Sublime rule type: Exclusion
KnowBe4 phishing simulation
Identifies phishing simulations sent by KnowBe4 and excludes the message from live analysis.
Detection Query

    type.inbound
    and (
        // Branch 1: the message arrived from a known KnowBe4 sending address.
        // Every dot in the patterns is escaped so it matches only a literal
        // dot, not any character; regex.match is a whole-string match.
        any(headers.ips,
            regex.match(.ip,
                // 147.160.167.0/26 (last octet 0-63)
                '147\.160\.167\.([0-9]|[0-5][0-9]|6[0-3])',
                '23\.21\.109\.(197|212)',
                '52\.49\.(201\.246|235\.189)'
            )
        )
        // Branch 2: no sending IP recorded, exactly one hop, an X-PHISH*
        // header on that hop, and either a knowbe4.com return path whose hop
        // references the KnowBe4 injector host, or a hop via the Gmail API.
        or (
            length(headers.ips) == 0
            and length(headers.hops) == 1
            and any(headers.hops, any(.fields, strings.starts_with(.name, "X-PHISH")))
            and (
                (
                    headers.return_path.domain.root_domain == "knowbe4.com"
                    and any(headers.hops,
                        any(.fields,
                            strings.icontains(.value, "injector.psm.knowbe4.com")
                        )
                    )
                )
                or any(headers.hops,
                    any(.fields, strings.icontains(.value, "gmailapi.google.com"))
                )
            )
        )
    )
Data Sources: Email Messages, Email Headers, Email Attachments
Platforms: email
Raw Content

name: "KnowBe4 phishing simulation"
description: "Identifies phishing simulations sent by KnowBe4 and excludes the message from live analysis."
type: "exclusion"
source: |
  type.inbound
  and (
    // Known KnowBe4 sending addresses; dots escaped so each '.' matches
    // only a literal dot (regex.match compares against the whole string).
    any(headers.ips,
      regex.match(.ip,
        // 147.160.167.0/26 (last octet 0-63)
        '147\.160\.167\.([0-9]|[0-5][0-9]|6[0-3])',
        '23\.21\.109\.(197|212)',
        '52\.49\.(201\.246|235\.189)'
      )
    )
    // Direct delivery: no recorded IP, a single hop carrying an X-PHISH*
    // header, plus a KnowBe4 return path with its injector host or a Gmail API hop.
    or (
      length(headers.ips) == 0
      and length(headers.hops) == 1
      and any(headers.hops, any(.fields, strings.starts_with(.name, "X-PHISH")))
      and (
        (
          headers.return_path.domain.root_domain == "knowbe4.com"
          and any(headers.hops,
            any(.fields,
              strings.icontains(.value, "injector.psm.knowbe4.com")
            )
          )
        )
        or any(headers.hops,
          any(.fields, strings.icontains(.value, "gmailapi.google.com"))
        )
      )
    )
  )
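To see how the exclusion's two branches behave at their boundaries, here is an added Python model of the rule above (example code, not Sublime's engine or part of the original rule). The Message class, the hop dicts and the sample messages are constructed; the address patterns use the escaped-dot form, anchored to mirror regex.match's whole-string comparison.

```python
import re
from dataclasses import dataclass
# Constructed stand-in for the header objects the rule reads (a hypothetical shape,
# not Sublime's message model): hops are dicts of header name -> value.
@dataclass
class Message:
    ips: list              # headers.ips (.ip values)
    hops: list             # headers.hops
    return_path_root: str  # headers.return_path.domain.root_domain

# Same sender addresses as the rule, with every dot escaped and each pattern
# anchored so it must match the whole string, as MQL's regex.match does.
KNOWBE4_IPS = [
    re.compile(r"^147\.160\.167\.([0-9]|[0-5][0-9]|6[0-3])$"),  # 147.160.167.0/26
    re.compile(r"^23\.21\.109\.(197|212)$"),
    re.compile(r"^52\.49\.(201\.246|235\.189)$"),
]

def any_hop_field(hops, pred):
    return any(pred(name, value) for hop in hops for name, value in hop.items())
def is_knowbe4_simulation(msg):
    """True when the exclusion fires and the message skips live analysis."""
    by_ip = any(p.match(ip) for ip in msg.ips for p in KNOWBE4_IPS)
    by_hop = (
        not msg.ips
        and len(msg.hops) == 1
        and any_hop_field(msg.hops, lambda n, _: n.startswith("X-PHISH"))
        and (
            (msg.return_path_root == "knowbe4.com"
             and any_hop_field(msg.hops, lambda _, v: "injector.psm.knowbe4.com" in v.lower()))
            or any_hop_field(msg.hops, lambda _, v: "gmailapi.google.com" in v.lower())
        )
    )
    return by_ip or by_hop

# Constructed sample messages, one per branch plus the boundaries that matter.
X_PHISH = {"X-PHISHTEST": "1"}
SAMPLES = {
    "in_range_ip": Message(["147.160.167.12"], [], "example.com"),
    "just_outside_range": Message(["147.160.167.64"], [], "example.com"),
    "dot_lookalike": Message(["23x21x109x197"], [], "example.com"),
    "knowbe4_injector_hop": Message([], [X_PHISH | {"Received": "from injector.psm.knowbe4.com"}], "knowbe4.com"),
    "x_phish_header_only": Message([], [X_PHISH | {"Received": "from mail.example.com"}], "example.com"),
    "gmail_api_hop": Message([], [X_PHISH | {"Received": "by gmailapi.google.com"}], "example.com"),
    "two_hops": Message([], [X_PHISH, {"Received": "from injector.psm.knowbe4.com"}], "knowbe4.com"),
}

def evaluate_samples():
    return {name: is_knowbe4_simulation(m) for name, m in SAMPLES.items()}
```

The "dot_lookalike" sample is excluded only under the unescaped patterns, which is why the rule's address list should keep its dots escaped.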