Email phishing simulation campaigns

This page includes:

About email phishing simulation campaigns

From time-to-time, some organizations run simulation email campaigns to determine how their employees respond to phishing attacks and to other malicious attacks. Applications such as KnowBe4 and Terranova Security are frequently used to perform these simulation campaigns. Before you begin a campaign, you must make sure that:

  • the simulation emails won't be scanned by Perception Point X‑Ray - and found to be malicious or spam

  • links inside the simulation emails won't be clicked by Perception Point X‑Ray

  • your email service won't quarantine any of the simulation emails

  • the Perception Point IR Team won't investigate any simulation scan that is reported by an end-user

What is the "global simulation application allow list"

Perception Point X‑Ray maintains a list of the popular phishing simulation applications. This list is called the "global simulation application allow list". For each application in the list, Perception Point X‑Ray maintains a list of the IP addresses that are used by each simulation application to send the simulation emails. For details, see Global simulation application allow list below.

Before you begin

Important: We recommend that before you begin an email phishing simulation campaign, that you first send a few trial emails to make sure that everything is operating as expected - before you begin the actual simulation campaign.

What you need to do

Before you begin a campaign, make sure that the following prerequisites are in place:

Step 1 - Allow-list your simulation application IP addresses in Perception Point X‑Ray

There are two ways in which simulation application IP addresses - from which the simulation emails will be sent by your simulation application - can be allow-listed in Perception Point X‑Ray:

1

Your simulation application IS in the "global simulation application allow list"

Check the list below [Global simulation application allow list] to find out if your simulation application is included in the Perception Point X‑Ray "global simulation application allow list".

If it is included, then it is not necessary for you to allow-list these IP addresses - they are already allow-listed.

2

Your simulation application is NOT in the "global simulation application allow list"

If your simulation application is not included in the Perception Point X‑Ray "global simulation application allow list", then:

  • Add the relevant IP addresses to the Perception Point X‑Ray "Sender IP allow list" for your organization.

    When you add the IP addresses to the "Sender IP allow list", make sure to select "Allow all emails" for the Email allow options. For details, see Configuring the "sender IP allowlist".

    Important:

Step 2 - Allow-list your simulation application domains and/or IP addresses in your email service

Make sure that the domains and/or IP addresses from which the simulation emails will be sent by your simulation application are allow-listed in your email service.

For procedural details, see the official documentation for your simulation application.

Step 3 - Prevent third-party phishing simulation emails from going to quarantine

For Microsoft 365 Inline integrations only

Important:

The procedure below helps to prevent third-party phishing simulation emails from going to quarantine after they are scanned by Perception Point X‑Ray.

  1. Open the Advanced delivery page in Microsoft 365.

    [See here: https://security.microsoft.com/advanceddelivery ]

  2. Open the Phishing simulation tab.

  3. Click Add or Edit.

  4. Add the following in the Domain field:

    1. the domain or domains of your simulation application

    2. the Perception Point X‑Ray domain:

      • For US environments:

      nat.perception-point.io

      • For EU environments:

      nat.eu.perception-point.io

      • For AUS environments:

      nat.aus.perception-point.io

      1. In Perception Point X‑Ray, go to Account > Preferences.

      2. The Environment of your organization will appear under General > Info: US, EU, or AUS.

  5. Add the following in the Sending IP field:

    1. the IPs of your simulation application

    2. the following Perception Point X‑Ray IPs:

      1. In Perception Point X‑Ray, go to Account > Preferences.

      2. The Environment of your organization will appear under General > Info: US, EU, or AUS.

       

      For US environments

      For EU environments

      For AUS environments

       

      • 3.81.182.154

      • 3.93.155.149

      • 3.95.118.12

      • 3.95.142.181

      • 54.227.64.76

      • 52.12.169.124 [required only if Muti-region is enabled]

      • 99.81.216.78

      • 34.249.190.60

      • 108.128.137.108

      • 99.80.189.20

      • 52.12.169.124 [required only if Muti-region is enabled]

      • 13.236.255.231

      • 54.66.125.250

      • 52.12.169.124 [required only if Muti-region is enabled]

      Note: Microsoft allows you to add a maximum of 10 entries. If you are not able to add all the required IPs, you may need to insert only the primary Perception Point X‑Ray IP. For details, contact Perception Point Support [support@perception-point.io]

  6. Click Add

Global simulation application allow list

Perception Point X‑Ray maintains a list of popular simulation applications, and the IP addresses associated with these simulation applications. This list of simulation applications is called in the Perception Point X‑Ray "global simulation application allow list". If your simulation application is already included in the "global simulation application allow list", it is not necessary for you to allow-list the simulation application's IP addresses in Perception Point X‑Ray for your organization.

Note: Even if your simulation application is included in the Perception Point X‑Ray "global simulation application allow list", make sure to allow-list the IP addresses of your simulation application in your email service.

See Step 2 - Allow-list your simulation application domains and/or IP addresses in your email service above.

Following is a list of the simulation applications that are included in the "global simulation application allow list":

 

Application

Simulation tag

1

Breach Secure Now

breachsecurenow

2

CanIPhish

 caniphish

3

Cofense

cofense

4

Cybeready

cybeready

5

Cywareness

cywareness

6

Dcoya

dcoya

7

FortiPhish

fortiphish

8

Infosec

infosec

9

KnowBe4

knowbe4

10

Kymatio

kymatio

11

Reflex

reflex

12

Sophos

sophos

13

Terranova Security

terranovasecurity

14

Wizer

wizer

Listing all simulation scans

In the Security Operations > Scans page, it is possible to display only those scans that have a simulation tag.

To display only those scans that have a simulation tag:

  1. In the Scans page, open the Advanced filters feature. For details, see Advanced filters.

  2. Scroll down the list of filter options, and then under Detection select Only Simulation.

  3. Click "Apply Filters" to display a list of simulation scans.

Adding a simulation tag to scans

If your allowlists for the simulation application's IPs and domains are correctly configured, Perception Point X‑Ray will add a "simulation" tag to each simulation scan.

How does a simulation tag help?

A simulation tag helps in two ways:

  • It enables the Perception Point IR Team [and admin users] to identify the email as a simulation email. This prevents anyone from changing the scan verdict from Clean to any other verdict - when using the Request Investigation or Change Verdict features.

  • It enables admin users to list all the simulation scans - in the Scans page.

 

Perform the procedure below to list all the scans that were assigned a specific simulation tag:

  1. In the Scans page, locate and open one simulation scan.

  2. In the Verdict section, note the simulation tag that has been applied to the scan. In the example below, the "cymulate" simulation tag was applied.

  3. In the Scans page, open the Advanced filters feature. For details, see Advanced filters.

  4. Scroll down the list of filter options, and then under Detection > Simulation, enter the name of the simulation tag that you noted in Step 2 above.

    Important: Enter the name of the simulation tag in lower-case letters only - no upper-case letters.

  5. Click "Apply Filters" to display a list of the simulation scans.

How is a simulation tag added to a scan

There are two ways that a simulation tag can be added to a scan:

  • Each IP address in the "global simulation application allow list" is associated with a simulation tag - for example Simulation-knowbe4 or Simulation-cymulate. When a scan is performed on an email that originates from an IP address that is included in the "global simulation application allow list", the associated simulation tag is added to the scan.

  • A simulation tag is added to scans for emails that originate at IP addresses that are not included in the "global simulation application allow list" - only if you inform Perception Point Support about these IP addresses. See Step 1 - Allow-list your simulation application IP addresses in Perception Point X‑Ray above.

    Remember to ask Perception Point Support for the exact name of the simulation tag that they applied. This will enable you to "filter or list" simulation scans.

Integrating the KnowBe4 Phish Alert button - PAB

Users of KnowBe4 are able to integrate the KnowBe4 Phish Alert button - PAB - with Perception Point X‑Ray. When integrated, when a user uses the PAB to report a suspicious email, a copy of the report is sent to Perception Point X‑Ray. This enables the Perception Point IR Team to investigate the email.

For additional information about the KnowBe4 Phish Alert button, see the official KnowBe4 documentation.

The KnowBe4 Phish Alert button can be integrated with any of the following Perception Point X‑Ray integrations:

  • Microsoft 365 Inline

  • Microsoft 365 API

  • Google Workspace

The procedure below shows how to integrate the KnowBe4 Phish Alert button with Microsoft 365 Inline and API integrations.

  • For details on how to integrate the KnowBe4 Phish Alert button with Google Chrome, see the official KnowBe4 documentation .

To integrate the KnowBe4 Phish Alert button:

  1. Login to the KnowBe4 Dashboard [https://training.knowbe4.com/ui/dashboard]

  2. Click Account Settings. [https://training.knowbe4.com/ui/account/info#phishalert]

  3. Navigate to Account Integrations > Phish Alert.

  4. Select the Enable Phish Alert check box.

  5. Select "Enable Microsoft 365 Defender Integration".

  6. In the Submit Reported Emails to field, enter the Perception Point X‑Ray dedicated mailbox that is appropriate for your environment:

    1. In Perception Point X‑Ray, go to Account > Preferences.

    2. The Environment of your organization will appear under General > Info: US, EU, or AUS.

    Environment

    Dedicated mailbox

    For US environments

    report@report.us.perception-point.io

    For EU environments

    report@report.eu.perception-point.io

    For AUS environments

  7. Save the settings.

    The integration is now complete. Test the integration on an email that has been scanned by Perception Point X‑Ray.

  • KnowBe4 suspicious email reports don't contain user comments such as "I think this email is clean, spam, or malicious". Instead, the reports always arrives at the Perception Point IR Team queue with the "Please investigate this Email" comment.

  • We recommend using the Microsoft 365 built-in report button because it can be fully integrated with Perception Point X‑Ray. [That is, the Microsoft 365 built-in report button doesn't have the limitation described above.] For details, see Configuring a Microsoft 365 "Report Message" button.

See also: