PhishRIP
Below is a diagram of the PhishER workflow. The PhishER platform can help you identify potential email threats in your organization through the automated process of rules, tags, and actions.
PhishRIP is a PhishER email quarantine feature that allows your organization to search for user-reported emails across all of the mailboxes tied to your Microsoft 365 or Google Workspace instance. Using PhishRIP, you can prevent active phishing attacks by removing potential email threats from your users' mailboxes.
Jump to:
How to Initiate a PhishRIP Query
PhishRIP Queries
PhishRIP Messages
How to Initiate a PhishRIP Query
In your PhishER platform, there are three ways to initiate a PhishRIP query: PhishER Inbox Column, Run Drop-down Menu, and Message Details. The steps for each method are listed below. Keep in mind that in order to initiate a PhishRIP query, you must have PhishRIP enabled in your PhishER platform.
PhishER Inbox Column
- Navigate to PhishER > Inbox.
- Locate the PhishRIP column.
- Click on the plus sign (+) icon. This will open the Find Similar Messages window.
Run Drop-down Menu
- Navigate to PhishER > Inbox.
- Click on the checkbox to the left of the message you want to select. The Run drop-down menu will display in the top-left.
- Click on the Run drop-down menu.
- Click on the Find Similar Messages option listed under the PhishRIP section. This will open the Find Similar Messages window.
Message Details
- Navigate to PhishER > Inbox.
- Click on a message. This will open the Message Details screen.
- The Actions and Discussion sidebar is located to the right of the Message Details.
- Click on the Create New Query button under the Actions tab. This will open the Find Similar Messages window.
If a PhishRIP query fails, you can retry the query using the Retry button in the Status column. This option is only visible for Failed queries regardless of Resolved or Unresolved status. Retrying a query will not create a new query.
Find Similar Messages
Each method used to initiate a PhishRIP query will open the Find Similar Messages window.
- Match Criteria: Select at least two match criteria options for your PhishRIP query. PhishRIP will use this information to find all of the matching messages across all of the mailboxes tied to your Microsoft 365 or Google Workspace instance.
- Find messages received in the: By default, PhishRIP will find similar messages that were received over the last 24 hours. Click on the drop-down menu to adjust the search window to one of the following options: Last 72 hours, Last Week, or Last Month.
- Automatically quarantine all found messages: Check this option if you would like PhishRIP to quarantine all found messages. The quarantine folders are created when the first query is run and, for each subsequent query, for any new users that may have been added since the last query was run. This action will only happen if the last query was more than 10 minutes prior. Messages stay in the quarantine folders until you restore them or permanently delete them.
- Customized Criteria: Create a new PhishRIP query by selecting one of the following criteria: Subject, Sender, Recipient, and Attachment, and modifying the text field.
The Subject field requires a minimum of four characters that were found in the original subject line for the Customized Criteria search to work. If the subject contains any quotation marks or special characters, you must keep those characters in the query you wish to run.
The Sender and Recipient fields require that the search is a substring or subdomain of the original email address(es).
The Attachment field requires that the search is a substring of the original attachment name and contains a minimum of 3 characters found in the attachment line. You can also use the prefix substring of the attachment name to find similar attachments.
The Body field requires that the search is a substring of the original message and contains a minimum of 30 words or 50% of the content found in the original message. The following special characters will not appear in the Body of the Find Similar Messages modal: ", #, $, (), /, <>
Currently, Microsoft Graph does not support searching for blank-name attachments or searching for a single asterisk. The asterisk will always be converted to a wildcard when used in a search. We have also removed the ability to search for blank attachments under both the Actions and Find Similar Messages sections.
PhishRIP Queries
The PhishRIP Queries page will display all of the PhishRIP queries initiated inside of your PhishER platform. Each line is an individual query. When a query is selected, you can mark it as Resolved or Unresolved. Click on an individual query ID to open the PhishRIP Messages page.
- ID: A unique string of characters used to identify an individual PhishRIP query.
- Started: The date and time when a PhishRIP query was initiated.
- Completed: The date and time when a PhishRIP query completed its mailbox search.
- SourceID: A unique string of characters assigned to the PhishER message used to create a PhishRIP query. If you would like to go to the Source Message Details, you can click on the SourceID link for that query.
- AttackID: A unique string of characters assigned to the PhishRIP message that shares a similar subject or sender with messages that have been recently PhishRIPped.
- Found: The number of messages that matched the PhishRIP query criteria.
- Opened: The number of found messages that were opened.
- Originator: The first and last name of the user that initiated the PhishRIP query.
- Status: The current state of a PhishRIP query. A query can have a status of Processing, Completed, or Failed.
- Resolution: Indicates if a query was marked as Resolved or Unresolved.
- Query: The match criteria that were selected for the PhishRIP query. If you click on the database icon, the Find Similar Messages window will open and display the originally selected criteria; this allows you to review the exact items that were searched for by the query.
You can filter PhishRIP queries by Processing, Completed, Failed, Resolved, or Unresolved. Use the search bar to filter your PhishRIP queries by using Lucene Query syntax. When a message is selected, you have the option to apply one of the following resolutions: Resolved or Unresolved.
PhishRIP Messages
The PhishRIP Messages page will display the matching messages found across all of the mailboxes tied to your Microsoft 365 or Google Workspace instances.
You can add and name more than one Microsoft 365 or Google Workspace instance from your PhishRIP settings. For more information, see our PhishER Settings article.
- Mailbox Email: The email address of the mailbox containing a message that matched the PhishRIP query.
- Mailbox Name: The name of the mailbox containing a message that matched the PhishRIP query.
- Read: Indicates if the message was Read (opened) or Unread (not opened) by the recipient.
- Discovery Folder: The mailbox folder in which the message was found.
- Subject: The text found in the Subject line of the source message.
- Date Found: The date the PhishRIP query discovered the message in the Microsoft 365 or Google Workspace mailbox.
- PhishRIP Status: The last known status of a PhishRIP message. If the message is available, the message will show as Discovered, Quarantined, Restored, or Deleted. If the message is unavailable, due to actions performed outside of PhishRIP or because the message has been deleted in another query, the status will be shown as Unavailable.
- Status Updated: The date when the message last had changes applied to it.
You can filter PhishRIP messages by Discovered, Quarantined, Deleted, Pending, or Failed. When a message is selected, the Run drop-down menu will appear and display a list of PhishRIP actions.
The selectable actions shown in the Run drop-down menu will depend on the status of the PhishRIP message. If multiple messages are selected, you will only see the actions that can be run on all of the messages.
PhishRIP Actions
When a PhishRIP message is selected, the Run drop-down menu will appear. Depending on the delete option you selected under your PhishRIP settings, the Run drop-down menu will display different options.
Delete Disabled
If you disabled the delete option under your PhishRIP settings, the following options will display in the Run drop-down menu:
Quarantine
This action will move the selected message into the quarantine folder of the mailbox in which the message was discovered.
Note:
After accepting the PhishRIP permissions, KnowBe4 searches for a folder titled "Quarantine" across all available mailboxes tied to your Microsoft 365 or Google Workspace account. If a quarantine folder does not already exist, a folder titled "Quarantine" will be added to all available mailboxes tied to your Microsoft 365 or Google Workspace account. The "Quarantine" folder will be visible to the owner of the mailbox (end-user).
It’s important to note that the quarantine folder does not sanitize links found in the quarantined messages. This is expected behavior and promotes the “quarantine messages first, then analyze the messages” workflow.
Restore
This action will move the selected message from the quarantine folder of the mailbox to the original discovery folder of the message.
Send Custom Email
This option allows you to send a custom email using the Email Template Editor. Click on Send Custom Email to open the template editor in a pop-up window. When your email is ready to be sent, click the Send button.
Note:
Each action will be applied to the message(s) inside of the mailbox in which it was found.
Delete Enabled
If you enabled the delete option under your PhishRIP settings, the following options will display in the Run drop-down menu:
Quarantine
This action will move the selected message into the quarantine folder of the mailbox in which the message was discovered.
Note:
After accepting the PhishRIP permissions, KnowBe4 searches for a folder titled "Quarantine" across all available mailboxes tied to your Microsoft 365 or Google Workspace account. If a quarantine folder does not already exist, a folder titled "Quarantine" will be added to all available mailboxes tied to your Microsoft 365 or Google Workspace account. The "Quarantine" folder will be visible to the owner of the mailbox (end-user).
It’s important to note that the quarantine folder does not sanitize links found in the quarantined messages. This is expected behavior and promotes the “quarantine messages first, then analyze the messages” workflow.
Restore
This action will move the selected message from the quarantine folder of the Microsoft 365 or Google Workspace mailbox to the original discovery folder of the message.
Permanently Delete
This action will permanently remove the selected message from the Microsoft 365 or Google Workspace mailbox in which the message was discovered. A message must be quarantined before it can be permanently deleted. If a message has not been quarantined, this option will be greyed out.
Warning:
A permanently deleted item cannot be restored by KnowBe4.
Send Custom Email
This option allows you to send a custom email using the Email Template Editor. Click on Send Custom Email to open the template editor in a pop-up window. When your email is ready to be sent, click the Send button.
Note:
Each action will be applied to the message(s) inside of the Microsoft 365 or Google Workspace mailbox in which it was found.
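The following Python is an added example, not KnowBe4 code, that models the status-dependent Run drop-down menu and the Quarantine, Restore and Permanently Delete transitions described in this section. It assumes that Send Custom Email is offered whenever the message still exists and that a Restored message can be quarantined again.

```python
from enum import Enum


class Status(str, Enum):
    """PhishRIP message statuses listed on the PhishRIP Messages page."""
    DISCOVERED = "Discovered"
    QUARANTINED = "Quarantined"
    RESTORED = "Restored"
    DELETED = "Deleted"
    UNAVAILABLE = "Unavailable"


def actions_for(status: Status, delete_enabled: bool) -> frozenset[str]:
    """Run menu entries for one message, given the PhishRIP delete setting."""
    if status in (Status.DELETED, Status.UNAVAILABLE):
        return frozenset()                 # nothing left in the mailbox to act on
    acts = {"Send Custom Email"}           # assumed available while the message exists
    if status is Status.QUARANTINED:
        acts.add("Restore")
        if delete_enabled:                 # Permanently Delete needs a prior quarantine
            acts.add("Permanently Delete")
    else:                                  # Discovered or Restored (assumed re-quarantinable)
        acts.add("Quarantine")
    return frozenset(acts)


def run_menu(statuses, delete_enabled: bool) -> frozenset[str]:
    """With several messages selected, only actions valid for all of them are shown."""
    menus = [actions_for(s, delete_enabled) for s in statuses]
    return frozenset.intersection(*menus) if menus else frozenset()


def apply_action(msg: dict, action: str, delete_enabled: bool) -> dict:
    """Transition a constructed message record; refuse actions the menu would grey out."""
    if action not in actions_for(msg["status"], delete_enabled):
        raise ValueError(f"{action} is not available for a {msg['status'].value} message")
    if action == "Quarantine":
        msg["folder"], msg["status"] = "Quarantine", Status.QUARANTINED
    elif action == "Restore":              # back to the original discovery folder
        msg["folder"], msg["status"] = msg["discovery_folder"], Status.RESTORED
    elif action == "Permanently Delete":   # not recoverable afterwards
        msg["folder"], msg["status"] = None, Status.DELETED
    return msg
```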