Mike_Lutgendorf
Participant

Best way to whitelist KnowBe4 Phishing domains?

So probably an obvious answer to this, but... long story short I need to whitelist the below. These are for phishing training from KnowBe4. 

Is there a way to import these given they're not all the same classification? Or is it better to attempt to treat these all like host objects and hope their AWS IPs don't change?

Sorry if it's a silly question. They also don't have CP listed in their documentation, so I'd like something to forward on to them to add to it.

Thanks in advance. 



Accepted Solutions
ScottG67
Participant

I got this figured out for the KnowBe4 domains.

 

  1. I created a Custom Application Site object containing the full domain names (Site Names) provided by KnowBe4.
    1. I was able to add all of these 53 domains via a CSV that I got from the KnowBe4 service. So at least I didn’t have to type them all in.
  2. I then created domain objects for all of the root domains. The root domains were also supplied by KnowBe4.
  3. I then created a rule under “Internet Access” that allows traffic to the root domains I created above, on the HTTP and HTTPS services/applications.
  4. I then had to create a Global Exception that allowed traffic, with the Protection/Site/File being the Custom Application Site I created back in step #1 and the services being HTTP and HTTPS. I set the Action to Detect.
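
An added example, not part of the original posts and not a KnowBe4 or Check Point tool: a Python script that cleans a vendor-supplied list before it is loaded into the Custom Application/Site object and the root-domain objects, and reports any site name that none of the root domains would match. The sample list is constructed from reserved example domains and addresses, and the function names are hypothetical.

```python
import re

# Constructed sample in the style of a vendor-supplied list: mixed case,
# "," and "." terminators, two names fused on one line, an IP literal,
# and wildcard entries that name the root domains.
RAW = """\
Online-banking.example.com,
mail.example.com,
login.example.net.
api.example.org,portal.example.com,
198.51.100.7,
*.example.com,
*.example.net.
"""

LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def is_hostname(name):
    """Syntactic check only; assumes an alphabetic TLD (no punycode TLDs)."""
    labels = name.split(".")
    return (len(labels) >= 2 and len(name) <= 253
            and all(LABEL.match(label) for label in labels)
            and labels[-1].isalpha())

def classify(raw):
    """Split the raw list into site names, root domains and rejected tokens."""
    sites, roots, rejected = set(), set(), []
    for token in re.split(r"[,\s]+", raw):
        entry = token.rstrip(".").lower()
        if not entry:
            continue
        wildcard = entry.startswith("*.")
        name = entry[2:] if wildcard else entry
        if not is_hostname(name):
            rejected.append(token)   # e.g. IP literals: not a domain object
        elif wildcard:
            roots.add(name)          # candidates for root-domain objects
        else:
            sites.add(name)          # candidates for the application/site list
    return sorted(sites), sorted(roots), rejected

def uncovered(sites, roots):
    """Site names that no root-domain object would match."""
    return [s for s in sites
            if not any(s == r or s.endswith("." + r) for r in roots)]

if __name__ == "__main__":
    sites, roots, rejected = classify(RAW)
    print("site names  :", sites)
    print("root domains:", roots)
    print("rejected    :", rejected)
    print("uncovered   :", uncovered(sites, roots))
```

Anything reported as uncovered would be allowed by the site list but not by the root-domain rule, so it needs either its own root-domain object or a question back to the vendor.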

 

4 Replies
ajoubert
Explorer

I have the same requirement; at the moment phishing campaign traffic is being dropped by the DNS trap.

ScottG67
Participant

I have the same requirement. Any help here would be greatly appreciated.

Thanks,

Scott

George_Casper
Collaborator

Two main places I had to allow the KnowBe4 domains

  1. Add an Access Control rule for URL Filtering.  Create a custom application/site with the domain list and allow it.   Even so, IPS would still kick in and block the users so..
  2. Threat Prevention, add a Global Exception to your protected scope with the destination of the custom app/site list and change Action to Detect instead of prevent and also add Logging.
