KnowBe4 produces a number of cybersecurity products, including borderline unwatchable training videos and, the subject of this post, phishing tests.
A phishing test (also commonly referred to as simulated phishing) is when an organization sends its employees emails that look like phishing attempts to see whether or not staff will click on the links in the emails. Those who do click on the links are typically directed to even more pointless training.
As I’ve said before, I think phishing tests are the current version of “change your password every three months” requirements. Like the constant password changes of yesterday, phishing tests are usually done with good intent but are, at best, security theater and, at worst, undermine long-term cybersecurity efforts.
Regardless, most modern email systems will tend to flag phishing tests as spam/phishing and either quarantine them or deliver them to junk mailboxes. To ensure the phishing test is delivered to employee inboxes, organizations have to whitelist the emails using one of a number of possible methods.
KnowBe4 helpfully publishes its whitelisting guide on its website.
KnowBe4’s documentation explains how organizations can whitelist their phishing test emails by IP address, hostname, or header. And, of course, the same information can be used to filter any phishing test emails into junk mail or any other folder.
For example, as of the writing of this article, KnowBe4’s documentation indicates it uses 23.21.109.197 and 23.21.109.212 as IP addresses to send phishing test emails to its US, Canadian, UK, and German customers. Its documentation also mentions that it may use 147.160.167.0/26 in the future to send phishing test emails. It also uses the hostname psm.knowbe4.com.
KnowBe4 also uses a default header of X-PHISHTEST, but unlike the IP address and the hostname, individual organizations can create a custom header. As such, filtering against that header is less reliable than the other two indicators.
From there, it is just a matter of creating a mail filter that routes any emails that have those IP addresses/ranges or hostname in the header into whatever folder you want.
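One way to express that filter, as an added example that is not from the original post or from KnowBe4: a Python function that checks a message's Received headers against the IP addresses, range and hostname listed above, plus the default X-PHISHTEST header. The sample messages, folder name and function names are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Indicators as listed in the post (from KnowBe4's guide at the time of writing).
SENDER_NETWORKS = [ipaddress.ip_network(n) for n in
                   ("23.21.109.197/32", "23.21.109.212/32", "147.160.167.0/26")]
SENDER_HOSTNAME = "psm.knowbe4.com"
DEFAULT_HEADER = "X-PHISHTEST"  # customers can rename it, so it is the weakest signal
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def match_indicators(raw_message):
    """Return the sorted list of indicator types found in the message headers."""
    msg = message_from_string(raw_message)
    hits = set()
    for received in msg.get_all("Received", []):
        if SENDER_HOSTNAME in received.lower():
            hits.add("hostname")
        for candidate in IPV4_RE.findall(received):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
                continue
            if any(addr in net for net in SENDER_NETWORKS):
                hits.add("ip")
    if msg.get(DEFAULT_HEADER) is not None:  # header lookup is case-insensitive
        hits.add("header")
    return sorted(hits)

def route(raw_message, folder="Phishing-Tests"):
    """Pick a destination: the given folder on any match, otherwise INBOX."""
    return folder if match_indicators(raw_message) else "INBOX"

# Constructed sample messages (not real mail).
SAMPLE_TEST = (
    "Received: from psm.knowbe4.com (psm.knowbe4.com [23.21.109.197])\n"
    "\tby mx.example.org with ESMTPS; Mon, 1 Jan 2024 10:00:00 +0000\n"
    "X-PHISHTEST: 1\nSubject: Password expiry\n\nClick here\n")
SAMPLE_FUTURE_RANGE = (  # address inside 147.160.167.0/26
    "Received: from mail.example.net (unknown [147.160.167.40])\n"
    "\tby mx.example.org; Mon, 1 Jan 2024 10:05:00 +0000\n"
    "Subject: Invoice\n\nSee attachment\n")
SAMPLE_NORMAL = (  # .64 is just outside the /26, so no match
    "Received: from mail.example.com (mail.example.com [147.160.167.64])\n"
    "\tby mx.example.org; Mon, 1 Jan 2024 10:10:00 +0000\n"
    "Subject: Lunch\n\nNoon?\n")
```

Only the Received line stamped by your own mail server is trustworthy; lines below it are supplied by the sender, so a production rule should match on that first hop only.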
KnowBe4’s documentation page is updated almost daily, but this appears to be mainly an effort to signal that the information is current, not a sign that the IP/hostname details are constantly changing. The only thing that seems to actually change daily is the documentation’s date. This makes sense: every time KnowBe4 updates its IP addresses or hostname, every organization using it for phishing tests also has to update its email whitelisting configuration, so these details likely change infrequently.
Still, the last part of this process would be to set up a webpage monitor to report when there are any changes to the whitelisting guide. I prefer to self-host something like changedetection.io, which gives a diff showing what changed on a page.