Working with PhishRIP and PhishFlip

PhishRIP Guide

In your PhishER platform, you can use PhishRIP to remove email threats from your users’ inboxes. PhishRIP allows you to prevent active phishing attacks by searching for users’ reported emails and removing all similar emails across your Microsoft 365 mail server or your Google Workspace mail server.

Enabling PhishRIP

See the subsections below to learn how to enable PhishRIP in your Microsoft 365 mail server or your Google Workspace mail server. You can connect PhishRIP to multiple mail servers.

Important: After you accept the PhishER permissions, KnowBe4 will search for a Quarantine folder across all the available inboxes in your mail server. If a Quarantine folder doesn’t exist, it will be created in your users' inboxes when PhishRIP removes a message from their inbox. Your users will be able to see the Quarantine folder in their inboxes.

Enabling for Microsoft 365

To enable PhishRIP for Microsoft 365, follow the steps below:

Note: In order to enable PhishRIP in your PhishER platform, your organization is required to have an active Microsoft 365 instance that is connected to the organizational domain.
This feature is not compatible with Microsoft 365 operated by 21Vianet and may not be available in other environments outside of the US.
  1. Log in to your PhishER platform.
  2. Click the gear icon on the left side of the page to navigate to your settings.
  3. Navigate to the PhishRIP section.
  4. Click the Connect to Microsoft 365 button. You will be redirected to the Microsoft 365 login page.
  5. Log in to your Microsoft 365 account using your admin credentials.
  6. Once logged in, the Permissions requested pop-up window will display the first set of permissions. Read the permissions, then click Accept. You will be redirected back to PhishER.

    Note: Quarantine folders will be created after each query is run for any users added after the last query. This action will only occur if the last query was run more than 10 minutes before the next query.

  7. Under the Mail Servers section of your PhishER settings, the new instance of your Microsoft 365 mail server will display. The mail server's connection to PhishRIP is incomplete until you accept a second set of permissions to add the application to the mail server.
  8. To accept the permissions, click Continue. You will be redirected to Microsoft.
  9. Log in to your Microsoft 365 account using your admin credentials again.
  10. Once logged in, the Permissions requested will display the second set of permissions. Read the permissions, then click Accept. You will be redirected back to PhishER. Your Microsoft 365 mail server instance will be connected to PhishRIP.
  11. Under the PhishRIP section of your PhishER settings, click the Disabled toggle. Then, click Save. This action will enable PhishRIP in your PhishER platform.
  12. (Optional) Select the Allow Permanent Message Deletion check box to enable the delete option in PhishRIP. Once the delete option is enabled, admins can request PhishRIP to quarantine, restore, and permanently delete emails in your Microsoft 365 mail server.

    Important: KnowBe4 cannot restore permanently deleted emails.

Once PhishRIP is enabled in your PhishER platform, a fishbone icon will display in the navigation panel. Click this icon to access PhishRIP.

To connect another mail server, click Connect to Microsoft 365 in the Mail Servers section of your PhishER Settings again.

Tip: To customize the name of a mail server instance, navigate to your Mail Server settings, then click the pencil icon next to the mail server instance.

Enabling for Google Workspace

To enable PhishRIP for Google Workspace, follow the steps below.

Note: In order to enable PhishRIP in your PhishER platform, your organization is required to have an active Google Workspace instance that is connected to the organizational domain.
  1. Log in to your PhishER platform.
  2. Click the gear icon on the left side of the page to navigate to your settings.
  3. Navigate to the PhishRIP section.
  4. Click Connect to Google Workspace. A Google Workspace Credentials pop-up window will display with instructions.
  5. Copy your Client ID.
  6. In a separate tab of your browser, log in to your Google Workspace admin console.
  7. Once you’ve logged in, navigate to Security > API Controls > Manage Domain wide delegation.
  8. Click Add new.
  9. Paste the Client ID that you copied in step five.
  10. In the OAuth scopes field, enter "https://www.googleapis.com/auth/admin.directory.user.readonly,https://mail.google.com/"
  11. Click Authorize.
  12. Locate and copy your Google Workspace Customer ID from your Google Workspace Account Settings. To learn how to find your Customer ID, see Google’s Find your customer ID article.
  13. Return to your PhishER platform.
  14. In the Google Workspace Credentials pop-up window, enter your Account Admin email address in the Access User field.
  15. Enter the Customer ID that you copied in step 12 into the Mailserver ID field.
  16. Click Connect.

    Note: Quarantine folders will be created after each query is run for any users added after the last query. This action will only occur if the last query was run more than 10 minutes before the next query.
  17. Under the PhishRIP section of your PhishER settings, click the Disabled toggle. Then, click Save. This action will enable PhishRIP in your PhishER platform.
  18. (Optional) Select the Allow Permanent Message Deletion check box to enable the delete option in PhishRIP. Once the delete option is enabled, admins can request PhishRIP to quarantine, restore, and permanently delete messages in your Google Workspace mail server.

    Important: KnowBe4 cannot restore permanently deleted emails.

Once PhishRIP is enabled in your PhishER platform, a fishbone icon will display in the navigation panel. Click this icon to access PhishRIP.

To connect another mail server, click Connect to Google Workspace in the Mail Servers section of your PhishER Settings again.

Tip: To customize the name of a mail server instance, navigate to your Mail Server settings, then click the pencil icon next to the mail server instance.
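
The domain-wide delegation entry created in steps 7 to 11 includes the full Gmail access scope, so it is worth confirming that the entry holds exactly the two scopes from step 10 and that no unexpected client holds the mail scope. The Python check below is an added example, not KnowBe4 or Google code; the input format (client ID and scopes-field pairs transcribed from the admin console) and the placeholder client IDs are assumptions.

```python
# Added example: audit domain-wide delegation entries against the guide's scopes.
EXPECTED_SCOPES = frozenset({
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://mail.google.com/",
})
# Full Gmail access scope; any other client holding it also deserves review.
FULL_MAIL_SCOPE = "https://mail.google.com/"


def parse_scopes(field):
    """Split a comma-separated scopes field, dropping spaces and stray quotes."""
    cleaned = (s.strip().strip('"') for s in field.split(","))
    return frozenset(s for s in cleaned if s)


def audit_delegations(entries, phishrip_client_id):
    """Return (client_id, finding) tuples for entries that need review.

    entries: (client_id, scopes_field) pairs transcribed from the admin
    console's domain-wide delegation list (input format is an assumption).
    """
    findings, seen = [], False
    for client_id, field in entries:
        scopes = parse_scopes(field)
        if client_id == phishrip_client_id:
            seen = True
            extra = sorted(scopes - EXPECTED_SCOPES)
            missing = sorted(EXPECTED_SCOPES - scopes)
            if extra:
                findings.append((client_id, "extra scopes: " + ", ".join(extra)))
            if missing:
                findings.append((client_id, "missing scopes: " + ", ".join(missing)))
        elif FULL_MAIL_SCOPE in scopes:
            findings.append((client_id, "unexpected client holds full-mail scope"))
    if not seen:
        findings.append((phishrip_client_id, "no delegation entry found"))
    return findings


# Constructed sample data; the client IDs are placeholders, not real values.
PHISHRIP_ID = "PHISHRIP-CLIENT-ID-PLACEHOLDER"
SAMPLE_ENTRIES = [
    (PHISHRIP_ID,
     '"https://www.googleapis.com/auth/admin.directory.user.readonly, '
     'https://mail.google.com/, https://www.googleapis.com/auth/drive"'),
    ("OTHER-CLIENT-ID-PLACEHOLDER", "https://mail.google.com/"),
    ("READONLY-CLIENT-ID-PLACEHOLDER",
     "https://www.googleapis.com/auth/admin.directory.user.readonly"),
]

if __name__ == "__main__":
    for cid, finding in audit_delegations(SAMPLE_ENTRIES, PHISHRIP_ID):
        print(f"{cid}: {finding}")
```

An empty result means the PhishRIP entry matches the guide and no other listed client holds the mail scope.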

Initiating a PhishRIP Query

In your PhishER platform, there are three places where you can initiate a PhishRIP query: the PhishER Inbox column, the Run drop-down menu, or the Message Details page. See the subsections below for the steps for each method.

Method 1: PhishER Inbox Column

To initiate a query from the Inbox column, follow the steps below:

  1. Navigate to the Inbox tab.
  2. In the PhishRIP column, click the plus icon to open the Find Similar Messages pop-up window.

    Note: If PhishRIP was already initiated on the message, a fishbone icon will display instead of the plus icon. If the PhishRIP column is not available, select the gear icon at the top-right corner of the Inbox page. Then, the Inbox Table Settings pop-up window will open. You can select the PhishRIP check box to show the column.

Method 2: Run Drop-down Menu

To initiate a query from the Run drop-down menu, follow the steps below:

  1. Navigate to the Inbox tab.
  2. Click the checkbox to the left of the message that you want to initiate a query for.
  3. Click the Run drop-down menu in the top-left corner of the page.
  4. Under the PhishRIP section, click Find Similar Messages to open the Find Similar Messages pop-up window.

Method 3: Message Details Page

To initiate a query from the Message Details page, follow the steps below:

  1. Navigate to the Inbox tab.
  2. Click a message to open the Message Details page.
  3. In the Actions and Discussion sidebar on the right of the page, click the Create New Query button under the Actions tab. When you click this button, the Find Similar Messages pop-up window will open.

If a PhishRIP query fails, you can retry the query by clicking Retry in the Status column of the PhishRIP Queries page. This option is only visible for failed queries regardless of the resolution status. Retrying a query will not create a new query.

Find Similar Messages

Each method used to initiate a PhishRIP query will open the Find Similar Messages pop-up window. For more information about this pop-up window, see the screenshot and list below:

  1. Match Criteria: Select at least two criteria options for your PhishRIP query. PhishRIP will use this information to find all of the matching messages across your mail server.
  2. Find messages received in the: By default, PhishRIP will find similar messages that were received over the last 24 hours. Click on the drop-down menu to select one of the following options: Last 72 hours, Last Week, or Last Month.
  3. Automatically quarantine all found messages: Select this check box if you want PhishRIP to quarantine all found messages. Messages stay in the Quarantine folder until you restore them or permanently delete them.

    Note: PhishRIP does not scan the Quarantine folder when searching for messages.
  4. Customized Criteria: Create a new PhishRIP query by selecting one of the following criteria and modifying the text field. To modify the text field, click the pencil icon.
    • Subject: In this field, you can narrow your search criteria by entering text from the original subject line. You’ll need to enter at least four characters. If the subject contains any special characters, you’ll need to keep those characters in the query for it to search successfully.
    • Sender and Recipient: In these fields, you can narrow the search criteria by entering part of the string or subdomain of the original email addresses.
    • Attachment: In this field, you can narrow the search criteria by entering part of a string in the original attachment name. You’ll need to enter at least three characters. You can also use part of the string in the prefix of the attachment name to find similar attachments.
    • Body: In this field, you can narrow the search criteria by entering part of a string in the original message. You’ll need to either enter at least 30 words or 50 percent of the content found in the original message. The following special characters will not appear in the Body field of the Find Similar Messages pop-up window: quotation marks ["], number signs [#], dollar signs [$], parentheses [()], slashes [/], and angle brackets [<>].
Note: Currently, Microsoft Graph does not support searching for blank name attachments or searching for a single asterisk [*]. The asterisk will always be converted to a wildcard character when being used for a search. We have also removed the ability to search for blank attachments in this section.

PhishRIP Queries

Your PhishRIP Queries page contains all of the PhishRIP queries initiated inside of your PhishER platform. When a query is selected, you can mark it as Resolved or Unresolved. You can click an individual query ID to open the PhishRIP Messages page.

For more information about the PhishRIP Queries page, see the screenshot and list below:

  1. ID: This column displays a unique string of characters that identify a PhishRIP query.
  2. Started: This column displays the date and time of when a PhishRIP query was initiated.
  3. Completed: This column displays the date and time of when a PhishRIP query completed its mailbox search.
  4. SourceID: This column displays a unique string of characters assigned to the PhishER message used to create a PhishRIP query. Click the Source ID link to view the Message Details page for the message.
  5. AttackID: This column displays a unique string of characters assigned to the PhishRIP message that shares a similar subject or sender to messages that have been recently affected by PhishRIP.
  6. Found: This column displays the number of messages that matched the PhishRIP query criteria.
  7. Opened: This column displays the number of found messages that were opened.
  8. Originator: This column displays the first and last name of the user that initiated the PhishRIP query.
  9. Status: This column displays the status of a PhishRIP query. A query can have a status of Processing, Completed, or Failed.
  10. Resolution: This column displays whether a query was marked as Resolved or Unresolved.
  11. Query: This column displays the match criteria that was selected for the PhishRIP query. If you click the database icon, the View PhishRIP Details pop-up window will open and display the originally selected criteria. This allows you to review the exact items that were searched for by the query.

You can filter PhishRIP queries by the Processing, Completed, or Failed statuses. You can also filter by the Resolved or Unresolved resolutions. Use the search bar to filter your PhishRIP queries by using Lucene Query syntax. When a message is selected, you can apply the Resolved or Unresolved resolutions to the message.

PhishRIP Messages

The PhishRIP Messages page will display the matching messages found across all of the inboxes in your mail server. For more information about this page, see the screenshot and list below:

  1. Mailbox Email: This column displays the email address of the mailbox containing a message that matched the PhishRIP query.

    Note: You can limit the mailboxes that PhishRIP scans by creating a list of domains or regexes in your Mail Servers settings. For more information, visit our PhishER Settings: Integrations article.
  2. Mailbox Name: This column displays the name of the inbox containing a message that matched the PhishRIP query.
  3. Read: This column displays whether the message was Read or Unread by the recipient.
  4. Discovery Folder: This column displays the inbox folder where the message was found.
  5. Subject: This column displays the text found in the subject line of the message.
  6. Date Found: This column displays the date the PhishRIP query discovered the message.
  7. PhishRIP Status: This column displays the last known status of a PhishRIP message. If the message is available, the message will be in the Discovered, Quarantined, Deleted, or Pending status. If the message is unavailable due to actions performed outside of PhishRIP or if the message has been deleted in another query, the message will be in the Unavailable status.
  8. Status Updated: This column displays the date when the message last had changes applied to it.

You can filter PhishRIP messages by Discovered, Quarantined, Deleted, Pending, or Failed statuses.

Note: The selectable actions shown in the Run drop-down menu will depend on the status of the PhishRIP message. If multiple messages are selected, you will only see the actions that can be run on all of the messages.

PhishRIP Actions

When you select a PhishRIP message from the PhishRIP Messages page, the Run drop-down menu will display. Depending on the delete option you selected under your PhishRIP settings, the Run drop-down menu will display different options.

For more information, see the subsections below.

Permanent Message Deletion Disabled

If you disabled Allow Permanent Message Deletion in your PhishRIP settings, the following options will display in the Run drop-down menu. For more information about these options, see the screenshot and list below:

  1. Quarantine: This action will move the selected message into the Quarantine folder of the inbox where the message was discovered.
  2. Restore: This action will move the selected message from the Quarantine folder of the inbox to the original discovery folder of the message.
  3. PhishFlip: This action will create an automatic PhishFlip campaign based on users' reported emails. For more information, see the Creating Automatic PhishFlip Campaigns section of our PhishFlip Guide.
  4. Create KSAT Template: This action will automatically create a KSAT phishing template that you can use in your phishing campaigns. For more information, see the Creating KSAT Templates with PhishFlip section of our PhishFlip Guide.
  5. Send Custom Email: This option allows you to send a custom email using the Email Template Editor. Click Send Custom Email to open the template editor in a pop-up window. When your email is ready to be sent, click the Send button.
Note: Each action will be applied to the messages in the inbox that the message was found in.

Permanent Message Deletion Enabled

If you enabled the delete option under your PhishRIP settings, the following options will display in the Run drop-down menu. For more information about these options, see the screenshot and list below:

  1. Quarantine: This action will move the selected message into the Quarantine folder of the inbox in which the message was discovered.
  2. Restore: This action will move the selected message from the Quarantine folder of the Microsoft 365 inbox or the Google Workspace inbox to the original discovery folder of the message.
  3. Permanently Delete: This action will permanently delete the selected message from the Microsoft 365 inbox or the Google Workspace inbox in which the message was discovered. A message must be quarantined before it can be permanently deleted. If a message has not been quarantined, this option will be grayed out.

    Important: KnowBe4 cannot restore permanently deleted emails.
  4. PhishFlip: This action will create an automatic PhishFlip campaign based on users' reported emails. For more information, see the Creating Automatic PhishFlip Campaigns section of our PhishFlip article.
  5. Create KSAT Template: This action will automatically create a KSAT phishing template that you can use in your phishing campaigns. For more information, see the Creating KSAT Templates with PhishFlip section of our PhishFlip article.
  6. Send Custom Email: This option allows you to send a custom email using the Email Template Editor. Click Send Custom Email to open the template editor in a pop-up window. When your email is ready to be sent, click the Send button.
Note: Each action will be applied to the messages in the inbox that the message was found in.
