Phishing simulation campaigns can be skewed by false positives: when an email security solution detonates a payload (opens the link or attachment in a sandbox before the employee ever sees it), the platform records a click that no employee made. One effective way to reduce these false positives is to exclude IP addresses owned by known security providers. This article explains how to configure these exclusions in the platform settings and how to decide whether you need them.
We support out-of-the-box exclusions for IP addresses from the following major providers:
- Microsoft
- AWS
Additionally, we support the use of custom exclusions for single IP addresses, IP address CIDR blocks, and reverse DNS lookup addresses.
Table of Contents
- Excluding IP Addresses
- Custom Address Exclusions
- Determine If False Positive Suppression Is Required
- Guidance To Analyze Suspected False Positives
Excluding IP Addresses
To exclude IP addresses, head to Platform Settings > Phish Settings > False Positives. For whichever provider (Microsoft or AWS) is contributing to your false positives, choose Exclude activity.
Custom Address Exclusions
You can add multiple custom exclusions by entering a single IP address, an IP address CIDR block, or a reverse DNS lookup address. There are different reasons to choose each type:
- Single IP Address: Useful if you're experiencing false positive activity from a single IPv4 address.
- IP Address CIDR Block: Useful if false positive activity is originating from an entire block of IP addresses. Keep the block as narrow as possible: an overly broad exclusion will also suppress legitimate employee clicks that happen to come from the same range (for example, employees on the same cloud-hosted VPN egress).
- Reverse DNS Lookup Address: Useful if a particular service is causing false positive activity and identifies itself through a reverse DNS (PTR) record on its IP addresses. This address type supports a wildcard at either the beginning or the end of the address (for example, to match every host under a vendor's domain, or every host whose name starts with a given prefix). If an IP has no PTR record, a reverse DNS exclusion can never match it, so pair it with an IP or CIDR exclusion where needed.
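The following is an added example, not the platform's own code: a small evaluator that applies the three custom exclusion types described above (single IP, CIDR block, and reverse DNS pattern with a leading or trailing wildcard) to constructed click-evidence records, and flags CIDR blocks broad enough to hide real employee clicks. The PTR table, the hostnames, the exclusion list, the click records and the /16 size threshold are all assumptions made for the example; a live deployment would replace the table lookup with an actual reverse DNS query.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed PTR records standing in for live reverse-DNS lookups (hypothetical names).
PTR_TABLE: Dict[str, Optional[str]] = {
    "203.0.113.10": "scanner-7.sandbox.example-security.net.",  # trailing dot, as DNS returns it
    "203.0.113.11": "mail-scan.example-security.net",
    "198.51.100.25": "pool-198-51-100-25.isp.example.org",
    "192.0.2.40": None,  # address with no PTR record
}


def reverse_dns(ip: str) -> Optional[str]:
    """Stand-in for socket.gethostbyaddr(); returns the PTR name or None."""
    return PTR_TABLE.get(ip)


@dataclass(frozen=True)
class Exclusion:
    kind: str   # "ip", "cidr" or "rdns"
    value: str  # e.g. 192.0.2.40 | 203.0.113.0/24 | *.example-security.net


def matches(excl: Exclusion, ip: str) -> bool:
    """Does this exclusion cover the source IP recorded in the click evidence?"""
    addr = ipaddress.ip_address(ip)
    if excl.kind == "ip":
        return addr == ipaddress.ip_address(excl.value)
    if excl.kind == "cidr":
        # strict=False accepts host bits in the entered block (203.0.113.5/24)
        return addr in ipaddress.ip_network(excl.value, strict=False)
    if excl.kind == "rdns":
        name = reverse_dns(ip)
        if name is None:
            return False  # no PTR record: a reverse DNS rule can never match
        name = name.lower().rstrip(".")
        pattern = excl.value.lower().rstrip(".")
        if pattern.startswith("*"):          # wildcard at the beginning
            return name.endswith(pattern[1:])
        if pattern.endswith("*"):            # wildcard at the end
            return name.startswith(pattern[:-1])
        return name == pattern
    raise ValueError(f"unknown exclusion kind: {excl.kind}")


MAX_CIDR_ADDRESSES = 2 ** 16  # assumption: flag anything broader than a /16


def cidr_warnings(exclusions: List[Exclusion]) -> List[str]:
    """Flag blocks large enough to swallow legitimate employee clicks."""
    warnings = []
    for e in exclusions:
        if e.kind != "cidr":
            continue
        net = ipaddress.ip_network(e.value, strict=False)
        if net.num_addresses > MAX_CIDR_ADDRESSES:
            warnings.append(f"{e.value} spans {net.num_addresses} addresses; narrow it")
    return warnings


def suppressed_by(exclusions: List[Exclusion], ip: str) -> List[str]:
    """Return the exclusion values that would suppress evidence from this IP."""
    return [e.value for e in exclusions if matches(e, ip)]


def triage(clicks: List[dict], exclusions: List[Exclusion]) -> Dict[str, str]:
    """Label each click-evidence record 'suppressed' (likely detonation) or 'kept'."""
    return {
        c["employee"]: ("suppressed" if suppressed_by(exclusions, c["ip"]) else "kept")
        for c in clicks
    }


# Constructed exclusion list and click evidence for the example.
EXCLUSIONS = [
    Exclusion("ip", "192.0.2.40"),
    Exclusion("cidr", "203.0.113.0/24"),
    Exclusion("rdns", "*.example-security.net"),
    Exclusion("rdns", "scanner-*"),
]

CLICK_EVIDENCE = [
    {"employee": "a.lee", "ip": "203.0.113.10"},     # sandbox detonation
    {"employee": "b.ortiz", "ip": "198.51.100.25"},  # residential ISP: a real click
    {"employee": "c.nakamura", "ip": "192.0.2.40"},  # matched by the single-IP exclusion
]

if __name__ == "__main__":
    for warning in cidr_warnings(EXCLUSIONS):
        print("WARNING:", warning)
    for employee, label in triage(CLICK_EVIDENCE, EXCLUSIONS).items():
        print(f"{employee}: {label}")
```

Note that the reverse DNS branch deliberately returns no match when the IP has no PTR record, which is why the example also carries a single-IP exclusion for 192.0.2.40. Run `cidr_warnings` over your exclusion list before saving it; a block that trips the size check is the one most likely to hide genuine clicks.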
Determine If False Positive Suppression Is Required
- Go to the Reporting page.
- Click on the Campaign in question (example screenshot below).
- Click on the toggleable column for 'Click Evidence' just above the statistics table, and then click on the 'View Evidence' link for the affected employee (example below).
- A popup will appear that shows the payload interaction evidence. In the example below, the source IP is owned by Microsoft, so there's a high likelihood that this is a false positive. In this scenario, we would recommend excluding Microsoft IP addresses to reduce false positives.
Guidance To Analyze Suspected False Positives
Many network security vendors that offer VPN, DNS filtering or web filtering services also provide automated real-time threat lookup services that perform what's called "link pre-clicking".
In these cases, an employee clicks a link in a simulated phishing email and the request is intercepted by the network security service. The service checks the URL against manual or pre-configured rules; if it deems the URL suspicious, it launches a background task that fetches the link, analyzes the page, and then decides what to do next: present the employee with a warning page, show a block page, or let them through to the webpage.
Because of the link pre-click, the IP address in the evidence will often belong to the network security vendor rather than to the employee's device. That makes it hard to tell whether the record is an actual link click by the employee or a pre-click that the service performed as a result of the employee clicking.
To help determine if a link pre-click has occurred, consider the following:
- Have the suspected false positives only impacted a small subset of employees (i.e. less than 10-20%)? Normally, when we see false positives related to a security product, the effect is widespread and impacts upwards of 50-100% of employees included in the campaign.
- Is the time difference between email delivery and payload click highly variable? For example, are you seeing some payload clicks occur within 2 minutes of email delivery, some within 30 minutes, and some within a few hours? Normally, with false positives, all payload interactions occur within a close timeframe of initial email delivery (e.g. all within 10-15 minutes of delivery).
- Does your organization utilize a network security product (a VPN, DNS filtering, or web filtering service) that performs link pre-clicking? If it does, or if you don't know, review the relevant vendor's product configuration guidance. Many vendors explain how to allowlist domains so that link pre-clicking does not occur; doing so avoids confusion around false positives and ensures phishing campaign evidence reflects the device the employee actually used. Some vendors are included in our Phishing Website Allowlisting Guide. If you're using a product that's not included, please let us know!
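The following is an added example, not the platform's own code: it applies the first two rules of thumb above (what share of recipients show a click, and how tightly the delivery-to-click delays cluster) to two constructed campaigns. The employee names, timestamps and thresholds (50% for "widespread", 20% for "small subset", 15 minutes for a "tight" window) are assumptions taken from the figures in this article; tune them to your own campaign history.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed campaign data: every recipient received the email at the same minute,
# and clicked_at is None when the platform recorded no payload interaction.
DELIVERED = datetime(2024, 3, 4, 9, 0, 0)


def campaign(click_offsets_min: Dict[str, Optional[float]]) -> List[dict]:
    """Build click-evidence records from per-employee click delays in minutes."""
    return [
        {
            "employee": who,
            "delivered_at": DELIVERED,
            "clicked_at": None if off is None else DELIVERED + timedelta(minutes=off),
        }
        for who, off in click_offsets_min.items()
    ]


# Campaign A: nine of ten recipients "clicked", all within eight minutes of delivery.
CAMPAIGN_A = campaign({
    "a.lee": 2, "b.ortiz": 3, "c.nakamura": 3.5, "d.singh": 4, "e.muller": 5,
    "f.okafor": 6, "g.ivanova": 6.5, "h.chen": 7, "i.dubois": 8, "j.rossi": None,
})

# Campaign B: two clicks, one two minutes after delivery and one three hours later.
CAMPAIGN_B = campaign({
    "a.lee": 2, "b.ortiz": None, "c.nakamura": None, "d.singh": None, "e.muller": 185,
    "f.okafor": None, "g.ivanova": None, "h.chen": None, "i.dubois": None, "j.rossi": None,
})


def click_share(events: List[dict]) -> float:
    """Percentage of recipients with a recorded payload click."""
    clicked = sum(1 for e in events if e["clicked_at"] is not None)
    return 100.0 * clicked / len(events)


def click_spread(events: List[dict]) -> timedelta:
    """Range between the earliest and latest delivery-to-click delay."""
    deltas = [e["clicked_at"] - e["delivered_at"] for e in events if e["clicked_at"] is not None]
    if len(deltas) < 2:
        return timedelta(0)
    return max(deltas) - min(deltas)


def assess(events: List[dict],
           widespread_pct: float = 50.0,
           small_subset_pct: float = 20.0,
           tight_window: timedelta = timedelta(minutes=15)) -> str:
    """Apply the article's two heuristics; anything in between needs manual review."""
    share = click_share(events)
    spread = click_spread(events)
    if share >= widespread_pct and spread <= tight_window:
        return "likely false positives"   # widespread and tightly clustered: detonation pattern
    if share <= small_subset_pct and spread > tight_window:
        return "likely genuine clicks"    # few employees, spread over hours: human pattern
    return "inconclusive"


if __name__ == "__main__":
    for label, events in (("A", CAMPAIGN_A), ("B", CAMPAIGN_B)):
        print(f"Campaign {label}: {click_share(events):.0f}% clicked, "
              f"spread {click_spread(events)}, verdict: {assess(events)}")
```

An "inconclusive" verdict is the cue to check the third question above, whether a VPN, DNS filtering or web filtering product in your environment performs link pre-clicking, and to inspect the source IPs in the click evidence directly.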