TL;DR: create account option 'ignore clicks from' IP list (CIDR) to prevent false phish test failures from advanced email scanning solutions
We have experienced a number of email attachments in phish tests triggering advanced malware/phishing scanning with email providers and security solutions (O365). The users then report they have 'failed' a phishing test even though they haven't clicked (or even received!) the email yet. When you look in the console, you can see that the emails were 'clicked' from IP addresses belonging to the cloud infrastructure of anti-malware providers.
I know it may be nigh impossible to keep up with changing IP addresses and cloud providers, but I understand that KnowBe4 has been working hard for some time now to ensure that tests can be bypassed through security solutions to ensure valid results. This would give KB4 customers more control...
Specifically pointing the finger at O365 in this case - we don't have the ability to 'exempt' ourselves (requires E3 or E5 or APT?) from the advanced sandbox scanning when an attachment triggers processing. I'm sure there are other advanced security solutions that will process KnowBe4 emails and create false phish failures before the users receive them.
If we had a way to 'whitelist' these IP addresses (and say a click from this public cloud service (O365, Avast... McAfee... etc.) should be ignored) we wouldn't have to stop using advanced phishing templates... or manually clear failures and de-enroll users from remedial training! This non-bypass-able security filtering will likely become more and more prevalent.
(Note: we have a remote, distributed workforce and we can't just expect 'real clicks' to come from a few private IP addresses. They could come from a myriad of different private (customer) ISP addresses. We should however be able to create an 'ignore' list for clicks coming from O365/Azure/AWS/GCP infrastructure, for example.)
P.S. we have all the required O365 mail transport bypass rules in place, verified by KB4 Support. Without being licensed for ATP, you can't skip ATP filtering... but thanks for the free security! :)
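As an added illustration of the requested feature (example code written here, not KnowBe4's code, and not any vendor's published IP ranges), this is what an 'ignore clicks from' CIDR list could look like when applied to click events: clicks from the listed ranges are kept but flagged as ignored, so they never count as a failure yet remain auditable. The CIDR ranges, the click-log format and every address below are constructed assumptions.

```python
import ipaddress

# Constructed ignore list: documentation prefixes standing in for the egress
# ranges of cloud-hosted mail scanners (a real list would be maintained from
# the scanning vendors' published ranges, e.g. O365/Azure, AWS, GCP).
SCANNER_IGNORE_CIDRS = [
    "203.0.113.0/24",       # hypothetical sandbox detonation range
    "198.51.100.0/25",      # hypothetical link-scanner range
    "2001:db8:abcd::/48",   # hypothetical IPv6 scanner range
]

# Constructed click events: timestamp,user,source_ip
CLICK_LOG = """\
2024-05-01T08:00:04Z,alice@example.com,203.0.113.77
2024-05-01T09:12:30Z,alice@example.com,192.0.2.15
2024-05-01T08:00:06Z,bob@example.com,198.51.100.9
2024-05-01T10:40:11Z,bob@example.com,2001:db8:abcd::1
2024-05-01T11:02:00Z,carol@example.com,192.0.2.88
"""


def build_ignore_networks(cidrs):
    """Parse CIDR strings once; strict=False tolerates host bits set."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_ignored(ip, networks):
    """True when the source IP falls inside any ignore-list network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable source: never silently suppress it
    # 'in' returns False when address and network families differ.
    return any(addr in net for net in networks)


def classify_clicks(log_text, cidrs):
    """Tag every click with whether it came from an ignored range."""
    networks = build_ignore_networks(cidrs)
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip = line.split(",")
        events.append({"ts": ts, "user": user, "ip": ip,
                       "ignored": is_ignored(ip, networks)})
    return events


def real_failures(log_text, cidrs):
    """Users with at least one click that did NOT come from an ignored range."""
    events = classify_clicks(log_text, cidrs)
    return sorted({e["user"] for e in events if not e["ignored"]})
```

With the constructed data, alice and carol remain genuine failures while bob's two scanner-originated clicks are suppressed.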