KnowBe4 Phishing Email Attachments are Getting Quarantined - "False Clicks/Opens"
In need of a little help!
I test my users every month with simulated phishing emails that come from KnowBe4. I haven't had an issue with Check Point Endpoint scanning and finding the attachments within those simulated emails as "malicious" until early September 2023. Once the email is delivered to the user's inbox, it could take 1 minute for Endpoint to quarantine it, or 30 minutes. But once Endpoint quarantines it, it marks it as "opened" and/or "clicked" in the KnowBe4 Phishing report, which is false.
Harmony Endpoint Threat Emulation is the specific blade on my E87.31 client that is finding the attachment in this file path as malicious: C:\Users\*user*\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\QFG6XUIG\package-ID97000.pdf
- I've found the common folder each time the malicious file is found is that QFG6XUIG folder, but that's just on my computer
- the package-ID97000.pdf does change, depending on what that simulated email is sending for an attachment
- KnowBe4 has sent .zip and .pdf files, and this issue is happening for both of those file types
I don't want to whitelist a specific folder path, as it's not the same for all users, and I don't want to exclude a path that could legitimately hold a malicious file from a legitimate phishing email.
Has anyone else run into this issue lately? And moreover, has anyone found a good solution to resolve this so the reporting is skewed?
Thanks in advance!
Labels: Threat Emulation
Hi @gavin-sd! Did you ever figure out what was causing this? We're experiencing this exact same issue and I cannot get it fixed!
Hey @lulrichs - no luck yet. I do have an active case open with Check Point on this issue. The engineer is going to forward my cpinfo and forensics report to R&D to see if they can help out.
Hi Gavin,
I could send this file to check and do an analysis on VirusTotal. I already had a problem in a Word file that Harmony identified an email with a malicious link in the base of them.
Hey @gavin-sd, just following up: did they find any solution for you? I'm now experiencing the same thing after addressing their false positive URL clicks.
We did not find a solution to essentially whitelist the simulated phishing attacks. Instead, they gave me an option of a setting change that would allow simulated tests to not have attachments, but only links embedded in the emails.
"You can certainly disable templates with attachments from being used!
This can be done from account settings>phishing>disable template attack vectors and then select the attachment type from the drop-down menu, please be sure to save your changes."
