Menu English (US) Čeština Dansk Deutsch Español (Latinoamérica) Español (España) Suomi Français (Canada) Français (France) हिंदी Magyar Bahasa Indonesia Italiano 日本語 한국어 Bahasa Melayu Nederlands Norsk Polski Português do Brasil Português (Portugal) Română Русский svenska ไทย Türkçe Українська Tiếng Việt 简体中文 繁體中文

How to Use PhishML

Updated:

Created:

Using PhishML

PhishML is a PhishER machine-learning module that analyzes messages forwarded to your PhishER platform. Following analysis, PhishML generates three confidence values for each message. These three values represent the percentage of certainty that a message is clean, spam, or a threat. You can view the confidence values of a message from the Action pane of the Message Details screen (click to view).

Once PhishML is enabled, you have the option to set a custom Confidence Threshold value for each category (clean, spam, and threat). PhishML's confidence values must meet or exceed the active threshold values in order for a message to be tagged as clean, spam, or a threat.

PhishML is constantly learning based on the messages that are tagged by members of the PhishER user community. This approach means that the learning model is constantly provided with new data to improve its accuracy. A higher accuracy allows more messages to be automatically prioritized or dispositioned via Rules and Actions.

During the tagging process, PhishML applies one of the following tags to qualifying messages: PML:THREAT, PML:CLEAN, or PML:SPAM. Using PhishML tags, you can create custom actions to automate the dispositioning and prioritization of messages in your PhishER Inbox.

To learn more about PhishER Settings, click the links below.

Jump to:
Setting Up PhishML

Creating Recommended PhishML Actions

Note: PhishML's confidence values are only based on analysis of the email’s contents. PhishML doesn’t inspect URLs or attachments. If you have a VirusTotal account integrated with PhishER, you can use VirusTotal to inspect URLs and attachments. Using both PhishML and VirusTotal to analyze emails allows you to better classify emails based on the available data.

Back to top

PhishML Enabled

To enable PhishML on your PhishER platform, follow the steps below:

  1. Navigate to PhishER > Settings > KnowBe4 Labs > PhishML.
  2. Toggle the PhishML Enabled button.
Note: The first time you enable PhishML, a Terms and Conditions (click to view) dialog box will appear. Prior to using PhishML, you are required to review and accept KnowBe4's Privacy Policy and Terms of Service. Once you have reviewed both items, click I Accept.

Confidence Threshold

A Confidence Threshold is the minimum percentage of certainty PhishML must meet or exceed in order to tag a message as clean, spam, or a threat. You have the option to activate or inactivate each threshold value by clicking on the toggle buttons to the left of the Clean, Spam, and Threat labels. Please note, PhishML will only apply tags to qualifying messages if the confidence threshold is active.

By default, the threshold values are: Clean 95, Spam 95, and Threat 95. However, each confidence threshold can be set to a custom value ranging anywhere between 51-100. To set a custom threshold value, click and drag the slider to the left or right (try the interactive slider below).

Clean
Spam
Threat

Back to top

 

PhishML Tags

After analysis, PhishML will apply one of the following tags to your email(s):

PhishML Tags
Tag Description
PML:CLEAN The tag added to your message when PhishML evaluates a message as being clean based on the active confidence threshold.
PML:SPAM The tag added to your message when PhishML evaluates a message as being spam based on the active confidence threshold.
PML:THREAT The tag added to your message when PhishML evaluates a message as being a threat based on the active confidence threshold.
PML:BYPASSED The tag added to your message when PhishML times out. If you re-run rules and actions against the message, PhishML will add the appropriate tag (PML:CLEAN, PML:SPAM, or PML:THREAT).

 

PhishML Tags and Actions

To learn more about some recommended settings for the PhishML thresholds, visit our PhishER FAQ article.

Listed below are the settings for three actions that we recommend using for your organization to help identify and respond to email threats faster.

PML:THREAT (High Priority Messages)

This action will help your organization identify and prioritize messages that are potentially malicious and may require further analysis.

  1. For Choose how this action should be triggered, we recommend you select the following settings:

    • Specify Tags
      • HAS ANY PML:THREAT
    To add a tag:
    1. Click on Add new tag and type in the desired name of your tag.
    2. Then, press the Enter or Return key on your keyboard.

  2. For Choose the action to be taken on matched messages, we recommend you select the following settings:

    • Set Status In Review

    • Set Priority Critical

    • Set Category Threat

  3. For Choose how you would like to report this action, we recommend using one of the following options:

    For this option, we recommend that you create a custom email response that will automatically send to the recipients of your choice. Visit our How to Create a Custom Email Template in PhishER article for more information.

    If the Send Email option is selected, we suggest the additional settings below:

    1. (Optional) For Choose whether or not to halt further actions, click on the checkbox to the left of Stop executing further actions. This allows you to review all messages with a PML:THREAT tag before other actions are triggered.
    2. For Choose QuickActions settings, we recommend keeping the default settings.
    3. For Choose whether or not to permanently delete matching messages, we recommend keeping the default settings.

    For this option, we recommend that you create an additional action that sends an auto response to selected recipients when you run it manually. To do this, complete part one and two listed below.

    Part 1: Select the remaining settings for your PML:THREAT (High Priority Messages) action

    1. For Choose how you would like to report this action, select None.
    2. (Optional) For Choose whether or not to halt further actions, click on the checkbox to the left of Stop executing further actions. This allows you to review all messages with a PML:THREAT tag before other actions are triggered.
    3. For Choose QuickActions settings, we recommend keeping the default settings.
    4. For Choose whether or not to permanently delete matching messages, we recommend keeping the default settings.

    Part 2: Create an Auto Response QuickAction

    1. For Choose how this action should be triggered, we recommend you select Manual Trigger Only. This will prevent the action from running automatically. Instead, you can run it manually by selecting it from the Run Action drop-down menu or the QuickActions bar (see step 5). 
    2. For Choose the action to be taken on matched messages, we recommend keeping the default settings.
    3. For Choose how you would like to report this action, we recommend you select Send Email. Using the Email Template, create a custom email response. Visit our How to Create a Custom Email Template in PhishER article for more information.

    1. For Choose whether or not to halt further actions, we recommend keeping the default settings.
    2. For Choose QuickActions settings, we recommend you click on the checkbox to the left of Include this action in the QuickAction bar. The action will now display in the QuickActions bar of your PhishER Inbox and in the Actions sidebar of the Message Details screen. Visit here for more information about QuickActions.
    3. For Choose whether or not to permanently delete matching messages, we recommend keeping the default settings.
PML:CLEAN (Medium Priority Messages)

This action will help your organization identify and prioritize messages that are considered to be safe or non-threatening.

  1. For Choose how this action should be triggered, we recommend you select the following settings:

    • Specify Tags
      • HAS ANY PML:CLEAN
    To add a tag:
    1. Click on Add new tag and type in the desired name of your tag.
    2. Then, press the Enter or Return key on your keyboard.

  2. For Choose the action to be taken on matched messages, we recommend you select the following settings:

    • Set Status Resolved

    • Set Priority Medium

    • Set Category Clean

  3. For Choose how you would like to report this action, we recommend using one of the following options:

    For this option, we recommend that you create a custom email response that will automatically send to the recipients of your choice. Visit our How to Create a Custom Email Template in PhishER article for more information.

    If the Send Email option is selected, we suggest the additional settings below:

    1. (Optional) For Choose whether or not to halt further actions, we recommend you click on the checkbox to the left of Stop executing further actions. This allows you to review all messages with a PML:CLEAN tag before other actions are triggered.
    2. For Choose QuickActions settings, we recommend keeping the default settings.
    3. For Choose whether or not to permanently delete matching messages, we recommend keeping the default settings.

    For this option, we recommend that you create an additional action that sends an auto response to selected recipients when you run it manually. To do this, complete part one and two listed below.

    Part 1: Select the remaining settings for your PML:CLEAN (Medium Priority Messages) action

    1. For Choose how you would like to report this action, select None.
    2. (Optional) For Choose whether or not to halt further actions, we recommend you click on the checkbox to the left of Stop executing further actions. This allows you to review all messages with a PML:CLEAN tag before other actions are triggered.
    3. For Choose QuickActions settings, we recommend keeping the default settings.
    4. For Choose whether or not to permanently delete matching messages, we recommend keeping the default settings.

    Part 2: Create an Auto Response QuickAction

    1. For Choose how this action should be triggered, we recommend you select Manual Trigger Only. This will prevent the action from running automatically. Instead, you can run it manually by selecting it from the Run Action drop-down menu or the QuickActions bar (see step 5). 
    2. For Choose the action to be taken on matched messages, we recommend keeping the default settings.
    3. For Choose how you would like to report this action, we recommend you select Send Email. Using the Email Template, create a custom email response. Visit our How to Create a Custom Email Template in PhishER article for more information.

    1. For Choose whether or not to halt further actions, we recommend keeping the default settings.
    2. For Choose QuickActions settings, we recommend you click on the checkbox to the left of Include this action in the QuickAction bar. The action will now display in the QuickActions bar of your PhishER Inbox and in the Actions sidebar of the Message Details screen. Visit here for more information about QuickActions.
    3. For Choose whether or not to permanently delete matching messages, we recommend keeping the default settings.
PML:SPAM (Low Priority Messages)

This action will help your organization identify and prioritize messages that are determined to be unsolicited or unwanted but not likely to be malicious.

  1. For Choose how this action should be triggered, we recommend you select the following settings:

    • Specify Tags
      • HAS ANY PML:SPAM
    To add a tag:
    1. Click on Add new tag and type in the desired name of your tag.
    2. Then, press the Enter or Return key on your keyboard.

  2. For Choose the action to be taken on matched messages, we recommend you select the following settings:

    • Set Status Resolved

    • Set Priority Low

    • Set Category Spam

  3. For Choose how you would like to report this action, we recommend using one of the following options:

    For this option, we recommend that you create a custom email response that will automatically send to the recipients of your choice. Visit our How to Create a Custom Email Template in PhishER article for more information.

    If the Send Email option is selected, we suggest the additional settings below:

    1. (Optional) For Choose whether or not to halt further actions, we recommend you click on the checkbox to the left of Stop executing further actions. This allows you to review all messages with a PML:SPAM tag before other actions are triggered.
    2. For Choose QuickActions settings, we recommend keeping the default settings.
    3. For Choose whether or not to permanently delete matching messages, we recommend keeping the default settings.

    For this option, we recommend that you create an additional action that sends an auto response to selected recipients when you run it manually. To do this, complete part one and two listed below.

    Part 1: Select the remaining settings for your PML:SPAM (Low Priority Messages) action

    1. For Choose how you would like to report this action, select None.
    2. (Optional) For Choose whether or not to halt further actions, we recommend you click on the checkbox to the left of Stop executing further actions. This allows you to review all messages with a PML:SPAM tag before other actions are triggered.
    3. For Choose QuickActions settings, we recommend keeping the default settings.
    4. For Choose whether or not to permanently delete matching messages, we recommend keeping the default settings.

    Part 2: Create an Auto Response QuickAction

    1. For Choose how this action should be triggered, we recommend you select Manual Trigger Only. This will prevent the action from running automatically. Instead, you can run it manually by selecting it from the Run Action drop-down menu or the QuickActions bar (see step 5). 
    2. For Choose the action to be taken on matched messages, we recommend keeping the default settings.
    3. For Choose how you would like to report this action, we recommend you select Send Email. Using the Email Template, create a custom email response. Visit our How to Create a Custom Email Template in PhishER article for more information.

    1. For Choose whether or not to halt further actions, we recommend keeping the default settings.
    2. For Choose QuickActions settings, we recommend you click on the checkbox to the left of Include this action in the QuickAction bar. The action will now display in the QuickActions bar of your PhishER Inbox and in the Actions sidebar of the Message Details screen. Visit here for more information about QuickActions.
    3. For Choose whether or not to permanently delete matching messages, we recommend keeping the default settings.

Related Resources:

Back to top

Have more questions? Submit a request

Comments

0 comments

Article is closed for comments.

Related articles