PhishER Rule for simulated phish

Answered

Comments

2 comments

  • Ashley Rush

    Hello Christine,

    Thank you for contributing to the community board. I have opened a support ticket on your behalf so that the Tech Support team can assist in the phishing test from campaigns appearing in your PhishER inbox.

    Thanks!

    Ashley
    KnowBe4

    0
  • Matthew Bates

    A YARA rule like this should suffice, to apply a tag you want to base an action on:

    rule KNOWBE4_SIMULATED_PHISHING
    {
        meta:
            author = "LINKMJB"
            description = "Simulated phishing reported using Microsoft's reporting tool, instead of KnowBe4's Phish Alert Button, can end up in PhishER"
            date = "2020-11-01"
        strings:
            // X-PHISHTEST header at the start of a line, with the value KnowBe4
            $phishtest = /(\n|\r)X-PHISHTEST:\sKnowBe4/ nocase
            // Received header at the start of a line naming psm.knowbe4.com
            $received_from_psm = /(\n|\r)Received:\sfrom psm\.knowbe4\.com.{0,200}/ nocase

        condition:
            // Both strings must be present for the rule to match
            all of them
    }

    Action could then:

    1. Mark it as clean
    2. Notify the reporter it was a simulated phishing email and congratulate them for catching it
    3. Mark it as resolved
    4. Stop processing further actions
    0
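
One way to check the rule's logic on sample messages before attaching an action to its tag. This is an added example, not part of the comments above or KnowBe4's own code: it mirrors the rule's two patterns with Python's `re` module, and the sample messages and every host other than psm.knowbe4.com are constructed.

```python
import re

# Python mirrors of the rule's two strings (YARA `nocase` -> re.IGNORECASE).
PHISHTEST = re.compile(rb"(\n|\r)X-PHISHTEST:\sKnowBe4", re.IGNORECASE)
RECEIVED_PSM = re.compile(
    rb"(\n|\r)Received:\sfrom psm\.knowbe4\.com.{0,200}", re.IGNORECASE
)


def matched_strings(raw_message: bytes) -> list:
    """Name which of the rule's strings hit, to see why a message did or did not tag."""
    hits = []
    if PHISHTEST.search(raw_message):
        hits.append("$phishtest")
    if RECEIVED_PSM.search(raw_message):
        hits.append("$received_from_psm")
    return hits


def rule_matches(raw_message: bytes) -> bool:
    """Same as the rule's `all of them` condition: both strings must hit."""
    return len(matched_strings(raw_message)) == 2


def build(*header_lines: bytes) -> bytes:
    """Assemble a constructed raw message with CRLF line endings."""
    return b"\r\n".join(header_lines + (b"Subject: Constructed sample", b"", b"Body."))


# Constructed samples; hosts other than psm.knowbe4.com are placeholders.
SIMULATED = build(
    b"Return-Path: <bounce@example.com>",
    b"Received: from psm.knowbe4.com (psm.knowbe4.com [192.0.2.10]) by mx.example.com",
    b"x-phishtest: KnowBe4",  # lower-case header name, covered by nocase
)
ONLY_TAG = build(
    b"Received: from mail.example.net ([198.51.100.7]) by mx.example.com",
    b"X-PHISHTEST: KnowBe4",
)
ORDINARY = build(b"Received: from mail.example.net ([198.51.100.7]) by mx.example.com")

if __name__ == "__main__":
    for name, msg in (("SIMULATED", SIMULATED), ("ONLY_TAG", ONLY_TAG), ("ORDINARY", ORDINARY)):
        print(name, matched_strings(msg), "tag" if rule_matches(msg) else "no tag")
```

Only the message carrying both headers is tagged; the one with the X-PHISHTEST header alone is left for normal processing.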