PhishER Rules/Actions - what are ya'll doing?

Hi everyone,

First post! We recently purchased KnowB4’s PhishER platform and I Was hoping to see if anyone else is using the tool?

I’m really interested in leveraging the tool to it’s fullest potential. One of the Yara rules we wrote was to auto tag emails as spam if the SCL was between 5-9. I disabled this task because if left as is, it leaves room to accidentally flag THREAT emails as SPAM (as a phishing email could have an SCL of 5-9).

Curious if anyone has feedback for additional logic to add that would help to differentiate a true spam rule vs. a rule that might accidentally capture threats?

rule code below.

Appreciate it!

rule default {


author = “AZope”
description = “if SCL value more than 5”

$a = “SCL:5”
$b = “SCL:6”
$c = “SCL:7”
$d = “SCL:8”
$e = “SCL:9”

any of them

1 Like

We had to create some rules for official training emails. We also added some rules for rules very specific to certain types of emails. Emails around ach scams and such.

1 Like

Would you be able to help me in figuring out how to write a YARA Rule to identify an email as sent from internal vs.external domain?

1 Like

Are you doing anything at your email proxy like adding and external tag to the email. This would make the rule creation real easy. If you are not adding an external tag to any external emails, you really should, it’s a great way to help your end users, in identifying phishing emails. Either way a rule to determine an internal vs external should be easy to create.

1 Like

Yes, we have an Exchange rule setup to tag emails sent from outside the domain with an external banner.

What I’m trying to do is add a bucket of tags to all tickets in PhishER such that when a security team member goes in to review an email they’d already have a handful of useful info. Internal vs. External, SPF Pass, DKIM Pass, DMARC Pass…

Does this make sense?

any help you could provide in the YARA rule for internal vs. external would be apprecaited. We only have 1 domain.


I reached out to our support team and this hopefully will help you to write your script as there is example code included in the PhishER Quickstart Guide which is detailed below.
Rule 2: Internal Messaging provides some guidelines


rule Internal {
= /from.{0,20}@ **[](** / = /to.{0,20}@ /
$ = /Authentication-Results:.[spf=pass]/

all of them

The customer can use this rule as a base and customize as necessary! The red text is where they can add their organization’s domain.

You can also detect External Messages by using this rule (in this case, “external” means NOT their organization’s domain):


rule external {
$a = /from.{0,20}@ /
$b = /to.{0,20}@ /
$c = /Authentication-Results:.{0,20}spf=pass/

(not $a) and (not $b) and (not $c)

I get the following error, any ideas?

Support said.
It appears you’re getting the syntax error because you didn’t declare the strings correctly. You will need to add a $ before each string, like below:

** = /from.{0,[20}]( ** = /to.{0,20}

$ = /Authentication-Results:.[spf=pass]/

It should save after that! :slight_smile:

Featured Webinars

Advanced Phishing and

Monday 1:30 PM – 2:30 PM
» Learn More
Outlook Phish Alert Button
Tuesday 1:30 PM – 2:30 PM
» Learn More
Customizing Phishing Templates, Landing Pages, & Training Notifications
Wednesday 1:30 PM – 2:30 PM
» Learn More
Active Directory Integration
(ADI) Setup

Thursday 1:30 PM – 2:30 PM
» Learn More

Friday 1:30 PM – 2:30 PM
» Learn More

Privacy Policy | Terms of Service