Combined Phish Alert Button with Report Message to Microsoft

Answered

Comments

109 comments

  • Official comment
    Douglas Freeman

    Hello Steve, 

    Thank you for posting to the community board. I see your point about wanting the PAB to integrate with Microsoft for the purposes of improving mail filters and streamlining the product for your users. We don't currently have that functionality in place so I’ve submitted a feature request to our development team to see if that is something we can implement.

    I’ll be following the request so if I get any update from development I’ll follow up on this post! Thank you for your contribution, our Dev team takes these requests seriously and is very interested in implementing enhancements for our users!

  • Alex Rourke

    +1 for this feature. It would also be nice if a report spam option was included. We could then use transport rules to route these to Microsoft. There may be some technical limitations doing things this way though. I'd be curious to see if this is possible at all.

    6
  • Evan Templin

    I would love to see this as a feature! But, I think that I found a temporary workaround.

    Microsoft takes manually submitted emails by the email of phish@office365.microsoft.com. If you go into your Account settings in KnowBe4, you can set an email for all non-campaign reported emails to be sent to an email (Account Settings > Phish Alert > "Forward non-simulated phishing emails to:"). When using this setting, it attaches it as a .eml, as requested by Microsoft, and sends a copy of the phishing email as the user who submitted the email (allowing Microsoft to trace it back to your domain). This will allow both KnowBe4 and Microsoft to be able to work together.

    This is not a perfect solution, but I believe this is a viable workaround until we get an answer from the dev team.

    4
  • Matt Jenner (Edited)

    +1 for me as well. We have M365 with ATP as well.  With M365 E5 you can now do phishing tests through Microsoft.  There's no point in keeping KB4 if you have no solution for PAB to M365 issue.  This has been a known issue/request for 3 years now.

    4
  • Alex Rourke

    The help article mentioned by Ondřej was updated about a month ago and does appear to get us closer to a solution - it allows phish reports sent using KnowBe4's phish alert button to be forwarded to Microsoft and reported as phishing without KnowBe4 modifying its message format. There are still some holes here, though - KnowBe4 provides no ability to report junk/not junk email like Microsoft does, which is something our users need to be able to do.

    If KnowBe4 added junk and not junk reporting to their add-in (along with associated behaviors for moving the messages to the appropriate folder in the mailbox) and conformed with Microsoft's format for third-party submitted messages, their add-in would have feature parity with Microsoft's and be able to tell users when they correctly report a PST.

    Thanks to Microsoft's changes, it is now possible for KnowBe4 to modify their add-in and create something that is truly better than the Microsoft Report Messages addon. We're closer than ever to getting this resolved!

    3
  • Daniel Walker (Edited)

    Add me onto the +1 list. The Microsoft formatting method posted by Ondřej was definitely helpful (going to use that for now, combined with forwarding .EML to us, Microsoft, and Vade submission emails), but would prefer an API/MS Graph tie-in. Even better - why not both? Using Vade (direct ProofPoint competitor). The report message button from MS also reports to Vade so that if enough people report a phish, it will be yanked out of everyone's boxes if it didn't get caught beforehand. That said, Microsoft's Report Message button is limited to people's direct inboxes, and is not available when viewing shared mailboxes. So KB4 has a real opportunity here to make the Phish Alert Button superior to Microsoft's.

    3
  • Alex Rourke

    If you are using the report message button provided by Microsoft in Office 365 instead of the one provided by KnowBe4, you've probably noticed several issues:

    • PSTs reported through "Report Messages" always get marked as clicked in the KnowBe4 console - users who report messages always fail the test.
    • Reported messages start AIR investigations in Office 365.
    • If you have a mail flow rule set up to forward reported messages to a sec ops mailbox, PST reports are also sent to this mailbox.

    Microsoft recently released new functionality in Office 365 that, when configured properly, makes this whole system work better: Advanced Delivery Policies. When properly configured:

    • PSTs reported through "Report Messages" will not be reported as clicked in the KnowBe4 console.
    • Reported PSTs will not trigger AIR investigations in Office 365.
    • In the user submissions portal in Office 365, reported PSTs are clearly marked as being phishing simulation tests.

    The guide authored by KnowBe4 on setting up Advanced Delivery Policies is fairly comprehensive, but it does not mention that this will not work if you have DMI (Direct Message Injection) enabled for your KnowBe4 account. You can safely turn this off, but there are a number of other whitelist settings in Office 365 that must be set up and managed if DMI is not used.

    Guidance around how exactly to receive copies of emails users report as phishing in Office 365 has changed over the years. With Advanced Delivery Policies now generally available, here is the best guidance:

    1. Configure a special use mailbox to receive reported messages and designate it as a SecOps mailbox in the Microsoft 365 Defender Portal.
    2. Use the Microsoft 365 Defender portal to configure the user submissions mailbox.

    Using this method, reported PSTs (along with junk/not junk reports) will be sent to the mailbox set above. To prevent reported PSTs from being delivered to this mailbox, you'll need to create a mail flow rule in Exchange Online:

    1. Apply the rule if: The recipient address includes: <your sec ops mailbox>
    2. and The subject matches these text patterns. You'll have three entries here (for US KnowBe4 customers, based on the current phishing IPs they use being 23.21.109.197, 23.21.109.212 and 147.160.167.0/26):
       • \|147\.160\.167\.([0-9]|[1-5][0-9]|6[0-3])\|
       • \|23\.21\.109\.212\|
       • \|23\.21\.109\.197\|
    3. Do the following... Delete the message without notifying anyone

    Some background on this: messages reported and sent to a sec ops mailbox always include a subject header that includes the sending IP of the server in brackets, for example: '3|39acc2de-76b2-492a-e49f-08d961df97c6|74.91.82.159|info@wealthmediamktg.com|(Claim your best deal) 8/19/2021 3:50:17 PM'. The rule above uses regex to look for KnowBe4's IP addresses in this subject line. For addresses in CIDR ranges, you could add each of KnowBe4's 64 IP addresses in the 147.160.167.0/26 subnet, or you can determine the range of addresses used in the subnet (147.160.167.0 to 147.160.167.63) and build a regular expression that can identify any of the messages in that range (([0-9]|[1-5][0-9]|6[0-3])).

    If KnowBe4 created a submission mailbox that conformed to Microsoft's standards for third party reporting mailboxes or could forward messages submitted using their tool to Microsoft using this format, they could better integrate their platform with Microsoft's to enhance their customers' experience. Until then, the new workaround discussed above greatly improves usability for those of us who want to use Microsoft's message reporting tools while also using KnowBe4's phishing simulation platform.

    2
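A way to check the subject patterns from the comment above before putting them in a mail flow rule, as an added example that is not part of the original post: it compares the three regexes with a CIDR membership check for every address in the two surrounding /24 ranges. Python's `re` module stands in for the Exchange Online pattern matcher (an assumption), and `make_subject`, the zero GUID and `sender@example.com` are constructed for the check.

```python
import ipaddress
import re

# Subject patterns exactly as listed in the comment above.
RULE_PATTERNS = [
    r"\|147\.160\.167\.([0-9]|[1-5][0-9]|6[0-3])\|",
    r"\|23\.21\.109\.212\|",
    r"\|23\.21\.109\.197\|",
]
# The same sources written as networks; used as the reference answer.
SIM_NETWORKS = [ipaddress.ip_network(n) for n in
                ("147.160.167.0/26", "23.21.109.197/32", "23.21.109.212/32")]
COMPILED = [re.compile(p) for p in RULE_PATTERNS]

# Subject quoted in the comment (a real report, not a simulation).
SAMPLE = ("3|39acc2de-76b2-492a-e49f-08d961df97c6|74.91.82.159|"
          "info@wealthmediamktg.com|(Claim your best deal) 8/19/2021 3:50:17 PM")


def rule_matches(subject):
    """True if any of the rule's subject patterns matches."""
    return any(rx.search(subject) for rx in COMPILED)


def sending_ip(subject):
    """Return the third pipe-delimited field as an IP address, or None."""
    parts = subject.split("|", 4)
    try:
        return ipaddress.ip_address(parts[2]) if len(parts) == 5 else None
    except ValueError:
        return None


def make_subject(ip):
    """Constructed subject in the quoted format; GUID and sender are made up."""
    return f"3|00000000-0000-0000-0000-000000000000|{ip}|sender@example.com|(Test) 1/1/2022 9:00:00 AM"


def regex_disagreements():
    """Addresses in the two surrounding /24s where regex and CIDR check differ."""
    bad = []
    for net in ("147.160.167.0/24", "23.21.109.0/24"):
        for ip in ipaddress.ip_network(net):
            expected = any(ip in n for n in SIM_NETWORKS)
            if rule_matches(make_subject(ip)) != expected:
                bad.append(str(ip))
    return bad


if __name__ == "__main__":
    print("sample deleted by rule:", rule_matches(SAMPLE))
    print("regex/CIDR disagreements:", regex_disagreements())
```

An empty list from `regex_disagreements()` means the range pattern covers 147.160.167.0 through 147.160.167.63 and nothing else in that /24, so the rule would drop only simulation reports from the listed sources.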
  • Ondřej Kacar

    Hello, is there any progress regarding the request? We have the same issue, and it would be great to have this feature asap :).

    2
  • Ondřej Kacar

    I found a workaround: Phish Alert Button + https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/user-submission?view=o365-worldwide#third-party-reporting-tools

    The non-simulated email is reported to the Office 365 ATP as phish email + all non-simulated reported emails are in the SOC shared mailbox for further investigation. 

    2
  • Kaiser U.

    Hey Alex,

    You got it-- I've included your name and details in the feature request for our team to review. I think it will be quite an interesting request due to any possible limitations (as you said). But it is very much worth requesting and discussing as we see more and more of our community give their insights on this request. :) 

    Please let us know if you have any further feedback or suggestions. We'll always be happy to help. 

    Cheers,

    Kaiser 

    KnowBe4

    1
  • Jennifer Wescott

    +1 and following... (we use Proofpoint as well)

    1
  • Joe Reynoldson

    +1 and following ... we use O365 with EOP and ATP

    1
  • Will Conner

    +1 and following.  We are currently using the Phish Alert button by KnowBe4, however, we will be moving away from it given the new features in O365 and the benefits the O365 button brings in being able to auto-respond to phishing mail and manage investigations.  I love how much the button helps us with our KnowBe4 campaign reporting but active incidents take priority.  I am looking forward to a solution that will communicate with both products.

    1
  • Douglas Freeman

    Thank you for your contribution, Will.

    I'll pass this information over to our development team to make sure that they are aware that this is a request that is being upvoted! 

    We appreciate the feedback! 

    1
  • Michael Rhodes

    Also, my concern is that if enough users are reporting KnowBe4 phishing tests using Microsoft's button, Microsoft's AI will start blocking the tests even though KnowBe4 is whitelisted in the Exchange config.

    1
  • Walter Nelson

    Hi Bill and Martin,

    As soon as we have this finalized I will be sure to post any details here.

    1
  • Lisa Ashbaugh

    Please add me to the feature request. We currently use MS with the ATP as well. 

    1
  • Najjah Gilbert

    Hi Ondřej,

    We don't have any status updates available, but I've added you as a +1 to this feature request. Thank you for your feedback!

    1
  • Jacob Hahn

    Hi Matt,

    I have gone ahead and added you to the feature request as well.  Thank you for your feedback!

    Thanks,

    1
  • Kaiser U.

    Hi Alex,

    Great find! This is super helpful insight that I'll be sure to also pass along to our team internally. I will go ahead and also add you and Ondřej as a +1 to this general feature request.

    Thanks,

    Kaiser
    KnowBe4

    1
  • Chuck Benslay

    +1

    It's been over 2 years since this was first requested.  We are getting false 'clicks' when our Users report a KB4 phishing test via the Microsoft Report Message plug-in in Outlook.  Obviously this messes up our reporting and we have to manually remove the User from an auto-enrolled remedial training.

    1
  • Jordy Guillon

    Add me to this request. Our org just deployed o365. Between these two buttons, the Microsoft alert button wins as it reports directly back to their AI. Phish alert becomes just a user "feel good" button that does little to improve our security posture.

    1
  • Tarryn Roth

    +1 and following. We would also like to integrate KnowBe4 reporting with the Microsoft report button. We use the Microsoft button due to the functionality provided by Microsoft for it. Currently, we aren't able to track via the phishing campaigns who reported a phishing email from the simulation as we use the Microsoft button. I would also like to be able to provide a message that the email was part of the simulation.  

    1
  • Jennifer Wescott

    We are currently evaluating the button options we have available (Microsoft/Office 365, Proofpoint, and KnowBe4's PAB) and we are finding it difficult to evaluate whether the other buttons are able to send to KnowBe4 so we can have that reporting. Just to confirm, we currently cannot set up a third-party report button to send copies of phishing emails to phishalert@kb4.io (or another KB4 email) so that we can use the functionality of the other button in addition to retaining the reporting we get from KnowBe4? 

    0
  • Kaiser U.

    Hi Jennifer,

    Thanks for participating in this! That's correct. At this time the reporting is specific to the Phish Alert Button. The forwards that occur with the PAB occur within the code specific to the PAB and its APIs. However, I will gladly put in a request to add additional APIs (seen here) so that it may be possible to integrate the PAB with other reporting tools, outside of the KnowBe4 console, in addition to the original request's details. :)

    Thanks for reaching out and checking in on this! If you have more questions or concerns feel free to reach back out. We can always create a ticket on your behalf and get them addressed.

    Cheers,

    Kaiser

    KnowBe4

    0
  • Kaiser U.

    Hi Joe,

    You got it! I've added your  details to the feature request for our development team to review. :) Thanks so much for participating!

    Cheers,

    Kaiser

    KnowBe4

    0
  • Ivo Svilenski

    Following. Currently evaluating replacing Phish Alert with Report Message. 

    We'll miss the phishing campaign thumbs up and analytics.

    0
  • Arnold Dizon

    Following. We also use O365 with EOP and ATP. 

    0
  • Douglas Freeman

    Hi Michael, 

    I'm glad you brought that item up. Now due to the nature of what we do, KnowBe4's phishing and landing domains do end up on blacklists. We have a system internally to identify anytime our domains end up on blacklists and a removal process to minimize the amount of time that the domains are on that list!

    0
  • Ricardo Sousa

    +1 and following. We use O365 too and this would be great as we are having to manually submit the reported phishing emails to Microsoft.

    0