KnowBe4 Phish Alert causing malware attachments to save in OLK folder — expected behavior?
Posted by Theitdr@reddit | sysadmin | 10 comments
We’re using Office 365 Exchange and have run into an issue with our phishing reporting tool (KnowBe4).
Whenever a user reports a phishing email, the malware attachment from the original message is being saved to the user’s OLK folder. It then gets quarantined by Cisco Secure Endpoint, but still triggers alerts to our SOC indicating the file originated from the OLK path.
What’s confusing is that multiple users say they never opened or clicked the attachment—they only used the reporting tool.
Is this expected behavior for KnowBe4, or is something misconfigured on our end? Has anyone found a way to prevent or mitigate this?
LeidaStars@reddit
Yeah, this is expected with KnowBe4. The PAB button works through Outlook, so it processes the email locally and can drop attachments into the OLK temp folder even if the user never opened them. Your endpoint tool sees that and fires an alert.
Check Point (Harmony Email) handles it differently. It works via API directly in M365, so everything happens in the cloud. When a user reports something, nothing gets written to the endpoint, no OLK artifacts, no false SOC alerts. Much cleaner from an operations perspective.
We use Guardz at our MSP and it bundles Check Point email security alongside EDR and ITDR in one platform. So the email side stays cloud-native and the identity and endpoint coverage is all in the same dashboard. Cuts down on exactly this kind of cross-tool noise.
Theitdr@reddit (OP)
Thank you for the advice! I'm going to pass this on over to our Security team.
fuckasoviet@reddit
Just spitballing, but I assume it's because Phish Alert is saving a copy of the email with attachments to include in the actual Phish Alert email it sends out to admins.
Unfortunately I'm not seeing a way to disable attachments from being included in the report.
siedenburg2@reddit
I want what KB4 does. It takes the reported mail and sends it as an EML to the report inbox; thanks to that I can check headers etc. Yes, it also copies malware, but it will (hopefully) not be executed.
bbqwatermelon@reddit
I believe it does have the option to detonate in a sandbox; it proudly advertises a CrowdStrike feature for this if I recall correctly.
Theitdr@reddit (OP)
It seems like KnowBe4 drops a copy of the email that was reported in that folder. Thank you for giving me the idea to look in this direction.
Theitdr@reddit (OP)
That could be, and that's what I thought, honestly. It's just weird because even I got hit by the SOC this morning, and I wanted to reach out and see if anyone in the community could explain to me why this would happen even if it's being reported.
Sroni4967@reddit
Yeah, that's normal behavior when Outlook downloads attachments temporarily. Are you seeing actual malware or just test files from KnowBe4 training?
littleko@reddit
This is actually expected-ish behavior. Outlook caches attachments in the OLK temp folder when the add-in (PAB in this case) accesses the message to package it for reporting, even if the user never clicked it. So the user isn't lying.
Best mitigation is whitelisting the OLK path in Cisco Secure Endpoint for the Outlook process specifically, or tuning your SOC alert to suppress when the parent process is outlook.exe and the file gets quarantined anyway.
KnowBe4 has a KB on this IIRC; worth checking their docs because there are some add-in settings around how attachments are handled when reporting.
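One way to implement the SOC-side tuning littleko describes, as an added example that is not from the thread, KnowBe4 or Cisco: the alert field names, the Outlook temp-folder name patterns and the sample alerts are all constructed assumptions, so compare them with what your own EDR actually reports.

```python
import re
from dataclasses import dataclass

# Outlook's secure temp folder is historically named OLK<hex>, and on newer
# builds Content.Outlook\<8 chars>; both patterns are assumptions here.
OUTLOOK_TEMP_RE = re.compile(
    r"\\(OLK[0-9A-F]{1,8}|Content\.Outlook\\[0-9A-Z]{8})\\", re.IGNORECASE
)


@dataclass
class EndpointAlert:
    """Constructed shape of an EDR file alert (field names assumed)."""
    host: str
    parent_process: str  # process that wrote the file
    file_path: str
    action: str  # "quarantined" or "allowed"


def triage(alert: EndpointAlert) -> str:
    """Return 'suppress', 'review' or 'escalate' for one alert."""
    in_outlook_temp = bool(OUTLOOK_TEMP_RE.search(alert.file_path))
    from_outlook = alert.parent_process.lower() == "outlook.exe"
    if alert.action != "quarantined":
        # File is still on disk: never suppress, whatever wrote it.
        return "escalate"
    if in_outlook_temp and from_outlook:
        # Outlook (the PAB add-in packaging the report) staged the attachment
        # and the EDR already contained it: the noise case from the thread.
        return "suppress"
    if in_outlook_temp:
        # Another process writing into Outlook's temp folder is exactly
        # the activity this suppression must not hide.
        return "escalate"
    return "review"


# Constructed sample alerts, not real telemetry.
SAMPLE_ALERTS = [
    EndpointAlert("ws-01", "OUTLOOK.EXE",
                  r"C:\Users\a\AppData\Local\Microsoft\Windows\INetCache"
                  r"\Content.Outlook\AB12CD34\invoice.xlsm", "quarantined"),
    EndpointAlert("ws-02", "outlook.exe",
                  r"C:\Users\b\AppData\Local\Temp\OLK4F2\invoice.xlsm", "allowed"),
    EndpointAlert("ws-03", "explorer.exe",
                  r"C:\Users\c\AppData\Local\Temp\OLK4F2\invoice.xlsm", "quarantined"),
    EndpointAlert("ws-04", "outlook.exe",
                  r"C:\Users\d\Downloads\invoice.xlsm", "quarantined"),
]


def triage_all(alerts=SAMPLE_ALERTS) -> dict:
    """Map each host to its triage decision."""
    return {a.host: triage(a) for a in alerts}
```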
Theitdr@reddit (OP)
I'm going to look into this KB