PhishER Quickstart Guide

This quickstart guide is designed to help you get started with your PhishER platform. For each step listed below, we provide specific details and recommendations.

Important:

The steps in this guide are intended for those who have PhishER enabled on their account and are able to access the platform. Visit our PhishER Product Manual for more information about how to enable and access PhishER.

The purpose of this platform is to provide your organization with a way to evaluate all suspicious emails making it through to the inbox of your users. Using PhishER as a detective security control, your organization can identify potential threats and strengthen your security measures and defense-in-depth plan. The image below outlines the lifecycle of a suspicious email and its disposition in PhishER.

For a thorough guide through each step, please visit the PhishER Product Manual.

Jump to:
Step 1: Report
Step 2: Identify
Step 3: Disposition
Step 4: PhishRIP
Step 5: PhishFlip

Step 1: Report

After your users have reported suspicious emails, you can use automatic email forwarding or Manual email forwarding to send the emails to PhishER:

Reporting Emails

ACCOUNT

Reporting Emails

Reporting Emails are all of the email addresses tied to your PhishER platform. Your reporting emails will be used to forward user-reported messages to your PhishER inbox.

There are two methods for forwarding user-reported emails to PhishER:

Automatic email forwarding with the Phish Alert Button (PAB) - RECOMMENDED

Copy your reporting email address from your PhishER Settings.
Paste your reporting email address into the Forward non-simulated phishing emails to field under your Phish Alert settings.

Manual email forwarding
If your organization does not have the PAB installed, all reported emails must be manually forwarded to your reporting email address(es) for the emails to reach your PhishER inbox.

You can also manually forward emails to PhishER by downloading the .eml file of the email, attaching the .eml file to an email, and send it to PhishER. PhishER will process this action as a PAB report.

Related Resources:

Step 2: Identify

Using PhishML, Rules, and Tags in the PhishER platform will help you identify emails that you believe to be Threats, Clean, or Spam. To get automated tagging on the emails that PhishER receives, we recommend enabling PhishML and Virus Total on your platform.

KNOWBE4 LABS

PhishML

PhishML is a machine-learning module that generates three confidence values for each message that enters your PhishER inbox. These three values represent the percentage of certainty that a message is clean, spam, or a threat.

Customize your threshold values using the range sliders (threshold values can range anywhere between 51-100). We recommend assigning a value of 85 for Clean, 75 for Spam, and 65 for Threat. This will ensure accurate initial tagging. Ranges can be adjusted to meet your specific requirements.

PhishML will apply one of the following tags to your message(s) if the active confidence threshold is met or exceeded: PML:CLEAN, PML:SPAM, or PML:THREAT

INTEGRATIONS

VirusTotal

We recommend integrating your VirusTotal account with PhishER. If you do not have a VirusTotal account, you can join their Community for free here. This integration will enable you to run a VirusTotal scan on message attachments and URLs.

KnowBe4 has approval from VirusTotal to integrate with the VirusTotal Public API (free version).

If automatic scanning is enabled, VirusTotal will automatically be sent a hash of all attachments and/or URLs received by your PhishER inbox.

A VirusTotal scan will apply one or more of the following tags to your email(s): VT_Pending, VT_Bad, VT_Scanned, VT_Bypassed, or VT_Hash_not_found

PhishML and VirusTotal analysis serve as a starting point to begin tagging emails in PhishER. To tag emails based on any concerns, terms, or attributes specific to your organization, you can write your own rules using the How Do I Create a Rule and Action in PhishER article or the examples shown in the YARA Rule Example article.

Related Resources:

Step 3: Disposition

When a message is assigned a tag, the tag will indicate how the message should be handled in PhishER. Tags can be layered and used to trigger actions when they are found, or not found, on incoming messages. With the tags created in Step 2, create actions to automate how a message is handled.

Below are the settings for three suggested actions:

Action 1: Messages that need your attention

This action will help you concentrate on messages that are potentially malicious and may require analysis by you or your infosec team. It will send an automated email to the evaluators with a link to the specific email that needs analysis.

For Choose how this action should be triggered, select the following settings:
- Specify Tags
  - HAS ANY VT_BAD PML:THREAT
For Choose the action to be taken on matched messages, select the following settings:
- Set Status In Review
- Set Priority High
- Set Category Choose Category
- For Set Category, we recommend choosing from the Clean, Spam, Threat, or Unknown categories based on your organization's preferences.
For Choose how you would like to report this action, select the following settings:
- Send Email
  - Specify Recipients
  - Include PhishER links and tag information

Action 2: Clean emails that should be sent back to the reporter

This action will help you automatically return messages that are considered to be safe or non-threatening. All other settings for this action can be customized based on your organization's preferences.

For Choose how this action should be triggered, select the following settings:
- Specify Tags
  - HAS ALL PML:CLEAN
For Choose the action to be taken on matched messages, select the following settings:
- Set Status Resolved
- Set Priority Medium
- Set Category Choose Category
- For Set Category, we recommend choosing from the Clean, Spam, Threat, or Unknown categories based on your organization's preferences.
For Choose how you would like to report this action, select the following settings:
- Send Email
  - Include Original Reporter
  - Include original email at the bottom of the body and/or attach original email

Action 3: Spam and other unwanted emails

This action will help you rule out messages that are determined to be unsolicited or unwanted but not likely to be malicious. All other settings for this action can be customized based on your organization's preferences.

For Choose how this action should be triggered, select the following settings:
- Specify Tags
  - HAS ALL PML:SPAM
For Choose the action to be taken on matched messages, select the following settings:
- Set Status Resolved
- Set Priority Low
- Set Category Choose Category
- For Set Category, we recommend choosing from the Clean, Spam, Threat, or Unknown categories based on your organization's preferences.

Related Resources:

Step 4: PhishRIP (Optional)

PhishRIP is a PhishER email quarantine feature that allows your organization to search for user-reported emails across all of the mailboxes tied to your Microsoft 365 or Google Workspace instance. Using PhishRIP, you can prevent active phishing attacks by removing potential email threats from the inbox of your users.

PhishRIP can be triggered manually after detection of a potential threat or as a part of an automated action.

For specific setup instructions, see our PhishER Settings article.

Related Resources:

PhishRIP

Step 5: PhishFlip (Optional)

PhishFlip is a PhishER feature that allows your organization to reuse user-reported emails in phishing campaigns in your KMSAT console. PhishFlip will remove all of the malicious elements from the reported emails so that they are safe to send to your users. In order to use PhishFlip, you must have PhishRIP enabled in your platform.

Related Resources:

PhishFlip

PhishER Quickstart Guide

Important:

Step 1: Report

Step 2: Identify

Step 3: Disposition

Step 4: PhishRIP (Optional)

Step 5: PhishFlip (Optional)

Related articles