PhishER Rule for simulated phish

Megválaszolt

Christine Tise

2019. augusztus 20. 19:35

Messages from a phishing campaign shouldn't be coming into my PhishER Inbox, right?

Or is anyone creating Rules/Actions for these reported messages?

1

• 

  Ashley Nelson 2019. augusztus 21. 11:59

  Hello Christine,

  Thank you for contributing to the community board. I have opened a support ticket on your behalf so that the Tech Support team can assist in the phishing test from campaigns appearing in your PhishER inbox.

  Thanks!

  Ashley
  KnowBe4

  0

  Hozzászólás-műveletek Permalink
• 

  Matthew Bates 2020. november 2. 18:03

  A YARA rule like this should suffice, to apply a tag you want to base an action on:
  
  rule KNOWBE4_SIMULATED_PHISHING
  {
  meta:
  author = "LINKMJB"
  description = "Simulated phishing reported using Microsoft's reporting tool, instead of KnowBe4's Phish Alert Button, can end up in PhishER"
  date = "2020-11-01"
  strings:
  $phishtest = /(\n|\r)X-PHISHTEST:\sKnowBe4/ nocase
  $received_from_psm = /(\n|\r)Received:\sfrom psm\.knowbe4\.com.{0,200}/ nocase
  
  condition:
  all of them
  }
  
  Action could then:

  1. Mark it as clean
  2. Notify the reporter it was a simulated phishing email and congratulate for catching it
  3. Mark it as resolved
  4. Stop processing further actions

  0

  Hozzászólás-műveletek Permalink

Hozzászólások írásához jelentkezzen be.