Pro tip: set up a rule in your email client that sends any email containing either of the phrases phishme.com or knowbe4 in the header to junk.
Note that I said header, not From field.
It is so stupid that orgs spend thousands of dollars on these products and you can be seen as not being a phishing risk because of their shitty systems.
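Taking the comment above literally, here is an added example (not the commenter's code, and not anything a vendor ships) of the difference between a rule that looks only at the From field and a rule that scans every header line, Received hops and Return-Path included. The marker strings are the two the comment names; the hostnames, addresses and the two sample messages are constructed for the demonstration, with a `.example` suffix to mark them as hypothetical. Whether a given vendor's messages actually carry such a string in their headers is an empirical question this example does not answer.

```python
import email
from email.message import Message

# Marker strings from the comment above. Treat the list as an assumption,
# not as a statement about what any vendor really puts in its headers.
JUNK_MARKERS = ("phishme.com", "knowbe4")


def parse(raw_message: str) -> Message:
    """Parse an RFC 5322 message from its raw text (headers + body)."""
    return email.message_from_string(raw_message)


def matching_headers(raw_message: str, markers=JUNK_MARKERS):
    """Return [(header_name, marker), ...] for every header whose value
    contains one of the markers (case-insensitive).  Every header is
    scanned, including each Received: hop and Return-Path:, not only
    From:.  The message body is deliberately ignored."""
    hits = []
    for name, value in parse(raw_message).items():
        folded = str(value).lower()          # folded continuation lines included
        for marker in markers:
            if marker.lower() in folded:
                hits.append((name, marker))
    return hits


def from_only_matches(raw_message: str, markers=JUNK_MARKERS) -> bool:
    """The weaker rule: look at the From: field and nothing else."""
    sender = (parse(raw_message).get("From") or "").lower()
    return any(m.lower() in sender for m in markers)


def classify(raw_message: str, markers=JUNK_MARKERS) -> str:
    """Folder decision: 'junk' if any header carries a marker, else 'inbox'."""
    return "junk" if matching_headers(raw_message, markers) else "inbox"


# Constructed sample 1: From: looks like internal HR, but the Return-Path and
# the first Received hop name the sending platform.  Hypothetical hosts.
SAMPLE_SIMULATED = """Return-Path: <bounce@mta.phishme.com.example>
Received: from mta.phishme.com.example (mta.phishme.com.example [192.0.2.10])
\tby mx.corp.example (Postfix) with ESMTPS id 4ABC
\tfor <alice@corp.example>; Mon, 1 Jan 2024 09:00:00 +0000
From: "HR Department" <hr@corp.example>
To: alice@corp.example
Subject: Mandatory benefits enrollment
Message-ID: <abc@corp.example>

Please log in to confirm your benefits selection.
"""

# Constructed sample 2: the same-looking mail sent by the real internal relay.
SAMPLE_LEGIT = """Return-Path: <hr@corp.example>
Received: from smtp.corp.example (smtp.corp.example [192.0.2.20])
\tby mx.corp.example (Postfix) with ESMTPS id 5DEF
\tfor <alice@corp.example>; Mon, 1 Jan 2024 09:05:00 +0000
From: "HR Department" <hr@corp.example>
To: alice@corp.example
Subject: Mandatory benefits enrollment

Same text, from the real HR team.
"""


if __name__ == "__main__":
    for label, raw in (("simulated", SAMPLE_SIMULATED), ("legit", SAMPLE_LEGIT)):
        print(label, "from-only:", from_only_matches(raw),
              "all-headers:", matching_headers(raw), "->", classify(raw))
```

The From-only rule returns False for both messages, since both carry the same internal From address; the all-headers rule flags the first one on its Return-Path and Received lines and leaves the second alone. A real client rule ("message header contains ...") does the same substring scan over the raw header block, which is why the comment distinguishes header from From field.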
I’m a software developer. A few years ago, we were all sent mail by a sketchy looking company that had our company’s logo slapped onto the header in the sloppiest way possible and wanted us to click on a link to a “mandatory Cybersecurity training”.
Obviously everyone ignored it. Which is exactly what you’d want people to do. Turns out, it was real and not a scam, just incompetence.
I think you all completed the training before it started.
Got a mail a few weeks ago:
Hello <name>,
thanks for signing up to <training I didn’t sign up for>.
Turns out someone from management assigned us to that training and that’s just the standard mail it sends…
My favorite was, though, when my company started using yet another awful Microsoft service and we got a mail that we could log into our account on microsoftonline.com. Turns out that obvious phishing domain is actually operated by Microsoft.
I always just wait for a follow-up email from whoever assigned it, or ask someone who would know whether it’s legit.
Oh, just wait until you get someone legitimately using a domain.onmicrosoft.com email address. Microsoft uses the onmicrosoft.com domain as a placeholder for unlicensed users and domains which haven’t been fully set up yet. Which is funny, since they own the .microsoft TLD and could move everything to .microsoft domains to show it off, but they choose not to for whatever reason.
A company I used to work for used paycom(dot)com for their HR software, so we would frequently get notifications from there for work stuff. One day I got an external work email telling me to click a link to a paycom(dot)net site to sign up for a raffle to win a free iPad. I thought that looked sketchy as fuck, so I did a quick whois on the .net and .com sites. They were completely different, and the .net site was basically entirely anonymised. So obviously at that point I was like “damn, this phisher managed to get the .net domain for paycom. That’s kind of impressive. I should let our IS guy know so he knows we’re being targeted.” So I shot off an email to our basically only IS guy, and he responded by telling me that the email was legit and everyone in the company got it because the company was giving away an extra iPad they had. But he also said that now that I had pointed it out, it was the sketchiest-looking email he had seen in a while.
I honestly should have known better, considering this is the same company where at one point a different IS person had sent me an email basically just saying “Your computer has a virus. Open this attachment to remove it.” Turns out that was also legit: the guy who used my desk on first shift had managed to get a virus somewhere, but rather than coming down to fix it themselves, IS just sent me an email with a script to run.
Someone once said that people don’t hate computers, they hate the idiots who program computers.
Genius. The people who click on the link to the training are exactly the people who need the training.
Here’s the thing…
If you are savvy enough to know how to (or look up how to) find the header of your phishing test email service, and then create a rule to filter on that, then you aren’t the target for those emails anyway.
I would argue that logic gives you a false sense of security. All employees are targets no matter the pecking order.
That a product you are paying thousands of euros for, and which is required for business certifications like SOC 2/ISO 27001 or cyber insurance, can be so easily nullified is a joke.
This is not reliable.
Phishing training companies use a huge variety of domains, including look-alikes relevant to the test, with valid SPF/DKIM/DMARC configurations. Exactly as real phishers do, and there’s no effective way to automate filtering them.
Are you sure? Have you ever looked at the header of an email from KnowBe4 or PhishMe? The emails come from their own mail servers.
Yes, absolutely. We used to use KnowBe4. I’m not saying they didn’t do this in the past, but I know for certain they didn’t when I checked.
There were obviously hints (the campaigns are designed to be detectable), but easy filtering was not one of them; that would be stupid.
Where I worked it wasn’t enough to ignore those emails, we were supposed to hit a button flagging them as a phishing attempt.
That is why it goes to junk and is not deleted: you can still see them and report them.
So just have them tagged instead of junked and do the needful.
Hmmm, I set up a lot of Outlook rules, but I don’t remember an ability to run a script when a rule was matched. Maybe I just never needed it, though.
I mean just plonk them on a folder or tag them or whatever, and then you can manually perform the operation at your leisure.