Note that ALL the items listed below must be implemented; otherwise, simulation emails will not be delivered as expected.
Why Whitelist in Office 365?
Whitelisting ensures our phishing simulation functions without issue. It prevents phishing simulation emails from being automatically moved to the spam folder and prevents users from being notified about potential phishing emails.
Whitelist the Connection Filter Policy
The Office 365 Exchange Connection Filter identifies good or bad source email servers by their IP addresses. The actions below will allow all emails from our IP addresses to be received.
You can whitelist the Connection Filter policy as follows:
- Go to https://security.microsoft.com/antispam
- Click on "Connection filter policy"
- Then click on "Edit connection filter policy"
- Add the IPs from the "Phishing IPs" table in this link, one by one, to the "Always allow messages from the following IP addresses or address range" input.
- Click on the "Save" button. The screenshot below shows how the fields look when populated with multiple IPs; the current list of IP addresses is always the one in the "Phishing IPs" table mentioned above.
- Select the anti-spam inbound policy and add the domains listed in "Phishing domains (Email)" table in this link:
Please make sure all 24 domains are added as in the screenshot below
Whitelist Spam Filtering
All mail systems have spam filtering. As our Phishing Simulation emails are "phishing" by definition, they must be whitelisted in the Microsoft spam filter. The steps below outline how to disable all spam checks for our phishing simulation emails, so that you won't experience issues with emails showing as 100% clicked and 100% opened even if the users don't click on them.
Steps to Whitelist the Spam Filtering
- Go to https://admin.exchange.microsoft.com/#/transportrules
- Click on the plus sign → "Create a new rule"
- Give the rule a name, such as "Coalition Spam Filtering"
- Click on "Apply this rule if → The sender → IP address is in any of these ranges or exactly matches"
- Specify the IP addresses in the field from the "Phishing IPs" table in this link one by one. Please do not forget to click on "Save".
- Click on "Do the following → Modify the message properties → Set a Message Header"
- Click the "Enter text" links to the right of the "Do the following" field and enter these values: "X-MS-Exchange-Organization-BypassClutter" and "true"
- Click on the "+" sign to add another rule action
- Choose "Modify the message properties → Set the spam confidence level (SCL)" and select "Bypass Spam Filtering", which will set the value of SCL to -1
- Click on the "Next" button
- Leave the Set Rule settings as they are, proceed to the Review and Finish window, and save the rule.
- Your final Completed Mail Flow Rule screen should look as below:
Please make sure the rule is Enabled, and priority is set to 0.
Whitelist ATP by email header for mail filtering and safelinks bypass
To configure the mail flow rule to bypass ATP link processing by header:
- Navigate to https://admin.exchange.microsoft.com/#/transportrules
- Create a new rule and name it "Bypass ATP Links" (this is an example name; it can be set as desired).
- In the "Apply this rule if" condition select the message headers and then select "includes any of these words"
- In the Enter text type the header name X-TestPhish.
- In the Enter words type in X-TestPhish (alternatively please enter the value you are using instead of X-TestPhish in the phishing settings)
- In the "Do the following" condition select "Modify the message properties" and "set a message header"
- Insert the following into the "Enter text" fields:
  - Click the first "Enter text..." link and set the message header to X-MS-Exchange-Organization-SkipSafeLinksProcessing
  - Click the second "Enter text..." link and set the value to 1
Please refer to the screenshot below, which illustrates how the configuration should look:
Set the rule settings according to your needs in the next tab, and in the Review and Finish tab, press Finish.
ATP Bypass rule
- Create a new rule and name it "Bypass ATP" (this is an example name; it can be set as desired).
- In the "Apply this rule if" condition select "The sender" and "IP address is in any of these ranges or exactly matches"
- Specify the IP addresses in the field from the "Phishing IPs" table in this link one by one.
- In the Do the following select "modify the message properties" and "set the message header"
- Insert the X-TestPhish value into both settings and press next.
Proceed to finish with the rule creation.
Once finished, please ensure the Coalition filtering rules have the highest priority (if possible).
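An added check, not part of the original article or the vendor's tooling: this PowerShell function compares mail flow rule objects against the three rules described above and reports missing or disabled rules and IP-scoped bypasses whose ranges differ from the vendor list. It assumes the property names returned by Exchange Online's Get-TransportRule and the article's example rule names; the IP addresses are constructed placeholders, since the real list is in the linked "Phishing IPs" table.

```powershell
# Expected settings from the steps above; rule names are the article's example names.
$Expected = @(
    @{ Name = 'Coalition Spam Filtering'; ByIp = $true; Scl = -1; Priority = 0
       Header = 'X-MS-Exchange-Organization-BypassClutter'; Value = 'true' }
    @{ Name = 'Bypass ATP Links'; ByIp = $false
       Header = 'X-MS-Exchange-Organization-SkipSafeLinksProcessing'; Value = '1' }
    @{ Name = 'Bypass ATP'; ByIp = $true; Header = 'X-TestPhish'; Value = 'X-TestPhish' }
)
function Test-SimulationRule {
    param([object[]]$Rules, [string[]]$VendorIps)
    foreach ($e in $Expected) {
        $r = $Rules | Where-Object { $_.Name -eq $e.Name } | Select-Object -First 1
        $issues = @()
        if (-not $r) { $issues += 'rule missing' } else {
            if ("$($r.State)" -ne 'Enabled') { $issues += 'not enabled' }
            if ($null -ne $e.Priority -and $r.Priority -ne $e.Priority) { $issues += "priority is $($r.Priority)" }
            if ($null -ne $e.Scl -and $r.SetSCL -ne $e.Scl) { $issues += 'SCL is not -1' }
            if ("$($r.SetHeaderName)" -ne $e.Header -or "$($r.SetHeaderValue)" -ne $e.Value) { $issues += 'header action differs' }
            if ($e.ByIp) {
                # An IP-scoped bypass should cover the vendor list and nothing else.
                $have = @(@($r.SenderIpRanges) | Where-Object { $_ } | ForEach-Object { "$_" })
                $missing = @($VendorIps | Where-Object { $_ -notin $have })
                $extra = @($have | Where-Object { $_ -notin $VendorIps })
                if ($missing.Count -gt 0) { $issues += "missing IPs: $($missing -join ', ')" }
                if ($extra.Count -gt 0) { $issues += "extra ranges: $($extra -join ', ')" }
            } elseif ("$($r.HeaderContainsMessageHeader)" -ne 'X-TestPhish' -or
                      'X-TestPhish' -notin @($r.HeaderContainsWords)) {
                $issues += 'header condition differs'  # use your own value if not X-TestPhish
            }
        }
        [pscustomobject]@{ Rule = $e.Name; Ok = ($issues.Count -eq 0); Issues = $issues -join '; ' }
    }
}

# Constructed sample with placeholder IPs; in a tenant, pass (Get-TransportRule) instead.
$vendorIps = '192.0.2.10', '192.0.2.11'
$sample = @(
    [pscustomobject]@{ Name = 'Coalition Spam Filtering'; State = 'Enabled'; Priority = 0; SetSCL = -1
        SenderIpRanges = $vendorIps
        SetHeaderName = 'X-MS-Exchange-Organization-BypassClutter'; SetHeaderValue = 'true' }
    [pscustomobject]@{ Name = 'Bypass ATP'; State = 'Disabled'; Priority = 2
        SenderIpRanges = '192.0.2.10', '198.51.100.0/24'
        SetHeaderName = 'X-TestPhish'; SetHeaderValue = 'X-TestPhish' }
)
Test-SimulationRule -Rules $sample -VendorIps $vendorIps | Format-Table -AutoSize -Wrap
```

Rerunning it whenever the vendor's IP table changes also catches stale or over-broad ranges left in a bypass rule.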
Microsoft Defender allowed 3rd party phishing simulations
- In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Advanced delivery in the Rules section.
Alternatively, you can use the following link https://security.microsoft.com/advanceddelivery to navigate directly to the Advanced delivery page.
- In the Advanced delivery menu, navigate to the Phishing simulation tab and press Edit to either add new or configure existing values (refer to the screenshot below).
- On the Edit third-party phishing simulation menu that opens, configure the following settings:
Domain: Insert the phishing (sending) domains specified in the following article's sending domains. Below is a reference screenshot of how it should look on your end:
Sending IP: Insert the IP addresses specified in the following article's "Phishing IPs" table. Below is a reference screenshot of how it should look on your end:
Simulation URLs to allow: Insert the domains specified in the "Phishing domains (Landing Pages)" table in this link. The reference screenshot of how it should look on your end is below:
When you're finished, click Add and then Close if this was a first-time addition; if you were editing existing values, click Save and then Close.
Once all of the above is implemented you should be all set.