Combined Phish Alert Button with Report Message to Microsoft
The Phish Alert button is great for reporting messages to our helpdesk, and for notifying users when they report a phish test email. It does nothing for actually improving our mail filters to prevent such messages from getting through in the future though. Microsoft offers a Report Message function which submits suspicious messages to them for the purpose of improving the Office 365/Exchange Online Protection filters, but that doesn't check to see if the message is a phish test and notify the users that they caught one.
I can't tell users to submit messages using Microsoft's button if they think it's just spam, but PAB if they think it's phishing. Is there any other way to get the functionality of PAB while also submitting the message to Microsoft for review?
-
Hi Martin,
I have added a +1 on this feature for you as well. Unfortunately, I don't have any insight on if this is being implemented. Those decisions are made by our development team. That being said this has been widely requested and I know this is something we would like to do.
-
Please add me as a +1 on this.
We are likely going with the MS Outlook Report Message button. That then allows us to manage reported phishing emails in the MS 365 Exchange Security interface. But, we would like to still keep KnowBe4 training (and tracking of reported phishing emails by users), which really only works if KnowBe4 will allow the MS Outlook Report Message button. And once you are on O365 Exchange email, providing the MS Outlook Report Message button to your users is as simple as turning it on within the O365 Exchange security interface.
I see MS Exchange Phishing Security \ Advanced Threat Protection \ ProofPoint (or other Email Security Gateway) as the "Frontline" or "Defensive" side of Email Security and KnowBe4 (Including PhishER and PhishRIP as extra backup) as the "Backline" or "Responsive" side of Email Security. I may change my perception of that as I continue to learn more about them both. I don't know exactly which features are available and which ones aren't between the two. i.e. - Is the Reported Phishing Security Interface on MS 365 Exchange the same thing as PhishER? Or are they actually still something different that can still co-exist and complement each other?
I believe O365 Email security etc. and KnowBe4 can coincide and complement each other. But, I see that working only if KnowBe4 will allow emails reported by the MS Outlook Report Message button to be forwarded to an email address at KnowBe4 (or some other way?) which would serve the same functionality as the same email being reported from the KnowBe4 Phish Alert Button (PAB).
Again, please add me as a +1 on this also.
Thanks!
Todd
-
Hi
I would like to add to the request for this issue to be resolved. I am coming at it from the other side. We are running the KnowBe4 Phishing simulation program and when a user uses the M365 button to report the phishing email that KB4 has sent, it registers falsely as a clicked link. This means that my stats and the dashboard are completely wrong and the data useless for reporting to my Executive. I discovered this when I was investigating a very high CTR which turns out to be a high level of reporting. My Servicedesk wants to keep reporting phishing to M365 for all the very valid reasons listed above. I am not sure where I can go with the phishing simulation program from here.
-
Hi Kate,
I have added you to this feature request. I also opened a ticket for you as well. We may have something that can work for your specific situation in the short term to help with the false clicks. Our technician that is working on this is out of the office until next week so I apologize for that but they will reach out to you when they return.
-
Walter, feel free to +1 me to this as well.
Kate: We had the same issue, but here is a KnowBe4 Link to resolve the issue about users using the Microsoft Report Phishing feature from causing failed tests.
How to Prevent False Clicks in Microsoft 365 – Knowledge Base (knowbe4.com)
- Open Exchange PowerShell and run the following command to locate the policy:
Get-OwaMailboxPolicy | Format-Table Name,ReportJunkEmailEnabled
- Set the ReportJunkEmailEnabled to False (see example below):
Set-OwaMailboxPolicy -Identity "OwaMailboxPolicy-Default" -ReportJunkEmailEnabled $false
- Verify your change has worked by opening a user's account and selecting the Mark as Phishing option from the drop-down menu. After you make the selection, the reporting message should not display.
-
If you are using the report message button provided by Microsoft in Office 365 instead of the one provided by KnowBe4, you've probably noticed several issues:
- PSTs reported through "Report Messages" always get marked as clicked in the KnowBe4 console - users who report messages always fail the test.
- Reported messages start AIR investigations in Office 365.
- If you have a mail flow rule set up to forward reported messages to a sec ops mailbox, PST reports are also sent to this mailbox.
Microsoft recently released new functionality in Office 365 that, when configured properly, makes this whole system work better: Advanced Delivery Policies. When properly configured:
- PSTs reported through "Report Messages" will not be reported as clicked in the KnowBe4 console.
- Reported PSTs will not trigger AIR investigations in Office 365.
- In the user submissions portal in Office 365, reported PSTs are clearly marked as being phishing simulation tests.
The guide authored by KnowBe4 on setting up Advanced Delivery Policies is fairly comprehensive, but it does not mention that this will not work if you have DMI (Direct Message Injection) enabled for your KnowBe4 account. You can safely turn this off, but there are a number of other whitelist settings in Office 365 that must be set up and managed if DMI is not used.
Guidance around how exactly to receive copies of emails users report as phishing in Office 365 has changed over the years. With Advanced Delivery Policies now generally available, here is the best guidance:
- Configure a special use mailbox to receive reported messages and designate it as a SecOps mailbox in the Microsoft 365 Defender Portal.
- Use the Microsoft 365 Defender portal to configure the user submissions mailbox.
Using this method, reported PSTs (along with junk/not junk reports) will be sent to the mailbox set above. To prevent reported PSTs from being delivered to this mailbox, you'll need to create a mail flow rule in Exchange Online:
- Apply the rule if: The recipient address includes: <your sec ops mailbox>
- and The subject matches these text patterns. You'll have three entries here (for US KnowBe4 customers, based on the current phishing IPs they use being 23.21.109.197, 23.21.109.212 and 147.160.167.0/26):
- \|147\.160\.167\.([0-9]|[1-5][0-9]|6[0-3])\|
- \|23\.21\.109\.212\|
- \|23\.21\.109\.197\|
- Do the following... Delete the message without notifying anyone
Some background on this: messages reported and sent to a sec ops mailbox always include a subject header that includes the sending IP of the server in brackets, for example: '3|39acc2de-76b2-492a-e49f-08d961df97c6|74.91.82.159|info@wealthmediamktg.com|(Claim your best deal) 8/19/2021 3:50:17 PM'. The rule above uses regex to look for KnowBe4's IP addresses in this subject line. For addresses in CIDR ranges, you could add each of KnowBe4's 64 IP addresses in the 147.160.167.0/26 subnet, or you can determine the range of addresses used in the subnet (147.160.167.0 to 147.160.167.63) and build a regular expression that can identify any of the messages in that range (([0-9]|[1-5][0-9]|6[0-3])).
If KnowBe4 created a submission mailbox that conformed to Microsoft's standards for third party reporting mailboxes or could forward messages submitted using their tool to Microsoft using this format, they could better integrate their platform with Microsoft's to enhance their customers' experience. Until then, the new workaround discussed above greatly improves usability for those of us who want to use Microsoft's message reporting tools while also using KnowBe4's phishing simulation platform.
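-
A check of the three subject patterns from the post above, added here as an example and not part of the original post or of KnowBe4's or Microsoft's guidance. It assumes Python's `re` treats these simple patterns the same way the mail flow rule does and that the sending IP is always the third pipe-separated field, as in the one subject quoted in the post; the subjects, the sender address and the GUID are constructed.

```python
import ipaddress
import re

# Patterns copied from the mail flow rule in the post above.
RULE_PATTERNS = [
    r"\|147\.160\.167\.([0-9]|[1-5][0-9]|6[0-3])\|",
    r"\|23\.21\.109\.212\|",
    r"\|23\.21\.109\.197\|",
]
# Sending addresses the post says the rule is meant to cover.
INTENDED = set(ipaddress.ip_network("147.160.167.0/26"))
INTENDED |= {ipaddress.ip_address("23.21.109.197"), ipaddress.ip_address("23.21.109.212")}

def make_subject(ip, text="Constructed subject"):
    """Constructed header in the layout quoted in the post: n|guid|ip|sender|(subject) time."""
    return (f"3|00000000-0000-0000-0000-000000000000|{ip}|"
            f"sender@example.test|({text}) 8/19/2021 3:50:17 PM")

def rule_matches(subject):
    """What the three unanchored patterns do: match anywhere in the subject."""
    return any(re.search(p, subject) for p in RULE_PATTERNS)

def ip_field_matches(subject):
    """Stricter check (assumed layout): parse the third field as the sending IP."""
    fields = subject.split("|")
    try:
        return ipaddress.ip_address(fields[2]) in INTENDED
    except (IndexError, ValueError):
        return False

def audit():
    """Compare the patterns with the intended set over both /24s they touch."""
    candidates = set()
    for net in ("147.160.167.0/24", "23.21.109.0/24"):
        candidates |= set(ipaddress.ip_network(net))
    missed = sorted(ip for ip in INTENDED if not rule_matches(make_subject(ip)))
    extra = sorted(ip for ip in candidates - INTENDED if rule_matches(make_subject(ip)))
    return missed, extra

if __name__ == "__main__":
    missed, extra = audit()
    print("intended but not matched:", missed)
    print("matched but not intended:", extra)
    # Constructed report from an unrelated sender whose own subject text contains the string.
    odd = make_subject("198.51.100.7", "fwd |23.21.109.197| notice")
    print("patterns match:", rule_matches(odd), "| IP field matches:", ip_field_matches(odd))
```

Both audit lists come back empty, so the patterns cover exactly the listed addresses. Because the patterns are not tied to the IP field, a report whose own subject text contains one of the pipe-delimited addresses would also be deleted by the rule, which is worth knowing when a report seems to be missing from the mailbox.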
-
Hi Alex,
Thanks for the suggested workaround. A little disclaimer from KB4 for anyone potentially wanting to try this. KB4 has not vetted this workaround and we cannot guarantee it to work. Our Phish Alert Button is currently the only way to be certain to avoid false positives on reporting and to properly track reported messages from your end-users automatically.
-
Update: This works flawlessly for simulated phishing emails using links, but forwarding a simulated phishing email with an attachment seems to trigger a false click. Just a heads up for anyone trying this.
My issue might not even be related to the 'Report Message' button, but perhaps SafeAttachments or some other policy. I'll do some more testing and update with my findings.