Best way to whitelist KnowBe4 Phishing domains?
So probably an obvious answer to this, but... long story short I need to whitelist the below. These are for phishing training from KnowBe4.
Is there a way to import these given they're not all the same classification? Or is it better to attempt to treat these all like host objects and hope their AWS IPs don't change?
Sorry if it's a silly question. They also don't have CP listed in their documentation so I'd like something to forward on to them to add to it.
Thanks in advance.
Accepted Solutions
I got this figured out for the KnowBe4 domains.
- I created a Custom Application Site object containing the full domain names (Site Names) provided by KnowBe4.
- I was able to add all of these 53 domains via a CSV that I got from the KnowBe4 service. So at least I didn’t have to type them all in.
- I then created domain objects for all of the root domains. The root domains were also supplied by KnowBe4.
- I then created a rule under “Internet Access” that allows traffic to the root domains I created above, on the HTTP and HTTPS services/applications.
- I then had to create a Global Exception that allowed to the Protection/Site/File, being the Custom Application Site I created back in step #1, with the services being HTTP and HTTPS. I set the Action to Detect.
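A pre-import check for the vendor list, as an added example that is not part of the original posts: it normalizes pasted entries (mixed case, trailing commas and dots), separates full site names from the `*.` root domains used in steps 1 and 3 above, and reports site names that no supplied root covers. The sample domains are constructed and the function names are hypothetical.

```python
import re

# One DNS label: letters, digits, hyphens, no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Constructed sample in the shape of a pasted vendor list (not real vendor data).
SAMPLE = """
Online-banking.training.example,
mail.training.example,login.sim.example.net.
portal.other.example.org,
203.0.113.7,
bad_label.training.example,
*.training.example,
*.sim.example.net.
"""

def valid_hostname(name):
    """Multi-label hostname whose last label is not numeric (so not an IPv4 literal)."""
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2 or labels[-1].isdigit():
        return False
    return all(LABEL.match(label) for label in labels)

def classify(raw):
    """Return (site_names, root_domains, rejects) from a comma/newline separated list."""
    sites, roots, rejects = [], [], []
    for token in re.split(r"[,\s]+", raw):
        entry = token.rstrip(".").lower()
        if not entry:
            continue
        wildcard = entry.startswith("*.")
        host = entry[2:] if wildcard else entry
        if not valid_hostname(host):
            rejects.append(token)          # needs a human decision, never auto-import
        elif wildcard and host not in roots:
            roots.append(host)             # candidate for a domain object (step 3)
        elif not wildcard and host not in sites:
            sites.append(host)             # candidate for the custom site list (step 1)
    return sites, roots, rejects

def uncovered(sites, roots):
    """Site names that no supplied root covers; a rule built only on roots misses them."""
    return [s for s in sites if not any(s == r or s.endswith("." + r) for r in roots)]

if __name__ == "__main__":
    sites, roots, rejects = classify(SAMPLE)
    print("site names :", sites)
    print("root domains:", roots)
    print("rejected    :", rejects)
    print("uncovered   :", uncovered(sites, roots))
```

Anything in the rejected or uncovered output is worth confirming with the vendor before it goes into an allow rule or a Threat Prevention exception, since every entry widens what the gateway stops enforcing.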
I have the same requirement; at the moment phishing campaign traffic is being dropped by DNS trap.
I have the same requirement. Any help here would be greatly appreciated.
Thanks,
Scott
Two main places I had to allow the KnowBe4 domains:
- Add an Access Control rule for URL Filtering. Create a custom application/site with the domain list and allow it. Even so, IPS would still kick in and block the users, so...
- Threat Prevention: add a Global Exception to your protected scope with the destination of the custom app/site list, change Action to Detect instead of Prevent, and also add Logging.