This article takes you through Block List, a new feature within Phish Focus.
This feature allows a Phriendly Phishing Admin to connect Phish Focus to your MS tenant and easily update the Block List from within Phish Focus. As an Admin, you can review reported emails in Phish Focus and create a block list entry. That block list entry updates to your MS 365 mail server block list and moves future emails from same entries to either your users' Junk folder or quarantined automatically.
Important Things to Note:
- The Block List feature is only used for organizations using MS 365 mail server.
- For each zone, you can use only 1 tenant. If you are already connected to a MS 365 tenant, other admins within your zone needs to login to the same tenant.
- As a Phriendly Phishing Admin, you should login with your own account to use the Block List feature.
This article covers below:
- Enable Block List
- Disconnect from MS 365 Tenant
- Create Block List Entries from an Email
- Manage Block List Entries
- Block List Activity Logs
- Synchronisation between Phish Focus and MS 365 Tenant
Block List is a configurable option by the Admins and by default this button is disabled. Refer to below steps on how to enable the feature:
- From the Phriendly Phishing platform, click Phish Focus.
- Clicks Settings > Enable Block List
- Connect to MS 365 Tenant. You are required to log-in to your MS 365 Tenancy and accepts to grant Phish Focus to connect and use permissions.
- Once logged in successfully, the below notification will appear. Click OK.
- After clicking, OK you will see your Tenant ID and User ID
As an Admin you can log-out if you want to remove the connection to your MS Account by clicking Log-out or disconnect from the tenant.
Notes on Disconnecting from MS 365 Tenant:
- All the MS 365 accounts logged for this tenant are also logged out.
- The data of the tenant/mail server are store and kept temporarily.
Disconnect from Tenant
Once Block List is enabled and the connection to MS 365 tenant is successful, Admins can now create block list entries which are synchronised with MS 365 Blocklist.
Block List entries are created from the body of the email which includes:
- Sender Email Address
- URL in the Email content
- File Hash of the email's attachment
See steps below to create a block list:
- Click the reported email > Actions > Add to Block List
- A pop-up dialogue box below appears, for you to choose which information to block. Click Save.
- Once Saved, while information is synching to MS 365 Server, status appears as Pending. Once synch has completed, status now appears as Action under Block List.
As an admin you have visibility and can manage the block list entries for your zone. Refer to below lists:
- 3 Attribute Types the entry could be: Sender, URL, and File Hash
- Created Date (date value was created)
- Expiration date (date value is set to expire - could be: Never expire, 7 days, or 30 days)
- Synced status: Pending, Active, Failed or Expired.
- Action: Edit, Delete
- Pending = value is in the process of being added or deleted from the MS 365 blocklist.
- Active = value is successfully added to the blocklist and synced with the connected MS 365 mail server.
- Failed = value is not successfully added and synced. It could be because of an existing entry in MS 365 and cannot be duplicated.
- Expired = value has expired. When it reaches the expiration date, it is removed from the MS 365 block list and status in Phish Focus is “Expired”.
Action: As a Phriendly Phishing Admin, you can action a value dependent on the synched status. Edit, allows an Admin to change the expiration date and Delete allows an admin to remove the whole value from the block list.
- Pending: Delete
- Active: Edit, Delete
- Failed: Delete
- Expired: Edit, Delete
All activities of Block List feature are logged in Activity Logs. This section shows below information:
- Modified Date and Time
- Value: name of the entry which has been modified
Done by, which could be any of the below:
- An Admin who performed the action
- Synced from MS 365 - action caused by synching data from MS 365 blocklist.
As an Admin, you can download the logs as a CSV file.
This section provides Admins an insight on the synch proccess happening after adding an entry in the block list.
From Phish Focus:
If a value is created from Phish Focus → it is added to the MS 365 block list
If a value is updated from Phish Focus (expiration date) → it is updated to the MS 365 block list
If a value is deleted from Phish Focus → it is removed from the MS 365 block list
From MS 365 Block List:
If a value is created from MS 365 block list → NO CHANGE or UPDATE in Phish Focus.
If a value is updated from MS 365 block list (expiration date) → it is updated in Phish Focus and a log is recorded under activity logs
If a value is deleted from MS 365 block list → it is removed in Phish Focus and a log is recorded under activity logs
If a value is auto-removed from MS 365 block list when it reaches the expiration date → it shows as Expired in Phish Focus
If you come across any questions or concerns, please contact Phriendly Phishing support.