Email Sandbox Eval - whitelist/ignore IPs to prevent false clicks / phish test failures
Answered
TL;DR: create account option 'ignore clicks from' IP list (CIDR) to prevent false phish test failures from advanced email scanning solutions
We have experienced a number of email attachments in phish tests triggering advanced malware/phishing scanning with email providers and security solutions (O365). The users then report they have 'failed' a phishing test even though they haven't clicked (or even received!) the email yet. When you look in the console, you can see that the emails were 'clicked' from IP addresses belonging to the cloud infrastructure of anti-malware providers.
I know it may be nigh impossible to keep up with changing IP addresses and cloud providers, but I understand that KnowBe4 has been working hard for some time now to ensure that tests can be bypassed through security solutions to ensure valid results. This would give KB4 customers more control...
Specifically pointing the finger at O365 in this case - we don't have the ability to 'exempt' ourselves (requires E3 or E5 or APT?) from the advanced sandbox scanning when an attachment triggers processing. I'm sure there are other advanced security solutions that will process KnowBe4 emails and create false phish failures before the users receive them.
If we had a way to 'whitelist' these IP addresses (and say a click from this public cloud service (O365, Avast... McAfee... etc.) should be ignored) we wouldn't have to stop using advanced phishing templates... or manually clear failures and de-enroll users from remedial training! This non-bypass-able security filtering will likely become more and more prevalent.
(Note: we have a remote, distributed workforce and we can't just expect 'real clicks' to come from a few private IP addresses. They could come from a myriad of different private (customer) ISP addresses. We should however be able to create an 'ignore' list for clicks coming from O365/Azure/AWS/GCP infrastructure, for example.)
P.S. we have all the required O365 mail transport bypass rules in-place, verified by KB4 Support. Without being licensed for ATP, you can't skip ATP filtering... but thanks for the free security! :)
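As an added illustration (not code from the thread or from KnowBe4), here is how an 'ignore clicks from' CIDR list could be applied to click events before they count as failures. It goes one step beyond the request by also flagging clicks recorded before the email was delivered, which the post above describes; the CIDR ranges, users, IPs and timestamps are all constructed placeholders.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed placeholder ranges standing in for scanner/sandbox egress networks
# (the real ranges change over time and are vendor-specific; these are documentation
# prefixes, not real vendor addresses).
SCANNER_IGNORE_CIDRS = [
    "203.0.113.0/24",   # constructed: "cloud mail-security sandbox A"
    "198.51.100.0/25",  # constructed: "cloud mail-security sandbox B"
]

def build_ignore_networks(cidrs):
    """Parse CIDR strings once; a malformed entry raises instead of silently matching nothing."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]

def is_ignored_ip(ip, networks):
    """True if the click's source address falls inside any ignored network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def classify_click(click, delivered_at, networks):
    """Return 'scanner', 'pre-delivery' or 'real' for one click event.
    click: dict with 'user', 'ip' and 'at' (timezone-aware datetime).
    delivered_at: when the test email reached that user's mailbox."""
    if is_ignored_ip(click["ip"], networks):
        return "scanner"          # sandbox detonation, not the user
    if click["at"] < delivered_at:
        return "pre-delivery"     # nobody could have clicked yet; review the source
    return "real"

def true_failures(clicks, delivered, networks):
    """Users who should count as phish-test failures after filtering."""
    failed = set()
    for c in clicks:
        if classify_click(c, delivered[c["user"]], networks) == "real":
            failed.add(c["user"])
    return sorted(failed)

NETS = build_ignore_networks(SCANNER_IGNORE_CIDRS)

def ts(hour, minute, second=0):  # constructed timestamps on one test day (UTC)
    return datetime(2023, 6, 1, hour, minute, second, tzinfo=timezone.utc)

DELIVERED = {"alice": ts(9, 0), "bob": ts(9, 0)}   # constructed delivery times
CLICKS = [                                        # constructed click events
    {"user": "alice", "ip": "203.0.113.77", "at": ts(8, 59, 30)},  # sandbox hit
    {"user": "alice", "ip": "192.0.2.10",   "at": ts(9, 15)},      # real click
    {"user": "bob",   "ip": "192.0.2.44",   "at": ts(8, 58)},      # unknown IP, too early
]

if __name__ == "__main__":
    for c in CLICKS:
        print(c["user"], c["ip"], classify_click(c, DELIVERED[c["user"]], NETS))
    print("failures:", true_failures(CLICKS, DELIVERED, NETS))
```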
-
YES! YES! YES!!!
We've been fighting with this for 3 months, since we migrated to an O365 tenant. Put this at the TOP of the enhancement requests!
Maybe less in the console and more on the back end though. I suspect KnowBe4 knows what these IPs are much more easily and faster than us clients :)
-
Hi James,
We still do not have the ability to have admin-level exemptions of IP addresses. I can add you to the feature request on this item if you would like.
If I recall correctly, our customers had several conversations with M$ and they ascertained that ATP was not whitelisting KnowBe4 emails and domains as intended. This should have been corrected in an update in June/July. If you are still seeing this behavior let me know and I'd be glad to open a ticket for you. Alternatively, you can open a ticket by calling us at the number below:
- United States: +1 855-815-9494
- Mexico: +52 800-283-3201
- El Salvador: +503 2136-1126
Phone support is available weekdays from 6 a.m.-9 p.m. (Eastern)
Or you can submit a support request by following this link.
Let me know if that helps!
-
We had this same problem, really frustrating. The key is that you need to follow ALL of these guides/articles together in order to properly have ATP skip URL scanning on all platforms. The first 2 alone will not provide adequate bypass for Windows 10 clients using Outlook as their mail client:
- https://support.knowbe4.com/hc/en-us/articles/203645138
- https://support.knowbe4.com/hc/en-us/articles/115004326408-How-to-Bypass-Safe-Link-Attachment-Processing-of-Advanced-Threat-Protection-ATP-
- https://support.knowbe4.com/hc/en-us/articles/235709247-How-to-Prevent-Microsoft-365-ATP-from-Rewriting-KnowBe4-Phishing-Links
That last/final article for skipping rewrites for specific domains is really important, because Microsoft Outlook on Windows 10 machines still performs URL scanning regardless of header rewrites in the email to skip URL scanning: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/atp-safe-links?view=o365-worldwide#safe-links-settings-for-email-messages
All of that said, you MIGHT be able to avoid this maintenance headache entirely by switching your strategy to use DMI instead of dealing with Exchange policies: https://support.knowbe4.com/hc/en-us/articles/360054494394-DMI-Configuration-Guide
-
Is this a feature request for KnowBe4?
Microsoft has made some changes and past methods of setting up exemptions don't work. You have to use Advanced Delivery. However, this doesn't get you out of the woods. If a user uses "Report Message", then Microsoft will scan it and you will get a false click.
KnowBe4 needs to allow us to add IP Exemptions.
-
Hello Jay,
You are correct about Microsoft's changes. Here is a link to our documentation regarding setting up Advanced Delivery Policies in Microsoft 365.
We appreciate your feature request in regards to adding an IP exemption list to the KMSat console! I've submitted it to our development team for review. We base a lot of our new releases and features on customer ideas and requests, so we do appreciate your input.
Thanks!
Jim McElwain
KnowBe4