Combined Phish Alert Button with Report Message to Microsoft

Respondida

Comentários

111 comentários

  • Avatar
    Winston Anderson

    +1

    0
    Ações de comentário Permalink
  • Avatar
    Walter Nelson

    Hi Winston,

    A +1 has been added for you on this feature as well.

    0
    Ações de comentário Permalink
  • Avatar
    Kyle Chubala

    Hi there, please add me to the list!

    0
    Ações de comentário Permalink
  • Avatar
    Kivi Dennis

    Hi Kyle, 

    Thanks for your post. I have added you to the feature request as a +1 as well.

    0
    Ações de comentário Permalink
  • Avatar
    Martin Navarro

    +1!

    Is there any update? It has been a year since the original post.

    Thank you!

    0
    Ações de comentário Permalink
  • Avatar
    Walter Nelson

    Hi Martin,

    I have added a +1 on this feature for you as well. Unfortunately, I don't have any insight on if this is being implemented. Those decisions are made by our development team. That being said this has been widely requested and I know this is something we would like to do.

    0
    Ações de comentário Permalink
  • Avatar
    Ben Taylor

    Added a +1 for this also. Rolled out the PAB button to replace the 'Report Message' button, feels like a back step given the granularity the MS button applied, and integration with Defender for 365, if there is a way to integrate the two it would be very useful. 

    0
    Ações de comentário Permalink
  • Avatar
    Walter Nelson

    Hi Ben,

    We appreciate your interest in this feature. I have added a +1 to it on your behalf!

    0
    Ações de comentário Permalink
  • Avatar
    Brett Webb

    Please add me as a +1 on this as well

    0
    Ações de comentário Permalink
  • Avatar
    Kivi Dennis

    Hi Brett,

    Thanks for your post. I have added you as a +1 to the feature request.

    0
    Ações de comentário Permalink
  • Avatar
    Todd Albers

    Please add me as a +1 on this.

    We are likely going with the MS Outlook Report Message button.  That then allows us to manage reported phishing emails in the MS 365 Exchange Security interface.  But, we would like to still keep KnowBe4 training (and tracking of reported phishing emails by users)which really only works if KnowBe4 will allow the MS Outlook Report Message button.  And once you are on O365 Exchange email, providing the MS Outlook Report Message button to your users is as simple as turning it on within the O365 Exchange security interface. 

    I see MS Exchange Phishing Security \ Advanced Threat Protection \ ProofPoint (or other Email Security Gateway) as the "Frontline" or "Defensive" side of Email Security and KnowBe4 (Including PhishER and PhishRIP as extra backup) as the "Backline" or "Responsive" side of Email Security.  I may change my perception of that as I continue to learn more about them both.  I don't know exactly which features are available and which ones aren't between the two.  i.e. - Is the Reported Phishing Security Interface on MS 365 Exchange the same thing as PhishER?  Or are they actually still something different that can still co-exist and complement each other? 

    I believe )365 Email security etc. and KnowBe4 can coincide and complement each other.  But, I see that working only if KnowBe4 will allow emails reported by the MS Outlook Report Message button to be forwarded to an email address at KnowBe4 (or some other way?) which would serve the same functionality as the same email being reported from the KnowBe4 Phish Alert Button (PAB).

    Again, please add me as a +1 on this also.

    Thanks!

    Todd

    0
    Ações de comentário Permalink
  • Avatar
    Kivi Dennis

    Hi Todd,

    Thanks for your post and for contributing to the community board. I have added you as a +1 to the feature request.

     

     

    0
    Ações de comentário Permalink
  • Avatar
    Kate Curr

    Hi

    I would like to add to the request for this issue to be resolved. I am coming at it from the other side. We are running the KnowBe4 Phishing simulation program and when a user uses the M365 button to report the phishing email that KB4 has sent, it registers falsely as a clicked link. This means that my stats and the dashboard are completely wrong and the data useless for reporting to my Executive. I discovered this when I was investigating a very high CTR which turns out to be a high level of reporting.  My Servicedesk wants to keep reporting phishing to M365 for all the very valid reasons listed above.  I am not sure where I can go with the phishing simulation program from here

     

    0
    Ações de comentário Permalink
  • Avatar
    Walter Nelson

    Hi Kate,

    I have added you to this feature request. I also opened a ticket for you as well. We may have something that can work for your specific situation in the short term to help with the false clicks. Our technician that is working on this is out of the office until next week so I apologize for that but they will reach out to you when they return.

    0
    Ações de comentário Permalink
  • Avatar
    Bill Crahen

    @Walter Nelson, Kate's issue is also why I had originally upvoted for this as well. Can you share details on that workaround? 

    0
    Ações de comentário Permalink
  • Avatar
    Martin Navarro

    Hi Walter Nelson!

    If you find a solution for her (Kate Curr), please let me know too. This is one of the main reason I do not use the phish alert button either, too many false positives with KB4 campaigns. Last time I asked there was no solution.

    Thanks!

    0
    Ações de comentário Permalink
  • Avatar
    Walter Nelson

    Hi Bill and Martin,

    As soon as we have this finalized I will be sure to post any details here.

    1
    Ações de comentário Permalink
  • Avatar
    Todd Olson

    Walter, feel free to +1 me to this as well.

    Kate:  We had the same issue, but here is a KnowBe4 Link to resolve the issue about users using the Microsoft Report Phishing feature from causing failed tests.

    How to Prevent False Clicks in Microsoft 365 – Knowledge Base (knowbe4.com)

    1. Open Exchange PowerShell and run the following command to locate the policy:
      Get-OwaMailboxPolicy | Format-Table Name,ReportJunkEmailEnabled
    2. Set the ReportJunkEmailEnabled to False (see example below):
      Set-OwaMailboxPolicy -Identity "OwaMailboxPolicy-Default" 
      -ReportJunkEmailEnabled
      $false
    3. Verify your change has worked by opening a users' account and selecting the Mark as Phishing option from the drop-down menu (click to view). After you make the selection, the reporting message should not display.
    0
    Ações de comentário Permalink
  • Avatar
    Kivi Dennis

    Hi Todd, 

    Thanks for your post and contribution to the community board. I have added you on as a +1 to this feature request.

    0
    Ações de comentário Permalink
  • Avatar
    Tarek Aloch

    +1 and following - the workaround is great but full integration would be huge for us. Thanks 

    0
    Ações de comentário Permalink
  • Avatar
    Kivi Dennis

    Hi Tarek,

    I've added you as a +1 to the request.

    0
    Ações de comentário Permalink
  • Avatar
    Satnam Brar

    ditto!

    0
    Ações de comentário Permalink
  • Avatar
    Kivi Dennis

    Hello Satnam,

    I've added you on as a +1 as well.

     

     

    0
    Ações de comentário Permalink
  • Avatar
    Alex Rourke

    If you are using the report message button provided by Microsoft in Office 365 instead of the one provided by KnowBe4, you've probably noticed several issues:

    • PSTs reported through "Report Messages" always get marked as clicked in the KnowBe4 console - users who report messages always fail the test.
    • Reported messages start AIR investigations in Office 365.
    • If you have a mail flow rule set up to forward reported messages to a sec ops mailbox, PST reports are also sent to this mailbox.

    Microsoft recently released new functionality in Office 365 that, when configured properly, make this whole system work better: Advanced Delivery Policies. When properly configured:

    • PSTs reported through "Report Messages" will not be reported as clicked in the KnowBe4 console.
    • Reported PSTs will not trigger AIR investigations in Office 365.
    • In the user submissions portal in Office 365, reported PSTs are clearly marked as being phishing simulation tests.

    The guide authored by KnowBe4 on setting up Advanced Delivery Policies is fairly comprehensive, it does not mention that this will not work if you have DMI (Direct Message Injection) enabled for your KnowBe4 account. You can safely turn this off, but there are a number of other whitelist settings in Office 365 that must be set up and managed if DMI is not used.

    Guidance around how exactly to receive copies of emails users report as phishing in Office 365 has changed over the years, with Advanced Delivery Policies now generally available, here is the best guidance:

    1. Configure a special use mailbox to receive reported messages and designate it as a SecOps mailbox in the Microsoft 365 Defender Portal.
    2. Use the Microsoft 365 Defender portal to configure the user submissions mailbox.

    Using this method, reported PSTs (along with junk/not junk) reports will be sent to the mailbox sent above. To prevent reported PSTs from being delivered to this mailbox, you'll need to create a mail flow rule in Exchange Online:

    1. Apply the rule if: The recipient address includes: <your sec ops mailbox>
    2. and The subject matches these text patterns. You'll have three entries here (for US KnowBe4 customers, based on the current phishing IPs they use being 23.21.109.197, 23.21.109.212 and 147.160.167.0/26):
    3. \|147\.160\.167\.([0-9]|[1-5][0-9]|6[0-3])\|
    4. \|23\.21\.109\.212\|
    5. \|23\.21\.109\.197\|
    6. Do the following... Delete the message without notifying anyone

    Some background on this: messages reported and sent to a sec ops mailbox always include a subject header that includes the sending IP of the server in brackets, for example: '3|39acc2de-76b2-492a-e49f-08d961df97c6|74.91.82.159|info@wealthmediamktg.com|(Claim your best deal) 8/19/2021 3:50:17 PM'. The rule above uses regex to look for KnowBe4's IP addresses in this subject line. For addresses in CIDR ranges, you could add each of KnowBe4's 64 IP addresses in the 147.160.167.0/26 subnet, or you can determine the range of addresses used in the subnet (147.160.167.0 to 147.160.167.63) and build a regular expression that can identify any of the messages in that range (([0-9]|[1-5][0-9]|6[0-3])).

    If KnowBe4 created a submission mailbox that conformed to Microsoft's standards for third party reporting mailboxes or could forward messages submitted using their tool to Microsoft using this format, they could better integrate their platform with Microsoft's to enhance their customers' experience. Until then, the new workaround discussed above greatly improves usability for those of us who want to use Microsoft's message reporting tools while also using KnowBe4's phishing simulation platform.

    2
    Ações de comentário Permalink
  • Avatar
    Walter Nelson

    Hi Alex,
    Thanks for the suggested workaround. A little disclaimer from KB4 for anyone potentially wanting to try this. KB4 has not vetted this workaround and we cannot guarantee it to work. Our Phish Alert Button is currently the only way to be certain to avoid false positives on reporting and to properly track reported messages from your end-users automatically.

    0
    Ações de comentário Permalink
  • Avatar
    Tarek Aloch

    @Alex Rourke... it's a bit early to confirm but after a day of testing this seems to be working great for me. I'll update here if it stops working. Infinite thanks to you for this workaround, this helps us out big time 

     

    0
    Ações de comentário Permalink
  • Avatar
    Tarek Aloch

    Update: This works flawlessly for simulated phishing emails using links , but forwarding a simulated phishing email with an attachment seems to trigger a false click. Just a heads up for anyone trying this.

    My issue might not even be related to the 'Report Message' button, but perhaps SafeAttachments or some other policy. I'll do some more testing and update with my findings 

    0
    Ações de comentário Permalink
  • Avatar
    Bob Wesley

    +1

    We are using O365 and Microsoft's Report Message feature.
    Integrating the PAB with this would be ideal.

    0
    Ações de comentário Permalink
  • Avatar
    Mario Rodriguez

    Hi Bob,

    I've added you as a +1 to the request.

    0
    Ações de comentário Permalink
  • Avatar
    Nathan Gatt

    Same issue - it would be good to still make use of the Microsoft 365 AIR functionality while integrating the PAB reporting.

    0
    Ações de comentário Permalink

Por favor, entrar para comentar.