Menu

PhishER Quickstart Guide

Avatar
Natalie Koly
Updated
Follow

PhishER Quickstart Guide

This quickstart guide is designed to help you get started with your PhishER platform. For each step listed below, we provide specific details and recommendations.

Important:

The steps in this guide are intended for those who have PhishER enabled on their account and are able to access the platform. Visit here for more information about how to enable and access PhishER.

 

Jump to:
Step 1: Configure PhishER Settings
 Step 2: Create Rules
 Step 3: Create Actions
 Step 4: Monitor Inbox

 

Step 1: Configure PhishER Settings

ACCOUNT
Reporting Emails

Reporting Emails are all of the email addresses tied to your PhishER platform. Your reporting emails will be used to forward user-reported messages to your PhishER inbox.

There are two methods for forwarding user-reported emails to PhishER:

Automatic email forwarding with the Phish Alert Button (PAB) - RECOMMENDED

  1. Copy your reporting email address from your PhishER Settings.
  2. Paste your reporting email address into the Forward non-simulated phishing emails to field under your Phish Alert settings.

Manual email forwarding
If your organization does not have the PAB installed, all reported emails must be manually forwarded to your reporting email address(es) for the emails to reach your PhishER inbox.
INTEGRATIONS
VirusTotal

We recommend integrating your VirusTotal account with PhishER. If you do not have a VirusTotal account, you can join their Community for free here. This integration will enable you to run a VirusTotal scan on message attachments and URLs.

If automatic scanning is enabled, VirusTotal will automatically be sent a hash of all attachments and/or URLs received by your PhishER inbox.

A VirusTotal scan will apply one or more of the following tags to your email(s): VT_Pending, VT_Bad, VT_Scanned, VT_Bypassed, or VT_Hash_not_found
KNOWBE4 LABS
PhishML

We recommend enabling PhishML on your PhishER platform. PhishML is a machine-learning module that generates three confidence values for each message that enters your PhishER inbox. These three values represent the percentage of certainty that a message is clean, spam, or a threat.

Customize your threshold values using the range sliders (threshold values can range anywhere between 51-100). We recommend assigning a value of 95 for each threshold to ensure highly accurate tagging.

PhishML will apply one of the following tags to your message(s) if the active confidence threshold is met or exceeded: PML:CLEAN, PML:SPAM, or PML:THREAT

 

Related Resources:

Back to top

 

Step 2: Create Rules

Using YARA logic, create custom rules to identify and tag messages as they enter your PhishER inbox. We suggest starting with the following types of rules:

Important: Variable names are only necessary depending on the condition for that particular YARA rule. The following condition statements do not require defined variable names for them to run:

  • any of them
  • all of them

For more information about using undefined values in YARA rules, please visit this Writing YARA rules article.

Rule 1: Spam

Create a rule that detects common spam messages that are sent to your users. This can include marketing or automated software emails from an organization. You may use the following example as a base for your custom rule:

rule Spam { strings: $ = "promo@organization-1.com" $ = "promo@organization-2.com" $ = "promo@organization-3.com" $ = "promo@organization-4.com" condition: any of them }
Rule 2: Internal Messaging

Create a rule that detects all legitimate emails sent from your domain. This can include mass emails sent from your Human Resources and/or IT department. You may use the following example as a base for your custom rule:

rule Internal { strings: $ = /from.{0,20}@domain.com/ $ = /to.{0,20}@domain.com/ $ = /Authentication-Results:.[spf=pass]/ condition: all of them }
Rule 3: KnowBe4 Training Emails

Create a rule that detects all KnowBe4 Training emails. You may use the following example as a base for your custom rule:

rule KnowBe4_TrainingEmails { strings: $ = /Return-Path:.{0,20}psm.knowbe4.com>/ nocase $ = /Received:.{0,20}\[147.160.167.\]\d{1,3}/ nocase $ = /Received:.{0,20}\[23.21.109.197\]/ nocase $ = /Received:.{0,20}\[23.21.109.212\]/ nocase $ = /Received:.{0,20}psm.knowbe4.com/ nocase condition: any of them }

Related Resources:

Back to top

 

Step 3: Create Actions

When a message is assigned a tag, the tag will indicate how the message should be handled in PhishER. For each tag that is created in Step 2, create an action to automate how a message is handled.

Using automated PhishML and VirusTotal tags, here are the settings for three suggested actions:

Action 1: High Priority Messages

This action will help prioritize messages that are potentially malicious and may require your analysis. All other settings for this action can be customized based on your organization's preferences.

  1. For Choose how this action should be triggered, select the following settings:

    • Specify Tags
      • HAS ANY VT_BAD PML:THREAT

  2. For Choose the action to be taken on matched messages, select the following settings:

    • Set Priority High
Action 2: Medium Priority Messages

This action will help prioritize messages that are considered to be safe or non-threatening. All other settings for this action can be customized based on your organization's preferences.

  1. For Choose how this action should be triggered, select the following settings:

    • Specify Tags
      • HAS ALL PML:CLEAN

  2. For Choose the action to be taken on matched messages, select the following settings:

    • Set Priority Medium
Action 3: Low Priority Messages

This action will help prioritize messages that are determined to be unsolicited or unwanted but not likely to be malicious. All other settings for this action can be customized based on your organization's preferences.

  1. For Choose how this action should be triggered, select the following settings:

    • Specify Tags
      • HAS ALL PML:SPAM

  2. For Choose the action to be taken on matched messages, select the following settings:

    • Set Priority Low

Related Resources:

Back to top

 

Step 4: Monitor Inbox

Now that the dispositioning of your messages is automated through custom rules and actions, it’s important to monitor your PhishER inbox for new trends or threats. You can identify trends by analyzing the Rooms section of your PhishER platform.

Rooms are filtered views of the messages in your PhishER inbox. Each filtered view is a dynamic grouping of messages by a commonality. Use this information as a starting point to help you decide which rules to update or create for your PhishER inbox.

 

Related Resources:

Back to top

Have more questions? Submit a request

Comments

0 comments

Article is closed for comments.

Related articles