Email phishing simulation campaigns

This page includes:

About email phishing simulation campaigns

From time-to-time, some organizations run simulation email campaigns to determine how their employees respond to phishing attacks and to other malicious attacks. Applications such as KnowBe4 and Terranova Security are frequently used to perform these simulation campaigns. Before you begin a campaign, you must make sure that:

  • the simulation emails won't be scanned by "Acronis Email Security" - and found to be malicious or spam

  • links inside the simulation emails won't be clicked by "Acronis Email Security"

  • your email service won't quarantine any of the simulation emails

  • the "Acronis Email Security" IR Team won't investigate any simulation scan that is reported by an end-user

What is the "global simulation application allowlist"

"Acronis Email Security" maintains a list of the popular phishing simulation applications. This list is called the "global simulation application allowlist". For each application in the list, "Acronis Email Security" maintains a list of the IP addresses that are used by each simulation application to send the simulation emails. For details, see Global simulation application allowlist below.

Before you begin

Important: We recommend that before you begin an email phishing simulation campaign, that you first send a few trial emails to make sure that everything is operating as expected - before you begin the actual simulation campaign.

What you need to do

Before you begin a campaign, make sure that the following prerequisites are in place:

Step 1 - Allow-list your simulation application IP addresses in "Acronis Email Security"

There are two ways in which simulation application IP addresses - from which the simulation emails will be sent by your simulation application - can be allow-listed in "Acronis Email Security":

1

Your simulation application IS in the "global simulation application allowlist"

Check the list below [Global simulation application allowlist] to find out if your simulation application is included in the "Acronis Email Security" "global simulation application allowlist".

If it is included, then it is not necessary for you to allow-list these IP addresses - they are already allow-listed.

2

Your simulation application is NOT in the "global simulation application allowlist"

If your simulation application is not included in the "Acronis Email Security" "global simulation application allowlist", then:

  • Add the relevant IP addresses to the "Acronis Email Security" "Sender IP allowlist" for your organization.

    When you add the IP addresses to the "Sender IP allowlist", make sure to select "Allow all emails" for the Email allow options. For details, see Configuring the "sender IP allowlist".

    Important:

    • Inform "Acronis Email Security" Support [support@perception-point.io] that you have added the allowlist entries. "Acronis Email Security" Support will add a simulation tag to the scans of all emails that originate from these IP addresses and domains. [See Adding a simulation tag to scans below.]

Step 2 - Allow-list your simulation application domains and/or IP addresses in your email service

Make sure that the domains and/or IP addresses from which the simulation emails will be sent by your simulation application are allow-listed in your email service.

For procedural details, see the official documentation for your simulation application.

Step 3 - Prevent third-party phishing simulation emails from going to quarantine

The procedure below helps to prevent third-party phishing simulation emails from going to quarantine after they are scanned by "Acronis Email Security".

Important: For Microsoft 365 Inline integrations only

Note:

  • Perform this step even if your simulation application is in the "global simulation application allowlist".

  1. Open the Advanced delivery page in Microsoft 365.

    [See here: https://security.microsoft.com/advanceddelivery ]

  2. Open the Phishing simulation tab.

  3. Click Add or Edit.

  4. Add the following domains in the Domain field:

    1. the domain or domains of your simulation application

    2. the "Acronis Email Security" domain:

      • For US environments:

      nat.perception-point.io

      • For EU environments:

      nat.eu.perception-point.io

      • For AUS environments:

      nat.aus.perception-point.io

      1. In "Acronis Email Security", go to Settings > Account.

      2. The Environment of your organization will appear under General > Info: US, EU, or AUS.

  5. Add the following IPs in the Sending IP field:

    1. the IPs of your simulation application

    2. the following "Acronis Email Security" IPs:

      1. In "Acronis Email Security", go to Settings > Account.

      2. The Environment of your organization will appear under General > Info: US, EU, or AUS.

       

      For US environments

      For EU environments

      For AUS environments

       

      • 3.81.182.154

      • 3.93.155.149

      • 3.95.118.12

      • 3.95.142.181

      • 54.227.64.76

      • 52.12.169.124 [required only if Muti-region is enabled]

      • 99.81.216.78

      • 34.249.190.60

      • 108.128.137.108

      • 99.80.189.20

      • 52.12.169.124 [required only if Muti-region is enabled]

      • 13.236.255.231

      • 54.66.125.250

      • 52.12.169.124 [required only if Muti-region is enabled]

      Note: Microsoft allows you to add a maximum of 10 entries. If you are not able to add all the required IPs, you may need to insert only the primary "Acronis Email Security" IP. For details, contact "Acronis Email Security" Support [support@perception-point.io]

  6. Click Add

Global simulation application allowlist

"Acronis Email Security" maintains a list of popular simulation applications, and the IP addresses associated with these simulation applications. This list of simulation applications is called in the "Acronis Email Security" "global simulation application allowlist". If your simulation application is already included in the "global simulation application allowlist", it is not necessary for you to allow-list the simulation application's IP addresses in "Acronis Email Security" for your organization.

Note: Even if your simulation application is included in the "Acronis Email Security" "global simulation application allowlist", make sure to allow-list the IP addresses of your simulation application in your email service.

See Step 2 - Allow-list your simulation application domains and/or IP addresses in your email service above.

Following is a list of the simulation applications that are included in the "global simulation application allowlist":

 

Application

Simulation tag

1

Breach Secure Now

breachsecurenow

2

CanIPhish

caniphish

3

Cofense

cofense

4

Cybeready

cybeready

5

Cywareness

cywareness

6

Dcoya

dcoya

7

FortiPhish

fortiphish

8

Infosec

infosec

9

KnowBe4

knowbe4

10

Kymatio

kymatio

11

Reflex

reflex

12

Sophos

sophos

13

Terranova Security

terranovasecurity

14

Wizer

wizer

Listing all simulation scans

In the Security Operations > Scans page, it is possible to display only those scans that have a simulation tag.

To display only those scans that have a simulation tag:

  1. In the Scans page, open the Advanced filters feature. For details, see Advanced filters.

  2. Scroll down the list of filter options, and then under Detection select Only Simulation.

  3. Click "Apply Filters" to display a list of simulation scans.

Adding a simulation tag to scans

If your allowlists for the simulation application's IPs and domains are correctly configured, "Acronis Email Security" will add a "simulation" tag to each simulation scan.

Note: You can't request an investigation of an email that has been assigned a simulation tag.

How does a simulation tag help?

A simulation tag helps in two ways:

  • It enables the "Acronis Email Security" IR Team [and admin users] to identify the email as a simulation email. This prevents anyone from changing the scan verdict from Clean to any other verdict - when using the Request Investigation or Change Verdict features.

  • It enables admin users to list all the simulation scans - in the Scans page.

 

Perform the procedure below to list all the scans that were assigned a specific simulation tag:

  1. In the Scans page, locate and open one simulation scan.

  2. In the Verdict section, note the simulation tag that has been applied to the scan. In the example below, the "cymulate" simulation tag was applied.

  3. In the Scans page, open the Advanced filters feature. For details, see Advanced filters.

  4. Scroll down the list of filter options, and then under Detection > Simulation, enter the name of the simulation tag that you noted in Step 2 above.

    Important: Enter the name of the simulation tag in lower-case letters only - no upper-case letters.

  5. Click "Apply Filters" to display a list of the simulation scans.

How is a simulation tag added to a scan

There are two ways that a simulation tag can be added to a scan:

  • Each IP address in the "global simulation application allowlist" is associated with a simulation tag - for example Simulation-knowbe4 or Simulation-cymulate. When a scan is performed on an email that originates from an IP address that is included in the "global simulation application allowlist", the associated simulation tag is added to the scan.

  • A simulation tag is added to scans for emails that originate at IP addresses that are not included in the "global simulation application allowlist" - only if you inform "Acronis Email Security" Support about these IP addresses. See Step 1 - Allow-list your simulation application IP addresses in "Acronis Email Security" above.

    Remember to ask "Acronis Email Security" Support for the exact name of the simulation tag that they applied. This will enable you to "filter or list" simulation scans.

Integrating the KnowBe4 Phish Alert button - PAB

Users of KnowBe4 are able to integrate the KnowBe4 Phish Alert button - PAB - with "Acronis Email Security". When integrated, when a user uses the PAB to report a suspicious email, a copy of the report is sent to "Acronis Email Security". This enables the "Acronis Email Security" IR Team to investigate the email.

For additional information about the KnowBe4 Phish Alert button, see the official KnowBe4 documentation.

  • See also: Configuring a Microsoft 365 "Report Message" button

The KnowBe4 Phish Alert button can be integrated with any of the following "Acronis Email Security" integrations:

  • Microsoft 365 Inline

  • Microsoft 365 API

  • Google Workspace

The procedure below shows how to integrate the KnowBe4 Phish Alert button with Microsoft 365 Inline and API integrations.

  • For details on how to integrate the KnowBe4 Phish Alert button with Google Chrome, see the official KnowBe4 documentation .

To integrate the KnowBe4 Phish Alert button:

  1. Login to the KnowBe4 Dashboard [https://training.knowbe4.com/ui/dashboard]

  2. Click Account Settings. [https://training.knowbe4.com/ui/account/info#phishalert]

  3. Navigate to Account Integrations > Phish Alert.

  4. Select the Enable Phish Alert check box.

  5. Select "Enable Microsoft 365 Defender Integration".

  6. In the Submit Reported Emails to field, enter the "Acronis Email Security" dedicated mailbox that is appropriate for your environment:

    1. In "Acronis Email Security", go to Settings > Account.

    2. The Environment of your organization will appear under General > Info: US, EU, or AUS.

    Environment

    Dedicated mailbox

    For US environments

    report@report.us.perception-point.io

    For EU environments

    report@report.eu.perception-point.io

    For AUS environments

  7. Save the settings.

    The integration is now complete. Test the integration on an email that has been scanned by "Acronis Email Security".

  • KnowBe4 suspicious email reports don't contain user comments such as "I think this email is clean, spam, or malicious". Instead, the reports always arrives at the "Acronis Email Security" IR Team queue with the "Please investigate this Email" comment.

See also: