
@ThoughtContagion
Last active December 22, 2021 18:02
Simulated Phishing Platform Resource Links
KnowBe4:
ATP Bypass by Header: Exempting mail from Safe Links and Safe Attachments on the strength of a header value means that anyone who adds that header to their own messages gets the same exemption; when the header name and value are publicly documented, an attacker only has to copy them. - https://support.knowbe4.com/hc/en-us/articles/115004326408-How-to-Bypass-Safe-Link-Attachment-Processing-of-ATP
Bypass Spam Filtering by Domain: Exempting mail from spam filtering by sender domain means that an attacker who spoofs the allow-listed domain inherits the exemption. Allow-lists keyed on a domain or IP address are only as strong as the spoof protection (SPF, DKIM, DMARC) enforced on the sender. - https://support.knowbe4.com/hc/en-us/articles/360010283614
Bypass Spam Filtering by Header: Exempting mail from spam filtering by header value has the same weakness as the ATP header bypass: an attacker who sets the documented header on their own email bypasses the filter. - https://support.knowbe4.com/hc/en-us/articles/212723707
Adding KnowBe4 to your SPF Records: Not dangerous in itself, but SPF records are public DNS data, so an attacker can query a domain's TXT records and see the KnowBe4 include, which tells them the organisation is a KnowBe4 customer (and therefore which bypass headers are worth trying). - https://support.knowbe4.com/hc/en-us/articles/115003254328
Edit Account Settings: Changing the default header value in the KnowBe4 account settings means an attacker cannot reuse the publicly disclosed default header to bypass security measures. Treat the custom value as a secret: it is only as good as its confidentiality. - https://support.knowbe4.com/hc/en-us/articles/226457887-How-to-Edit-Your-Account-Settings
Advanced Delivery Policies: Advanced Delivery Policies help ensure that attackers are not abusing simulated phishing platforms by requiring a more secure method of delivery, matched on the platform's sending domain and IP addresses rather than on a header anyone can add. This will frustrate the majority of attackers, but it is not a deterrent to an incentivised one. - https://support.knowbe4.com/hc/en-us/articles/4404511190803
Direct Message Injection: This is the safest option for delivering simulated phishing/training emails. DMI uses a direct, authenticated connection between the KnowBe4 console and the Microsoft 365 tenant, so it does not depend on any of the header-, domain- or IP-based bypasses above. - https://support.knowbe4.com/hc/en-us/articles/360054494394-DMI-Configuration-Guide
Other platforms use many of the same techniques. Below is a list of IP addresses, headers, and header text used by simulated phishing platforms; an inbound message that carries one of these headers but does not arrive from one of these addresses deserves a closer look.
In nearly all cases, Microsoft's Advanced Delivery Policies are the safer option - https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-advanced-delivery
IP Addresses:
18.205.140.116
168.245.36.66
207.154.247.120
206.189.251.203
159.89.9.35
18.184.115.153
18.184.247.15
18.194.120.252
18.194.64.92
18.194.59.184
18.194.131.176
147.160.167.0/26
192.254.121.248
52.49.201.246
52.49.235.189
23.21.109.197
23.21.109.212
52.240.43.212
34.232.212.184
167.89.85.54
149.72.237.117
52.56.150.127
45.55.94.58
134.209.115.132
159.65.161.216
206.189.237.97
64.191.166.196
64.191.166.197
69.72.47.194
64.238.34.10
64.238.34.11
161.38.205.202
64.191.166.0/24
64.238.34.0/24
54.80.160.189
3.212.212.17
Headers:
X-PHISHTEST
X-PhishingTackle
X-EPHISHIENCY
Header Text:
PhishingTackle.com
KnowBe4
PhishingBox
Hook Security
emPower
ePHISHiency
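As an added example (it is not from the gist, KnowBe4, or any other vendor named above), the check a mail team could run over inbound messages to apply the points in both lists above: a bypass header is honoured only when its value matches the tenant-specific one and the connecting IP is in the published platform ranges, because either one on its own is something an attacker can copy. The IP excerpt is taken from the list above; the X-PHISHTEST token value, the host names and the sample messages are constructed for the example.

```python
"""Classify inbound mail that carries a simulation-platform bypass header.

Added example, not part of the gist. The tenant is assumed to have changed
the X-PHISHTEST value from the vendor default to a private token; that token,
the host names and the sample messages below are invented for the example.
"""
import ipaddress
import re
from email import message_from_string

# Excerpt of the published platform source addresses from the list above.
PLATFORM_SOURCES = [ipaddress.ip_network(n) for n in (
    "18.205.140.116", "168.245.36.66", "147.160.167.0/26",
    "64.191.166.0/24", "64.238.34.0/24", "167.89.85.54", "3.212.212.17",
)]

# Bypass headers from the list above. None means only the header's presence
# is checked (the vendor default); a string is the tenant-specific value set
# in the platform's account settings. The token is an assumed placeholder.
BYPASS_HEADERS = {
    "X-PHISHTEST": "tenant-secret-9f3c",
    "X-PhishingTackle": None,
    "X-EPHISHIENCY": None,
}

# Matches "[203.0.113.7]" (Postfix style) or "(203.0.113.7)" (Exchange style).
CLIENT_IP = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")


def connecting_ip(msg):
    """IP of the host that handed the message to our edge MTA.

    Only the topmost Received header is written by a server we control; every
    lower one could have been forged by the sender. Assumes our edge MTA is
    the first hop; with a third-party gateway in front of the tenant, read
    the Received header written by that gateway instead.
    """
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = CLIENT_IP.search(received[0])
    return ipaddress.ip_address(match.group(1)) if match else None


def from_platform(ip):
    """True when the IP falls inside one of the published platform ranges."""
    return ip is not None and any(ip in net for net in PLATFORM_SOURCES)


def classify(raw_message):
    """Return a verdict string for one RFC 5322 message.

    Header value and connecting IP must both match before the message is
    accepted as a simulation; a mismatch in either is treated as suspect.
    """
    msg = message_from_string(raw_message)
    present = {h: msg.get(h) for h in BYPASS_HEADERS if msg.get(h) is not None}
    if not present:
        return "no-bypass-header"
    for header, value in present.items():
        expected = BYPASS_HEADERS[header]
        if expected is not None and value.strip() != expected:
            return "suspect:wrong-header-value"
    if not from_platform(connecting_ip(msg)):
        return "suspect:header-from-unlisted-ip"
    return "simulation"


# Constructed sample messages; 203.0.113.0/24 is documentation address space.
_BODY = (
    "From: IT Helpdesk <helpdesk@corp-it.example>\n"
    "To: alice@corp.example\n"
    "Subject: Password expiry notice\n"
    "\n"
    "Please sign in to keep your account active.\n"
)
_FROM_PLATFORM = ("Received: from sim.example ([147.160.167.10]) "
                  "by edge.corp.example with ESMTPS; Mon, 1 Nov 2021 09:00:00 +0000\n")
_FROM_ATTACKER = ("Received: from mail.attacker.example ([203.0.113.7]) "
                  "by edge.corp.example with ESMTPS; Mon, 1 Nov 2021 09:00:00 +0000\n")

GENUINE_SIM = _FROM_PLATFORM + "X-PHISHTEST: tenant-secret-9f3c\n" + _BODY
LEAKED_TOKEN_WRONG_IP = _FROM_ATTACKER + "X-PHISHTEST: tenant-secret-9f3c\n" + _BODY
DEFAULT_VALUE_REUSED = _FROM_ATTACKER + "X-PHISHTEST: guessed-default\n" + _BODY
PLAIN_MAIL = _FROM_ATTACKER + _BODY

if __name__ == "__main__":
    for name, raw in (("genuine simulation", GENUINE_SIM),
                      ("leaked token, wrong IP", LEAKED_TOKEN_WRONG_IP),
                      ("default value reused", DEFAULT_VALUE_REUSED),
                      ("plain mail", PLAIN_MAIL)):
        print(f"{name}: {classify(raw)}")
```

The `suspect:*` verdicts are the ones to route to the SOC rather than to the bypass: a message that knows the header but not the sending range is exactly the abuse the articles above describe. Platforms publish and change their ranges, so `PLATFORM_SOURCES` should be refreshed from the vendor's current list, not frozen from this gist.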