PhishER FAQ

Below are some commonly-asked questions about KnowBe4's PhishER platform. If you don't see the answer you need, submit a ticket to our support team.

Jump to:

1. How is my information protected on the PhishER platform?
2. Do I need to use the PAB to forward emails to my PhishER inbox?
3. Does PhishER have security roles?
4. Where do I find my Saved Rooms?
5. Can I filter my PhishER inbox by a specific tag?
6. How do I delete a message from my PhishER inbox?
7. Is there a limit to how many Reporting Emails I can generate?
8. I created a new rule. Will this affect the messages that were in my PhishER inbox before the rule was created?
9. Can I use regular expressions (regex commands) in my YARA rule?
10. What does the VT_Scanned tag mean?
11. How can I purchase my own PhishER platform?
12. What URL rewriters and shorteners is PhishER compatible with?
13. How quickly can we get our PhishER platform set up?
14. Can I use PhishER to process and block viruses?
15. Can I open up attachments in PhishER safely?

1) Q: How is my information protected on the PhishER platform?

A: PhishER uses all of KnowBe4's security and privacy best practices, as detailed on our Security page. For an added layer of protection, you can enable multi-factor authentication on your admin account in the KnowBe4 console.

Back to Top

2) Q: Do I need to use the PAB to forward emails to my PhishER inbox?

A: As an alternative to using the PAB, you can manually forward all user-reported emails to a PhishER-generated email address tied to your organization's PhishER platform. Visit here for more information on how to set this up.

Keep in mind, this method of email forwarding requires that forwarded emails are transmitted in a .eml format (RFC 822), which includes the complete headers and email body from the original email.

Back to Top

3) Q: Does PhishER have Security Roles?

A: No. To access PhishER, you must be set up as an admin in your organization's KMSAT console.  Account admins will have full access to all features within PhishER.

Back to Top

4) Q: Where do I find my Saved Rooms?

A: After creating a room in PhishER, the room will be stored under the Saved Queries emergency room. This can be viewed by navigating to PhishER > Rooms > Saved Queries (select from the drop-down at the top of the Rooms screen).

Back to Top

5) Q: Can I filter my PhishER inbox by a specific tag?

A: Yes. Using Lucene query syntax, you can filter your PhishER inbox by a specific tag.
Enter the query below into the search bar of your PhishER inbox. As an example, this query will filter all messages with a Threat tag attached to it.

tags: "threat"

Back to Top

6) Q: How do I delete a message from my PhishER inbox?

A: You can delete a message from the Message Details screen. To do this, follow the steps below:

1. Navigate to PhishER > Inbox
2. Click on the message you would like to delete. This will open the Message Details screen.
3. To the right of the Message Details is the Actions and Discussion sidebar. Under the Actions tab, click on the Delete Message button.

Back to Top

7) Q: Is there a limit to how many Reporting Emails I can generate?

A: No. You can generate as many reporting email addresses as you would like. This option may be beneficial to organizations who want to provide a different reporting email address across user groups, PAB instances, or office locations. Keep in mind, all emails forwarded to your reporting email addresses will empty into a single PhishER inbox.

Back to Top

8) Q: I created a new rule. Will this affect the messages that were in my PhishER inbox before the rule was created?

A: No, messages received prior to your rule change(s) will not be affected. If you would like to run your new rule against emails received prior to the rule's creation, you can do so by following the steps below:

1. Navigate to PhishER > Inbox
2. Click on the checkbox to the left of the message to select it.
3. The Run Action drop-down will appear in the top-left. From this drop-down, you may select an action to run against your selected message(s).

Back to Top

9) Q: Can I use regular expressions (regex commands) in my YARA rule?

A: Yes, you can use regex commands when writing YARA rules. However, not all regex commands are recognized by the YARA compiler. Visit here to learn more about the regex commands that are recognized by YARA.

Back to Top

10) Q: What does the VT_Scanned tag mean?

A: The VT_Scanned tag will be added to your message when a VirusTotal scan is completed and not determined to be malicious.

Back to Top

11) Q: How can I purchase my own PhishER platform?

A: If you would like to purchase the PhishER platform, please reach out to your Account Manager for assistance. If you're unsure who your Account Manager is, you can contact support.

Back to Top

12) Q: What URL rewriters and shorteners is PhishER compatible with?

A: See the table below:

Back to Top

13) Q: How quickly can we get our PhishER platform set up?

A: Setup time will vary based on your environment. If you're using KnowBe4's free Phish Alert Button in your organization, you can get started with PhishER in just a few clicks. PhishER offers System Rules to get you started with dispositioning emails fast. However, you'll want to spend some time customizing rules, tags, and actions to help you process and respond to reported emails faster.

Back to Top

14) Q: Can I use PhishER to process and block viruses?

A: No, PhishER was not designed to be a mail filter. The purpose of PhishER is to provide your organization with a platform to evaluate all suspicious emails reported by your users. However, you can use PhishER to detect commonalities in the reported emails to automate your incident response actions.

Back to Top

15) Q: Can I open up attachments in PhishER safely?

A: KnowBe4 does not advise that you open up attachments in PhishER, even if VirusTotal marks them as safe. Any attachments that you want to analyze can be opened in a safe, secure sandbox.

Back to Top