Create a Post
Showing results for 
Search instead for 
Did you mean: 

KnowBe4 Phishing Email Attachments are Getting Quarantined - "False Clicks/Opens"

In need of a little help!

I test my users every month with simulated phishing emails that come from KnowBe4. I haven't had an issue with Check Point Endpoint scanning and finding the attachments within those simulated emails as "malicious" until early September 2023. Once the email is delivered to the users inbox, it could take 1 minute for Endpoint to quarantine it, or 30 minutes. But once Endpoint quarantines it, it marks it as "opened" and/or "clicked" in the KnowBe4 Phishing report, which is false. 

Harmony Endpoint Threat Emulation is the specific blade on my E87.31 client that is finding the attachment in this file path as malicious: C:\Users\*user*\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\QFG6XUIG\package-ID97000.pdf

  • I've found the common folder each time the malicious file is found is that QFG6XUIG folder, but that's just on my computer
  • the package-ID97000.pdf does change, depending on what that simulated email is sending for an attachment
  • KnowBe4 has sent .zip and .pdf files, and this issue is happening for both of those file types

I don't want whitelist a specific folder path, as it's not the same for all users, and I don't want to exclude a path that could legitimately hold a malicious file from a legitimate phishing email. 

Has anyone else run into this issue lately? And moreover, has anyone found a good solution to resolve this so the reporting is skewed?

Thanks in advance!

0 Kudos
3 Replies

Hi @gavin-sd !  Did you ever figure out what was causing this?  We're experiencing this exact same issue and I cannot get it fixed!

0 Kudos

Hey @lulrichs - no luck yet. I do have an active case open with Check Point on this issue. The engineer is going to forward my cpinfo and forensics report to R&D to see if they can help out. 

0 Kudos

hi gavin

I could send this file to check and do an analysis on virustotal, I already had a problem in a word file that harmony identified an email with a malicious link in the base of them



0 Kudos


Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events