1. On the Hosted Email Security (HES) console, go to Inbound Protection > Policy Objects > Keyword Expressions.

   

2. Create a new keyword expression for KnowBe4. 
   1. Set Match to Any Specified.
   2. Click the Add button.
   3. Enter the following keywords/phrase:
      • KnowBe4
      • This is a phishing security test from KnowBe4 that has been authorized by the recipient organization.
   4. Click Save.

   

3. Go to your policies and select Inbound Protection > Policy.
4. Choose the domain where you want to apply the policy to, and then click Add.

   

5. Under the Basic Information Setting, set a name for your new policy and tick Enable.

   

6. Under the Recipients and Senders, set the following:
   1. In the Recipients section, choose My domains and select from the available domains, then click Add.
   2. In the Senders section, choose Anyone to use any email addresses for a rule, since KnowBe4 uses random email addresses to send its phishing campaign emails.
7. Under the Scanning Criteria, configure the following:
   1. Click Advanced.
   2. Enable the Specified header matches checkbox.
   3. Click keyword expressions link. It will show a new window where you can select the keyword expression you created earlier.

      

   4. Under Specified Header Matches, select Other and type "X-PHISHTEST".
   5. Choose the keyword expression you have created and click Add.
   6. Click Save.

      

8. Under the Actions setting, choose the intercept action to Deliver now.

   

9. Review the summary of your policy. It should look similar below:

   

10. Make this new policy as the first rule on your list of policies in order for it to take precedence before the other policies. Click the up arrow button to move this rule to the top of your policy list.

    

In this case, if the keyword was matched, the email would not go through the rest of the policies and it would get delivered immediately to the end-user. No attachment, URL, or other content will be further checked by HES.

To resolve the issue, deliver KnowBe4 campaigns without scanning the URLs on the test email.

1. On the Trend Micro Email Security (EMS) console, go to Administration > Policy Objects > Keyword Expressions.

   

2. Create/Add a new keyword expression for KnowBe4.
   1. Set Match to Any Specified.
   2. Click the Add button.
   3. Enter the following keywords/phrase:
      • KnowBe4
      • This is a phishing security test from KnowBe4 that has been authorized by the recipient organization.
   4. Click Save.

   

   ^{Click the image to enlarge.}

3. Go to your policies and select Inbound Protection > Content Filtering.
4. Choose the domain where you want to apply the policy to, and then click Add.

   

5. Under the Basic Information Setting, set a name for your new policy and tick Enable.

   

   ^{Click the image to enlarge.}

6. Under the Recipients and Senders, set the following:
   • In the Recipients section, choose My domains and select from the available domains, then click Add.
   • In the Senders section, choose Anyone to use any email addresses for a rule, since KnowBe4 uses random email addresses to send its phishing campaign emails.
7. Under the Scanning Criteria, configure the following:
   1. Click Advanced.
   2. Enable the Specified header matches checkbox.
   3. Click the keyword expressions link. It will show a new window where you can select the keyword expression you created earlier.

      

   4. Under Specified Header Matches, select Other and type "X-PHISHTEST".
   5. Choose the keyword expression you have created and click Add.
   6. Click Save.

      

      ^{Click the image to enlarge.}

8. Under the Actions setting, choose the intercept action to Deliver now, and select To the default mail server.

   

9. Review the summary of your policy. It should look similar to the image below:

   

   ^{Click the image to enlarge.}

10. Once verified, click Submit.
11. Make this new policy the first rule on your list of policies in order for it to take precedence before the other policies. Click the up arrow button to move this rule to the top of your policy list.

    

In this case, if the keyword was matched, the email would not go through the rest of the policies and it would get delivered immediately to the end-user. No attachment, URL, or other content will be further checked by EMS.