This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Mike_Lutgendorf
Participant
‎2019-10-15 01:36 PM
Jump to solution

Best way to whitelist KnowBe4 Phishing domains?

So probably an obvious answer to this, but... long story short I need to whitelist the below. These are for phishing training from KnowBe4. 

Is there a way to import these given they're not all the same classification? Or is it better to attempt to treat these all like a host objects and hope their AWS IP's don't change? 

Sorry if it's a silly question. They also don't have CP listed in their documentation so i'd like something to forward on to them to add to it. 

Thanks in advance. 

Online-banking.kb4.io,
En-us.secureconnection.moneytransaction.kb4.io,
Mail.kb4.io,
Breakingnews.comano.us,
Secure-mail.web.magnetonics.com,
Socialmedia-insights.bloemlight.com,
Messaging-security.comano.us,
Do.not.click.on.this.link.instantrevert.net,
ftp.phishing.guru,
test.user-click.phishtrain.org,
password-changes.phishwall.net,
Robust-backend.ancillarycheese.com,
Web-login.malwarebouncer.com,
https.file-transfers.ancillarycheese.com,
guru.phishing.guru,
http.www.secure.kb4.io,
su.onamoc.comano.us,
https.secure-links.bloemlight.com,
dontclickthis.knowbe4.com,
us-api.mimecast.com,kb4.io,
addto.password.land,
05kqatnrJ9s0sNAh9.phish.farm,
secure.payment-gateway.microransom.us,
cardpayments.microransom.us.
crypt.single-sign-on.password.land.
oldmacdonald.had-a.phish.farm.
login.gogie.com,000000000000.phish.farm,
report-scam.malwarebouncer.com,
spamchallenge.msftemail.com,
gmail.net-login.com,
kn0wbe4.compromisedblog.com,
welsfargo.com-onlinebanking.com,
bofa.com-onlinebanking.com,
chase.com-onlinebanking.com,
capital1.com-onlinebanking.com,
2fa.com-token-auth.com,
token.onelogin.com-token-auth.com,
cnn.compromisedblog.com,
employeeportal.net-login.com,
34.75.2O2.lOl,

strongencryption.org.
protected-forms.com,
safe-site.protected-forms.com,
https.protected-forms.com,
secured-login.net,
singlesignon.secured-login.net,
googl-e.secured-login.net,
salesfarce.secured-login.net,
webmail.strongencryption.org.
login.strongencryption.org.
account.secured-login.net,
drive.secured-login.net,
form.secured-login.net,
tls.secured-login.net,
certificate.strongencryption.org.
office.strongencryption.org.
suite.strongencryption.org.
http.protected-forms.com,
internet.protected-forms.com,
submit.protected-forms.com,
*.kb4.io,
*.comano.us.
*.magnetonics.com,
*.bloemlight.com,
*.instantrevert.net,
*.phishing.guru.
*.phishtrain.org.
*.phishwall.net,
*.ancillarycheese.com,
*.malwarebouncer.com,
*.knowbe4.com,
*.password.land.
*.phish.farm.
*.microransom.us.
*.msftemail.com,
*.net-login.com,
*.compromisedblog.com,
*.com-onlinebanking.com,
*.com-token-auth.com,
*.2O2.lOl,

0 Kudos
1 Solution

Accepted Solutions
ScottG67
Participant
‎2021-05-26 11:11 AM
In response to George_Casper
Jump to solution

I got this figured out for the KnowBe4 domains.

 

  1. I created a Custom Application Site object containing the full domain names (Site Names) provided by KnowBe4.
    1. I was able to add all of these 53 domains via a CSV that I got from the KNowBe4 service. So at least I didn’t have to type them all in.
  2. I then created domain objects for all of the root domains. The root domains were also supplied by KnowBe4.
  3. I then created a rule under the “Internet Access”  that allows to the root domains I created above. On the HTTP and HTTPS services/Applications
  4. I then had to create a Global Exception That allowed to the Protection/Site/File being the Custom Application Site I created back in step #1 with the services being HTTP, HTTPS I set the Action to Detect.

 

View solution in original post

0 Kudos
4 Replies
ajoubert
Explorer
‎2021-04-22 12:49 AM
Jump to solution

I have the same requirement, at the moment phishing campaign traffic being dropped by DNS trap

0 Kudos
ScottG67
Participant
‎2021-05-20 02:55 PM
In response to ajoubert
Jump to solution

I have the same requirement. Any help here would be greatly appreciated.

Thanks,

Scott

0 Kudos
George_Casper
Contributor
‎2021-05-20 05:50 PM
In response to ScottG67
Jump to solution

Two main places I had to allow the KnowBe4 domains

  1. Add an Access Control rule for URL Filtering.  Create a custom application/site with the domain list and allow it.   Even so, IPS would still kick in and block the users so..
  2. Threat Prevention, add a Global Exception to your protected scope with the destination of the custom app/site list and change Action to Detect instead of prevent and also add Logging.
ScottG67
Participant
‎2021-05-26 11:11 AM
In response to George_Casper
Jump to solution

I got this figured out for the KnowBe4 domains.

 

  1. I created a Custom Application Site object containing the full domain names (Site Names) provided by KnowBe4.
    1. I was able to add all of these 53 domains via a CSV that I got from the KNowBe4 service. So at least I didn’t have to type them all in.
  2. I then created domain objects for all of the root domains. The root domains were also supplied by KnowBe4.
  3. I then created a rule under the “Internet Access”  that allows to the root domains I created above. On the HTTP and HTTPS services/Applications
  4. I then had to create a Global Exception That allowed to the Protection/Site/File being the Custom Application Site I created back in step #1 with the services being HTTP, HTTPS I set the Action to Detect.

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events