Your Target Users are the people who will receive simulation emails, training emails or any other emails from the platform. They will not have a login to Keepnet or require any access to the platform.

⬇️ You have several options for adding target users:

• Manually Add Users

• SCIM Integration (most common: add users from your identity management provider directly into Keepnet. Automatically add people who join your business and remove people who leave)

• LDAP integration

• Add users via API

You will need to add all people responsible for managing and performing all activities on Keepnet to the platform. This should include any AD Admins required for technical setup.

Step 1.

First go to the Company tab on the left hand side and then into System Users. Here you can find all System Users already added.

Step 2.

By clicking the + New button in the upper right corner, you can create a new system user.

For more information on some of the fields, see below:

✅ You have now added your first System User! Now you need to Add your Target Users ➡️

By setting up a SCIM integration, you can ensure all new employees are added in auto-enrolled training and phishing simulations. There are 2 key steps to setting up your SCIM integration:

1. Get your secret token

2. Complete setup in your AD portal

First, get your secret token

Step 1: Create a new SCIM Setting

Go to Company > Company Settings > SCIM Settings page. Click the ‘+New’ button to create a SCIM setting.

Step 2: Map a Field (Optional)

Some of our customers add custom fields to add information in addition to email, first name, last name, department and phone number. If you would like to set this up click here, otherwise you can skip.

Step 3: Group Settings

Group Name: If you would like to synch all users to one target group please select the group here. You can leave empty and group by department instead.

Group By: Synchronize users by their Department or Custom Mapped Field. Please leave this empty if you want to synchronize users to only one group.

Step 4: Copy your Secret Token

Click Save and make sure to copy the unique token information.

✅ You can now use the following shortcuts to complete the final settings on your identity provider platform.

Shortcuts

• ​How to integrate Azure AD SCIM​

• ​How to integrate Okta SCIM​

• ​How to integrate Onelogin SCIM​

• ​How to integrate Jumpcloud SCIM​

This documentation introduces the functions and features of Keepnet's AI-based Security Awareness Training and Phishing Simulation Products tailored to stop modern phishing attacks.

The document covers all aspects of Keepnet’s Extended Human Risk Management Platform, which not only addresses traditional phishing methods but also provides robust defenses against more complex attacks such as Vishing (Voice Phishing), Smishing (SMS Phishing), MFA Phishing (Multi-Factor Authentication), Quishing (QR code phishing), and Callback Phishing (Telephone Oriented Attack Delivery).

Our documentation ensures you get maximum value from our products. It comprehensively covers its core functionalities and detailed features, providing clear, step-by-step instructions for effective utilization.

Target Audience

Our documentation is tailored to cater to a diverse range of users within organizations. It caters to the needs of the HR, IT, Compliance, and SOC teams. The platform allows these teams to utilize the products effectively, whether sending training to users, analyzing and containing email threats, or managing human risk within the organization.

Purpose of the documentation

The primary purpose of our documentation is to empower customers to independently use our products without relying heavily on the Keepnet support team. We provide comprehensive resources, including articles, tutorials, and troubleshooting guides, to ensure customers have the knowledge and tools to maximize our platform's capabilities.

The scope of the documentation

The documentation covers an extensive scope, encompassing details about various products within the Keepnet ecosystem. It includes the Dashboard, Threat Intelligence, Awareness Educator, Phishing Simulator, Vishing Simulation, Callback Simulator, Email Threat Simulator, Smishing Simulator, Quishing Simulator, Threat Sharing, Phishing Reporter, and Incident Responder. Each product's functionalities, features, and usage guidelines are explained to help users understand and utilize them effectively.

The structure of the documentation

To ensure a seamless experience, our documentation is structured in alignment with the Keepnet product interface. Starting with the Dashboard, users can navigate through each section, such as Threat Intelligence, Awareness Educator, and beyond. This intuitive structure allows users to easily find relevant information and logically progress through the documentation.

How to get help with the documentation

Should you require assistance using our documentation, we recommend carefully reading the instructions and guidelines. The outlined steps and best practices will help you derive the most value from available resources. If you need further support, our support team is available to address any specific queries or concerns. Reach out to us, and we will be more than happy to assist you in making the most of our documentation and achieving your desired outcomes.

Thank you for choosing Keepnet as your cybersecurity partner. Together, we can create a safer digital environment for businesses worldwide.

Build your security culture to STOP phishing!

Step 1.

Navigate to Company > Target Users on the left hand side menu. Click the "+New" blue button.

Step 2.

Select Add users manually to add target users one by one. Alternatively, select Import from file to upload a CSV or XLS(x) file.

Step 3.

Select Group: If you haven't added any users yet, you will need to create a new group. Some suggested User Groups our customers use:

• Test Group - for your cyber team to test phishing campaigns

• All Users - to easily send campaigns to all employees

• Department Specific e.g. Finance - to easily send targeted campaigns to specific departments

Step 4.

Field Mapping: Ensure the fields you are adding in are matched with the correct heading. For example, the user's first name matched with the heading, 'First Name'. Click Next once complete.

Step 5.

Import Users: Either pick the users you wish to add and click Import Selected, or click Import All to add all the users.

✅ You have now added your first Target Users. Now you need to ensure users are able to receive emails from Keepnet successfully ➡️

The document show step-by-step how to synchronize users' information from the Okta identity provider to the platform.

OKTA Configuration

2. Click on Applications and go to Applications from the left menu.

3. Click on the Browse App Catalog and search SCIM 2.0 Test App (OAuth Bearer Token) and then click Add button.

4. Enter a name for the application like My SCIM Integration and click on the Next button.

5. Choose SAML 2.0 with the default settings and click on the Done button.

6. The application is now created successfully, go to the Provision menu and click the Configure API Integration button and then enable the API Integration option.

   1. Tenant URL: https://scim-api.keepnetlabs.com/scim

   2. Secret Token: Enter the token which was created on the platform.

   3. Click the ‘Test API Credentials’ button to test your configuration. If it’s successful, click the Save button to save settings.

   4. While on the Provisioning menu, go to the ‘To App’ menu and click the Edit button to enable the following fields. Please make sure to click the Save button after enabling the following fields.

      1. Create Users

      2. Update User Attributes

      3. Deactivate Users.

Okta configuration has been successfully finished. You can proceed with the following step.

Synchronization Users or Groups

1. Go to the Assignments menu and click on the Assign button to assign Users or Groups to this SCIM application which will be synchronized to the platform.

2. To import user(s) or group(s), click on the Assign button to synchronize users or groups to synchronize to the platform.

Tutorial Video

This video tutorial shows the documentation steps for synchronizing users' information from the Okta identity provider to the platform.

Welcome to Keepnet! We're excited to be partnering with you on your human-risk management strategy.

This Getting Started guide will be your key resource in successfully implementing the technical setup of Keepnet and, therefore, mitigating human-related cybersecurity risks.

The steps you will follow:

1. ​Invite System Users​

2. ​Add Target Users​

3. ​Email Deliverability​

4. Track Opened Emails

5. Allow Phishing URLs

6. ​Setup Phishing Reporter​

7. ​Incident Responder Setup (Only for customers who have Incident Responder product)

The document show step-by-step how to synchronize users' information from the Jumpcloud identity provider to the platform.

SCIM Configuration in Jumpcloud

1. Please log in to Jumpcloud as an admin and follow the following steps.

2. Please create a group and assign users to the group for synchronization.

3. Go to SSO > + > and then click the Custom SSO SAML.

4. Enter a name for the Application name.

5. Go to the SSO submenu and enter a number like ‘1’ into the ‘IdP Entity ID’ and ‘SP Identity ID’ fields.

6. Go to the Identity Management submenu and then go to the bottom of the page to fill up the following fields.

   1. SCIM Version: SCIM 2.0

   2. Base URL: https://scim-api.keepnetlabs.com/scim

   3. Token Key: Please enter the secret token.

   4. Click the ‘Test Connection’ button to test the connection and then please click the ‘Activate’ button next to the ‘Test Connection’ button.

   5. Edit the SSO rule and then go to the SSO menu to Disable the SSO at the bottom of the page.

Jumpcloud configuration has been successfully finished. You can proceed with the following step.

Synchronization Users or Groups

1. Go to the SAML application and then select Groups that contain users that will be synchronized to the platform and then click the Save button.

2. The users will be synchronized to the platform in approximately a few minutes.

✅ You have now added your first Target Users. Now you need to ensure they are able to receive emails from Keepnet successfully ➡️

It is essential that your employees are able to receive all emails sent via Keepnet platform for you to accurately measure how your employees behave when faced with evolving social engineering threats.

To ensure emails are delivered in Microsoft 365, you have 2 options: Direct Email Creation or Whitelisting​

Direct Email Creation

Direct Email Creation (DEC) is a feature that connects to your O365 or Google Workspace with a few required API permissions. This feature creates the phishing simulation email directly in the user’s inbox instead of sending the emails over SMTP protocol.Key Benefits:

1. Remove false positives that whitelisting tools cause when analyzing links.

2. Eradicate maintenance and challenges of whitelisting for the purpose of email delivery (you may need to whitelist in your URL protection solutions such as Defender or ZScaler)

3. Very simple and quick setup (can be completed in a couple of minutes!)

Whitelisting

Whitelisting is common practise for ensuring emails from specific domains are delivered successfully to the inboxes of your employees. Whitelisting is a method used by many organisations to ensure emails are successfully delivered.

The key challenge our customers face with whitelisting is email analysis tools often open links within emails to check for maliciousness, impacting the accuracy of your reporting data. For example, it may show that your employees have opened the phishing link when they have not. This will directly influence who receives the behavioural-based training.

⬇️ Please follow the relevant steps for your email provider:

The document show step by step how to synchronize users' information from the Onelogin identity provider to the platform.

Onelogin Configuration

2. Click on Applications and click Add App on the top of the screen.

3. Search ‘SCIM Provisioner with SAML (SCIM v2 Enterprise)' and click on the Add button.

4. Enter a name for the application like My SCIM Integration and click on the Save button.

5. Once you have successfully created the application, enter the application details and go to the Configuration menu and enable the API Connection.

   1. Tenant URL: https://scim-api.keepnetlabs.com/scim

   2. SCIM JSON Template: Please fill up this field with the following code.

   3. { "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": { "department": "{$parameters.department}", "manager": { "managerId": "{$parameters.external_manager_id}", "displayName": "{$user.manager_firstname} {$user.manager_lastname}" } }, "active": "{$user.active}", "emails": [ { "value": "{$user.email}", "type": "work", "primary": true } ], "meta": { "resourceType": "User" }, "name": { "familyName": "{$user.lastname}", "givenName": "{$user.firstname}", "formatted": "{$user.display_name}" }, "userName": "{$parameters.scimusername}", "id": null, "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:User" ] }

   4. SCIM Bearer Token: Enter the token which was created on the platform.

   5. Click on the Save button the proceed.

6. Go to the Provisioning menu and enable the following options under the Workflow title.

   1. Enable Provisioning.

   2. Create User

   3. Delete User

   4. Update User

OneLogin configuration has been successfully finished. You can proceed with the following step.

Synchronization Users or Groups

It is essential that your employees are able to receive all emails sent via Keepnet platform for you to accurately measure how your employees behave when faced with evolving social engineering threats.

To ensure emails are delivered in Microsoft 365, you have 2 options:

Direct Email Creation

Direct Email Creation (DEC) is a feature that connects to your O365 or Google Workspace with a few required API permissions. This feature creates the phishing simulation email directly in the user’s inbox instead of sending the emails over SMTP protocol.Key Benefits:

1. Remove false positives that whitelisting tools cause when analyzing links.

2. Eradicate maintenance and challenges of whitelisting for the purpose of email delivery (you may need to whitelist in your URL protection solutions such as Defender or ZScaler)

3. Very simple and quick setup (can be completed in a couple of minutes!)

Whitelisting

Whitelisting is common practise for ensuring emails from specific domains are delivered successfully to the inboxes of your employees. Whitelisting is a method used by many organisations to ensure emails are successfully delivered.

The key challenge our customers face with whitelisting is email analysis tools often open links within emails to check for maliciousness, impacting the accuracy of your reporting data. For example, it may show that your employees have opened the phishing link when they have not. This will directly influence who receives the behavioural-based training.

Add New Enterprise Application

Step 1. Login

Step 2. Add new Enterprise Application

1. Click on Microsoft Entra ID.

2. Click on +Add at the top left hand side.

3. On the drop down select Enterprise Application.

4. Click on +Create your own application.

Step 3: Create your own application

1. Enter a name for the application.

2. Select ‘Integrate any other application you don't find in the gallery (Non-gallery)’ option.

3. Click the Create button to create the application.

Provisioning Settings

1. Select the ‘Provisioning’ menu from the left side.

2. Click the ‘New Configuration’ button and then enter the following information.

Tenant URL: https://scim-api.keepnetlabs.com/scim

Secret Token: Enter the token which was created on the Keepnet platform.

1. Click the ‘Test Connection’ button to test your configuration. If it’s successful, click the Save button to save settings.

Synchronize Users and Groups

When synchronizing users, customers have 2 options:

• Synchronize all users in Entra-ID

• Synchronize only assigned users and groups

Synchronize all users and groups in your Entra-ID

1. Within the provisioning section, use the Settings drop down

2. You will notice it defaults to 'Synchronize only assigned users and groups'

3. Click on 'Synchronize all users and groups'

4. Save

Synchronize only assigned users and groups

1. Click on Users and Groups in the left hand menu under Manage

2. Click on 'Add users/groups'

3. Click on 'None Selected' on the left hand side

4. On the right, you will see a list of your users and groups populate

5. Most customers find it useful to use Groups - if you select a Group, any new members of this group will automatically be added to Keepnet

6. Click Select then Assign on the bottom of the page

Start Provisioning

The final step is to start provisioning. Simply go to Overview on the left hand menu and select Start Provisioning on the top of the page.

Your users will sync from Microsoft to Keepnet every 40 minutes, ensuring any new employees who belong to one of your assigned groups is automatically added to Keepnet

Tutorial Video

This video tutorial shows the documentation steps for synchronizing users' information from the Azure AD identity provider to the platform.

A

Direct Email Creation

Direct Email Creation (DEC) is a feature that connects to your O365 with a few required API permissions. This feature creates the phishing simulation email directly in the user’s inbox instead of sending the emails over SMTP protocol.Key Benefits:

1. Remove false positives that whitelisting tools cause when analyzing links.

2. Eradicate maintenance and challenges of whitelisting for the purpose of email delivery (you may need to whitelist in your URL protection solutions such as Defender or ZScaler)

3. Very simple and quick setup (can be completed in a couple of minutes!)

This page explains how to use the Direct Email Creation feature in Google Workspace. Please follow the steps below to set up DEC settings within your Google Workspace.

First Settings on Platform

Please follow the steps below to make the necessary settings on the platform for the Direct Email Creation feature to be connected within your Google Workspace.

• Log in to the platform

• Go to Company > Company Settings > Direct Email Creation page.

• Click the + NEW button and select Google Workspace.

• Fill in the following fields.

  • Configuration Name: Give a name for your DEC settings.

  • Client ID: Copy the Client ID ( 102720780747216042586 ).

• Select your domain(s) under the Domains field.

  • IMPORTANT: The selected domain(s) must be Verified on the Allowed Domains page and must be used in your Google Workspace. Otherwise, the selected domain will not work with this DEC configuration.

• Do not close this tab. The Save button will remain disabled until the configuration works. Please proceed to the following section.

Seconds Settings on Google Workspace

Please follow the steps below to make the necessary settings for the Direct Email Creation feature to be connected to your Google Workspace.

• Log in to https://admin.google.com/ your Google Workspace admin panel.

• On the left-hand side, go to Security > Access and Data Control > API Controls.

• From the API Controls page, click on the "Manage Domain-wide Delegation" button under the "Domain-wide Delegation" field.

• Click on the Add New button.

• Enter the Client ID ( 102720780747216042586 ) into the Client ID field.

• Enter the following URLs into the OAuth Scopes field.

  • https://mail.google.com

  • https://www.googleapis.com/auth/gmail.insert

  • https://www.googleapis.com/auth/gmail.modify

• Click on the Authorize button.

Complete Final Settings and Test Email Direct Creation Feature

Now, we will complete the process in this section, test the connection between Google Workspace and the Direct Email Creation feature, and see if we can successfully create an email in the user's inbox.

• Go to your Company > Company Settings > Direct Email Creation settings page.

• Click on the "Send Test Email" button to test the email creation.

  • To: Enter the recipient's email address who will receive the test email in their inbox.

    • The email domain must be the domain that was selected previously in the Domains field.

  • From: Enter an email as a from address.

  • Sender Name: Enter a sender name.

  • Message: Enter a message for test purposes.

• Click on the Send button to create the email in the user's inbox. If successful, please click the Save button to complete the configuration.

If the test is not successful, please see the Troubleshoot section.

How to Launch Phishing Campaign by DEC Settings

Go to Phishing Simulator > Campaign Manager from the main menu. Click on + NEW to create a phishing campaign and launch it to your target users.

• Please complete the first, second, and third sections step by step. For more information about how to use each menu, see here.

• When you get to the Delivery Settings page, inside of the Email Delivery field, select your DEC settings.

• Set up the rest of the settings as you wish, and then click on Next to go to the last page.

• Review all of your settings and click the Launch button to create phishing simulation emails in the selected target user's inbox.

✅ You have now ensured your target users will receive emails through Keepnet. Now you need to Whitelist Domains so your target users can successfully open Keepnet email links ➡️

Video Tutorial

This video tutorial explains how to configure direct email creation settings and launch a campaign with these settings to create phishing emails directly in the user's inbox instead of launching with the SMTP option.

Troubleshoot

If you test the DEC configuration and the test is not successful, please try the following options.

• Please make sure the domain you selected in DEC settings is Verified in the Allowed Domains page. If it is not, please verify it.

• Please ensure the domain you selected in DEC settings is used in the employee's email address as main domain in Google Workspace.

• Please try to launch a phishing campaign to the test emails with DEC settings via Campaign Manager. Then, go inside the campaign report and go to the Sending Report menu. You can see more technical information if you hover your mouse over the delivery Error status.

If the options above are not resolved, please contact the support team for further assistance.

Using the platform's APIs, target users may be effortlessly migrated. The API endpoints that are required are detailed below.

Instructions for adding target users using an API

POST ​/api​/target-users

• Go to the Swagger link.

• Click the Authorize button on the top right side of the page.

• Complete the authorization step with the Client ID and Client Secret key that you created on the platform.

• Make sure that the api1 option is checked (✓) on the Scopes section.

• Then use this endpoint to add a new target user to the platform.

Searching for a user using API

POST ​/api​/target-users​/search

• Go to the Swagger link.

• Click the Authorize button on the top right side of the page.

• Complete the authorization step with the Client ID and Client Secret key that you created on the platform.

• Make sure that the api1 option is checked (✓) on the Scopes section.

• Then use this endpoint to search for a target user on the platform.

Editing Target Users using API

PUT ​/api​/target-users​/{resourceId}

• Go to the Swagger link.

• Click the Authorize button on the top right side of the page.

• Complete the authorization step with the Client ID and Client Secret key that you created on the platform.

• Make sure that the api1 option is checked (✓) on the Scopes section.

• Then use this endpoint to edit a target user on the platform.

​✅ You have now added your first Target Users. Now you need to ensure they are able to receive emails from Keepnet successfully ➡️

Video Tutorial

Direct Email Creation

Direct Email Creation (DEC) is a feature that connects to your O365 with a few required API permissions. This feature creates the phishing simulation email directly in the user’s inbox instead of sending the emails over SMTP protocol.Key Benefits:

1. Remove false positives that whitelisting tools cause when analyzing links.

2. Eradicate maintenance and challenges of whitelisting for the purpose of email delivery (you may need to whitelist in your URL protection solutions such as Defender or ZScaler)

3. Very simple and quick setup (can be completed in a couple of minutes!)

How to Configure Direct Email Creation

Step 1.

Go to Company > Company Settings > Direct Email Creation from the main menu. Click on + NEW to create a direct email creation setting.

Step 2.

Click on Connect Account button to connect your O365 with the Direct Email Creation (DEC) application to create a configuration.

Step 3.

Name your DEC, select which domains you will send phishing simulation emails to and Send Test Email.

• Send Test Email To: Enter the email of the person receiving the test email.

• Sender Email Address: Enter any email - you can now send emails from any email address!

• Sender Name: Enter a sender name.

• Message: Enter a message.

• Click SAVE to create configuration settings.

Step 4.

Make Direct Email Creation your Default Delivery Method - this will save you lots of time and remove delivery errors when you start sending phishing campaigns.

About Required API Permissions

The following permissions are required for customers using the Microsoft 365 email server.

Microsoft bundles permissions together. The following Microsoft screenshot shows a 'Mail' permission group. There's no separate Write permission — only the Mail.ReadWrite permission, which handles Write actions.

The following permissions are required for customers using the Microsoft Exchange Online email server.

In summary, customers only need to share the necessary permissions based on their specific environment, whether they use Microsoft 365, Microsoft Exchange Online, or a hybrid of both. Keepnet requests these permissions to create simulation emails in the user's inbox across any of these environments.

For example, if you use just only Microsoft Exchange Online, then Keepnet only uses the related permission groups for Exchange Online, other permissions are not used.

How to Provide Proof of DEC App Activity for Compliance and Security

To view the activity of the DEC application created by the platform and confirm that it is only creating simulation emails (and not reading any emails), please follow these steps:

2. Navigate to the Audit menu.

3. If not already enabled, click to Enable Audit Logging.

4. Set up the DEC configuration successfully on the platform, and send a test email using the DEC settings to generate activity logs.

5. Go back to the Audit menu and search for logs related to the user who sent the test email with DEC settings. Also, you may copy the Application ID of the DEC application and paste it under the Keyword Search field to search logs.

In the logs, you should see activities such as "Created mailbox item", confirming the application's behavior. For example:

This log indicates that the application is only creating mailbox items and not accessing or reading mailboxes.

Video Tutorial

This video tutorial explains how to configure direct email creation settings and launch a campaign with these settings to create phishing emails directly in the user's inbox instead of launching with the SMTP option.

FAQ

Q: Which permissions does the DEC feature work with?

Q: Can I launch a campaign with DEC settings using the Fast Launch option?

A: No, you can only launch a campaign with DEC settings using Campaign Manager. If you launch a campaign with Fast Launch, the campaign will be started with default SMTP settings.

Q: Do I need to whitelist if I use the DEC feature?

Q: Can I resend the campaign email to the users whose status shows Error in the Sending Report menu in the campaign report?

A: No, the users whose status shows Error means the destination email user account hasn’t been found in the O365, or there might be another problem for these users' email accounts which platform will show you as a tooltip if you hover your mouse over the error status.

Q: What action should I take for users whose status shows an error ("domain.com" is not in the allowed domain list) in the Sending Report menu after the launch campaign?

A: You can check and make sure you selected the related domain addresses in the DEC configuration, and then you can try to resend the campaign to these users from the Sending Report menu in the campaign report.

Q: What are the security risks if we authorize the DEC feature on the O365 server?

A: Authorizing the DEC feature on the O365 server doesn’t involve any potential security considerations. Keepnet provides encryption to secure data and prevent unauthorized access to keep your data safe.

Keepnet does its best to maintain rigorous security protocols such as regular audits of access rights, continuous monitoring for abnormal activities, and thorough vulnerability assessments.

This document explains the functionality of the LDAP feature as well as how to set up an LDAP to synchronize target users information such as Name, Surname, Email, Department, Phone Number or other information to the platform automatically.

What Is LDAP?

LDAP is a standard protocol that allows the platforms to access an active directory to fetch target user’s information such as Name, Surname, Email, Department, Phone Number, and other information to synchronize these user’s information to the platform automatically.

How To Set LDAP

Go to Company > Company Settings > LDAP from the platform menu to access the following LDAP configuration.

Settings

If the test connection is successful, you will see that it’s successful, if not please see the detailed pop-up message.

Usually, a whitelist rule is needed to access to the local Active Directory from the platform's IP address. You can contact support team to get IP address of the platform.

Scheduled Syncs

This is where you can see your scheduled LDAP rules. This means LDAP will automatically scan daily for new users to add/update/delete to your specified target group.

The components of the Scheduled Syncs page are explained in detail in the table below.

Field Mapping

This is where you can choose which information that will be fetched and imported to the specific column on the platform. The admin can fetch specific information from the active directory such as the Manager, Country, City, or other attributes and synchronize this information of the users.

The components of the Field Mapping page are explained in detail in the table below.

How to fetch custom attributes?

While the Email, First Name, Last Name, or Department attributes are the most popular field mapping categories, you can have the option to synchronize Display Name, Office, Telephone Number (Mobile or Home), Address (Street, City, State, P.O Box, Country, Zip Code), Company, and more.

• Go to Target Users > People menu and then click the Table Settings button on the right top of the screen to click the EDIT FIELDS button.

• Create a custom field and then click the Save button.

• To map this custom field with LDAP, go to Company Settings > LDAP > Field Mapping and map any listed active attributes to a created custom field.

Do not forget to save changes by clicking the Save Changes button and then proceed to the following title.

Import Users with LDAP

Follow the steps below to import target users to the platform from the integrated Active Directory by using the LDAP.

• Go to Company > Target Users from the platform menu.

• Click the + NEW button on the top right of the page and then select the ‘Import users from LDAP’ option.

There is two following option to import users.

Entire LDAP

This option fetches all unique email users in your active directory, no matter what active directory groups they are in.

• If this option is selected, please choose a target group that all users will be imported to on the platform.

  • If the target group is not selected, all users will be imported as a single member on the platform without being assigned to a target group. No worries, all users can be imported to a single target group later.

• There are three options to import users.

  • Choose ‘Select Manually’ if all users need to be imported manually without creating auto-synchronization.

  • Choose ‘Sync All Users’ if all users need to be synchronized automatically.

    • This process repeats every 24 hours automatically to fetch new users or update changes on the users.

  • Choose ‘Sync By Query’ if all users need to be synchronized users by criteria.

    • This process repeats every 24 hours automatically to fetch new users or update changes on the users that match the criteria.

    • Use the filters to create criteria to filter users out of all users to synchronize and then use the View Users button to see filtered users that will be synchronized.

LDAP Groups

This option fetches unique email users that are in certain groups in your active directory.

• If this option is selected, please choose LDAP groups which users that are inside will be imported to the platform.

  • If the target group is not selected, all users will be imported as a single member on the platform without being assigned to a target group. No worries, all users can be imported to a single target group later.

• There are three options to import users.

  • Choose ‘Select Manually’ if all users need to be imported manually without creating auto-synchronization.

  • Choose ‘Sync All Users’ if all users need to be synchronized automatically.

    • This process repeats every 24 hours automatically to fetch new users or update changes on the users.

  • Choose ‘Sync By Query’ if all users need to be synchronized users by criteria.

    • This process repeats every 24 hours automatically to fetch new users or update changes on the users that match the criteria.

    • Use the filters to create criteria to filter users out of all users to synchronize and then use the View Users button to see filtered users that will be synchronized.

    • Click ‘+ Add Condition’ to add more conditions for filtering the users.

Video Tutorial

The following video shows how to set up an LDAP connection and import or synchronize users to the platform.

It's suggested to use all the methods explained in this documentation step by step for whitelisting successfully. The customer may skip the related step if there is no feature in their O365 environment due to the license.

🚨 If you have additional security solutions (e.g. Mimecast) please make sure to whitelist in these security solutions by following these steps:

How to Whitelist Using the Third-party Phishing Simulations Feature in Office 365

The below instructions will show you how to whitelist the emails such as notification, training, or phishing simulation emails that will be sent from the platform to users by whitelisting Sender IPs in the O365 environment in the Phishing Simulation feature.

3. Click the Policies & rules item on the left sidebar menu.

4. Go to Threat policies > Advanced delivery.

5. Click the Phishing simulations tab and click Edit.

6. Add the IP address to Sending IP section.

7. Add the Domain address (also known as the MAIL FROM address) used in the phishing campaign into the Domains section.

9. Click Save to complete the process.

How to Whitelist Using the Threat Policies Feature in Office 365

The below instructions will show you how to whitelist the emails such as notification, training, or phishing simulation emails that will be sent from the platform to users by whitelisting Sender IPs in the O365 environment in the Threat Policies feature.

4. Click the Connection Filter Policy and select the Edit connection filter.

5. Add the IP addresses to the section labeled Always allow messages from the following IP addresses or address range.

6. Enable the Turn on safe list option.

7. Click Save to complete the process.

How to Whitelist Using the Spam Filter Bypass Feature in Office 365

The below instructions will show you how to whitelist the emails such as notification, training, or phishing simulation emails that will be sent from the platform to users by whitelisting the Sender IPs in the O365 environment in the Bypass Spam Filter feature.

2. Go to Exchange > Mail flow > Rules and click the + Add a rule button.

3. Select the Bypass Spam Filter option.

4. Enter a name for your whitelisting rule.

5. Scroll down to the "Apply this rule if..." section and select "The sender" and then select "IP address is in any of these ranges or exactly matches"
6. Scroll down to the "Do the following" section.

   1. Select the "Modify the message properties" option and then select the "Set the spam confidence level(SCL)" option.

   2. And then click the Set the spam confidence level (SCL) to '-1' option and select "Bypass spam filtering" and click the Save button.

7. Next to the "Do the following" field, click + button to create a new rule.

   1. Select the "Modify the message properties" option and then select the "set a message header" option.

   2. Click "Enter Words" and type "X-MS-Exchange-Organization-BypassClutter" and then click the Save button.

   3. Next, click Enter Words under the "header value" and type "true".

8. We recommend leaving the rest of the rule settings the same. Once you have completed these steps, click Save to save your whitelisting rule.

9. Make sure the whitelisting rule's status is enabled. If it's disabled, click on it and Enable it and click the Edit Rule Settings button on the opened page to save it.

How to Bypass Advanced Threat Protection (ATP) "Link" by Using IP Address in Office 365

The below instructions will show you how to whitelist the emails such as notification, training, or phishing simulation emails that will be sent from the platform to users by whitelisting the Sender IPs in the O365 environment with the "SkipSafeLinksProcessing" rule.

2. Go to Exchange > Mail flow > Rules and click the + Add a rule button.

3. Click on the Create a new rule option.

4. Enter a name for your whitelisting rule.

5. Scroll down to the "Apply this rule if..." section and select "The sender" and then select "IP address is in any of these ranges or exactly matches"
6. Scroll down to the "Do the following" section.

   1. Select the "Modify the message properties" option and then select the "Set a message header" option.

   2. Set the message header to "X-MS-Exchange-Organization-SkipSafeLinksProcessing" and set the value to "1".

7. We recommend leaving the rest of the rule settings the same. Once you have completed these steps, click Save to save your whitelisting rule.

8. Make sure the whitelisting rule's status is enabled. If it's disabled, click on it and Enable it and click the Edit Rule Settings button on the opened page to save it.

How to Bypass Advanced Threat Protection (ATP) "Attachment" by Using IP Address in Office 365

The below instructions will show you how to whitelist the attached files in the emails that will be sent from the platform to users by whitelisting the Sender IPs in the O365 environment with the "SkipSafeAttachmentProcessing" rule.

2. Go to Exchange > Mail flow > Rules and click the + Add a rule button.

3. Click on the Create a new rule option.

4. Enter a name for your whitelisting rule.

5. Scroll down to the "Apply this rule if..." section and select "The sender" and then select "IP address is in any of these ranges or exactly matches"
6. Scroll down to the "Do the following" section.

   1. Select the "Modify the message properties" option and then select the "Set a message header" option.

   2. Set the message header to "X-MS-Exchange-Organization-SkipSafeAttachmentProcessing" and set the value to "1".

7. We recommend leaving the rest of the rule settings the same. Once you have completed these steps, click Save to save your whitelisting rule.

8. Make sure the whitelisting rule's status is enabled. If it's disabled, click on it and Enable it and click the Edit Rule Settings button on the opened page to save it.

Troubleshooting

If the emails sent by the platform somehow is not delivered to the user's inbox, the admin can use the following steps to see why it's not delivered and find a solution for it.

2. Go to Exchange > Mail flow > Message Trace and click the + start a trace button.

3. Enter the from address to the "Senders" field which is expected to be delivered from the platform and click the Search button.

4. The O365 will list the emails that is delivered from the specified email address and then you can click on the emails to see more information.

🚨 If you have additional security solutions (e.g. Mimecast) please make sure to whitelist in these security solutions by following these steps:

Video Tutorial

The following video playlist tutorial contains information about how to whitelist in O365 environment.

It is essential that your employees are able to open all emails sent via Keepnet platform for you to accurately measure how your employees behave when faced with evolving social engineering threats.

To ensure emails are delivered in Google Workspace, you have 2 options:

Direct Email Creation

Direct Email Creation (DEC) is a feature that connects to your O365 or Google Workspace with a few required API permissions. This feature creates the phishing simulation email directly in the user’s inbox instead of sending the emails over SMTP protocol.

Key Benefits:

1. Remove false positives that whitelisting tools cause when analyzing links

2. Eradicate maintenance and challenges of whitelisting for the purpose of email delivery (you may need to whitelist in your URL protection solutions such as Defender or ZScaler)

3. Very simple and quick setup (can be completed in a couple of minutes!)

Whitelisting

Whitelisting is common practise for ensuring emails from specific domains are delivered successfully to the inboxes of your employees. Whitelisting is a method used by many organisations to ensure emails are successfully delivered.

The key challenge our customers face with whitelisting is email analysis tools often open links within emails to check for maliciousness, impacting the accuracy of your reporting data. For example, it may show that your employees have opened the phishing link when they have not. This will directly influence who receives the behavioural-based training.

How to Whitelist an IP Address in Google Workspace

Google Workspace IP Bypass

The below instructions will show you how to whitelist the emails such as notification, training, or phishing simulation emails that will be sent from the platform to users by whitelisting Sender IPs in the Google Workspace environment.To complete this procedure, you must have security administrator privileges with Google Workspace.

1. Note the IP addresses to be allowed.

2. Sign in to Google Admin.​

3. Select Apps > Google Workspace > Gmail from the left sidebar menu.

4. Go to the Spam, Phishing, and Malware page.

5. Select the Email allowlist tab and click the Edit button.

6. Add the IP addresses that are listed here.

7. Click the Save button.

8. Go back to the Spam, Phishing, and Malware page.

9. Select the Inbound Gateway option and click Enable, if not enabled.

10. Add the IP addresses and click Save.

11. Select Automatically detect external IP if not already selected.

12. WARNING: Leave the option of Reject all mail not from gateway IPs unchecked.

    1. This option must be 'unchecked'. Do not enable this option!

13. Select the option of Require TLS for connections from the email gateways listed above.

14. Click Save to complete the process.

✅ You have now Whitelist Domains so your target users can successfully open Keepnet email links. Please also Whitelist in your security solutions if you haven't already.

Next step is to Setup your Phishing Reporter ➡️

How to Whitelist Using the Safe Links Feature in Office 365

The below instructions will show you how to whitelist the emails such as notification, training, or phishing simulation emails that will be sent from the platform to users by whitelisting Domains in the O365 environment in the Safe Links feature.

1. Find the list of the phishing simulator domains in Phishing Simulator > Settings > Domains.

2. Sign into the Microsoft Security & Compliance Center.

3. Click Policies and rules from the left sidebar menu, click Threat Policies and select Safe Links.

4. Click Create.

5. Add a name and description for your safe links policy and click Next.

6. Select your company domain to be included in this policy and click Next.

7. Deselect the Track user clicks option.

8. Add the phishing domains by using *.domain.com/* wildcard syntax to the Do not rewrite the following URLs section.

9. Click the Next button and select Submit to complete the process.

✅ You have now Whitelist Domains so your target users can successfully open Keepnet email links. Please also Whitelist in your security solutions if you haven't already.

Next step is to Setup your Phishing Reporter ➡️

To complete this procedure, you must have security administrator privileges with the Microsoft Security & Compliance Center or be a member of the Microsoft Exchange Online Organization Management administrator group.

1. Note the IP addresses to be allowed.

2. Log in to your exchange admin center.

3. From the left sidebar menu, go to Mail flow > Connectors.

4. Click Add a connector.

5. Select Partner organization in the Connection from the section.

6. Give the connector a name and click Next.

7. In the Authenticating sent email window, select the option that states By verifying that the IP address of the sending server matches one of the following IP addresses that belong to your partner organization.

8. Enter the IP addresses and click Next.

9. Uncheck the TLS option stating Reject email messages if they are not sent over.

10. Click Next, then click Save to complete the process.

You must complete the following steps once the connector is defined.

1. Go to the Mail flow > Rules page in the left sidebar menu.

2. Click the + icon on the screen and select Bypass spam filtering.

3. In the New rule window, give the rule a name and select The sender is ... > IP address is in any of these ranges or exactly matches.

4. Enter the IP addresses and click OK.

5. In the Do the following section, select Set the message header to this value ... > Set a message header and enter “X-MS-Exchange-Organization-Bypass Clutter” in the text field, and click OK.

6. Set the value information to true with the enter text option on the right.

7. Click Save to complete the process.

✅ You have now Whitelist Domains so your target users can successfully open Keepnet email links. Please also Whitelist in your security solutions if you haven't already.

Next step is to Setup your Phishing Reporter ➡️

Keepnet utilizes a tracking pixel to monitor when users open phishing simulation emails. This tracking pixel is embedded in all phishing simulation emails sent through the platform. When the email is opened, the pixel sends a response to Keepnet, logging the open event.

It is important to note that opening a phishing simulation email is not considered a failure and does not impact the user’s gamification score. However, phishing emails may be marked as "opened" automatically in the following scenarios:

• Email Reported: If a user reports the phishing email using the Reporter Button, the email is automatically logged as opened.

• Phishing Failure: If a user clicks on a phishing link or opens a malicious attachment within the simulation email, the system will mark the email as opened, even if the tracking pixel does not load.

This tracking mechanism ensures accurate monitoring of user interactions while maintaining fair evaluation criteria in phishing awareness programs.

Email Opens Not Being Recorded

In some organizations, email client settings prevent images from being automatically downloaded. When this occurs, Keepnet's tracking pixel cannot load, and email opens will not be recorded in phishing simulation reports.

If your organization blocks automatic image downloads, you can enable email open tracking using one of the following methods:

Safe Senders List (not recommended)

You can add phishing email senders to a safe senders list to allow all email images to load. This method is not recommended for the following reasons:

• There is a limit to the number of safe senders you can add, and Keepnet sends simulations from many different email addresses. Our phishing simulation email addresses are also subject to change without notice.

• Your users may be able to identify phishing simulation emails due to all of the images loading, while other external, non-Keepnet emails would not load images.

Trusted Zone in Outlook (recommended)

You can create a Group Policy Object in Active Directory to update the Trusted Zone in Outlook to allow tracking pixels to load without allowing all other phishing simulation email images to load. The steps to complete this are detailed below:

1. Navigate to your Local Group Policy Editor.

2. You will find the correct Group Policy to edit by navigating to User Configuration > Windows Settings > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page.

3. Double-click the Site to Zone Assignment List policy to modify the policy.

4. Enable the policy by selecting the Enabled option.

5. Under the Options area, click Show.

6. From the Show Contents window, enter the phish link domain used in your test in the Value Name. You can also use wildcards in your entry to indicate a phish link subdomain.

   • For a complete list of phish link domains, navigate to the Phishing > Settings > Domains tab in the Keepnet Platform.

7. For the Value, enter "2", which corresponds to "Trusted Zone".

8. Click OK.

9. Navigate to Outlook.

10. Select Options > Trust Center > Trust Center Settings. Click the check mark to Allow downloads from Websites in this security zone: Trust Zone.

We recommend sending a phishing test campaign to yourself once these settings are saved so you can ensure opens are being tracked successfully.

Google Workspace IP Bypass

The below instructions will show you how to whitelist the emails such as notification, training, or phishing simulation emails that will be sent from the platform to users by whitelisting Sender IPs in the Google Workspace environment.

1. Note the IP addresses to be allowed.

2. Sign in to Google Admin.

3. Select Apps > Google Workspace > Gmail from the left sidebar menu.

4. Go to the Spam, Phishing, and Malware page.

5. Select the Email allowlist tab and click the Edit button.

6. Add the IP addresses that are listed here.

7. Click the Save button.

8. Go back to the Spam, Phishing, and Malware page.

9. Select the Inbound Gateway option and click Enable, if not enabled.

10. Add the IP addresses and click Save.

11. Select Automatically detect external IP if not already selected.

12. WARNING: Leave the option of Reject all mail not from gateway IPs unchecked.

    1. This option must be 'unchecked'. Do not enable this option!

13. Select the option of Require TLS for connections from the email gateways listed above.

14. Click Save to complete the process.

🚨 If you have additional security solutions (e.g. Mimecast) please make sure to whitelist in these security solutions by following these steps:

​Whitelisting in Security Solutions​

​✅ You have now ensured your target users will receive emails through Keepnet. Now you need to Whitelist Domains so your target users can successfully open Keepnet email links ➡️

Video Tutorial

1. Note the IP addresses to be allowed.

2. Log in to your exchange admin center.

3. From the left sidebar menu, go to Mail flow > Connectors.

4. Click Add a connector.

5. Select Partner organization in the Connection from the section.

6. Give the connector a name and click Next.

7. In the Authenticating sent email window, select the option that states By verifying that the IP address of the sending server matches one of the following IP addresses that belong to your partner organization.

8. Enter the IP addresses and click Next.

9. Uncheck the TLS option stating Reject email messages if they are not sent over.

10. Click Next, then click Save to complete the process.

You must complete the following steps once the connector is defined.

1. Go to the Mail flow > Rules page in the left sidebar menu.

2. Click the + icon on the screen and select Bypass spam filtering.

3. In the New rule window, give the rule a name and select The sender is ... > IP address is in any of these ranges or exactly matches.

4. Enter the IP addresses and click OK.

5. In the Do the following section, select Set the message header to this value ... > Set a message header and enter “X-MS-Exchange-Organization-Bypass Clutter” in the text field, and click OK.

6. Set the value information to true with the enter text option on the right.

7. Click Save to complete the process.

🚨 If you have additional security solutions (e.g. Mimecast) please make sure to whitelist in these security solutions by following these steps:

​Whitelisting in Security Solutions​

​✅ You have now ensured your target users will receive emails through Keepnet. Now you need to Whitelist Domains so your target users can successfully open Keepnet email links ➡️

Video Tutorial

The following video tutorial contains information about how to whitelist in Exchange 2013 or 2016 environment.

Whitelisting in Content Filtering (Proxy)

Whitelisting Platform Addresses

Platform administrators must whitelist dash.keepnetlabs.com and api.keepnetlabs.com on content filtering proxy solutions to use the products successfully.

Whitelisting Phishing Simulation Domain Addresses

You can find the phishing simulation domains by logging into the platform and then go to Phishing Simulator > Settings > Domains page.

Whitelisting in Data Loss Prevention (DLP)

✅ You have now Whitelist Domains so your target users can successfully open Keepnet email links. Please also Whitelist in your security solutions if you haven't already.

This section describes in detail how to deploy the Phishing Reporter add-in to users in Microsoft 365, Exchange, or Google Workspace platforms.

Shortcuts

FAQ

Q: The add-in was deployed to one of the listed email servers more than 12 hours ago but is still not visible on users' email applications. What can I do?

A: You can try to re-deploy the add-in. If it still does not appear, you should contact the support team of the email service provider.

Q: Can an Attacker hijack Outlook Add-in?

Q: Is it possible to centralise the distribution of add-in?

A: Yes, it is. Many institutions manage the add-in (install, uninstall, enable, disable) with central administration tools, such as Microsoft SCCM, IBM Bigfix.

Q: Does the Phishing Reporter Add-In work with the Outlook application on iOS?

A: Yes, if you distribute the Phishing Reporter Add-In as an XML package (Microsoft 365), it will be available in both OWA/Outlook applications and will also function within the Outlook application on iOS.

Step 1.

To download the Phishing Reporter, go to the Phishing Reporter tab on the left hand side and select Configure Add-in (or click on Settings).​

Step 2.

On the first settings page, Add-in Settings, is where you can customise how the Phishing Reporter appears in your employees inbox including:

• Logo

• Button labels

• Messages users receive when reporting emails

Step 3.

Your Email Settings page is where you select who will be notified about suspicious emails and the email you want them to receive. You can add as many emails as you would like here.

Step 4.

Proxy: If users are accessing the internet through a proxy, you can enable the plugin to detect the proxy configuration of the computer where it will be installed.

API: If you require any changes to be made to the API settings, please let our support team know on support@keepnetlabs.com.

Enterprise Vault: When selected, the suspicious email can be searched in the user's backup emails during the investigation. (Only for MSI phishing reporter add-in)

Step 5.

The Diagnostic Tool provides information about the status of the add-in. For example, if the add-in has been disabled by a user, the Diagnostic Tool can be used to ensure automatic activation or make system admins aware.

Step 6.

You will then need to Download the add-in for the environment compatible with your setup. Once downloaded you can follow the Deployment steps.​ ​

✅ You have now customised and downloaded the Phishing Reporter.

There are 2 key steps to deploying the Phishing Reporter Add-in in Microsoft 365: Deploy and Configure.

Step 1: Deploy Custom Add-in

2. Select Deploy Add-in and click Next.

3. Under Deploy a custom add-in, click Download custom apps.

4. Select I have the manifesto.xml file.

5. Click Upload.

Step 2. Configure Add-in

1. Assign the users who will have access to the add-in. We recommend selecting Everyone so the add-in will be installed on every user under the Microsoft 365 tenant.

2. Select Deployment Method. We recommend selecting Fixed which is the default option.

3. Click Deploy.

You will receive an email notification confirming your successful deployment. It may take up to 24 hours for the add-in to be displayed on the users' email applications. Users may need to relaunch email applications.

​✅ You have now deployed the Phishing Reporter.

Video Tutorial

This article section describes how to integrate the Incident Responder module with Google Workspace, Exchange, or Microsoft Office 365 email services. It's important to follow the steps accurately. Please contact your email server administrator if you don’t have the required permissions to make these configurations.

Benefit of Email Server Integration

The Incident Responder module investigation tool can detect malicious emails in user inboxes and remove them automatically or can be removed by the admin as well.

Server-based integration with your email service provides the most comprehensive protection. While email investigations can be conducted with the Phishing Reporter plug-in, the user must have Outlook open and the plug-in active for the investigation to be successful. If the Outlook application is closed for any reason, a complete investigation can only be performed using a server-based integration.

The server-based integration has the advantage to start an investigation at any time.

Mail Configurations

Select Incident Responder > Mail Configurations from the left sidebar menu of the dashboard to create a new mail configuration or view the details of an existing configuration.

To set initial configurations, select the appropriate email server integration:

• ​Office 365

• Exchange

• Google Workspace

The integration details are:

Shortcuts

• How to integrate with Microsoft 365

• How to integrate with Google Workspace

• How to integrate with Exchange

If you've installed the Phishing Reporter on the Microsoft Outlook Desktop version successfully but are unable to see the Phishing Reporter button, here are some steps you can follow to troubleshoot the issue.

Step 1: Check your Outlook Version

First, confirm that you are using a version of Outlook that is compatible with Phishing Reporter. It might be possible that your current Outlook version is outdated and not supported by the add-in. Phishing Reporter usually supports the most recent versions of Outlook, but you can double-check the specific versions from here.

Step 2: Verify Installation

Make sure the Phishing Reporter Add-in was installed correctly. If the installation was interrupted or not completed, it could result in the button not appearing.

• Press the Win+S button combination on your keyboard, and find ‘Installed Apps’.

• Locate 'Phishing Reporter Outlook AddIn' in the list of installed programs.

• If you cannot find it, try reinstalling the software.

Step 3: Enable Add-in

Sometimes, the add-in might not be enabled, or it may have been disabled. Here's how to check:

• In Outlook, go to 'File' > 'Options' > 'Add-ins'.

• In the 'Manage' dropdown, select 'COM Add-ins', then select 'Go'.

• If 'Phishing Reporter' is listed but not checked, tick the checkbox to enable it.

• If 'Phishing Reporter' is not listed, it means the add-in is not installed correctly. Try reinstalling.

Step 4: Check the Ribbon

In some cases, the button may not be visible because it's not added to your Outlook ribbon, or it's located under a different tab.

• Right-click on the ribbon and select 'Customize the Ribbon'.

• Look for 'Phishing Reporter Add-in Name' in the list. If it's there, make sure it's ticked and placed under the Home tab.

Step 5: Check Windows Event Logs

Sometimes, Outlook or the add-in may be experiencing issues that could be found in the Windows Event Logs.

• Type 'Event Viewer' in the Start menu and open it.

• On the left side, navigate to 'Windows Logs' > 'Application'.

• Look for any recent warnings or errors related to Outlook or the Phishing Reporter Add-in around the time you last launched Outlook. Pay particular attention to Event ID 45 and 59, which might be related to this issue.

5.1 - AddIn Disabled

When examining your Windows Event Logs, you may encounter a log entry indicating that the Phishing Reporter add-in has been disabled by Outlook. This typically occurs when the add-in takes too long to load at startup. Once identified, the disabled add-in can be enabled again, as outlined in Step 3 of this guide. If the issue continues after this action, please refer to Step 8 for further troubleshooting assistance.

Event ID:59
Source:Outlook
Log:Application
Message:Outlook disabled the following add-in(s):

ProgID: PhishingReporter.Outlook.Addin
GUID: {D0F2562C-3BC1-42E3-B34E-8A735974A173}
Name: PhishingReporterAddIn
Description: AddinModule
Load Behavior: 2
HKLM: 1
Location: C:\Program Files (x86)\Phishing Reporter\Phishing Reporter Outlook 
Threshold Time (Milliseconds): 1000
Time Taken (Milliseconds): 1875
Disable Reason: This add-in caused Outlook to start slowly.
Policy Exception (Allow List): 0

5.2 - AddIn Load Times

Microsoft Outlook Desktop may occasionally deactivate add-ins to prevent the application from crashing. By leveraging the Windows Event Logs, you can acquire valuable insights about the loading times of all add-ins. This knowledge helps identify add-ins exceeding the optimal loading time of 1000 milliseconds.

Outlook loaded the following add-in(s):

Name: Microsoft Exchange Add-in
Description: Exchange support for Unified Messaging, e-mail permission rules, and calendar availability.
ProgID: UmOutlookAddin.FormRegionAddin
GUID: {F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}
Load Behavior: 3
HKLM: 1
Location: C:\Program Files\Microsoft Office\root\Office16\ADDINS\UmOutlookAddin.dll
Boot Time (Milliseconds): 0

Name: Skype Meeting Add-in for Microsoft Office
Description: Skype Meeting Add-in for Microsoft Office
ProgID: UCAddin.LyncAddin.1
GUID: {A6A2383F-AD50-4D52-8110-3508275E77F7}
Load Behavior: 3
HKLM: 1
Location: C:\Program Files\Microsoft Office\root\Office16\UCAddin.dll
Boot Time (Milliseconds): 15

Name: PhishingReporterAddIn
Description: AddinModule
ProgID: PhishingReporter.Outlook.Addin
GUID: {D0F2562C-3BC1-42E3-B34E-8A735974A173}
Load Behavior: 3
HKLM: 1
Location: C:\Program Files (x86)\Phishing Reporter\Phishing Reporter Outlook AddIn\adxloader64.dll
Boot Time (Milliseconds): 146

Request url: https://addin-api.keepnetlabs.com/api/heartbeat response content : RestHttpClient.cs : Post : 109
System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The remote name could not be resolved: 'keepnetaddin.xcompany.local'

7.3 - Unable to connect to the remote server

This log indicates a network connectivity error during an HTTP request.

This error usually stems from the following situations:

• The network connection dropped or there is a temporary problem in the network. In this case, the network connection should be checked and, if necessary, the network may need to be restarted or the network settings may need to be checked.

• The client side is using an incorrect IP address or port number. In this case, the target and parameters of the request should be checked.

• The connection is being blocked due to a firewall or other network security settings. In this case, the security settings should be checked.

Error Log:

Request url : https://addin-api.keepnetlabs.com/api/notify/email response content :   : RestHttpClient.cs : Post : 104
System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 1.1.1.1:235

7.4 - The remote name could not be resolved

This log represents a network error situation.

This error usually stems from the following situations:

• Network connection problems. In this case, the network connection should be checked, and it should be ensured that the computer has general access to the internet.

• The DNS server is not functioning correctly. In this case, the DNS server should be checked, if necessary, restarted, or DNS settings should be reviewed.

Error Log:

Request url: https://addin-api.keepnetlabs.com/api/heartbeat response content : RestHttpClient.cs : Post : 104
System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The remote name could not be resolved: 'addin-api.keepnetlabs.com'

Step 8: Contact Support

If the above steps don't resolve your issue, it's suggested to ask for assistance from the Keepnet support team. There are two primary ways to get in touch with them:

1. Email: You can send an email to support@keepnetlabs.com. Make sure to include all relevant details about your problem, such as your Outlook version, OS version, and any other pertinent information about your system.

2. Support Portal: Alternatively, you can submit a ticket directly via the Keepnet support portal at https://support.keepnetlabs.com/portal/en/home.

For additional information on how to contact support, please refer to our Help Desk documentation.

What is the Incident Responder?

The Incident Responder analyses a suspicious email, and according to the results, it takes action at the inbox level. The product also analyses the URLs, IPs, and Files with the engines of different technologies it is integrated where it enables an institution to acquire the technologies that it doesn’t have.

There are 2 steps for setting up the Incident Responder:

1. Integrate Threat Intel Partners - Keepnet will automatically tell you whether a suspicious email is malicious or not

2. Mail Configuration - Keepnet will be able to remove malicious emails from all employees inboxes

By integrating Threat Intel partners you will automate identifying malicious emails. Each email reported through the Phishing Reporter add-in will automatically be analysed for malicious content via multiple integrations.

There are 2 steps to Integrating Threat Intel Partners:

1. Create a new integration

2. Follow relevant steps to install each threat intel partner

Creating New Integration

Navigate to Incident Responder > Integrations. Click the blue New button. You can find all our Threat Intel partners under Integration Type.

Quick links to install each Threat Intel Partner

You can install free threat intel partners or if you already have subscriptions for paid versions, you can integrate these too! All links to install all free and paid for intel threat partners below

Free Intel Threat Partners

​Google Safe Browsing

​​Zen SpamHaus​

​​Cyber X-ray

​VMRay​

Paid Intel Threat Partners

​​Google Web Risk

​AnyRun​

​​OPSWAT​

​FortiSandbox

​​Virus Total​

​IMB X-Force

The Dashboard is the first page that the system administrator sees after logging into the platform. This section explains how to use the Dashboard widgets to enhance functionality to suit your needs.

Shortcuts

Help

Click the AI-Powered Assistant icon (...) at the bottom right of the Dashboard to get help about any information.

Video Tutorial

The following video tutorial contains information about how to manage dashboard.

You can integrate your Microsoft 365 environment with the Incident Responder product to start an investigation on users' email accounts by following the steps below.You must use an account with global administrator permission.

New Application

• Click +New registration.

• In the Register an application section, enter the name of the new application (required field).

• Select supported accounts from the Accounts in this organizational directory only option (auth secure login only - single-tenant).

• Select Public client/native (mobile & desktop) from the dropdown menu to enter a Redirect URL.

• Click Register. (Leave the myapp://auth field section blank).

• The new application will now appear in the list of app registrations; click on the name of the new application.

• Under Essentials, you will see the following displayed:

  • Application (client) ID

  • Directory (tenant) ID

• Please take note of these as you will need this information later to set up the new configuration.

Now you are ready to proceed to the next step: the application secret key.

Application Secret Key

An application secret key must be created for the new registration.

• Under Manage from the left-side menu, select Certificates & Secrets.

• Select Client secrets.

• Select +New client secret.

• Enter the description and expiration date and click Add.

• Make sure to save the secret key value before you move on to the final step.

Application Permissions

The last step is to add application permissions.

• Select Manage > API Permissions and click +Add permission.

• Click Microsoft Graph and a new window called Request API permissions will appear.

• Click Application permissions and then choose Application Permission and in the Select permissions field, find and select the following required permissions:

  • Directory.Read.All

  • Mail.ReadWrite

  • MailboxSettings.ReadWrite

  • User.Read.All (under User)

• Click Add permissions.

• Click Grant admin consent for (user).

Test the Email Server Integration

You can test the integration on the platform to make sure that it is working. Go to Incident Responder > Mail Configurations on the left sidebar menu of the dashboard and then click + NEW and choose the mail provider - in this case, Office 365.

Complete the following fields in the Microsoft Office 365 configuration table. The integration details are:

If the test was successful, the new email server integration will be shown in the list of mail configurations.

About Permissions

Directory.Read.All (Get user list)

This permission allows the app to read data in your organization's directory, such as users, groups, and apps. Note: Users may consent to applications that require this permission if the application is registered with their organization’s tenant.

The platform uses this permission to retrieve the client's user list when an investigation is initiated and then to access the email addresses. For example, when a user finds a suspicious email, the platform can scan all users in the list retrieved.

Mail.ReadWrite (Get users mails)

This permission allows the app to create, read, update, and delete email in user mailboxes. It does not include permission to send mail. The platform uses this permission to scan and filter users' emails. For example, when the “From” filter is selected as a parameter to be used in an investigation, this authorization enables the creation of a list of the emails that meet this criterion. It is also used to send a warning message to users. This permission also allows the platform to scan the contents of the emails to find and match the designated investigation parameters. For example, specific filters such as regex, keywords, etc.

MailboxSettings.ReadWrite (Warning action)

This permission allows the app to create, read, update, and delete the user's mailbox settings. It does not include permission to send mail directly, but allows the app to create rules that can forward or redirect messages. The platform uses this permission to mark emails that will receive a warning message.

User.Read.All (Get user data)

This permission allows the app to read the full set of profile properties, reports, and managers of other users in your organization on behalf of the signed-in user. The platform uses this permission to read and filter user information during the scanning process. If user-related filters, such as specific users, are selected as scan criteria, the user information may need to be read. For example, an organization may elect to initiate an investigation of employees in a particular department.

FAQ

Q: Is it possible to run a suspicious email investigation on the platform 24/7?

A: Yes. The platform’s flexibility allows you to start an investigation at any time and specify how long it is to run, or to create a continuous, automatic search for harmful e-mails. Server-based integration with your email service provides the most comprehensive protection.

Q: Is it possible to start investigations and delete harmful emails without Office 365 and Exchange EWS integration?

A: Yes. The Phishing Reporter plug-in can be used to conduct investigations and mitigation. However, the user must have Outlook open and the plug-in active. Email server integration eliminates this limitation.

Diagnostic Tool

In standard Windows, the MS Outlook service does not support monitoring and reporting the functionality of the installed add-ins on it. This service has been developed in order to monitor and report whether Keepnet Outlook add-in functions properly or not.Using this service, system administrators will be aware of the potential environment-based errors which could affect the Keepnet Outlook Phishing Reporter add-in not functioning properly and be able to take action.

Downloading Diagnostic tool

Go to Phishing Reporter > Settings > Diagnostic Tool to download the diagnostic tool.Configure the following settings:

• Proxy Settings: Enable proxy settings for the Diagnostic Tool to go internet through a proxy.

• Optional Settings: Select if you want the Diagnostic Tool to check the Phishing Reporter add-in and enable it automatically if disabled.

Once you're happy with your settings, click Download under the diagnostic tool. Then follow the steps below to install the service.

Installation

There are two options to install the service, either install it on your computer or deploy the service to thousands of users' computers using centralized software distribution tools.

Normal installation

• Click on the MSI package to install it on your computer.

• Click the Next button and continue with the default settings.

• Click the Yes button to finish the installation.

Silent Installation

You can use the following commands for silent installation and removal.

Once the installation is complete, you can confirm that the diagnostic tool has been installed by going to Phishing Reporter > Users and looking under the Diagnostic tool column.This column will show one of the following in the table below.

Understand Diagnostic Tool information

To view the Diagnostic Tool information, go to Phishing Reporter > Users and look under the Add-in Status column. When hovering the mouse over this column under the desired user, you will see the following information below.

The Diagnostic Tool has been successfully installed, operated and can communicate with the platform to help you obtain Phishing Reporter status information for all target users.

Troubleshooting

For troubleshooting purposes, you can provide the support team with the log and configuration files, which can be found in the following path on the user's computer.

• C:\Program Files (x86)\Keepnet Labs\KeepnetLabs Phishing Reporter Diagnostic Service

✅ You have now deployed the Phishing Reporter

Tutorial Video

This video tutorial explains how to customize the Diagnostic Tool service and download it.

FAQ

Q: Some users have the add-in enabled, but they seem offline on the interface. Why?

A: If the add-in is installed and active, but seems Offline, then the Outlook application is closed. If Outlook is still running, but it is still Offline, it means that there is a communication problem between the add-in and the platform. You can easily detect this problem from the logs created by the add-in on the user's computer or get support from our support team.

Q: How do I know if the add-in is disabled by the user or by Outlook?

A: If you see the “Inactive" notification, then it is disabled by the user. If it says “Disabled", it means that it is disabled by Outlook. You can also verify this from the interface of user’s Outlook Desktop in the File > Options > Add-Ins window.

Q: Can I have different teams log into the Keepnet Portal and see only the Outlook detail report page?

You can integrate your Google Workspace environment with the Incident Responder product by following the steps below.

• Log into https://console.cloud.google.com/ using an account that has administrative permissions.

• Click Select a project > New Project.

• Click on the related new project.

• On the left-side menu, go to APIs and Services > Library, search for Admin SDK API, and click Enable.

• Return to the previous page and search for Gmail API, then click Enable to activate the API.

• Select IAM & Admin > Service Accounts from the left-side menu.

• Click Create Service Account, name it, and click Create and Continue.

• Select Service Directory > Service Directory Admin as the role and click Continue > Done to complete the process.

• After creating a service account, click on the related user and go to the user details page.

• Go to the Keys tab, click Add Key > Create new key.

• Select JSON as the key type and click Create. Save the JSON file.

• Go to the Details tab and copy Unique ID information. Save this information for the next step.

Next, log in to admin.google.com.

• Go to Security > Access and data control > API controls on the left-side menu.

• Scroll down to Domain-wide delegation and click Manage Domain-Wide Delegation.

• Click Add New.

• For Client ID, enter the Unique ID information that you saved earlier.

• For OAuth Scopes, paste the scope information below:

https://mail.google.com/,https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/gmail.labels,https://www.googleapis.com/auth/gmail.modify

• Click Authorize to complete the process.

Test the Configuration

To make sure that the integration is working, you can test it on the platform. Go to Incident Responder > Mail Configurations on the left sidebar menu of the dashboard and then click + NEW and choose the mail provider - in this case, Google Workspace.Complete the following fields in the configuration table:

The new configuration will now appear in the list of mail configurations if the test was successful.

About Permissions

Application Programming Interface (API) Scopes

API scopes identify the information an application will be able to access on a user’s behalf.

Permissions Required by the Platform

Email (read/write/send) - https://mail.google.com/

This permission allows the app access to emails in user mailboxes. Please note, it is only used to enable investigative searches; we do not create, read, edit, or send emails using this permission.

The platform uses this permission to scan and filter users' emails. For example, when the “From” filter is selected as a criterion for investigation, this authorization enables the creation of a list of the emails that meet the specified parameter. Other uses include regex and keyword searches.

This permission enables quick deletion of malicious content without compromising user privacy.

View Users on the Domain - /auth/admin.directory.user.readonly

This permission allows the app to read data in the organization's user directory. The platform uses this access to retrieve a client's user list and their email addresses when an investigation has been initiated.

Email (Manage Labels) - /auth/gmail.labels

This permission allows the app to create, read, update, and delete labels. The platform uses this authority to mark emails in the user's inbox with a warning message when the client deems this appropriate. For example, after running an investigation, you may choose to warn the user rather than delete the email results.

FAQ

Q: Can I start an investigation on Incident Responder without integrating Google Workspace?

A: No. In order to be able to start an investigation and take action on emails, integration with Google Workspace is required.

The widgets available will vary depending on your license type, role, and permissions.

Any actions you take will only be valid for your system users. Other users will see their own settings.

Dashboard Actions

Edit Dashboard

You can add, remove, or relocate a widget by clicking on the Edit Dashboard button at the top right. Once you have made the change, click Save Changes.

Add Widgets

Select the widget you want from the Edit Dashboard > Add Widgets menu and click Save Changes to confirm the action.

Remove Widgets

When you click Edit Dashboard, an ‘X’ icon will be visible at the top right of each widget. Click the ‘X’ to delete a widget and click Save Changes to confirm the action.

Relocate Widgets

Click the Edit Dashboard button and drag and drop the widget to the desired location. Click Save Changes to confirm the action.

Your license model determines which widgets are available on the Dashboard page.

Investigations

The Investigations widget displays a summary of the number of automated and manual investigations your company has launched.

Click the (icon symbol) button in the upper right corner of the widget to see detailed information about all of the investigations.

You can visit this document for detailed information about investigations.

ROI Summary

This widget summarizes the estimated return on investment, or savings achieved using the Incident Responder product.

For this feature to produce accurate results, you will need to enter the time and cost information specific to your business.

Go to the Incident Responder > Incident Responder page and click the Settings button at the top right of the ROI Summary window and provide the following elements for the calculation:

Phishing Reporter

The Phishing Reporter widget shows the number of people who have the plugin installed and the number of users who have been active in the previous 4 minutes. Visit this link to learn more detailed information about the technical structure of the Phishing Reporter plugin.

Incident Analysis

The Incident Analysis widget displays the total number of suspicious emails reported and the number of emails confirmed to be malicious. Visit this page for detailed information about the process used to analyze suspicious emails.

Reported Email Trends

The Reporter Email Trends widget provides a monthly analysis of the previous 6 months that includes the total number of malicious, phishing, or undetected emails, and the recent trend in activity.

Recently Reported Incidents

The Recently Reported Incidents widget shows the subject line, the status of the analysis (open, closed, in-progress, false-positive), and the result of the analysis (undetected, phishing, malicious, simulation) of the last five suspicious emails reported.

You can click on the title of each reported email to see specific summary information.

Click the All button on the top right of the widget to display all of the reported emails in detail.

Recent Investigations

The Recent Investigations widget shows the subject of the last five investigations, the progress of the investigations (%), and the current status (running, canceled, finished, expired). You can view a summary of the investigation by clicking on an investigation title.

Click the All button at the top right of the widget to go to the Investigations page.

Reporters

The Reporters widget shows the five most reliable users who report suspicious emails to the platform. The reliability score improves when the reported email is confirmed to be a phishing or otherwise malicious message. The reliability score will drop if the reported suspicious email does not contain irrelevant and/or harmful content.

Reliability status is classified as follows:

You can click the All button at the top right of the widget to see a list of all of the users who have reported suspicious activity to the platform.

Recent Incidents

This widget shows the last five reported email incidents and their results. You can access to the last five reported email incidents with their status and you can click on the related incident to access details.

Top Rules

The Rules box displays the top 5 playbook rules, the criteria used to analyze emails, defined in the Incident Responder platform that was met the most often.

Your license model determines which widgets are available on the dashboard.

Top Posts

The Top Posts box shows the five messages shared on the Threat Sharing platform that have generated the most interaction. Click on the title of a post to see more information.

The All button at the top right of the box will take you to the Threat Sharing section.

Recently Posted Threats

The Recently Posted Threats box displays the title of the last five posts shared on the Threat Sharing platform, the name of the malicious content in the post, and the name of the community where it was shared.

The All button at the top right of the box will take you to the Threat Sharing section.

Your license model determines which widgets are available on the dashboard.

Phishing Campaign Trends

This widget shows a summary graph of the overall performance of your phishing campaign for the last 6 months. The graph is organized by the number of users(Y-axis) and date(X-axis). The widget represents how many users have fallen to the phishing campaign for Click Only, Data Submission, and Attachment types of campaigns.

You can view your phishing campaign reports by clicking on the Campaign Reports shortcut.

Recent Campaigns

This widget shows the name of the last five phishing campaigns, the launch date of the campaign, and the current stats (no response, clicked, opened, submitted). You can go to report the campaign by clicking on the name of the campaign.

You can click ALL shortcuts to go to the campaign reports page to view all phishing campaigns.

Most Phished Users

This widget shows the names of the top five phished users for all the time, their email addresses, and the number of times they’ve been phished. The number of times is unique. As an example, if it says five that means the user received five unique phishing campaigns and phished to all five campaigns.

Most Engaged Campaigns

This widget shows the names of the last five phishing campaigns that have the most successfully phished users and the number of phished users. You can view the campaign report by clicking on the name of the campaign.

Top Phishing Simulation Reporters

This widget shows the names of the top five users that report phishing simulation emails, the email of the user, and the number of reported emails. It won’t matter if the user phished and then reported the email or not phished and reported the emails, both actions will be shown on the widget.

You can integrate your EWS environment with the Incident Responder product by following the steps below.

First, you must have or create a Microsoft user identity with either impersonation or delegation permission.

Please refer to this document for information on how to create a service/admin user.

Impersonation

Impersonation gives one service account access to every mailbox in a database. This enables quick and easy investigation and response to an incident.

Restrictions may also be designated for the impersonation account, depending on the policies of the organization.

The following command can be used in the Exchange Management Shell to grant the impersonation privilege to a service account. This example assigns the service account service@company.com full access permission to all user mailboxes in the company.com organization.

[PS] C:\Windows\system32> Get-Mailbox -ResultSize unlimited -Filter "(RecipientTypeDetails -eq 'UserMailbox') -and (Alias -ne 'Admin')" | Add-MailboxPermission -User admin@company.com -AccessRights FullAccess -InheritanceType All

Delegation

The delegation privilege requires that permissions be added individually to each mailbox. The platform can access the mailboxes within the Exchange designated by the organization.

Restrictions may also be designated for the account, depending on the policies of the organization.

The following command can be used in the Exchange Management Shell to grant delegation privilege to a service account. This example assigns the service account user service@company.com full access permission to the specified ‘TargetUserName’ user mailbox.

[PS] C:\Windows\system32> Add-MailboxPermission -Identity "TargetUserName" -User "service@company.com" -AccessRights FullAccess 

Test the Integration

To make sure that the integration is working, you can test it on the platform. Go to Incident Responder > Mail Configurations on the left sidebar menu of the dashboard and then click + NEW and choose the mail provider - in this case, Exchange EWS. Complete the following fields in the configuration table:

The integration details are:

The new configuration will now appear in the list of mail configurations if the test was successful.

Throttling Policy Configuration

What is Throttling Policy?

Throttling policy is a control mechanism designed to preserve server reliability and functionality by limiting the resources consumed by a single user or application.

The Microsoft Exchange throttling policy is a default setting that restricts users on various client access protocols, such as MAPI, Activesync, OWA, POP3, etc., intended to prevent a potential crash or denial of service (DoS) via repeated requests.

A successful integration between Exchange and the Incident Responder will lead to hundreds of connections on the Exchange server when an investigation begins.

The investigation may be obstructed by the throttling policy. Therefore, the default throttling policy rights of the service user defined in the Incident Responder product should be expanded to avoid this problem.

Choose a Throttling Policy

You can use the command below in Exchange Management to view all of the available throttling policies.

Get-ThrottlingPolicy | where-object {$_.IsDefault -eq $true}

Add a New Throttling Policy

Open the Exchange Management Shell and use the command below to create a new throttling policy.

New-ThrottlingPolicy KeepnetUnlimitedPolicyName

Configure Authorizations for the Throttling Policy

Once you have added a new throttling policy, please enter the following command to set the permissions of the new policy.

Set-ThrottlingPolicy KeepnetUnlimitedPolicyName -RCAMaxConcurrency Unlimited -Exchange EWSMaxConcurrency Unlimited -Exchange EWSMaxSubscriptions Unlimited -CPAMaxConcurrency Unlimited -Exchange EWSCutoffBalance Unlimited -Exchange EWSMaxBurst Unlimited -Exchange EWSRechargeRate Unlimited -Exchange EWSFindCountLimit Unlimited

Assign Throttling Policy to a Service

User Use the command below to assign a throttling policy to a specific user. Replace “service@company.com” with the service user you designated in the Incident Responder.

Set-Mailbox “service@company.com" -ThrottlingPolicy KeepnetUnlimitedPolicyName

Our Email Threat Simulator allows institutions to defend against major attack vectors. In recent years, the number of target-oriented attacks has increased significantly. Most often, the targets of attacks are large corporations, government agencies, and political organizations. However, any institution that collects data seen as valuable faces a risk of cyberattack. Awareness of potential exposure and preparation to resist an attack are critical in today’s world.

Shortcuts

• How to start Email Threat Simulator to test account

• How to view Email Threat Simulator report

• How to create trusted and restricted Exchange test email account

Video Tutorial

This video tutorial will cover how to start scan, view report on the Email Threat Simulator.

This guide explains the Threat Intelligence product and how to use it.

This includes:

• What is Threat Intelligence?

• How to export a list of breached accounts?

What is Threat Intelligence?

The Threat Intelligence product scans the web, searching for signals and data that may represent a breach of your data security and a threat to your business. The constant vigilance afforded to you by the Threat Intelligence product shortens the time between the potential data breach and defensive response, reducing the opportunity for fraudulent activity.

In the Threat Intelligence product, you can check for data leaks for your previously allowed email domains in the Domain Allowlist menu.

Please find the documentation for the domain allowlist here.

Go to the Threat Intelligence menu from the left menu on the dashboard to review the following functions.

Breached Accounts

This table contains all breached email accounts. This table includes information such as breached account, the source of the breach, the password type of the email account, and the leak date.

The components of the Breached Accounts page are explained in the table below.

Table Actions

You can take manual actions on breached accounts table. You can click the buttons top of the data table for the appropriate steps you want to perform.

Video Tutorial

This tutorial explains the Threat Intelligence product and how to use it.

FAQ

Q: Can I delete breached account from the platform?

A: No, you can only list, copy to clipboard and download the list of the breached accounts.

Q: Can I integrate the breached accounts with my SOAR products by obtaining the details using the API?

A: You can perform almost every operation in the Threat Intelligence product using API. You can refer to our Rest API document to see the details.

The Threat Sharing Community platform is an early warning system deployed across a network that provides inbox-level incident response and investigation capability, giving users maximum agility and reducing response time. Users have the ability to expand their threat intelligence reach by using their collective network knowledge, as well as reduce their costs and accelerate implementation of a response. Users can also preemptively initiate inbox investigations before suffering a malicious attack, which provides proactive protection. You can access the Threat Sharing module from the Dashboard > Threat Sharing.

6. FAQ

‌Q: Can I hide my identity when I post an incident to a community?

Q: How do I launch an investigation to assess the threat at my company?

A: When you see an incident posted and shared by a fellow member of a community, you can easily begin an investigation to determine potential risk to your firm by selecting the Investigate option. You will be prompted to add the criteria, target users, duration, and other details to be used as part of the investigation.

‌‌Q: Is it possible to invite someone from a company that is not currently a client to join a community?

‌A:‌ No. Community membership is limited to employees of organizations that have registered to the platform. Once an organization has registered, all registered users of that organization are eligible to participate, if they choose to do so.

For more information about invitations, go to Invitations or Invite New Members.

Q: Where are shared incidents stored?

A: Shared incidents will be maintained in the database

‌Q: What is the reliability of shared posts/incidents?

A: A user must accept terms and conditions before a post will be accepted in order to ensure maximum reliability of the shared information.

‌Q: Are shared threats/incidents/posts human-verified?

A: No, they are not verified. However, threat sharing communities are peer-to-peer networks formed and built on trust. This can be used to verify the posts/incidents.

Q: Is there any limit to the number of posts that can shared in a community?

A: No. You can share as many as you want to.

Q: Is it possible to leave a community of which I am the owner? Can I transfer ownership?

A: Yes. The owner of a community may transfer ownership to another member of the group. Select the name of the member to become the new owner, click on the three dots next to their name, and you have the option to Assign as Owner.

If you do not wish to assign a new owner, you also have the option to delete the community, however, please all posts and the data of the community will be erased.

Q: What is the reliability of shared posts/incidents?

A: A user must accept terms and conditions before a post will be accepted in order to ensure the maximum reliability of the shared information.

7. Use Cases

Use Case: Keep details private when posting an incident to avoid exposing confidential information

The best solution would be to post anonymously. The poster’s profile details – including the name of the individual and that of the organization - are withheld. It is also possible to select the attributes of the incident that will be visible or hidden in the Header field or Body or Attachment to provide additional confidentiality.

Use Case: Limit membership to a community

When setting up a community, the owner has a high degree of control about who can access and view that community information. The public, private, and hidden types of community offer different levels of disclosure and participation. Only public communities have unrestricted membership.

The owner of a private or hidden community has administrator rights and controls membership.

The name of a private community is displayed on the Communities homepage; however, membership is restricted.

Use Case: Find communities related to a particular industry or sector

The search option on the Communities page allows you to locate established groups in industries or sectors most relevant to your interests. For example, a user who works in financial services can search for communities concerned with banking, brokerage, investment banking, or private equity and, if the privacy options allow, become a member of those communities. It is also possible to search for industries and sectors according to the privacy option.

The Treat Sharing page also suggests communities that may be of potential interest.

Use Case: There are no communities related to my sector. What can I do?

If there are no existing communities of interest to join, this is an opportunity to create a new community for members of an unrepresented industry or sector.

This could be a great way to establish a presence for your community and become a thought leader within your industry or sector.

Use Case: Searching for specific incidents in the threat sharing database

The Incidents section offers several ways to search for a particular incident to determine if it may have already impacted your organization. The keyword, company, and threat fields can be used to filter the results.

This can provide excellent insights into past, present, and future threats to an organization, as well as guidance for targeted awareness training and to address any vulnerabilities in information security systems and networks.

Use Case: Assessing the threat of an incident

Community members can see which incidents are and have been considered the most harmful. The most dangerous attributes are flagged in the post, and members can immediately access the specific details and take the appropriate action for their organization.

Use Case: Using invitations to grow a community and improve security posture

Invitations are an invaluable way to expand and enrich communities. A large community has greater resources and expanded ability to improve cyber resilience. The member organizations will be better prepared for attacks based on the knowledge shared by others in the community.

There is no limit to the number of invitations to a public community, and all members may invite a colleague to join. The owner of a hidden or private community serves as a gatekeeper to membership and is the ultimate decision-maker of how many invitations are issued and to whom.

Use Case: Ensuring and enhancing the value of a community for the owner and members

The best way to make a community successful is the proactiveness of the membership, and in particular, the community owner. The larger the community, the more useful and valuable it will be for everyone, but the integrity and caliber of the membership provides additional strength, trust, and reliability.

Use Case: Defining the purpose of a community

The intended vision and goals of a community are provided when it is created and serve as a guide to activities and membership.

Use Case: What action can community members take in response to a posted incident?

Users have a range of options to choose from in response to a posted incident according to their own organization’s cybersecurity protocols and incident response procedures. Valuable information is provided related to both actual and potential threats and may be used according to individual needs.

Use Case: The community has lost its way. How can it be saved?

Priorities always change in an organization, and the same is true in the threat sharing world of communities. If the owner of a community no longer feels that it is functional, relevant or the purpose no longer exists, then the community can be deleted, and all incidents reported and which members were part of it will be destroyed as well.

This section describes the capabilities and features of the threat simulation reports that can be generated using the Email Threat Simulator > Scan > Report button.

The components of the Scan Reports page are explained below.

Summary

The Summary provides a brief synopsis of the threat scan and options for further action.

Summary Widgets

Scan Info

Threat Scan Score

The score is calculated based on the number of emails determined to be insecure and the severity value of the risk posed by these emails.

Stats

The attack vectors are listed by attack type or by email status: Malicious Attachments, Ransomware Samples or Insecure Emails.

Attacks Sent

This section provides a summary report of the attack vectors exploited to target an email address.

FAQ

Q: Can I download a list of the attack vectors sent?

A: Yes, you can download a detailed report of the launched attack vectors in .xls, .pdf, or .csv format using the Download button.

Q: Can I export reports into my own reporting tool (e.g., Qlik Sense, Tableau, PowerBI)?

A: Yes. You can transfer all of our reports through an API. This flexibility allows you to use the information as needed to suit your business.

This document will provide information on how to start the Email Threat Simulator scan to the email inbox by using the “Continue with Microsoft Office 365” feature.

Microsoft O365 requires extra configuration steps in order to use the Email Threat Simulator with an O365 email account.

Create Microsoft Azure Application

Follow the steps to create and configure the application on Microsoft Azure.

• From the Home page, go to the App Registrations menu from the Azure Services page

• Create a new application by clicking on the +New Registration button.

• Fill in the following fields on the Register an Application page and then click the Register button.

  • Name: Enter a name for your application.

  • Supported account types: Select the “Accounts in this organizational directory only (Single tenant)” option.

  • Redirect URI: Leave this field blank.

• After creating the application, copy the “Application (client) ID” and “Directory (tenant) ID” from the Overview page to use it in the platform later.

Follow the steps to assign the required permission to the application that has been created on Microsoft Azure.

• To assign EWS.AccessAsUser.All permission;

  • Click API Permissions from the left menu and click the +Add a permission button.

  • Click APIs my organization users title on the Request API Permissions page.

  • Select Delegated permissions option on the Office 365 Exchange Online page.

  • Enable the EWS.AccessAsUser.All permission in the EWS field and then click Add Permission button.

• To assign Mail.Read permission;

  • Click API Permissions from the left menu and click the +Add a permission button.

  • The Microsoft APIs field will appear by default on the Request API Permission page.

  • Click on Microsoft Graph and select Delegated Permissions option.

  • Enable the Mail.Read permission in the Mail field and after that click Add Permission button.

Follow the steps to configure Authentication configuration in order to start a simulation from the platform.

Set permissions on the Web Applications field from the Authentication menu;

• Click on the Authentication from the left menu and then click on the +Add a platform button from the Platform Configurations page.

• From Configure Platforms page, under the Web Applications title, click on the Single-page Application button.

• Under the Configure Single-page Application title, find Redirect URLs and Front-Channel Logout URL and then write https://ets-api.keepnetlabs.com/ to both fields.

• Under the Implicit Grant and Hybrid Flows title, enable the Access tokens (used for implicit flows) and ID tokens (used for implicit and hybrid flows) options.

• Click on Configure button to finish this configuration steps.

Set permissions on the Mobile and Desktop Applications field from the Authentication menu;

• Click on the +Add a platform button from the Platform Configurations page.

• From Configure Platforms page, under the Mobile and Desktop Applications title, click on the Mobile and Desktop Applications button.

• Under the Configure Desktop + Devices title, find Redirect URLs and then select the “https://login.microsoftonline.com/common/oauth2/nativeclient” address.

• Click on Configure button to finish this configuration steps.

Set permissions on the Advanced Settings field from the Authentication menu;

• From the Authentication menu, under the Advanced Settings title, find Allow Public Client Flows field and activate the “Enable the following mobile and desktop flows:” option.

• Click the Save button to finish this configuration steps.

How to start the simulation with the “Continue with Microsoft Office 365“ feature?

Follow the following steps to start the simulation from the platform.

• Go to Email Threat Simulator > Scans page from the left menu on the platform.

• Click on the +NEW button to start a new simulation.

• Read the warning message and then click the “I Understand” button.

• Follow the steps in the following table for further steps to start a simulation.

Click on the Next button to go to the next page and customize the options as wished on “the “Scan and Delivery Settings” page and then go to the last page to agree on the “User Agreement” to start the simulation.

Troubleshoot

If you’re unable to start an ETS scan on an O365 email account, follow these steps to troubleshoot:

1. Check Sign-In Logs: Navigate to the User Sign-In logs for the email account used for the ETS scan. Review the logs to identify any technical issues preventing Keepnet from connecting to the account.

2. Verify MFA/2FA Settings: Ensure that Multi-Factor Authentication (MFA) or Two-Factor Authentication (2FA) is disabled for the email account used for the ETS scan.

3. Allow Time for Settings to Apply: After configuring the account settings according to the documentation, wait at least 60 minutes before initiating the ETS scan. Microsoft may require some time to apply the changes across your organization.

This document will provide information on how to start an Email Threat Simulator scan to the email inbox using a Google Workspace account.

To use the Email Threat Simulator with a Google Workspace email account, the app requires a password.

Create an app password

Follow the steps to create the app password for the Google Workspace account.

2. Select Security.

3. Under “How to sign in to Google”, select 2-Step Verification.

4. At the bottom of the page, select App passwords.

5. Enter a name to help you remember where to use the app password.

6. Select Create.

7. Copy and save the app password for use in the Keepnet interface.

8. The app password is a 16-character code generated on your device.

9. Select Done.

How to start a simulation with a Google Workspace account?

This section describes the steps to start a scan with Google Workspace in the Email Threat Simulator product.

1. Go to Email Threat Simulator > Scans page from the left menu on the platform.

2. Click on the +NEW button to start a new simulation.

3. Read the warning message and then click on the “I Understand” button.

4. Fill in the Test Email Address field.

5. Check 'Automate with password' under Choose an Option.

6. In the Password field, enter the app password value you created before.

7. Click on the Next button.

8. In the Scan and Delivery step, set the delivery speed as desired.

9. Click on the Next button.

10. Confirm the User Agreement.

11. Start the simulation by clicking on the Save button.

How to Use the Threat Sharing Community

You must either a) create a community, or b) become a member of an existing community. You can access the Communities page by Dashboard > Threat Sharing > Communities. The sub pages of the community page are explained below.

The fields of the community page are explained below.

A search window is available to help quickly find a name on the community homepage.

How to create a Community?

Go to Dashboard > Threat Sharing > Communities and click on the Create Community button.

Next, you will be asked to enter the following from the table below:

Please read and accept the terms and conditions. Then click on Create to complete the process.

After creating your community, you will be directed to the new Threat Sharing Community homepage.

You will now be able to post your first incident.

Community Settings

Go to Dashboard > Threat Sharing > Communities and click on the Three Dots. You will be able to edit the interaction with the fields in the table below.

How to Transfer Ownership of a Community

If you no longer wish to be the owner of a community, you have the option to transfer ownership to a fellow member.

• Go to the Communities dashboard

• Select the community for which ownership is to be transferred

• Go to Members menu

• Select the member who will be the new owner

• Click on the three dots to the right of the member’s name and click 'Assign as owner' button

• Confirm that you are willing to give admin privileges (includes rights to remove users and delete the community) to the new owner

• Click Accept to complete the transfer of ownership

• A message will appear to confirm that the transfer of the community’s ownership has been successful.

Invite new members to your Community

Once a community has been established, you are able to invite members to join the group. A maximum of five can be invited at one time.

To invite new members;

• Go to the right-hand pane of the community homepage

• Under About Community, click +Invite and enter the email address of the invite

• Click Invite to send your request

Requests

Individuals who are not currently members of the community can request to join. These requests are visible under the Requests option on the community homepage.

Members Page

The names of the members of your threat sharing community are visible under the Members page. You wil be able to see the following information.

A search window is available to help quickly find a name on the community homepage.

Incidents Page