email addresses present in this section of the Message Details screen are clickable. Clicking on an email address will take you to a filtered view of your inbox and display all of the messages tied to the specific email address.
Note: The timestamp displayed in the top-right is when the message was received by the reporter. A phish hook will appear next to the date and time if the message was reported using the KnowBe4 PAB. If the message was not reported using the PAB, a forwarding arrow will show.
For more details about the message, there are seven unique tabs:
View a snapshot of the message from the Preview tab. The snapshot will include the content found in the body of the message. From this snapshot, you will also be able to see the number of attachments and URLs that exist in the message.
Use the Raw Message tab to view the raw version of the message. The raw version is the entirety of the message, including header and body.
The Headers tab provides a view of the message headers. Using the drop-down in the top-right, you may select to view:
- All Headers
- Standard Headers
- Non-Standard Headers
Search through the message headers for specific information using the search bar. By default, the following information will already be highlighted for a quick header scan:
- DKIM
- DMARC
- SPF
- IP address
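The same SPF, DKIM and DMARC check can be run on a downloaded .eml file. The Python sketch below is an added example, not KnowBe4 code: it reads the Authentication-Results headers, counts only those stamped by a mail server you name as trusted (any other copy may have arrived with the message), and reports when the file carries no transport headers at all, which this page says happens for manually forwarded messages. The host names, addresses and both sample messages are constructed.

```python
import re
from email import message_from_string, policy

METHODS = ("spf", "dkim", "dmarc")
RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)\s*=\s*([a-z]+)", re.IGNORECASE)

# Constructed sample: one header stamped by our own gateway (mx.corp.test)
# and one further down that was already present when the message arrived.
SAMPLE_EML = (
    "Received: from mail.example.test (mail.example.test [203.0.113.7])\r\n"
    "\tby mx.corp.test; Fri, 05 Jan 2024 09:00:00 +0000\r\n"
    "Authentication-Results: mx.corp.test;\r\n"
    "\tspf=fail smtp.mailfrom=billing@example.test;\r\n"
    "\tdkim=none; dmarc=fail header.from=example.test\r\n"
    "Authentication-Results: untrusted.example.test; spf=pass; dkim=pass; dmarc=pass\r\n"
    "From: Billing <billing@example.test>\r\n"
    "Subject: Invoice 4471 overdue\r\n"
    "\r\n"
    "Please see the attached invoice.\r\n"
)

# Constructed sample of a manually forwarded report: no transport headers.
SAMPLE_FORWARDED = (
    "Subject: Fwd: Invoice 4471 overdue\r\n"
    "\r\n"
    "Please see the attached invoice.\r\n"
)


def auth_results(raw_eml, trusted_authserv):
    """Return SPF/DKIM/DMARC verdicts from headers added by trusted_authserv.

    Verdicts are None when the file has no transport headers, and "missing"
    when headers exist but the trusted server recorded no result for a method.
    "ignored" counts Authentication-Results headers from other servers.
    """
    msg = message_from_string(raw_eml, policy=policy.default)
    headers = msg.get_all("Authentication-Results", [])
    result = {
        "headers_present": bool(headers or msg.get_all("Received")),
        "spf": None, "dkim": None, "dmarc": None, "ignored": 0,
    }
    if not result["headers_present"]:
        return result  # nothing to evaluate; do not read this as a pass
    for method in METHODS:
        result[method] = "missing"
    for header in headers:
        value = " ".join(str(header).split())  # collapse folding whitespace
        parts = value.split(";", 1)
        authserv = parts[0].split()
        if not authserv or authserv[0].lower() != trusted_authserv.lower():
            result["ignored"] += 1
            continue
        body = parts[1] if len(parts) > 1 else ""
        for method, verdict in RESULT_RE.findall(body):
            method = method.lower()
            if result[method] == "missing":  # keep the first verdict seen
                result[method] = verdict.lower()
    return result


if __name__ == "__main__":
    print(auth_results(SAMPLE_EML, "mx.corp.test"))
    print(auth_results(SAMPLE_FORWARDED, "mx.corp.test"))
```
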
Use the Attachments tab to view more information about the attachment(s) sent with the message. If available, the following information will be displayed:
- File Size
- File Type
- MD5
- SHA256
Here, you will have the option to download the attachment by clicking on the download icon to the right of the attachment name. If you would like to see all of the messages in your PhishER inbox that have this attachment, click on the title of the attachment to be taken to a filtered view of your inbox.
You can also filter your Attachment view by clicking on the All Attachments drop down button. You can narrow down your list to only seeing the attachments that were labeled as bad.
You may also run a scan through VirusTotal by clicking on the Scan with VirusTotal button. If a scan was completed, the View VirusTotal Report option will appear.
Note:
To scan with VirusTotal, your PhishER platform must be integrated with VirusTotal. Visit here to learn how to integrate your PhishER platform with VirusTotal.
Use the Domains and URLs tab to view the details of each domain and URL detected in the message. The information displayed will include two sections:
SENDER INFO
Domain: thisismyfull-link.com
LINKS INFO
Full Link | First Seen | Last Seen | |
https://www.thisismyfull-link.com | Dec 17, 2018 at 2:26 PM | Dec 17, 2018 at 2:26 PM | Scan with VirusTotal |
If you would like to view all of the messages in your PhishER inbox that contain this link, click on the link to be taken to a filtered view of your inbox. To copy a link, click on the copy icon to the right of the URL.
You can filter all of the redirector links found in the message from the All URLs drop-down menu. If a message does not have redirector links, the target URL will be used to filter your results. You can filter your URL view based on the following options:

You may also run a scan through VirusTotal by clicking on the Scan with VirusTotal button. If a scan was completed, the View VirusTotal Report option will appear.
Note:
To scan with VirusTotal, your PhishER platform must be integrated with VirusTotal. Visit our PhishER Settings article to learn how to integrate your PhishER platform with VirusTotal.
In addition to VirusTotal being integrated with your PhishER platform, you must also have Full Message and Message Details access in order to use the Scan with VirusTotal button. Visit our PhishER Settings article to learn more about Security Role access.
The Matched Rules tab will display a table of all of the rules that the message matched after the system runs. This will provide insight into why a certain tag was assigned to the message.
Name | Description | Matched On | Matched Count | Tags |
Invoice | Rule looking for Invoice | Dec 17, 2018 10:10 AM | 3 | Invoice |
Note: The Matched Count column refers to the number of times the rule has matched a message in your PhishER inbox.
The History tab will display all of the User, Action, and Rule events associated with the message. Expand the drop-downs below for more information about each type of event.
A user event is a user-initiated action that was manually applied to a message and caused the message to change. Below is a list of user events:
Field changed by User User_Name on Mon DD, YYYY at H:MM
- Status changed from ___ to ___
- Category changed from ___ to ___
- Priority changed from ___ to ___
Tag changed by User User_Name on Mon DD, YYYY at H:MM
- Tags added: ____________
- Tags removed: ____________
Marked as read by User User_Name on Mon DD, YYYY at H:MM
- Message was marked as read
VirusTotal ran by User User_Name on Mon DD, YYYY at H:MM
- VirusTotal scan initiated for Link URL or Attachment Name
- Tags added: ____________
VirusTotal Completed on Mon DD, YYYY at H:MM
- Url: ____________
- Scanned: ____________
- Positives: ____________
- Scan Date: ____________
- Permalink: ____________
- Tags added: ____________
- Tags removed: ____________
Find Similar Messages completed by User User_Name on Mon DD, YYYY at H:MM
- Query status: Complete
- Users count: ___
- Results count: ___
- Read count: ___
Find Similar Messages started by User User_Name on Mon DD, YYYY at H:MM
- New query initiated.
An action event occurs when a triggered action caused a message to change. Below is a list of action events:
Field changed by Action Action_Name on Mon DD, YYYY at H:MM
- Status changed from ___ to ___
- Category changed from ___ to ___
- Priority changed from ___ to ___
Tag changed by Action Action_Name on Mon DD, YYYY at H:MM
- Tags added: ____________
- Tags removed: ____________
Email sent by Action Action_Name on Mon DD, YYYY at H:MM
- Email sent to: ____________
- Email_Template_Name sent to: ____________
A rule event occurs when a matched rule caused a message to change. Below is a list of rule events:
Tag changed by Rule Rule_Name on Mon DD, YYYY at H:MM
- Tags added: ____________
Actions and Discussion
Located to the right of the Message Details is the Actions and Discussion sidebar.
Actions
Under the Actions tab, you have the option to:
- Run an action against the message by clicking on one of your custom QuickActions.
- Initiate a PhishRIP query, see how many PhishRIP queries were initiated and the date of the last query, or view past PhishRIP queries that were created for this message.
- Download a copy of the original email by clicking on the Download Original Email button. This download will be a .eml file. Note: If an email was manually forwarded to your PhishER inbox instead of being reported via the Phish Alert Button (PAB), the downloaded message will not include email headers.
- Using the Run drop-down, you can:
  - Replay Run all rules or all rules and actions against the message
  - PhishRIP Create a KMSAT template
  - Email Send a custom email
  - Actions Run a single action against the message
- Add or remove a message's Assigned Tags.
- Review your PhishML confidence results.
- Delete the message by clicking on the Delete Message button.
Discussion
The Discussion feature provides a platform for PhishER admins to communicate with each other about a specific message. Behaving as a chat window, this method of communication may be useful for organizations with multiple admins managing the PhishER inbox. To post a comment in the Discussion tab:
- Click in the Comment here text box to write your message.
- Then, click on the Send button. Keep in mind, this comment will be visible to all admins with PhishER access.
Users can communicate with admins about specific messages when they use the Phish Alert Button (PAB). When users leave a comment while using the PAB, the comment will appear in the Discussion tab. For more information, see our Adding User Comments and Email Disposition to the Phish Alert Button article.
Rules
A rule is a logical expression used to disposition emails forwarded to the PhishER inbox. Based on the rule that was created, a Tag will be added to the emails as they are forwarded to the PhishER inbox. There are two types of rules:
- Custom Rules Rules your organization creates from scratch using the PhishER Rule Editor.
- System Rules A default set of rules provided by KnowBe4.
Note:
All PhishER rules must follow YARA Rule logic to disposition emails. Visit our How to Write YARA Rules article to learn more about writing YARA Rules.
On the rules page, there are two tabs: Custom Rules and System Rules. Select a tab to view the Rules List. The Rules List contains all Custom or System Rules in your PhishER platform.
- Name The unique name assigned to the rule.
- Description A custom description of the rule. For best practices, we recommend providing a brief description of the rule's intended behavior.
- Rule Target The part of a message the rule is run against.
- Status The current state of the rule. A rule can be enabled or disabled. Use the toggle button to change the status of a rule. For a rule to run against emails in your PhishER inbox, it must be enabled.
- Updated At The date and time of when the rule last had changes applied to it.
- Matched Count The number of times the rule matched a message in your PhishER inbox.
- Tags All of the tags attached to a message if it matches the rule.
For a filtered view of your Enabled or Disabled rules, use the Filter By Status drop-down in the top-right.
If you would like to create a custom rule, visit our How Do I Create a Rule and Action in PhishER? article for more information.
Actions
When a message is assigned a tag, the tag will indicate how the message should be handled in PhishER. This handling process is considered an Action. All actions have to be created in your PhishER platform from the Post Actions screen.
- Name The custom name of your action. We suggest selecting a descriptive name to easily recall the action's behavior.
- Description A custom summary of the action.
- Status The current state of an action. An action can have a status of Active or Inactive.
- To change the status of an action, click on the action. Then, toggle the Active Status button in the top-right of the Action Details screen.
- Last Updated At The date and time of when a change was last made to the action.
- Trigger Tags All of the tags that will trigger this specific action to take place.
All of your actions will be listed on the Post Actions screen. Here, you have the option to arrange your actions by dragging and dropping them. It's important to arrange your actions in a meaningful order. This is because your actions will run in sequential order, from top to bottom.
If you would like to create an action, visit our How Do I Create a Rule and Action in PhishER? article for more information.
Reports
The Reports screen will display five different dashboards of information:
To view a report, click on the respective dashboard panel. Below is a description of each report and the information it provides. By default, each report displays data and activity over the last 30 days. However, the report view can be adjusted to reflect a different date range using the drop-down in the top-right of the report screen. You can also show and hide columns on the different report pages to include whether the message is Unknown, Clean, Spam, or a Threat.
You can download a CSV file of each report by clicking on the Download CSV button in the top-right. This CSV file will include all the details of the report. If a report contains a row for messages grouped as Other, those messages will be listed individually in the CSV file.
Attachments
The Attachments report includes a chart of the information listed in the table below. As well, there is a Most Common Attachment Types pie chart visible to provide a proportional representation of the data found in the table.
File Extension | Message Count | Unknown | Clean | Spam | Threat |
The attachment file extension type. Note: Only the top ten attachment file extension types will be displayed. The Other row indicates the number of additional attachment file extension types that were reported. | The number of messages in your PhishER inbox that have this file extension. | The number of messages in your PhishER inbox that have this file extension and determined to be Unknown. | The number of messages in your PhishER inbox that have this file extension and determined to be Clean. | The number of messages in your PhishER inbox that have this file extension and determined to be Spam. | The number of messages in your PhishER inbox that have this file extension and determined to be a Threat. |
Reporters
The Reporters report includes a chart of the information listed in the table below. As well, there is a Most Common Reporters pie chart visible to provide a proportional representation of the data found in the table.
Reporter | Message Count | Unknown | Clean | Spam | Threat |
The email address of the user responsible for reporting messages to the PhishER inbox. Note: Only the top ten reporters will be displayed. The Other row indicates the number of additional reporters that reported a message. | The number of messages the reporter has forwarded to the PhishER inbox. | The number of messages in your PhishER inbox that were forwarded by the reporter and determined to be Unknown. | The number of messages in your PhishER inbox that were forwarded by the reporter and determined to be Clean. | The number of messages in your PhishER inbox that were forwarded by the reporter and determined to be Spam. | The number of messages in your PhishER inbox that were forwarded by the reporter and determined to be a Threat. |
Senders
The Senders report includes a Most Common Senders pie chart to provide a proportional representation of the data found in the table.
Sender Domain | Message Count | Unknown | Clean | Spam | Threat |
The sender domain tied to the original source of the reported message. Note: Only the top ten sender domains will be displayed. The Other row indicates the number of additional sender domains that were reported. | The number of messages forwarded to your PhishER inbox with this sender domain. | The number of messages forwarded to your PhishER inbox with this sender domain and determined to be Unknown. | The number of messages forwarded to your PhishER inbox with this sender domain and determined to be Clean. | The number of messages forwarded to your PhishER inbox with this sender domain and determined to be Spam. | The number of messages forwarded to your PhishER inbox with this sender domain and determined to be a Threat. |
Domains and URLs
The Domains and URLs report includes a Most Common Domains and URLs pie chart to provide a proportional representation of the data found in the table. You can find a list of all of the supported URL rewriters and shorteners that are compatible with PhishER in our PhishER FAQ article.
Domain | Message Count | Unknown | Clean | Spam | Threat |
The URL domain associated with a message in your PhishER inbox. Note: Only the top ten domains and URLs will be displayed. The Other row indicates the number of additional domains and URLs that were reported. | The number of messages forwarded to your PhishER inbox with this URL domain. | The number of messages forwarded to your PhishER inbox with this URL domain and determined to be Unknown. | The number of messages forwarded to your PhishER inbox with this URL domain and determined to be Clean. | The number of messages forwarded to your PhishER inbox with this URL domain and determined to be Spam. | The number of messages forwarded to your PhishER inbox with this URL domain and determined to be a Threat. |
Tags
The Tags report includes a Most Common Tags pie chart to provide a proportional representation of the data found in the table.
Tag | Message Count | Unknown | Clean | Spam | Threat |
The tag applied to at least one message in your PhishER inbox. Note: Only the top ten tags will be displayed. The Other row indicates the number of additional tags that were applied. | The number of messages in your PhishER inbox that include this tag. | The number of messages in your PhishER inbox with this tag and determined to be Unknown. | The number of messages in your PhishER inbox with this tag and determined to be Clean. | The number of messages forwarded to your PhishER inbox with this tag and determined to be Spam. | The number of messages in your PhishER inbox with this tag and determined to be a Threat. |
Additional Resources
- PhishER Settings
- How Do I Create a Rule and Action in PhishER?
- How to Create a PhishER Room
- How to Write YARA Rules
- How to Use Lucene Query Syntax