Some of our customers are reporting “Threat Alerts” from Mimecast stating hackers have exploited KnowBe4 or KnowBe4 domains to send email threats.
This is being sent to Mimecast customers and other non-customers who are members of threat intelligence networks.
The alert sometimes includes a link, and it references KnowBe4 along with another Mimecast competitor. The alert's wording is poor and misleading.
What they are referencing is the fact that attackers sometimes send phishing emails claiming to be from KnowBe4, usually hoping the potential victim clicks on the included malicious link. The included malicious link (and sending email address) will sometimes include the phrase ‘knowbe4.com’ somewhere in an attempt to trick the recipient.
No, KnowBe4 Has NOT Been Exploited!
The alert uses the phrase “exploiting KnowBe4’s legitimate domain”. Exploit is a term commonly used to indicate that a vulnerability was found and utilized by a hacker. In this case, Mimecast should have simply said the attackers were pretending to be from KnowBe4. It is a bit of a stretch to call a phishing email an exploitation. In our definition, that is spoofing, not exploitation. This looks like a novice wrote the alert.
To be clear, in Mimecast’s alert, the domains with the term Knowbe4 in them are not KnowBe4 domains. They are simple look-alike "evil-twin" domains the attackers have created to trick unsuspecting potential victims.
We occasionally see fake KnowBe4 emails sent as if they were really sent by our real domain (e.g., knowbe4.com), but again, these are spoof email addresses and they never pass the normal email checks (e.g., DMARC, SPF, and DKIM). These types of messages, using our real domain name, will fail upon receipt and usually end up in people’s Spam or Junk mail folders.
If you want to learn more about DMARC, SPF, and DKIM, click here.
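As an added example (not part of the original post, and not KnowBe4's or Mimecast's own tooling), here is a small Python triage routine that separates the cases described above: mail from the real knowbe4.com that fails DMARC, look-alike domains that merely contain the brand string, and genuine mail that passes. The sample headers, the `.example` look-alike domains and the confusable-character folding are constructed assumptions.

```python
import re
from email.utils import parseaddr

LEGIT_DOMAIN = "knowbe4.com"
BRAND = "knowbe4"
# Assumed confusable substitutions folded before looking for the brand token (e.g. "kn0wbe4").
CONFUSABLES = str.maketrans({"0": "o", "1": "l"})


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the RFC 5322 From: address."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def auth_verdicts(auth_results: str) -> dict:
    """Pull dmarc=/spf=/dkim= results out of an Authentication-Results header."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(dmarc|spf|dkim)=(\w+)", auth_results, re.I)}


def classify(from_header: str, auth_results: str) -> str:
    """Classify a message by its From: domain and its authentication results."""
    domain = sender_domain(from_header)
    verdicts = auth_verdicts(auth_results)
    is_real = domain == LEGIT_DOMAIN or domain.endswith("." + LEGIT_DOMAIN)
    if is_real:
        # Real domain in From:, so DMARC decides: a spoof of the real domain fails here.
        return "legitimate" if verdicts.get("dmarc") == "pass" else "spoofed-real-domain"
    # Attacker-registered look-alikes can pass DMARC for their own domain, so
    # authentication alone is not enough; check for the brand token instead.
    if BRAND in domain.translate(CONFUSABLES):
        return "lookalike-domain"
    return "unrelated"


# Constructed sample messages (From: header, Authentication-Results header).
SAMPLES = [
    ("KnowBe4 <training@knowbe4.com>", "mx.example.net; dmarc=pass; spf=pass; dkim=pass"),
    ("KnowBe4 <alerts@knowbe4.com>", "mx.example.net; dmarc=fail; spf=fail; dkim=none"),
    ("KnowBe4 Security <noreply@knowbe4-training.example>", "mx.example.net; dmarc=pass; spf=pass; dkim=pass"),
    ("IT Desk <it@kn0wbe4.example>", "mx.example.net; dmarc=pass; spf=pass; dkim=pass"),
    ("HR <hr@example.org>", "mx.example.net; dmarc=pass; spf=pass; dkim=pass"),
]


def triage(samples=SAMPLES) -> list:
    """Return (sender domain, verdict) pairs for a batch of messages."""
    return [(sender_domain(f), classify(f, a)) for f, a in samples]


if __name__ == "__main__":
    for domain, verdict in triage():
        print(f"{domain:32} {verdict}")
```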
It is not unusual for any well-known company to be used in a brand impersonation phishing attack. It is not unusual for the world’s leading human risk management company to be used in phishing lures. We have been used this way for years and consider it a sort of badge of honor that hackers think we are popular enough to be used in brand impersonation.
Even Mimecast has been the victim of brand impersonation (see an example below).
But we did not put out an “urgent threat alert” and claim Mimecast’s brand or domains had been “exploited.” We believe in fair competition, and don’t resort to these tactics.
Your human risk management plan should include an effective security awareness training component that teaches users about brand impersonation, how to recognize it, and how to appropriately mitigate and report it.
It is well understood that not every email is from where it claims to be. In fact, we have built an entire industry around it.