Solved: Best way to whitelist KnowBe4 Phishing domains?

Mike_Lutgendorf · ‎2019-10-15

So probably an obvious answer to this, but... long story short I need to whitelist the below. These are for phishing training from KnowBe4.

Is there a way to import these given they're not all the same classification? Or is it better to attempt to treat these all like a host objects and hope their AWS IP's don't change?

Sorry if it's a silly question. They also don't have CP listed in their documentation so i'd like something to forward on to them to add to it.

Thanks in advance.

Online-banking.kb4.io,
En-us.secureconnection.moneytransaction.kb4.io,
Mail.kb4.io,
Breakingnews.comano.us,
Secure-mail.web.magnetonics.com,
Socialmedia-insights.bloemlight.com,
Messaging-security.comano.us,
Do.not.click.on.this.link.instantrevert.net,
ftp.phishing.guru,
test.user-click.phishtrain.org,
password-changes.phishwall.net,
Robust-backend.ancillarycheese.com,
Web-login.malwarebouncer.com,
https.file-transfers.ancillarycheese.com,
guru.phishing.guru,
http.www.secure.kb4.io,
su.onamoc.comano.us,
https.secure-links.bloemlight.com,
dontclickthis.knowbe4.com,
us-api.mimecast.com,kb4.io,
addto.password.land,
05kqatnrJ9s0sNAh9.phish.farm,
secure.payment-gateway.microransom.us,
cardpayments.microransom.us.
crypt.single-sign-on.password.land.
oldmacdonald.had-a.phish.farm.
login.gogie.com,000000000000.phish.farm,
report-scam.malwarebouncer.com,
spamchallenge.msftemail.com,
gmail.net-login.com,
kn0wbe4.compromisedblog.com,
welsfargo.com-onlinebanking.com,
bofa.com-onlinebanking.com,
chase.com-onlinebanking.com,
capital1.com-onlinebanking.com,
2fa.com-token-auth.com,
token.onelogin.com-token-auth.com,
cnn.compromisedblog.com,
employeeportal.net-login.com,
34.75.2O2.lOl,

strongencryption.org.
protected-forms.com,
safe-site.protected-forms.com,
https.protected-forms.com,
secured-login.net,
singlesignon.secured-login.net,
googl-e.secured-login.net,
salesfarce.secured-login.net,
webmail.strongencryption.org.
login.strongencryption.org.
account.secured-login.net,
drive.secured-login.net,
form.secured-login.net,
tls.secured-login.net,
certificate.strongencryption.org.
office.strongencryption.org.
suite.strongencryption.org.
http.protected-forms.com,
internet.protected-forms.com,
submit.protected-forms.com,
*.kb4.io,
*.comano.us.
*.magnetonics.com,
*.bloemlight.com,
*.instantrevert.net,
*.phishing.guru.
*.phishtrain.org.
*.phishwall.net,
*.ancillarycheese.com,
*.malwarebouncer.com,
*.knowbe4.com,
*.password.land.
*.phish.farm.
*.microransom.us.
*.msftemail.com,
*.net-login.com,
*.compromisedblog.com,
*.com-onlinebanking.com,
*.com-token-auth.com,
*.2O2.lOl,

ScottG67 · ‎2021-05-26

I got this figured out for the KnowBe4 domains.

I created a Custom Application Site object containing the full domain names (Site Names) provided by KnowBe4.

I was able to add all of these 53 domains via a CSV that I got from the KNowBe4 service. So at least I didn’t have to type them all in.

I then created domain objects for all of the root domains. The root domains were also supplied by KnowBe4.
I then created a rule under the “Internet Access” that allows to the root domains I created above. On the HTTP and HTTPS services/Applications
I then had to create a Global Exception That allowed to the Protection/Site/File being the Custom Application Site I created back in step #1 with the services being HTTP, HTTPS I set the Action to Detect.

View solution in original post

ajoubert · ‎2021-04-22

I have the same requirement, at the moment phishing campaign traffic being dropped by DNS trap

ScottG67 · ‎2021-05-20

I have the same requirement. Any help here would be greatly appreciated.

Thanks,

Scott

George_Casper · ‎2021-05-20

Two main places I had to allow the KnowBe4 domains

Add an Access Control rule for URL Filtering. Create a custom application/site with the domain list and allow it. Even so, IPS would still kick in and block the users so..
Threat Prevention, add a Global Exception to your protected scope with the destination of the custom app/site list and change Action to Detect instead of prevent and also add Logging.

ScottG67 · ‎2021-05-26

I got this figured out for the KnowBe4 domains.

I created a Custom Application Site object containing the full domain names (Site Names) provided by KnowBe4.

I was able to add all of these 53 domains via a CSV that I got from the KNowBe4 service. So at least I didn’t have to type them all in.

I then created domain objects for all of the root domains. The root domains were also supplied by KnowBe4.
I then created a rule under the “Internet Access” that allows to the root domains I created above. On the HTTP and HTTPS services/Applications
I then had to create a Global Exception That allowed to the Protection/Site/File being the Custom Application Site I created back in step #1 with the services being HTTP, HTTPS I set the Action to Detect.

Are you a member of CheckMates?

Best way to whitelist KnowBe4 Phishing domains?

Best way to whitelist KnowBe4 Phishing domains?