PhishER FAQ

Below are some commonly-asked questions about KnowBe4's PhishER platform. If you don't see the answer you need, submit a ticket to our support team.

Jump to:

1. How is my information protected on the PhishER platform?
2. Do I need to use the PAB to forward emails to my PhishER inbox?
3. How do I provide PhishER access to my users?
4. Where do I find my Saved Rooms?
5. Can I filter my PhishER inbox by a specific tag?
6. How do I delete a message from my PhishER inbox?
7. How do I permanently delete a message from my users' inboxes?
8. Is there a limit to how many Reporting Emails I can generate?
9. I created a new rule. Will this affect the messages that were in my PhishER inbox before the rule was created?
10. Can I use regular expressions (regex commands) in my YARA rule?
11. What does the VT_Scanned tag mean?
12. How can I purchase my own PhishER platform?
13. What URL rewriters and shorteners is PhishER compatible with?
14. How quickly can we get our PhishER platform set up?
15. Can I use PhishER to process and block viruses?
16. Can I open up attachments in PhishER safely?
17. Is the data sent to and from my PhishER platform encrypted?
18. How is PhishER access managed?
19. Can I inform an end user when a message is tagged as Spam?
20. What are some best practices for PhishML Thresholds?
21. What security levels are required to enable PhishRIP with Google Workspace?
22. What can I do when I integrate PhishER with my KnowBe4 Security Awareness Console?
23. What permissions and account rights do I need to connect my Microsoft 365 instance to PhishRIP?
24. What version of YARA does the PhishER platform support?
25. What security measures are in place to ensure that information is not lost or stolen when using PhishRIP?
26. What format of the PEM TLS certification is required for the PhishER TLS connection settings for Syslog?
27. When a PhishFlip campaign is started, is the tracking duration always set to 3 days? Is there any way to modify it?
28. Will PhishFlip defang any attachments found on reported emails?
29. How can I use attachment prefixes to find emails with similar attachments?
30. What happens if a quarantine folder is deleted?
31. Why do reported emails have null or empty values?

 

1) Q: How is my information protected on the PhishER platform?

A: PhishER uses all of KnowBe4's security and privacy best practices, as detailed on our Security page. For an added layer of protection, you can enable multi-factor authentication on your admin account in the KnowBe4 console.

Back to top

 

2) Q: Do I need to use the PAB to forward emails to my PhishER inbox?

A: As an alternative to using the PAB, you can manually forward all user-reported emails to a PhishER-generated email address tied to your organization's PhishER platform.

With this method, you can download the .eml file, attach the .eml file to an email, and send it to PhishER. PhishER will recognize this process as a PAB report.

Keep in mind, this method of email forwarding requires that forwarded emails are transmitted in a .eml format (RFC 822), which includes the complete headers and email body from the original email.

Visit the PhishER Settings article for more information on how to set this up.

Back to top

 

3) Q: How do I provide PhishER access to users?

A: To provide access to a user to manage PhishER, you must Enable PhishER access in their KnowBe4 Security Awareness Training platform User Profile. Security Awareness Training platform admins will automatically have access to PhishER.

Back to top

 

4) Q: Where do I find my Saved Rooms?

A: After creating a room in PhishER, the room will be stored under the Saved Queries emergency room. This can be viewed by navigating to PhishER > Rooms > Saved Queries (select from the drop-down at the top of the Rooms screen).

Back to top

 

5) Q: Can I filter my PhishER inbox by a specific tag?

A: Yes. Using Lucene query syntax, you can filter your PhishER inbox by a specific tag.
Enter the query below into the search bar of your PhishER inbox. As an example, this query will filter all messages with a Threat tag attached to it.

tags: "threat"

Back to top

 

6) Q: How do I delete a message from my PhishER inbox?

A: You can delete a message from the Message Details screen. To do this, follow the steps below:

1. Navigate to PhishER > Inbox
2. Click on the message you would like to delete. This will open the Message Details screen.
3. To the right of the Message Details is the Actions and Discussion sidebar. Under the Actions tab, click on the Delete Message button.

Back to top

 

7) Q: How do I permanently delete a message from my users' inbox?

A: You can permanently delete a message from your users' inboxes by enabling the PhishRIP Delete option in your PhishRIP Settings. Once that is enabled, the message must be quarantined by PhishRIP before it can be permanently deleted. For more information on how to enable PhishRIP and the permanently delete feature, visit our PhishRIP article.

Back to top

 

8) Q: Is there a limit to how many Reporting Emails I can generate?

A: No. You can generate as many reporting email addresses as you would like. This option may be beneficial to organizations who want to provide a different reporting email address across user groups, PAB instances, or office locations. Keep in mind, all emails forwarded to your reporting email addresses will empty into a single PhishER inbox.

Back to top

 

9) Q: I created a new rule. Will this affect the messages that were in my PhishER inbox before the rule was created?

A: No, messages received prior to your rule change(s) will not be affected. If you would like to run your new rule against emails received prior to the rule's creation, you can do so by following the steps below:

1. Navigate to PhishER > Inbox
2. Click on the checkbox to the left of the message to select it.
3. The Run Action drop-down will appear in the top-left. From this drop-down, you may select an action to run against your selected message(s).

Back to top

 

10) Q: Can I use regular expressions (regex commands) in my YARA rule?

A: Yes, you can use regex commands when writing YARA rules. However, not all regex commands are recognized by the YARA compiler. Visit here to learn more about the regex commands that are recognized by YARA.

Back to top

 

11) Q: What do the VT_ tags mean?

A: The VT_Scanned tag will be added to your message when a VirusTotal scan is completed and not determined to be malicious. The VT_Bypassed tag will be added to your message when no response has been received from VirusTotal within the set timeout period. The VT_Pending tag will be added to your message when we are waiting for a response from VirusTotal. The VT_Bad tag will be added to your message when one or more scanned items have been marked as malicious by VirusTotal.

Back to top

 

12) Q: How can I purchase my own PhishER platform?

A: If you would like to purchase the PhishER platform, please reach out to your Account Manager for assistance. If you're unsure who your Account Manager is, you can contact support.

Back to top

 

13) Q: What URL rewriters and shorteners are compatible with PhishER?

A: See the table below:

Supported URL Shorteners
Name	URL
Bitly	bit.ly
Bitdo	bit.do
Capsulink	cli.re, [www.]capsulink.com
Googl	goo.gl
Owly	ow.ly
TinyURL	tinyurl.com

Supported URL Rewriters
Name	URL
Barracuda	linkprotect.cudasvc.com
Cisco	secure-web.cisco.com
FireEye	*.fireeye.com
Google (Gmail)	[www.]google.com
Mimecast	protect-*.mimecast.com
Outlook	*.safelinks.protection.outlook.com
PostOffice	clicktime.cloud.postoffice.net
Proofpoint	urldefense.proofpoint.com
Sophos	*.protection.sophos.com
Symantec	clicktime.symantec.com
TrendMicro	*.trendmicro.com
Trustwave	scanmail.trustwave.com

Back to top

 

14) Q: How quickly can we get our PhishER platform set up?

A: Setup time will vary based on your environment. If you're using KnowBe4's free Phish Alert Button in your organization, you can get started with PhishER in just a few clicks. PhishER offers System Rules to get you started with dispositioning emails fast. However, you'll want to spend some time customizing rules, tags, and actions to help you process and respond to reported emails faster.

Back to top

 

15) Q: Can I use PhishER to process and block viruses?

A: No, PhishER was not designed to be a mail filter. The purpose of PhishER is to provide your organization with a platform to evaluate all suspicious emails reported by your users. However, you can use PhishER to detect commonalities in the reported emails to automate your incident response actions.

Back to top

 

16) Q: Can I open up attachments in PhishER safely?

A: KnowBe4 does not advise that you open up attachments in PhishER, even if VirusTotal marks them as safe. Any attachments that you want to analyze can be opened in a safe, secure sandbox.

Back to top

 

17) Q: Is the data sent to and from my PhishER platform encrypted?

A: Yes, PhishER utilizes TLS protocol for communication in and out of the platform.

Back to top

 

18) Q: How is PhishER access managed?

A: An account admin can enable or disable PhishER access for any admin or user from the individual's User Profile settings in the KnowBe4 console.

 

19) Q: Can I inform an end-user when a message is tagged as SPAM?

A: In PhishER, you can alert an end-user when a message is tagged as SPAM by creating an Action that includes the following settings for steps 1, 2, and 3 on the Action Details screen:

1. For Choose how this action should be triggered, select the Specify Tags option. Then, select HAS ANY and add all of your spam-related PhishER tags.
2. (Optional) For Choose the action to be taken on matched messages, we recommend that you select the Set Status, Set Priority, and Set Category actions. For the Set Status action, select Resolved from the drop-down menu. For the Set Priority action, select Low from the drop-down menu. For the Set Category action, select Spam from the drop-down menu.
3. For Choose how you would like to report this action, select the Send Email option. When this option is selected, you can create a custom email response that will automatically send to the recipients (end-users) of your choice when a message is tagged as SPAM. Visit our How to Create a Custom Email Template in PhishER article for more information.

 

20) Q: What are some recommendations for PhishML thresholds?

A: Here are some recommended settings when it comes to using the PhishML thresholds:

• A lower confidence threshold value (<80) will lead to an increase in the number of messages that are automatically tagged by PhishML as being clean, spam, or a threat. We suggest setting a lower confidence threshold for PhishML to identify messages that are either spam or a threat. This will allow PhishER admins to quickly resolve or eliminate non-threatening messages, and then prioritize messages that need further analysis or review before taking an action.
• A higher confidence threshold value (>85) will lead to a decrease in the number of messages that are tagged by PhishML as being clean, spam, or a threat. We suggest setting a higher confidence threshold for PhishML to identify messages that are clean. This will allow PhishER admins to prioritize messages that need further analysis or review before taking an action.

 

21) Q: What security levels are required to enable PhishRIP with Google Workspace?

A: In order to enable PhishRIP with Google Workspace, you must have a Google Workspace Account Admin email address.

 

22) Q: What can I do when I integrate PhishER with my KnowBe4 Security Awareness Console?

A: The integration between PhishER and the KnowBe4 Security Awareness Console provides you with a better understanding of how your users interact with real phishing emails. With certain Actions being reported to your Security Awareness Console, you can create a Smart Group that targets specific users based on how they treated real phishing emails. For example, you can create a smart group that searches for users that did not report threats and then use this information to create a targeted training campaign and to reiterate the importance of using the Phish Alert Button.

 

23) Q: What permissions do I need to connect my Microsoft 365 instance to PhishRIP?

A: In order to grant PhishRIP access to all of the mailboxes in your Microsoft 365 instance, you must have a Microsoft 365 Admin account with global permissions enabled. This account can then accept the permissions needed to connect to Microsoft 365. The account information used to sign in to Microsoft 365 will not be stored in PhishER. This email address can also be removed by another Microsoft 365 admin. You can find the required permissions in our PhishER Settings article.

 

24) Q: What version of YARA does the PhishER platform support?

A: The PhishER platform currently supports YARA version 3.11.0.

 

25) Q: What security measures are in place to ensure that information is not lost or stolen when using PhishRIP?

A: PhishRIP uses the information entered into the Customized Criteria feature to pull any emails that are similar to any potentially threatening emails that have been sent to PhishER through the Phish Alert Button.

You can also limit the access of the users that you add to the PhishER platform by using the new Security Roles feature. With Security Roles, you can grant Limited or Full access to the following console areas:

• Rooms
• Inbox
• Rules
• Actions
• PhishRIP
• Settings

Using security roles, you can specify which admins have the access to be able to initiate PhishRIP queries.

Finally, if there is ever anything quarantined and later you discover that message to be clean, you can easily restore the message from inside PhishER.

 

26) Q: What format of the PEM TLS certification is required for the PhishER TLS connection settings for Syslog?

A: The format of the PEM TLS certification should include the header, a new line, the certificate information, a new line, and the footer. Below is an example of the accepted format:
-----BEGIN CERTIFICATE----- MIIErzCCApcCFFAUmnV/yNhc8hf6aOY6wCmmh4v2MA0GCSqGSIb3DQEBCwUAMIGRMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHRmxvcmlkYTETMBEGA1UEBwwKQ2xlYXJ3YXRlcjEQMA4GA1UECgdsfasdfasdfjIxNTEyMDVaMIGVMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHRmxvcmlkYTETMBEGA1UEBwwKQ2xlYXJ3YXRlcjEQMA4GA1UECgwHS25vd0JlNDEMMAoGA1UECwwDUiZEMRswGQYDVQQDDBJzeXNsb2cuadyEC6im/QlSps3vCWAoaauSZWtKjt+3/BTn9Sm0BI8KmcEGHyn60yXXrit11g11PR9c0XUDs7ocFnnq00MMaMZh/WxqZnjRvPwV7xLdiWQxdudNgPOjqocWw7ocCuj4HnnrWOkDmHx3Tc9CTFux71azXbcR7uspndgasdfdsffdcxdAc6SoX1ielqSSbsfasdfsa4IgwGZHJGnBjlBpCqfOBBWGGjCEkpKGJLbXPKfrd2l888xgJ8Y8kvmMbMrOrBkAxNrufHKqbBQy94xeOOKvbF+lpLEKWMiXSVGXsfcklCBcUBGx/5GJdaBSz7eO2RNzMzdBoULwJAWfcAhr5IRVLP9id6IYMu5YczqLXjlXXjXkH7qFSL4/GP4mslXCQ/JXmiUpXoRKQiyFr/vsPVcpbNA2pj37GSktc+eWcbi90BGouFnyen/ABBf21Xdtttp46vpYdkVXO5ETba7VJVYdsgsadgasdgfg+fdZ/bQMezrQu4cnI1IrWoIeAxAH2spdfdsfsdfsadfgdsgsfdsfsdgsaadsgasdgasdgasndfmOPm92Wuhg7hIDEg7tGvhzyUyzUYsK+K+UCvOepQB7Ba7lmIKMQkM/USlf265I4+L8mbcL -----END CERTIFICATE-----

 

27) Q: When a PhishFlip campaign is started, is the tracking duration always set to 3 days? Is there any way to modify it?

A: Yes. By default, all PhishFlip campaigns are set to have a tracking duration of 3 days. Currently, this setting cannot be modified.

 

28) Q: Will PhishFlip work with attachments found in reported emails?

A: Yes. PhishFlip will convert the attachment into an HTML template.

 

29) Q: How can I use attachment prefixes to find emails with similar attachments?

A: Yes, you can use the prefix if it is filled out. For example, if an attachment is named randomdoc.xml, the following prefixes would be accepted:

• random
• ran
• rando

Back to top

 

30) Q: What happens when a quarantine folder is deleted?

A: When a quarantine folder is deleted, anything within that folder will be deleted similarly to any other folder. However, you can regenerate the deleted quarantine folder if necessary.

Back to top

 

31) Q: Why do reported messages have null values?

A: If your organization uses Cisco Ironport spam filtering and you're seeing null values in reported messages, you may need to create an exception in Cisco Ironport. 

You can create this exception for outbound emails sent to your PhishER reporting email address. For more information, see Cisco's content filter documentation.

For additional assistance, we recommend reaching out to Cisco Ironport.

Back to top