PhishER FAQ

In this article, you can find frequently asked questions about using KnowBe4's PhishER platform. If you have additional questions that this article doesn’t include, please submit a ticket to our support team.

To learn more about PhishER, see our PhishER Product Manual.

Jump to:

General Information
Getting Started
Using PhishRIP and PhishFlip
Integrations
Troubleshooting

 

General Information

For general information about PhishER, see the questions and answers below:

1. How is my information protected on the PhishER platform?
2. How do I grant and manage access to PhishER for other members of my organization?
3. How can I purchase PhishER for my organization?
4. What URL rewriters and shorteners are compatible with PhishER?
5. Can I use PhishER to process and block viruses?
6. Is the data sent to and from my PhishER platform encrypted?

 

1. Question: How is my information protected on the PhishER platform?

Answer: PhishER uses all of KnowBe4's security and privacy best practices, as detailed on our Security Statement page. For an added layer of protection, you can enable multi-factor authentication on your admin account in your KMSAT console.

Back to top

 

2. Question: How do I grant and manage access to PhishER for other members of my organization?

Answer: PhishER account admins can grant PhishER access to other members of your organization by enabling the PhishER setting in their User Profiles in the KMSAT console. KMSAT admins have access to PhishER automatically.

Account admins can also disable PhishER access from the KMSAT User Profile.

Back to top

 

3. Question: How can I purchase PhishER for my organization?

Answer: If you would like to purchase the PhishER platform, contact your Account Manager. If you're unsure who your Account Manager is, you can contact our support team.

Back to top

 

4. Question: What URL rewriters and shorteners are compatible with PhishER?

Answer: If you would like to rewrite or shorten a URL, such as a URL used to set up a webhook, we recommend that you use one of our compatible rewriters and shorteners.

For a list of supported URL shorteners, see the table below:

Name	URL
Bitly	bit.ly
Bitdo	bit.do
Capsulink	cli.re, [www.]capsulink.com
Googl	goo.gl
Owly	ow.ly
TinyURL	tinyurl.com

For a list of supported URL rewrites, see the table below:

Name	URL
Barracuda	linkprotect.cudasvc.com
Cisco	secure-web.cisco.com
FireEye	*.fireeye.com
Google (Gmail)	[www.]google.com
Mimecast	protect-*.mimecast.com
Outlook	*.safelinks.protection.outlook.com
PostOffice	clicktime.cloud.postoffice.net
Proofpoint	urldefense.proofpoint.com
Sophos	*.protection.sophos.com
Symantec	clicktime.symantec.com
TrendMicro	*.trendmicro.com
Trustwave	scanmail.trustwave.com

Back to top

 

5. Question: Can I use PhishER to process and block viruses?

Answer: No, you cannot use PhishER to process and block viruses. PhishER was not designed to be a mail filter. The purpose of PhishER is to provide your organization with a platform to evaluate all suspicious emails reported by your users. However, you can use PhishER to detect common elements in the reported emails to automate your incident response actions.

Back to top

 

6. Question: Is the data sent to and from my PhishER platform encrypted?

Answer: Yes, PhishER utilizes Transport Layer Security (TLS) encryption protocol for sending data to and from the platform.

Back to top

 

Getting Started

For information to help you get started with PhishER, see the questions below:

1. How long does it take to set up my PhishER platform?
2. Do I need to use the Phish Alert Button (PAB) to forward emails to my PhishER Inbox?
3. Is there a limit to how many reporting emails I can generate?
4. Where do I find my saved rooms?
5. Can I filter my PhishER Inbox by a specific tag?
6. How do I delete a message from my PhishER Inbox?
7. How do I permanently delete an email from my users' inboxes?
8. I created a new rule. Will this rule affect the messages that were in my PhishER Inbox before the rule was created?
9. What version of YARA does the PhishER platform support?
10. Can I use regular expressions in my YARA rule?
11. Can I open up attachments in PhishER safely?
12. Can I inform an end user when a message is tagged as spam?
13. How can I use attachment prefixes to find emails with similar attachments?
14. What are some recommendations for PhishML thresholds?

 

1. Question: How long does it take to set up my PhishER platform?

Answer: Setup time will vary based on your mail server settings and whether you forward reported emails manually or automatically with the Phish Alert Button (PAB). If your organization uses the PAB, you can get started with PhishER quickly because your reported emails will be sent to PhishER automatically. You can decrease the setup time from the Rules tab in your PhishER platform, which offers system rules to help you start dispositioning emails quickly. For information to help you get started with PhishER, see our PhishER Quickstart Guide.

Back to top

 

2. Question: Do I need to use the Phish Alert Button (PAB) to forward emails to my PhishER Inbox?

Answer: As an alternative to using the PAB, you can manually forward users’ reported emails to a reporting email address tied to your organization's PhishER platform.
You can also download the EML file of an email, attach the EML file in a new email, and then send the email to PhishER. PhishER will recognize this process as a PAB report. If the Forwarded Only check box is selected for the reporting email address in your PhishER Settings, PhishER will recognize this process as a manual report. This method of email forwarding requires that forwarded emails are transmitted in an EML format, specifically the RFC 822 format. This format includes the complete headers and email body from the original email.

For more information about these methods, see our PhishER Settings: Account article.

Back to top

 

3. Question: Is there a limit to how many reporting emails I can generate?

Answer: No. You can generate as many reporting email addresses as you would like. For example, you could create multiple reporting email addresses if your organization would like to use different reporting email addresses for different user groups, Phish Alert Button (PAB) instances, or office locations.

Back to top

 

4. Question: Where do I find my saved rooms?

Answer: After you save a room in PhishER, the room is stored under Saved Queries on the Rooms page. For more information about rooms, see our How to Create and Manage PhishER Rooms article.

Back to top

 

5. Question: Can I filter my PhishER Inbox by a specific tag?

Answer: You can use Lucene query syntax to filter your PhishER Inbox by a specific tag. For example, you can enter the query below into the search bar of your Inbox, and your Inbox will display all messages with a Threat tag attached to them.

tags: "threat"

For more information about your Inbox, see our How to Use Your PhishER Inbox article.

Back to top

 

6. Question:How do I delete a message from my PhishER Inbox?

Answer: You can select a message in your PhishER Inbox and delete the message from the Message Details page. To delete a message, follow the steps below:

1. In PhishER, navigate to the Inbox page.
2. Select the message you would like to delete. The Message Details page will open.
3. On the right side of the Message Details page, you can view the Actions and Discussion sidebar. From the Actions tab, click the Delete Message button. The Delete Message? pop-up window will open.
4. In the Delete Message? pop-up window, click Yes, delete it.

Back to top

 

7. Question: How do I permanently delete an email from my users' inboxes?

Answer: Before you can permanently delete an email from your users' inboxes, you must enable the Allow Permanent Message Deletion setting in the PhishRIP subtab of your PhishER Settings. Once the setting is enabled, the email must be quarantined by PhishRIP before it can be permanently deleted. For more information about this setting, see our How to Use PhishRIP article.

Back to top

 

8. Question: I created a new rule. Will this rule affect the messages that were in my PhishER Inbox before the rule was created?

Answer: No. Messages received prior to your rule changes will not be affected. If you would like to run your new rule against messages received prior to the rule's creation, follow the steps below:

1. In PhishER, navigate to the Inbox page.
2. Select the check box on the left side of a message to select it. The Run drop-down menu will display in the top-left corner of the Inbox page.
3. From the Run drop-down menu, select an action to run against any of your selected messages.

Back to top

 

9. Question: What version of YARA does the PhishER platform support?

Answer: PhishER currently supports version 4.1.2 of YARA. For more information about this version, see YARA’s Writing YARA rules documentation.

Back to top

 

10. Question: Can I use regular expressions in my YARA rule?

Answer: Yes, you can use regular expressions when writing YARA rules. However, not all regex commands are recognized by the YARA compiler. For a list of regex commands that are recognized by YARA, see YARA’s Regular expressions documentation.

Back to top

 

11. Question: Can I open attachments in PhishER safely?

Answer: KnowBe4 does not advise that you open attachments in PhishER, even if VirusTotal marks them as safe. We recommend that you open any attachments in a safe, secure sandbox environment for analysis.

Back to top

 

12. Question: Can I inform a user when a message is tagged as spam?

Answer: In PhishER, you can alert a user that their message has been tagged as spam by creating an action to notify them. To create this action, set steps 1, 2, and 3 to match the following settings:

1. Choose how this action should be triggered: Select the Specify Tags option. Then, select Has Any and add all of your PhishER tags that are related to spam.
2. (Optional) Choose the action to be taken on matched messages: Select the Set Status, Set Priority, and Set Category options. For the Set Status option, select Resolved from the drop-down menu. For the Set Priority option, select Low from the drop-down menu. For the Set Category option, select Spam from the drop-down menu.
3. Choose how you would like to report this action: Select the Send Email option. When this option is selected, you can create a custom email response that will automatically send to the recipients of your choice when a message is tagged as spam. For more information, see our How to Create a Custom Email Template in PhishER article.

Back to top

 

13. Question: Can I use attachment prefixes to find emails with similar attachments?

Answer: Yes, you can use the prefix if it is included. For example, if an attachment is named “randomdoc.xml”, the following prefixes would be accepted:

• random
• ran
• rando

Back to top

 

14. Question: What are some recommendations for PhishML thresholds?

Answer: To learn about recommended settings for the PhishML thresholds, see the Setting Confidence Values and Thresholds section of our How to Use PhishML article.

Back to top

 

Using PhishRIP and PhishFlip

For information to help you use PhishRIP and PhishFlip, see the questions below:

1. What permissions do I need to connect my Microsoft 365 instance to PhishRIP?
2. What permissions do I need to enable PhishRIP with Google Workspace?
3. What security measures are in place to ensure that information is not lost or stolen when using PhishRIP?
4. When a PhishFlip campaign is started, is the tracking duration always set to three days? Is there any way to modify the tracking duration?
5. Will PhishFlip work with attachments found in reported emails?

 

1. Question: What permissions do I need to connect my Microsoft 365 instance to PhishRIP?

Answer: To grant PhishRIP access to all of the mailboxes in your Microsoft 365 instance, you must have a Microsoft 365 admin account with global permissions enabled. Then, you can log in to your account and accept the permissions needed to connect to Microsoft 365. To learn more about the required permissions, see our How to Use PhishRIP article.

Back to top

 

2. Question: What permissions do I need to enable PhishRIP with Google Workspace?

Answer: To enable PhishRIP with Google Workspace, you must have a Google Workspace account admin email address.

Back to top

 

3. Question: What security measures are in place to ensure that information is not lost or stolen when using PhishRIP?

Answer: KnowBe4's InfoSec team monitors KnowBe4 services for abuse and suspicious activity. KnowBe4 has controls that prevent query tampering, wildcard searches, and access across accounts. The InfoSec team has tested these controls to ensure they are effective.

PhishRIP communicates to Microsoft using a single-use Microsoft GraphAPI token that is not saved. PhishRIP has a limited number of fixed queries that can be made to a Microsoft 365 account, and these queries must match specific criteria from a message that has been reported to PhishER. All messages, queries, and query responses are encrypted. KnowBe4 employees are not allowed to access an organization's PhishER account without the organization's permission.

PhishER provides a few ways to prevent your information from being lost or stolen when using PhishRIP.

First, you can limit the access of the users that you add to the PhishER platform by creating Security Roles. You can use Security Roles to grant limited or full access to your users for the following console areas:

• Rooms
• Inbox
• Rules
• Actions
• PhishRIP
• Settings

Using Security Roles, you can specify which admins have the access to be able to initiate PhishRIP queries.

Next, you can specify your customized criteria, which PhishER uses to remove emails that are similar to any potentially threatening emails that have been sent to PhishER through the Phish Alert Button (PAB).

Finally, if a message is quarantined and you discover that the message is actually clean, you can restore the message from your PhishER platform.

Back to top

 

4. Question: When a PhishFlip campaign is started, is the tracking duration always set to three days? Is there any way to modify the tracking duration?

Answer: Yes. By default, all PhishFlip campaigns are set to have a tracking duration of three days. Currently, this setting cannot be modified.

Back to top

 

5. Question: Will PhishFlip work with attachments found in reported emails?

Answer: Yes. PhishFlip will convert the attachment into an HTML template.

Back to top

 

Integrations

For information to help you with PhishER integrations, see the questions below:

1. What can I do when I integrate PhishER with my KMSAT console?
2. What format of the PEM TLS certification is required for the PhishER TLS connection settings for Syslog?
3. What do the VT_Scanned tags mean?

 

1. Question: What can I do when I integrate PhishER with my KMSAT console?

Answer: The integration between the PhishER platform and the KMSAT console provides you with a better understanding of how your users interact with real phishing emails. In your PhishER platform, you can configure your integration with your KMSAT console to update events on KMSAT User Timelines. Once certain PhishER actions are reported to your KMSAT console, you can create a Smart Group that targets specific users based on how they treated real phishing emails. For example, you can create a Smart Group that searches for users who did not report threats. Then, you can use this information to create a targeted training campaign and to reiterate the importance of using the Phish Alert Button (PAB).

For more information, see the KMSAT Console section of our PhishER Settings: Integrations article.

Back to top

 

2. Question: What format of the PEM TLS certification is required for the PhishER TLS connection settings for Syslog?

Answer: The format of the Privacy Enhanced Mail (PEM) Transport Layer Security (TLS) certification should include the header, a new line, the certificate information, a new line, and the footer. You can see an example of the accepted format below:
-----BEGIN CERTIFICATE----- MIIErzCCApcCFFAUmnV/yNhc8hf6aOY6wCmmh4v2MA0GCSqGSIb3DQEBCwUAMIGRMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHRmxvcmlkYTETMBEGA1UEBwwKQ2xlYXJ3YXRlcjEQMA4GA1UECgdsfasdfasdfjIxNTEyMDVaMIGVMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHRmxvcmlkYTETMBEGA1UEBwwKQ2xlYXJ3YXRlcjEQMA4GA1UECgwHS25vd0JlNDEMMAoGA1UECwwDUiZEMRswGQYDVQQDDBJzeXNsb2cuadyEC6im/QlSps3vCWAoaauSZWtKjt+3/BTn9Sm0BI8KmcEGHyn60yXXrit11g11PR9c0XUDs7ocFnnq00MMaMZh/WxqZnjRvPwV7xLdiWQxdudNgPOjqocWw7ocCuj4HnnrWOkDmHx3Tc9CTFux71azXbcR7uspndgasdfdsffdcxdAc6SoX1ielqSSbsfasdfsa4IgwGZHJGnBjlBpCqfOBBWGGjCEkpKGJLbXPKfrd2l888xgJ8Y8kvmMbMrOrBkAxNrufHKqbBQy94xeOOKvbF+lpLEKWMiXSVGXsfcklCBcUBGx/5GJdaBSz7eO2RNzMzdBoULwJAWfcAhr5IRVLP9id6IYMu5YczqLXjlXXjXkH7qFSL4/GP4mslXCQ/JXmiUpXoRKQiyFr/vsPVcpbNA2pj37GSktc+eWcbi90BGouFnyen/ABBf21Xdtttp46vpYdkVXO5ETba7VJVYdsgsadgasdgfg+fdZ/bQMezrQu4cnI1IrWoIeAxAH2spdfdsfsdfsadfgdsgsfdsfsdgsaadsgasdgasdgasndfmOPm92Wuhg7hIDEg7tGvhzyUyzUYsK+K+UCvOepQB7Ba7lmIKMQkM/USlf265I4+L8mbcL -----END CERTIFICATE-----

Back to top

 

3. Question: What do the VT tags mean?

Answer: The VT tags are VirusTotal tags, which are applied to your messages after a VirusTotal scan. To learn how to integrate your VirusTotal account with your PhishER platform, see our VirusTotal and PhishER Integration article.

For more information about each VT tag, see the list below:

• VT_Scanned: This tag is added to your message when a VirusTotal scan is completed and the message is not evaluated to be malicious.
• VT_Bypassed: This tag is added to your message when no response has been received from VirusTotal within the set timeout period.
• VT_Pending: This tag is added to your message when PhishER is waiting for a response from VirusTotal.
• VT_Bad: This tag is added to your message when VirusTotal evaluates one or more scanned items as malicious.

Back to top

 

Troubleshooting

For troubleshooting information about PhishER, see the questions below:

1. What happens when a quarantine folder is deleted?
2. Why do reported emails have null values?

 

1. Question: What happens when a quarantine folder is deleted?

Answer: When a quarantine folder is deleted, anything in that folder will be deleted. However, you can regenerate the deleted quarantine folder by running a new PhishRIP query. For more information, see our How to Use PhishRIP article.

Back to top

 

2. Question: Why do reported messages have null values?

Answer: If your organization uses Cisco Ironport spam filtering and you're seeing null values in reported messages, you may need to create an exception in Cisco Ironport. You can create this exception for outbound emails sent to your PhishER reporting email address. For more information, see Cisco's content filter documentation.

For additional assistance, we recommend reaching out to Cisco Ironport's support team.

Back to top