FAQ: PhishER

In this article, you can find frequently asked questions about using KnowBe4's PhishER platform. If you have additional questions that this article doesn’t include, please submit a ticket to our support team.

To learn more about PhishER, see our PhishER Product Manual.

General Information

For general information about PhishER, see the questions and answers below:

  1. How is my information protected on the PhishER platform?
  2. How do I grant and manage access to PhishER for other members of my organization?
  3. How can I purchase PhishER for my organization?
  4. What URL rewriters and shorteners are compatible with PhishER?
  5. Can I use PhishER to process and block viruses?
  6. Is the data sent to and from my PhishER platform encrypted?

How is my information protected on the PhishER platform?

PhishER uses all of KnowBe4's security and privacy best practices, as detailed on our Security Statement page. For an added layer of protection, you can enable multi-factor authentication on your admin account in your KSAT console.

How do I grant and manage access to PhishER for other members of my organization?

PhishER account admins can grant PhishER access to other members of your organization by enabling the PhishER setting in their User Profiles in the KSAT console. KSAT admins have access to PhishER automatically.

Account admins can also disable PhishER access from the KSAT User Profile.

How can I purchase PhishER for my organization?

If you would like to purchase the PhishER platform, contact your Account Manager. If you're unsure who your Account Manager is, you can contact our support team.

What URL rewriters and shorteners are compatible with PhishER?

If you would like to rewrite or shorten a URL, such as a URL used to set up a webhook, we recommend that you use one of our compatible rewriters and shorteners.

For a list of supported URL shorteners, see the table below:

Name        URL
Bitly       bit.ly
Bitdo       bit.do
Capsulink   cli.re, [www.]capsulink.com
Googl       goo.gl
Owly        ow.ly
TinyURL     tinyurl.com

For a list of supported URL rewriters, see the table below:

Name             URL
Barracuda        linkprotect.cudasvc.com
Cisco            secure-web.cisco.com
FireEye          *.fireeye.com
Google (Gmail)   [www.]google.com
Mimecast         protect-*.mimecast.com
Outlook          *.safelinks.protection.outlook.com
PostOffice       clicktime.cloud.postoffice.net
Proofpoint       urldefense.proofpoint.com
Sophos           *.protection.sophos.com
Symantec         clicktime.symantec.com
TrendMicro       *.trendmicro.com
Trustwave        scanmail.trustwave.com
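As an added example (not KnowBe4's code), the following Python snippet encodes the two tables above and reports whether a URL's host belongs to one of the listed shorteners or rewriters. A triage script can use this to recognise that the visible host of a link is a shortening or rewriting service rather than the final destination. The host entries, including `[www.]` for an optional prefix and `*` as a wildcard, are taken from the tables; the function names and the sample URLs are the example's own.

```python
import fnmatch
from urllib.parse import urlsplit

# Host patterns copied from the two tables above. "[www.]" marks an optional
# "www." prefix and "*" is a wildcard, exactly as the tables write them.
SHORTENERS = {
    "Bitly": ["bit.ly"],
    "Bitdo": ["bit.do"],
    "Capsulink": ["cli.re", "[www.]capsulink.com"],
    "Googl": ["goo.gl"],
    "Owly": ["ow.ly"],
    "TinyURL": ["tinyurl.com"],
}

REWRITERS = {
    "Barracuda": ["linkprotect.cudasvc.com"],
    "Cisco": ["secure-web.cisco.com"],
    "FireEye": ["*.fireeye.com"],
    "Google (Gmail)": ["[www.]google.com"],
    "Mimecast": ["protect-*.mimecast.com"],
    "Outlook": ["*.safelinks.protection.outlook.com"],
    "PostOffice": ["clicktime.cloud.postoffice.net"],
    "Proofpoint": ["urldefense.proofpoint.com"],
    "Sophos": ["*.protection.sophos.com"],
    "Symantec": ["clicktime.symantec.com"],
    "TrendMicro": ["*.trendmicro.com"],
    "Trustwave": ["scanmail.trustwave.com"],
}


def expand_pattern(entry):
    """Turn one table entry into the glob pattern(s) it stands for.

    "[www.]capsulink.com" means both "capsulink.com" and "www.capsulink.com".
    It must be expanded by hand: fnmatch would otherwise read "[www.]" as a
    character class matching a single 'w' or '.'.
    """
    if entry.startswith("[www.]"):
        bare = entry[len("[www.]"):]
        return [bare, "www." + bare]
    return [entry]


def classify_url(url):
    """Return (vendor, kind) when the URL's host matches a listed service.

    kind is "shortener" or "rewriter"; None is returned for any other host.
    Hosts are compared case-insensitively, a trailing dot is ignored, and a
    bare "host/path" string without a scheme is accepted.
    """
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return None
    for kind, table in (("shortener", SHORTENERS), ("rewriter", REWRITERS)):
        for vendor, entries in table.items():
            for entry in entries:
                for glob in expand_pattern(entry):
                    if fnmatch.fnmatchcase(host, glob):
                        return vendor, kind
    return None


if __name__ == "__main__":
    # Constructed sample links, not real reported URLs.
    for sample in (
        "https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fexample.org",
        "https://protect-eu.mimecast.com/s/abcd",
        "https://WWW.google.com/url?q=https://example.org",
        "bit.ly/3xyz",
        "https://example.org/login",
    ):
        print(f"{sample} -> {classify_url(sample)}")
```

The `*.` entries are matched literally as written in the table, so `*.fireeye.com` matches any subdomain of fireeye.com but not the bare apex; adjust the patterns if your environment needs the apex as well.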

Can I use PhishER to process and block viruses?

No, you cannot use PhishER to process and block viruses. PhishER was not designed to be a mail filter. The purpose of PhishER is to provide your organization with a platform to evaluate all suspicious emails reported by your users. However, you can use PhishER to detect common elements in the reported emails to automate your incident response actions.

Is the data sent to and from my PhishER platform encrypted?

Yes. PhishER uses the Transport Layer Security (TLS) protocol to encrypt data sent to and from the platform.

Getting Started

For information to help you get started with PhishER, see the questions below:

  1. How long does it take to set up my PhishER platform?
  2. Do I need to use the Phish Alert Button (PAB) to forward emails to my PhishER Inbox?
  3. Is there a limit to how many reporting emails I can generate?
  4. Where do I find my saved rooms?
  5. Can I filter my PhishER Inbox by a specific tag?
  6. How do I delete a message from my PhishER Inbox?
  7. How do I permanently delete an email from my users' inboxes?
  8. I created a new rule. Will this rule affect the messages that were in my PhishER Inbox before the rule was created?
  9. What version of YARA does the PhishER platform support?
  10. Can I use regular expressions in my YARA rule?
  11. Can I open attachments in PhishER safely?
  12. Can I inform a user when a message is tagged as spam?
  13. Can I use attachment prefixes to find emails with similar attachments?
  14. What are some recommendations for PhishML thresholds?

How long does it take to set up my PhishER platform?

Setup time will vary based on your mail server settings and whether you forward reported emails manually or automatically with the Phish Alert Button (PAB). If your organization uses the PAB, you can get started with PhishER quickly because your reported emails will be sent to PhishER automatically. You can decrease the setup time from the Rules tab in your PhishER platform, which offers system rules to help you start dispositioning emails quickly. For information to help you get started with PhishER, see our PhishER Quickstart Guide.

Do I need to use the Phish Alert Button (PAB) to forward emails to my PhishER Inbox?

As an alternative to using the PAB, you can manually forward users’ reported emails to a reporting email address tied to your organization's PhishER platform. You can also download the EML file of an email, attach the EML file to a new email, and then send that email to PhishER. PhishER will recognize this process as a PAB report. If the Forwarded Only check box is selected for the reporting email address in your PhishER Settings, PhishER will instead recognize this process as a manual report. This method of email forwarding requires that forwarded emails are transmitted in EML format, specifically the RFC 822 format, which includes the complete headers and body of the original email.

For more information about these methods, see our PhishER Settings: Account article.
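The EML-attachment method is easy to get wrong: forwarding a message inline rewrites it and drops the original Received and Message-ID headers an analyst needs. As an added example, not KnowBe4's code, the following Python (standard library only) builds a forwarding email that carries the original as a message/rfc822 attachment and then parses it back to confirm the original headers survived. The reported message, the addresses and the function names are constructed for the example; the reporting address is a placeholder.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed sample of a reported message in RFC 822 (EML) form.
# The addresses use reserved example domains and are not real.
REPORTED_EML = b"""\
Received: from mail.example.invalid (198.51.100.7) by mx.example.org; Mon, 01 Jan 2024 09:00:01 +0000
From: "Payroll" <payroll@example.invalid>
To: alice@example.org
Subject: Action required: verify your account
Date: Mon, 01 Jan 2024 09:00:00 +0000
Message-ID: <constructed-0001@example.invalid>
Content-Type: text/plain; charset="utf-8"

Please log in at the link below within 24 hours.
"""

# Placeholder for the reporting address tied to a PhishER platform.
REPORTING_ADDRESS = "phisher-reporting@example.org"


def wrap_eml_for_forwarding(eml_bytes, sender, reporting_address):
    """Build the forwarding email with the original EML attached.

    Attaching the parsed message makes the email library emit a
    message/rfc822 part, so the original headers travel unchanged
    instead of being rewritten as they would be in an inline forward.
    """
    original = BytesParser(policy=policy.default).parsebytes(eml_bytes)
    outer = EmailMessage(policy=policy.default)
    outer["From"] = sender
    outer["To"] = reporting_address
    outer["Subject"] = "Reported suspicious email"
    outer.set_content("Forwarding a suspicious email as an EML attachment.")
    outer.add_attachment(original, filename="reported.eml")
    return outer.as_bytes()


def extract_reported_message(forwarded_bytes):
    """Return the embedded original message, or None if the forward has
    no message/rfc822 attachment (for example an inline forward)."""
    outer = BytesParser(policy=policy.default).parsebytes(forwarded_bytes)
    for part in outer.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            return part.get_content()
    return None


def original_headers(forwarded_bytes):
    """Headers an analyst wants intact, read from the embedded original.

    Returns None when no embedded original is present.
    """
    inner = extract_reported_message(forwarded_bytes)
    if inner is None:
        return None
    wanted = ("From", "Subject", "Message-ID", "Received")
    return {name: str(inner[name]) for name in wanted if inner[name] is not None}


if __name__ == "__main__":
    forwarded = wrap_eml_for_forwarding(REPORTED_EML, "alice@example.org", REPORTING_ADDRESS)
    for name, value in original_headers(forwarded).items():
        print(f"{name}: {value}")
```

Running the block prints the original sender, subject, Message-ID and Received line read back out of the attachment; an inline forward fed to `original_headers` returns None, which is the quick way to spot a report that lost its headers.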

Is there a limit to how many reporting emails I can generate?

No. You can generate as many reporting email addresses as you would like. For example, you could create multiple reporting email addresses if your organization would like to use different reporting email addresses for different user groups, Phish Alert Button (PAB) instances, or office locations.

Note: All emails forwarded to your reporting email addresses are sent to your PhishER Inbox.

Where do I find my saved rooms?

After you save a room in PhishER, the room is stored under Saved Queries on the Rooms page. For more information about rooms, see our How to Create and Manage PhishER Rooms article.

Can I filter my PhishER Inbox by a specific tag?

You can use Lucene query syntax to filter your PhishER Inbox by a specific tag. For example, you can enter the query below into the search bar of your Inbox, and your Inbox will display all messages with a Threat tag attached to them.

tags: "threat"

For more information about your Inbox, see our How to Use Your PhishER Inbox article.

How do I delete a message from my PhishER Inbox?

You can select a message in your PhishER Inbox and delete the message from the Message Details page. To delete a message, follow the steps below:

  1. In PhishER, navigate to the Inbox page.
  2. Select the message you would like to delete. The Message Details page will open.
  3. On the right side of the Message Details page, you can view the Actions and Discussion sidebar. From the Actions tab, click the Delete Message button. The Delete Message? pop-up window will open.
  4. In the Delete Message? pop-up window, click Yes, delete it.

How do I permanently delete an email from my users' inboxes?

Before you can permanently delete an email from your users' inboxes, you must enable the Allow Permanent Message Deletion setting in the PhishRIP subtab of your PhishER Settings. Once the setting is enabled, the email must be quarantined by PhishRIP before it can be permanently deleted. For more information about this setting, see our How to Use PhishRIP article.

I created a new rule. Will this rule affect the messages that were in my PhishER Inbox before the rule was created?

No. Messages received prior to your rule changes will not be affected. If you would like to run your new rule against messages received prior to the rule's creation, follow the steps below:

  1. In PhishER, navigate to the Inbox page.
  2. Select the check box on the left side of a message to select it. The Run drop-down menu will display in the top-left corner of the Inbox page.
  3. From the Run drop-down menu, select an action to run against any of your selected messages.

What version of YARA does the PhishER platform support?

PhishER currently supports version 4.1.2 of YARA. For more information about this version, see YARA’s Writing YARA rules documentation.

Can I use regular expressions in my YARA rule?

Yes, you can use regular expressions when writing YARA rules. However, the YARA compiler does not recognize every regex feature. For a list of the regex features that YARA recognizes, see YARA’s Regular expressions documentation.

Can I open attachments in PhishER safely?

KnowBe4 does not advise that you open attachments in PhishER, even if VirusTotal marks them as safe. We recommend that you open any attachments in a safe, secure sandbox environment for analysis.

Can I inform a user when a message is tagged as spam?

In PhishER, you can alert a user that their message has been tagged as spam by creating an action to notify them. To create this action, set steps 1, 2, and 3 to match the following settings:

  1. Choose how this action should be triggered: Select the Specify Tags option. Then, select Has Any and add all of your PhishER tags that are related to spam.
  2. (Optional) Choose the action to be taken on matched messages: Select the Set Status, Set Priority, and Set Category options. For the Set Status option, select Resolved from the drop-down menu. For the Set Priority option, select Low from the drop-down menu. For the Set Category option, select Spam from the drop-down menu.
  3. Choose how you would like to report this action: Select the Send Email option. When this option is selected, you can create a custom email response that will automatically send to the recipients of your choice when a message is tagged as spam. For more information, see our How to Create a Custom Email Template in PhishER article.

Can I use attachment prefixes to find emails with similar attachments?

Yes, you can search by a prefix of the attachment's name. For example, if an attachment is named “randomdoc.xml”, the following prefixes would be accepted:

  • random
  • ran
  • rando

What are some recommendations for PhishML thresholds?

To learn about recommended settings for the PhishML thresholds, see the Setting Confidence Values and Thresholds section of our How to Use PhishML article.

Using PhishRIP and PhishFlip

For information to help you use PhishRIP and PhishFlip, see the questions below:

  1. What permissions do I need to connect my Microsoft 365 instance to PhishRIP?
  2. What permissions do I need to enable PhishRIP with Google Workspace?
  3. Why does my admin account need global permissions to enable PhishRIP?
  4. What security measures are in place to ensure that information is not lost or stolen when using PhishRIP?
  5. When a PhishFlip campaign is started, is the tracking duration always set to three days? Is there any way to modify the tracking duration?
  6. Will PhishFlip work with attachments found in reported emails?

What permissions do I need to connect my Microsoft 365 instance to PhishRIP?

To grant PhishRIP access to all of the mailboxes in your Microsoft 365 instance, you must have a Microsoft 365 admin account with global permissions enabled. Then, you can log in to your account and accept the permissions needed to connect to Microsoft 365. To learn more about the required permissions, see our How to Use PhishRIP article.

Note: The account information used to sign in to Microsoft 365 will not be stored in PhishER. This email address can also be removed by another Microsoft 365 admin.

What permissions do I need to enable PhishRIP with Google Workspace?

To enable PhishRIP with Google Workspace, you must have a Google Workspace account admin email address.

Why does my admin account need global permissions to enable PhishRIP?

Your admin account must have global permissions enabled in order to grant the access that PhishRIP needs for the initial connection to your mail server. PhishRIP does not use global permissions to function after it is enabled.

What security measures are in place to ensure that information is not lost or stolen when using PhishRIP?

KnowBe4's InfoSec team monitors KnowBe4 services for abuse and suspicious activity. KnowBe4 has controls that prevent query tampering, wildcard searches, and access across accounts. The InfoSec team has tested these controls to ensure they are effective.

PhishRIP communicates with Microsoft using a single-use Microsoft Graph API token that is not saved. PhishRIP has a limited number of fixed queries that can be made to a Microsoft 365 account, and these queries must match specific criteria from a message that has been reported to PhishER. All messages, queries, and query responses are encrypted. KnowBe4 employees are not allowed to access an organization's PhishER account without the organization's permission.

PhishER provides a few ways to prevent your information from being lost or stolen when using PhishRIP.

First, you can limit the access of the users that you add to the PhishER platform by creating Security Roles. You can use Security Roles to grant limited or full access to your users for the following console areas:

  • Rooms
  • Inbox
  • Rules
  • Actions
  • PhishRIP
  • Settings

Using Security Roles, you can specify which admins can initiate PhishRIP queries.

Next, you can specify your customized criteria, which PhishER uses to remove emails that are similar to any potentially threatening emails that have been sent to PhishER through the Phish Alert Button (PAB).

Finally, if a message is quarantined and you discover that the message is actually clean, you can restore the message from your PhishER platform.

When a PhishFlip campaign is started, is the tracking duration always set to three days? Is there any way to modify the tracking duration?

Yes. By default, all PhishFlip campaigns are set to have a tracking duration of three days. Currently, this setting cannot be modified.

Will PhishFlip work with attachments found in reported emails?

Yes. PhishFlip will convert the attachment into an HTML template.

Integrations

For information to help you with PhishER integrations, see the questions below:

  1. What can I do when I integrate PhishER with my KSAT console?
  2. What format of PEM TLS certificate is required for the PhishER TLS connection settings for Syslog?
  3. What do the VT tags mean?
  4. Why is the VirusTotal Public API reaching the maximum number of requests when I didn’t receive emails with a total of 500 files or URLs?

What can I do when I integrate PhishER with my KSAT console?

The integration between the PhishER platform and the KSAT console provides you with a better understanding of how your users interact with real phishing emails. In your PhishER platform, you can configure your integration with your KSAT console to update events on KSAT User Timelines. Once certain PhishER actions are reported to your KSAT console, you can create a Smart Group that targets specific users based on how they treated real phishing emails. For example, you can create a Smart Group that searches for users who did not report threats. Then, you can use this information to create a targeted training campaign and to reiterate the importance of using the Phish Alert Button (PAB).

For more information, see the KSAT Console section of our PhishER Settings: Integrations article.

What format of PEM TLS certificate is required for the PhishER TLS connection settings for Syslog?

The Privacy Enhanced Mail (PEM) Transport Layer Security (TLS) certificate should consist of the header, a new line, the certificate data, a new line, and the footer. You can see an example of the accepted format below:

-----BEGIN CERTIFICATE-----
<certificate data>
-----END CERTIFICATE-----
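Added example, not KnowBe4's code: a Python check that a PEM certificate has the layout described above (header on its own line, certificate data on its own line or lines, footer on its own line) before it is pasted into the Syslog TLS connection settings. It also base64-decodes the body and confirms the first byte is the DER SEQUENCE tag that every X.509 certificate begins with; it does not validate the certificate itself. The sample body is constructed from a five-byte placeholder and is not a real certificate; the function and constant names are the example's own.

```python
import base64
import binascii
import re

HEADER = "-----BEGIN CERTIFICATE-----"
FOOTER = "-----END CERTIFICATE-----"
B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def check_pem_certificate(text):
    """Return (ok, reason) for a PEM certificate string.

    ok is True only when the text is: the header on its own line, one or
    more base64 lines of certificate data, then the footer on its own line,
    and the decoded data starts with 0x30 (the DER SEQUENCE tag that opens
    every X.509 certificate). Nothing beyond that is verified.
    """
    lines = [line.strip() for line in text.strip().splitlines()]
    if len(lines) < 3:
        return False, "header, certificate data and footer must be on separate lines"
    if lines[0] != HEADER:
        return False, f"first line must be {HEADER}"
    if lines[-1] != FOOTER:
        return False, f"last line must be {FOOTER}"
    body = lines[1:-1]
    for number, line in enumerate(body, start=2):
        if not B64_LINE.match(line):
            return False, f"line {number} is not base64"
    try:
        der = base64.b64decode("".join(body), validate=True)
    except binascii.Error as exc:
        return False, f"certificate data does not decode: {exc}"
    if not der or der[0] != 0x30:
        return False, "decoded data is not a DER SEQUENCE, so it is not an X.509 certificate"
    return True, "well-formed PEM certificate"


# Constructed placeholder body: a five-byte DER SEQUENCE encoded as base64.
# It is NOT a real certificate; it only exercises the layout check.
PLACEHOLDER_BODY = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()

GOOD_PEM = f"{HEADER}\n{PLACEHOLDER_BODY}\n{FOOTER}\n"
ONE_LINE_PEM = f"{HEADER}{PLACEHOLDER_BODY}{FOOTER}"   # everything on one line
NO_FOOTER_PEM = f"{HEADER}\n{PLACEHOLDER_BODY}\n"
NOT_BASE64_PEM = f"{HEADER}\nthis is not base64!\n{FOOTER}\n"

if __name__ == "__main__":
    for label, pem in (("good", GOOD_PEM), ("one line", ONE_LINE_PEM),
                       ("no footer", NO_FOOTER_PEM), ("bad body", NOT_BASE64_PEM)):
        print(f"{label:10} -> {check_pem_certificate(pem)}")
```

The one-line and missing-footer cases are the two mistakes that most often come from copying a certificate out of a terminal or a web form; the standard library's `ssl.PEM_cert_to_DER_cert` would decode some of those looser layouts, which is why this check is stricter.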

What do the VT tags mean?

The VT tags are VirusTotal tags, which are applied to your messages after a VirusTotal scan. To learn how to integrate your VirusTotal account with your PhishER platform, see our VirusTotal and PhishER Integration article.

For more information about each VT tag, see the list below:

  • VT_Scanned: This tag is added to your message when a VirusTotal scan is completed and the message is not evaluated to be malicious.
  • VT_Bypassed: This tag is added to your message when no response has been received from VirusTotal within the set timeout period.
  • VT_Pending: This tag is added to your message when PhishER is waiting for a response from VirusTotal.
  • VT_Bad: This tag is added to your message when VirusTotal evaluates one or more scanned items as malicious.

Why is the VirusTotal Public API reaching the maximum number of requests when I didn’t receive emails with a total of 500 files or URLs?

To run a scan, PhishER sends each file or URL in each email to VirusTotal as a query to the API endpoint. PhishER then sends a further API call for each file or URL to check whether its scan results are ready. If VirusTotal is not ready to provide the scan results, PhishER must send additional API calls. As a result, PhishER must send a minimum of 3 requests per file or URL before a query can be retried.
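The VT tag list and the request accounting above can be tied together in one simulation. This is an added example, not KnowBe4's or VirusTotal's code: a stand-in VirusTotal object that counts requests against a Public API budget, a scan loop that submits each file or URL, checks for results and assigns the VT tag the list above describes, and the arithmetic for how many items fit in a day. The budget of 500 requests, the polling model (a fresh submission is never ready on the first status check, so each item costs at least the three requests the answer mentions), the treatment of an exhausted budget as VT_Pending, and all names and sample items are assumptions of the example.

```python
from dataclasses import dataclass, field

DAILY_QUOTA = 500            # Public API request budget assumed by this example
MIN_REQUESTS_PER_ITEM = 3    # submit + first status check + a further check, per the answer above


class QuotaExceeded(Exception):
    """Raised by the stand-in when the request budget is used up."""


@dataclass
class FakeVirusTotal:
    """Constructed stand-in for VirusTotal; it performs no network I/O.

    ready_after: item -> number of status checks before results exist.
                 A fresh submission is modelled as never ready on the first
                 check, so values below 2 are treated as 2.
    verdicts:    item -> "malicious" or "clean" once the scan is ready.
    """
    ready_after: dict
    verdicts: dict
    quota: int = DAILY_QUOTA
    requests_made: int = 0
    _checks: dict = field(default_factory=dict)

    def _spend(self):
        if self.requests_made >= self.quota:
            raise QuotaExceeded(f"{self.quota} requests used")
        self.requests_made += 1

    def submit(self, item):
        """One request: queue the file or URL for scanning."""
        self._spend()

    def check(self, item):
        """One request: None while still scanning, else the verdict."""
        self._spend()
        self._checks[item] = self._checks.get(item, 0) + 1
        if self._checks[item] < max(2, self.ready_after.get(item, 2)):
            return None
        return self.verdicts[item]


def scan_message(vt, items, max_checks=3):
    """Scan every file/URL of one message; return (tag, requests_used).

    VT_Bad      - any item malicious
    VT_Scanned  - scan finished, nothing malicious
    VT_Bypassed - some item never answered within max_checks (timeout)
    VT_Pending  - budget ran out mid-scan; still waiting (example's assumption)
    """
    start = vt.requests_made
    results = []
    try:
        for item in items:
            vt.submit(item)
            verdict = None
            for _ in range(max_checks):
                verdict = vt.check(item)
                if verdict is not None:
                    break
            results.append(verdict)
    except QuotaExceeded:
        return "VT_Pending", vt.requests_made - start
    if "malicious" in results:
        return "VT_Bad", vt.requests_made - start
    if None in results:
        return "VT_Bypassed", vt.requests_made - start
    return "VT_Scanned", vt.requests_made - start


def max_items_per_day(quota=DAILY_QUOTA, per_item=MIN_REQUESTS_PER_ITEM):
    """Upper bound on files/URLs scannable per day when every item is ready
    on the earliest possible check: 500 // 3 == 166, not 500."""
    return quota // per_item


if __name__ == "__main__":
    # Constructed items: two attachments and one link from one reported email.
    vt = FakeVirusTotal(
        ready_after={"invoice.pdf": 2, "https://example.org/login": 3},
        verdicts={"invoice.pdf": "clean", "notes.txt": "clean",
                  "https://example.org/login": "malicious"},
    )
    print(scan_message(vt, ["invoice.pdf", "notes.txt", "https://example.org/login"]))
    print("items per day at best:", max_items_per_day())
```

The sample run costs 10 requests for three items and ends in VT_Bad; `max_items_per_day()` shows why a day's budget is exhausted well before 500 files or URLs have been seen.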

Troubleshooting

For troubleshooting information about PhishER, see the questions below:

  1. What happens when a quarantine folder is deleted?
  2. Why do reported messages have null values?

What happens when a quarantine folder is deleted?

When a quarantine folder is deleted, everything in that folder is deleted with it. However, you can regenerate the deleted quarantine folder by running a new PhishRIP query. For more information, see our How to Use PhishRIP article.

Why do reported messages have null values?

If your organization uses Cisco IronPort spam filtering and you're seeing null values in reported messages, you may need to create an exception in Cisco IronPort. You can create this exception for outbound emails sent to your PhishER reporting email address. For more information, see Cisco's content filter documentation.

For additional assistance, we recommend reaching out to Cisco IronPort's support team.
