Getting Started

PhishER Quickstart Guide

Tip:Join the KnowBe4 Community! In the community, you can connect, share knowledge, and collaborate on new ideas with other admins, partners, and employees. For more information, see our KnowBe4 Community Guide.

In this guide, you'll learn how to get started with your PhishER platform. You can use the PhishER platform to help your organization identify potential email threats and strengthen security measures. The workflow image below represents the steps that PhishER takes to process reported emails.

Note:This guide is intended for users who have enabled PhishER and are able to access the platform. For more information about enabling and accessing PhishER, see the Getting Started section of our PhishER Product Manual.

For detailed information about your PhishER platform, see our PhishER Product Manual.

Step 1: Reporting

Before your users can report suspicious emails to PhishER, you'll need to set up a reporting email address to forward the emails to PhishER's Inbox. We recommend that you install the Phish Alert Button (PAB) to automatically forward emails, but you can also allow your users to manually forward emails to a reporting email address.

To learn more about reporting messages, see the video below.

For more information, see our PhishER Settings: Account article and our Accessing Your PhishER Platform and Setting Up Message Forwarding video.

Step 2: Identifying

After your PhishER Inbox receives reported emails, you'll need to set up PhishER to analyze and identify emails as threats, clean, or spam. Then, you can create rules and tags for PhishER to help you identify emails.

We also recommend that you enable PhishML and VirusTotal to automatically identify and tag reported emails. PhishML and VirusTotal analysis serve as a starting point to begin tagging emails in PhishER. To tag emails based on any concerns, terms, or attributes specific to your organization, you can write your own rules using the How to Create and Manage PhishER Rules article or the examples shown in the Use Cases for YARA Rules article.

To learn more about analyzing and identifying emails, see the video and subsections below.


PhishML is a machine-learning module that generates three confidence values for each message that enters your PhishER Inbox. These three values represent the percentage of certainty that a message is clean, spam, or a threat.

You can customize your threshold values using the range sliders. We recommend assigning a value of 95 for clean messages, 75 for spam messages, and 65 for threat messages. These settings will ensure accurate tagging.

Note:PhishML will apply one of the following tags to any of your messages if the active confidence threshold is met or exceeded: PML:CLEAN, PML:SPAM, or PML:THREAT.

For more information, see our How to Use PhishML article.


VirusTotal is a service that inspects and analyzes files for malicious content. We recommend integrating your VirusTotal account with PhishER. If you do not have a VirusTotal account, you can join for free on VirusTotal's website. This integration will enable you to run a VirusTotal scan on message attachments and URLs.

Tip:KnowBe4 has approval from VirusTotal to integrate with the VirusTotal Public API, which is the free version.
Note:A VirusTotal scan will apply one or more of the following tags to your messages: VT_Pending, VT_Bad, VT_Scanned, VT_Bypassed, or VT_Hash_not_found

For more information, see our How to Integrate VirusTotal with Your PhishER Platform article.

Step 3: Dispositioning

Once a message from a reported email is assigned any tags, the tags will indicate how the message should be processed in PhishER. These tags can trigger actions to run on the messages. Similarly, if tags are not assigned to messages, the lack of tags can trigger actions to run on the messages.

Once you create tags, you can create actions to automate how messages are processed. We recommended creating actions for processing messages that are clean, spam, and potential threats that need your attention. For more information about our recommended actions, see our How to Use PhishML article.

To learn more about dispositioning messages, see the video below.

Step 4: Using the Blocklists (Optional)

The PhishER Blocklist is a feature that helps your Microsoft 365 mail server prevent malicious or spam emails from reaching your users' inboxes. Using the PhishER Blocklist, you can create and manage a unique list of blocklist entries for your organization. When you review your users' reported emails, you can update your blocklist to send information about threats or spam to your mail server.

The Global Blocklist is a feature that uses crowd-sourced information about email threats to help your mail server block emails. KnowBe4's Threat Research Lab compiles data from all PhishER Blocklists and other sources to create and publish Global Blocklist entries. This feature is only available for accounts with PhishER Plus.

To learn more about the blocklists, see the video below.

For more information, see our PhishER Settings: Integrations, How to Use the PhishER Blocklist, and How to Use the Global Blocklist articles.

Step 5: Using PhishRIP (Optional)

PhishRIP is a PhishER email quarantine feature that allows your organization to search for user-reported emails across all of the mailboxes tied to your Microsoft 365 or Google Workspace instances. Using PhishRIP, you can prevent active phishing attacks by removing potential email threats from your users' inboxes. You can trigger PhishRIP manually after detecting a potential threat, or PhishRIP can be triggered by an action.

To learn more about PhishRIP, see the video below.

For more information, see our How to Use PhishRIP article.

Step 6: Using PhishFlip (Optional)

PhishFlip is a PhishER feature that allows your organization to reuse user-reported emails in phishing campaigns in your KSAT console. PhishFlip will remove all of the malicious elements from the reported emails so that they are safe to send to your users. In order to use PhishFlip, you must have PhishRIP enabled in your platform.

To learn more about PhishFlip, see the video below.

For more information, see our How to Use PhishFlip article.

Can't find what you're looking for?

Contact Support