This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
gavin-sd
Explorer
‎2023-11-14 08:27 AM

KnowBe4 Phishing Email Attachments are Getting Quarantined - "False Clicks/Opens"

In need of a little help!

I test my users every month with simulated phishing emails that come from KnowBe4. I haven't had an issue with Check Point Endpoint scanning and finding the attachments within those simulated emails as "malicious" until early September 2023. Once the email is delivered to the users inbox, it could take 1 minute for Endpoint to quarantine it, or 30 minutes. But once Endpoint quarantines it, it marks it as "opened" and/or "clicked" in the KnowBe4 Phishing report, which is false. 

Harmony Endpoint Threat Emulation is the specific blade on my E87.31 client that is finding the attachment in this file path as malicious: C:\Users\*user*\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\QFG6XUIG\package-ID97000.pdf

  • I've found the common folder each time the malicious file is found is that QFG6XUIG folder, but that's just on my computer
  • the package-ID97000.pdf does change, depending on what that simulated email is sending for an attachment
  • KnowBe4 has sent .zip and .pdf files, and this issue is happening for both of those file types

I don't want whitelist a specific folder path, as it's not the same for all users, and I don't want to exclude a path that could legitimately hold a malicious file from a legitimate phishing email. 

Has anyone else run into this issue lately? And moreover, has anyone found a good solution to resolve this so the reporting is skewed?

Thanks in advance!

Labels
0 Kudos
3 Replies
lulrichs
Explorer
‎2024-03-28 06:35 AM

Hi @gavin-sd !  Did you ever figure out what was causing this?  We're experiencing this exact same issue and I cannot get it fixed!

0 Kudos
gavin-sd
Explorer
a month ago
In response to lulrichs

Hey @lulrichs - no luck yet. I do have an active case open with Check Point on this issue. The engineer is going to forward my cpinfo and forensics report to R&D to see if they can help out. 

0 Kudos
lluner
Participant
4 weeks ago
In response to gavin-sd

hi gavin

I could send this file to check and do an analysis on virustotal, I already had a problem in a word file that harmony identified an email with a malicious link in the base of them

 

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events