Created
April 1, 2026 00:09
-
-
Save matt-/906950998ecbcaea4e5a706a118997d8 to your computer and use it in GitHub Desktop.
A google script for gmail to tag KnowBe4 phishing attempts.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /** | |
| * Looks for messages whose Received header contains: | |
| * "from psm.knowbe4.com" | |
| * In Apps Script, enable Advanced Google services: | |
| * Services > Gmail API > On | |
| **/ | |
| function tagKnowBe4Messages() { | |
| const label = getOrCreateLabel_('KnowBe4'); | |
| let pageToken; | |
| do { | |
| const resp = Gmail.Users.Messages.list('me', { | |
| q: 'newer_than:1d -label:KnowBe4', | |
| maxResults: 100, | |
| pageToken: pageToken | |
| }); | |
| const messages = resp.messages || []; | |
| for (const msg of messages) { | |
| const full = Gmail.Users.Messages.get('me', msg.id, {format: 'metadata', metadataHeaders: ['Received']}); | |
| const headers = full.payload?.headers || []; | |
| if(!headers.some(h => h.name && h.name == 'Received' && h.value && h.value.includes('from psm.knowbe4.com'))) continue; | |
| console.log(`KnowBe4: ${full.snippet}`) | |
| const thread = GmailApp.getMessageById(msg.id).getThread(); | |
| label.addToThread(thread); | |
| } | |
| pageToken = resp.nextPageToken; | |
| } while (pageToken); | |
| } | |
| function getOrCreateLabel_(name) { | |
| return GmailApp.getUserLabelByName(name) || GmailApp.createLabel(name); | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment