Menu English (US) Čeština Dansk Deutsch Español (Latinoamérica) Español (España) Suomi Français (Canada) Français (France) हिंदी Magyar Bahasa Indonesia Italiano 日本語 한국어 Bahasa Melayu Nederlands Norsk Polski Português do Brasil Română Русский svenska Kiswahili ไทย Türkçe Українська Tiếng Việt 简体中文 中文 (香港) 繁體中文

PhishER Quickstart Guide

Avatar
Orlandria Heggs
Updated
Follow

PhishER Quickstart Guide

This quickstart guide is designed to help you get started with your PhishER platform. For each step listed below, we provide specific details and recommendations.

Important:

The steps in this guide are intended for those who have PhishER enabled on their account and are able to access the platform. Visit our PhishER Product Manual for more information about how to enable and access PhishER.

The purpose of this platform is to provide your organization with a way to evaluate all suspicious emails making it through to the inbox of your users. Using PhishER as a detective security control, your organization can identify potential threats and strengthen your security measures and defense-in-depth plan. The image below outlines the lifecycle of a suspicious email and its disposition in PhishER.

For a thorough guide through each step, please visit the PhishER Product Manual.

 

Jump to:
Step 1: Report
 Step 2: Identify
 Step 3: Disposition
 Step 4: PhishRIP

 

Step 1: Report

After your users have reported suspicious emails, you can use automatic email forwarding or Manual email forwarding to send the emails to PhishER:

ACCOUNT
Reporting Emails

Reporting Emails are all of the email addresses tied to your PhishER platform. Your reporting emails will be used to forward user-reported messages to your PhishER inbox.

There are two methods for forwarding user-reported emails to PhishER:

Automatic email forwarding with the Phish Alert Button (PAB) - RECOMMENDED

  1. Copy your reporting email address from your PhishER Settings.
  2. Paste your reporting email address into the Forward non-simulated phishing emails to field under your Phish Alert settings.

Manual email forwarding
If your organization does not have the PAB installed, all reported emails must be manually forwarded to your reporting email address(es) for the emails to reach your PhishER inbox.

 

Related Resources:

Back to top

 

Step 2: Identify

Using PhishML, Rules, and Tags in the PhishER platform will help you identify emails that you believe to be Threats, Clean, or Spam. To get automated tagging on the emails that PhishER receives, we recommend enabling PhishML and Virus Total on your platform.

KNOWBE4 LABS
PhishML

PhishML is a machine-learning module that generates three confidence values for each message that enters your PhishER inbox. These three values represent the percentage of certainty that a message is clean, spam, or a threat.

Customize your threshold values using the range sliders (threshold values can range anywhere between 51-100). We recommend assigning a value of 85 for Clean, 75 for Spam, and 65 for Threat. This will ensure accurate initial tagging. Ranges can be adjusted to meet your specific requirements.

PhishML will apply one of the following tags to your message(s) if the active confidence threshold is met or exceeded: PML:CLEAN, PML:SPAM, or PML:THREAT
INTEGRATIONS
VirusTotal

We recommend integrating your VirusTotal account with PhishER. If you do not have a VirusTotal account, you can join their Community for free here. This integration will enable you to run a VirusTotal scan on message attachments and URLs.

If automatic scanning is enabled, VirusTotal will automatically be sent a hash of all attachments and/or URLs received by your PhishER inbox.

A VirusTotal scan will apply one or more of the following tags to your email(s): VT_Pending, VT_Bad, VT_Scanned, VT_Bypassed, or VT_Hash_not_found

 

PhishML and VirusTotal analysis serve as a starting point to begin tagging emails in PhishER. To tag emails based on any concerns, terms, or attributes specific to your organization, you can write your own rules using the How Do I Create a Rule and Action in PhishER article or the examples shown in the YARA Rule Example article.

Related Resources:

Back to top

 

Step 3: Disposition

When a message is assigned a tag, the tag will indicate how the message should be handled in PhishER. Tags can be layered and used to trigger actions when they are found, or not found, on incoming messages. With the tags created in Step 2, create actions to automate how a message is handled.

Below are the settings for three suggested actions:

Action 1: Messages that need your attention

This action will help you concentrate on messages that are potentially malicious and may require analysis by you or your infosec team. It will send an automated email to the evaluators with a link to the specific email that needs analysis.

  1. For Choose how this action should be triggered, select the following settings:

    • Specify Tags
      • HAS ANY VT_BAD PML:THREAT

  2. For Choose the action to be taken on matched messages, select the following settings:

    • Set Priority High

  3. For Choose how you would like to report this action, select the following settings:

    • Send Email
      • Specify Recipients
      • Include PhishER links and tag information
Action 2: Clean emails that should be sent back to the reporter

This action will help you automatically return to messages that are considered to be safe or non-threatening. All other settings for this action can be customized based on your organization's preferences.

  1. For Choose how this action should be triggered, select the following settings:

    • Specify Tags
      • HAS ALL PML:CLEAN

  2. For Choose the action to be taken on matched messages, select the following settings:

    • Set Priority Medium

  3. For Choose how you would like to report this action, select the following settings:

    • Send Email
      • Include Original Reporter
      • Include original email at the bottom of the body and/or attach original email
Action 3: Spam and other unwanted emails

This action will help you rule out messages that are determined to be unsolicited or unwanted but not likely to be malicious. All other settings for this action can be customized based on your organization's preferences.

  1. For Choose how this action should be triggered, select the following settings:

    • Specify Tags
      • HAS ALL PML:SPAM

  2. For Choose the action to be taken on matched messages, select the following settings:

    • Set Priority Low

Related Resources:

Back to top

 

Step 4: PhishRIP (Optional)

PhishRIP is a PhishER email quarantine feature that allows your organization to search for user-reported emails across all of the mailboxes tied to your Microsoft 365 or GSuite instance. Using PhishRIP, you can prevent active phishing attacks by removing potential email threats from the inbox of your users.

PhishRIP can be triggered manually after detection of a potential threat or as a part of an automated action.

For specific setup instructions, see our PhishER Settings article.

 

Related Resources:

Back to top

Have more questions? Submit a request

Comments

0 comments

Article is closed for comments.

Related articles