Different Reporting Email filters?
I know you have the ability to create multiple reporting email addresses for messages to go into PhishER, but I'm having trouble getting it to be useful. The documentation states that it can be useful for giving different organizational units or locations different addresses. There doesn't appear to be anything you can do with that information after the messages have been received.
Is there some way to create rules around which PhishER mailbox received the message? The YARA rules all act on the contents of the messages and there doesn't appear to be anywhere that the PhishER address appears. I would expect there to be some way to say "run this rule or add this tag if message was submitted to [abcd]@phisher.knowbe4.com" or "don't run this rule if it was submitted to [xyz]@phisher.knowbe4.com"
-
For anyone seeing this in the future: turns out this is something missing as of now and a feature request was added. It might get fixed at some point in the future.
When sending messages to PhishER using the Phish Alert Button, PhishER reads the header and contents of the original phish message that is attached and not the envelope that was sent to PER. It does appear to capture the "Reported by" data from the envelope forwarded to PER, so it's probably capable of reading which PER mailbox the report was sent to.
If you simply forward messages to PER instead of forwarding as an attachment or using PAB, it is possible to create rules based on which PER mailbox got the report. That somewhat defeats the purpose because you'd be reading the headers of the forwarded message from internal users to PER, and losing the original header data of the suspected phishing message.
Either way, thank you Michael for the help and follow up.
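The difference between the two submission paths described in the comment above, as an added example that is not part of the original thread and not KnowBe4 code. It uses Python's standard `email` package on a constructed report; the addresses, header values and the `build_report` / `split_report` helpers are hypothetical, and the choice of which headers a rule sees is an assumption taken from the comment.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

PER_MAILBOX = "abcd@phisher.knowbe4.com"   # placeholder address from the question
REPORTER = "alice@corp.example"            # constructed internal user

def build_report(as_attachment):
    """Constructed sample report; every address and header value is made up."""
    phish = EmailMessage()
    phish["From"] = "billing@invoice-portal.example"
    phish["To"] = REPORTER
    phish["Subject"] = "Overdue invoice"
    phish["Received"] = "from mail.invoice-portal.example by mx.corp.example"
    phish.set_content("Please review the invoice.")

    report = EmailMessage()
    report["From"] = REPORTER
    report["To"] = PER_MAILBOX
    report["Subject"] = "FW: Overdue invoice"
    report.set_content("Fwd: Please review the invoice.")
    if as_attachment:
        report.add_attachment(phish)       # becomes a message/rfc822 part
    return report.as_bytes()

def split_report(raw):
    """Separate the report envelope from the attached original, if any."""
    outer = message_from_bytes(raw, policy=policy.default)
    inner = next((p.get_content() for p in outer.walk()
                  if p.get_content_type() == "message/rfc822"), None)
    # Assumption taken from the comment above: rules see the attached
    # original's headers when present, otherwise the forwarded message's own.
    seen = inner if inner is not None else outer
    return {
        "per_mailbox": str(outer["To"]),
        "reported_by": str(outer["From"]),
        "rule_view": "\n".join(f"{k}: {v}" for k, v in seen.items()),
    }

if __name__ == "__main__":
    for mode in (True, False):
        info = split_report(build_report(mode))
        print("attachment" if mode else "plain forward", info["per_mailbox"],
              PER_MAILBOX in info["rule_view"])
```

In the attachment case the receiving mailbox exists only on the outer envelope, so a rule limited to the attached message's headers never sees it; in the plain-forward case the mailbox is visible but the original `Received` chain is gone.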