Filter Out KnowBe4 Phishing Test Emails

KnowBe4 produces a number of cybersecurity products, including borderline unwatchable training videos and, the subject of this post, phishing tests.

A phishing test (also commonly referred to as simulated phishing) is when an organization sends its employees emails that look like phishing attempts to see whether or not staff will click on the links in the emails. Those who do click on the links are typically directed to even more pointless training.

As I’ve said before, I think phishing tests are the current version of “change your password every three months” requirements. Like the constant password changes of yesterday, phishing tests are usually done with good intent but are, at best, security theater and, at worst, undermine long-term cybersecurity efforts.

Regardless, most modern email systems will tend to flag phishing tests as spam/phishing and either quarantine them or deliver them to junk mailboxes. To ensure the phishing test is delivered to employee inboxes, organizations have to whitelist the emails using one of a number of possible methods.

KnowBe4 helpfully publishes its whitelisting guide on its website.

KnowBe4’s documentation explains how organizations can whitelist their phishing test emails by IP address, hostnames, or headers. And, of course, the same information can be used to filter any phishing test emails into the junk mail or any other folder.

For example, as of the writing of this article, KnowBe4’s documentation indicates it uses 23.21.109.197 and 23.21.109.212 as IP addresses to send phishing test emails to its US, Canadian, UK, and German customers. Its documentation also mentions that it may use 147.160.167.0/26 in the future to send phishing test emails. It also uses the hostname psm.knowbe4.com.

KnowBe4 also uses a default header of X-PHISHTEST, but unlike the IP address and the hostname, individual organizations can create a custom header. As such, filtering against that header is less reliable than the other two indicators.

From there, it is just a matter of creating a mail filter that routes any emails carrying those IP addresses/ranges or that hostname in their headers into whatever folder you want.
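As an added example (not code from the post or from KnowBe4's documentation), the filter logic in Python: it walks the Received headers and the X-PHISHTEST header of a constructed sample message and checks them against the indicators quoted above; the folder name, the sample message and the helper names are assumptions.

```python
import email
import ipaddress
import re
from email import policy

# Indicators taken from the KnowBe4 whitelisting guide as quoted in the post.
KB4_NETWORKS = [ipaddress.ip_network(n) for n in
                ("23.21.109.197/32", "23.21.109.212/32", "147.160.167.0/26")]
KB4_HOSTNAME = "psm.knowbe4.com"
KB4_HEADER = "X-PHISHTEST"  # default header; customers may rename it

# Pulls the bracketed address out of "from host (name [ip])" in Received: lines.
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F.:]+)\]")


def phishing_test_indicators(raw_message: bytes) -> list[str]:
    """Return the guide's indicators that this message matches.

    Note: only the Received: line added by your own mail server is trustworthy;
    any earlier Received: lines arrive inside the message and can be forged.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for received in msg.get_all("Received", []):
        text = str(received)
        if KB4_HOSTNAME in text.lower():
            hits.append(f"hostname:{KB4_HOSTNAME}")
        for token in IP_RE.findall(text):
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:
                continue  # bracketed text that is not an IP address
            hits.extend(f"ip:{addr} in {net}" for net in KB4_NETWORKS if addr in net)
    if msg.get(KB4_HEADER) is not None:
        hits.append(f"header:{KB4_HEADER}")
    return hits


def route_folder(raw_message: bytes) -> str:
    """Folder decision: anything matching the guide goes to 'Phishing Tests' (assumed name)."""
    return "Phishing Tests" if phishing_test_indicators(raw_message) else "INBOX"


# Constructed sample message (not a real capture) relayed from one of the guide's IPs.
SAMPLE = b"""Received: from psm.knowbe4.com (psm.knowbe4.com [23.21.109.197])
\tby mx.example.org with ESMTPS; Mon, 1 Jan 2024 10:00:00 +0000
From: "IT Helpdesk" <helpdesk@example.org>
To: alice@example.org
Subject: Action required: password reset
X-PHISHTEST: example-org-campaign-1

Click here to reset your password.
"""

if __name__ == "__main__":
    print(phishing_test_indicators(SAMPLE), route_folder(SAMPLE))
```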

KnowBe4’s documentation page is updated almost daily, but this appears to mainly be an effort to signal that the information is current rather than that it is constantly changing the IP/hostname details. The only thing that seems to actually change daily is the documentation’s date. This makes sense because every time KnowBe4 updates its IP addresses or hostname, every organization using it for phishing tests also has to update its email whitelisting configuration, so these details likely change infrequently.

Still, the last part of this process would be to set up a webpage monitor to report when there are any changes to the whitelisting guide. I prefer to self-host something like changedetection.io, which gives a diff showing what changed on a page.

The Other Benefit of Using A Password Manager

Terence Eden’s essay That’s not how 2FA works is a good primer on how 2FA, for some people, is borderline magic thinking. 2FA is good at protecting against a particular set of attacks such as credential stuffing and brute force attacks, but it is not cybersecurity magic.

Eden points out that 2FA doesn’t help you better identify a site, so it doesn’t protect users from entering their passwords and sending a 2FA token if a phisher gets you to click on reall-bank.com instead of real-bank.com.

However, password managers are good at not falling for fake sites (in addition to allowing users to maintain unique, complex passwords for every site).

The best defence is to use a password manager. I recommend the open source Bit Warden.

A password manager stores your passwords. But it also stores the web address of the site’s login page. If you visit githud, the password manager won’t prompt you to use the login details for github.

Defence in depth. Use 2FA to prevent attackers masquerading as you. And use a password manager to prevent fake sites masquerading as real sites.

An Ingenious Phishing Technique

Craig Hays wrote a fascinating article describing a phishing campaign his company had to deal with that had an ingenious method of propagating itself.

As we dug deeper and compared sign-in timestamps with email timestamps, it became clear what was happening. The phishing emails were being sent as replies to genuine emails. Emails exchanged between our people and our suppliers, our customers, and even internally between colleagues.

A typical phishing email comes from an email address you’ve never seen before. Granted, it might be similar to a real address you’d expect to see such as rnicrosoft.com instead of microsoft.com, but it’s rare for an address you trust to send you anything suspicious. When someone you know does send you something suspicious it’s usually rather obvious. When it happens we contact them directly to let them know there’s a problem. ‘Looks like you’ve been hacked, mate.’ We don’t fall for the scam.

In this attack, however, all of the phishing links were sent as replies to emails in the compromised account’s mailbox. This gave every email an inherited sense of trust. ‘You asked for this thing, here it is: link to phishing page’. When I realised what was happening, I was in awe. Whether done by deliberate design or not, the outcome was incredible. The conversion rates on these emails would make even the greatest of email marketers envious!

LostPass Phishing Attack Against LastPass

Every few months, someone comes out with a clever attack on LastPass. In January, for example, Sean Cassidy released his LostPass phishing attack that “allows an attacker to steal a LastPass user’s email, password, and even two-factor auth code, giving full access to all passwords and documents stored in LastPass.”

LostPass is a clever phishing attack. Essentially an attacker creates a fake notice that a user’s LastPass session has expired and asks them to log in. The fake version is visually identical to the actual notice LastPass uses, and even technical users would be unable to distinguish between the real notice and a phishing attempt.

LastPass responded by removing the button in its session expiration notices (so users will, presumably, be able to better distinguish fake versions which would need to have some sort of “login” button). LastPass also now requires users to go through an email-based process to approve logins from any previously unknown device or IP address.

LastPass also points the finger at Google, saying it identified these sorts of problems with the way Chrome displays notifications, but that its complaints fell on deaf ears:

A point that was only briefly raised in Cassidy’s research was the role that the browser itself plays in this attack. LastPass has encouraged Google for years to provide a way to avoid using the browser viewport for notifications. As a true solution to this threat, Google should release infobars in Chrome that give extensions the capability to do proper notifications outside the DOM. You can see our plea for this back in January 2012 with still no resolution; please star this issue to help us raise awareness.

It is good that people like Cassidy are out there looking for ways to get around LastPass’ security, and also good that LastPass generally responds to these sorts of attacks much more quickly and effectively than a lot of companies. Every time a vulnerability in LastPass is found, people I know ask me whether they should still use LastPass, and my answer so far has always been “yes.”

So far the vulnerabilities that have been found in LastPass are of the sort that I still feel far more secure using it to manage my passwords than using some other password manager or (even worse) some other method for creating and managing the passwords to the dozens of services I have credentials for.