This document will cover all aspects of safelisting in Office 365 to allow our simulated phishing emails through.
This guide is split into 3 sections:
- Microsoft Advanced Delivery Phishing Simulation
- Bypassing junk in Office 365
- Bypassing ATP link processing
Please make sure that all 3 sections have been configured within your Office 365 environment. Each section is required to ensure your service is delivered as smoothly as possible. If you experience any problems through the service, one of the first questions we'll want to confirm is whether all of our Guide's instructions were implemented.
The estimated time for completion is 20 minutes.
Microsoft Advanced Delivery Phishing Simulation
This guide takes you through the configuration details to utilise Microsoft’s specific ruleset to allow a 3rd party Phishing Simulation services provider, such as CSA, to safely deliver educational e-mails into your environment.
What do you need to know before you begin?
- You open the Microsoft 365 Defender portal at https://security.microsoft.com. To go directly to the Advanced delivery page, open https://security.microsoft.com/advanceddelivery.
-
You need to be assigned permissions before you can do the procedures in this article:
- To create, modify, or remove configured settings in the advanced delivery policy, you need to be a member of the Security Administrator role group in the Microsoft 365 Defender portal and a member of the Organization Management role group in Exchange Online.
- For read-only access to the advanced delivery policy, you need to be a member of the Global Reader or Security Reader role groups.
For more information, see Permissions in the Microsoft 365 Defender portal and Permissions in Exchange Online.
Use the Microsoft 365 Defender portal to configure third-party phishing simulations in the advanced delivery policy:
- Head to the Microsoft 365 Defender Portal, this can be found by accessing the Office 365 Admin Center > Show all ... > Security.
- In the Microsoft 365 Defender portal, go to Email & Collaboration > Policies & Rules > Threat policies > Advanced delivery in the Rules section. If you do not see Advanced Delivery listed here, you can access it directly by going to "https://security.microsoft.com/advanceddelivery"
- On the Advanced delivery page, select the Phishing simulation tab, and then do one of the following steps:
- Click Edit.
- If there are no existing configured phishing simulations, click Add:
- On the Add third-party phishing simulation option that opens, configure the following settings:
-
Sending domain: Expand this setting and enter each of the below domains by clicking in the box, entering a value, and then pressing Enter or selecting the value that's displayed below the box.
- csatraining.online
- csatraining1.online
- csatraining2.online
- csatraining4.online
- csaphishtest1.co.uk
- csaphishtest2.co.uk
- csalearn.co.uk
- gdpreducation.co.uk
-
Sending IP: Expand this setting and enter the following IPv4 address by pressing Enter after each IP.
- 178.17.44.156
- 178.17.44.157
- 178.17.44.158
- 178.17.44.178
- 178.17.44.181
- 45.157.43.226
- 193.115.202.252
- 193.115.202.248
- Simulation URLs to allow: at this moment in time, this option is not required.
Once completed, it should be the same as below. When you're finished, do one of the following steps:
- First time: Click Add, and then click Close.
- Edit existing: Click Save and then click Close.
The third-party phishing simulation entries that you configured are displayed on the Phishing simulation tab. To make changes, click Edit on the tab.
Scenarios that require additional safelisting
Third-party filters: If your domain's MX record doesn't point to Office 365 (messages are routed through a 3rd party email security solution), you will need to add the above IP addresses and domains to their safelisting configuration. These are solutions such as Mimecast, Proofpoint, Viper, Forcepoint to name just a few.
The CSA Team can provide a safelisting document to assist you with these solutions.
Bypassing Junk in Office 365
These steps explain how to set up an Exchange Mail Flow rule to bypass Junk/Spam Filtering for our Simulated Phishing emails.
- Log into your Office 365 portal and go into Admin > Show All … > Exchange
- Click on the Mail Flow drop-down section and then click on Rules.
- From here, click the + Symbol and create a new "Create a new rule" rule. This will open the New Rule screen.
- Give the rule a name, such as CSA Junk Bypass.
- Select Apply this rule if > The Sender > IP Address is in any of these ranges of exactly matches
- In the pop up box produced (or to edit a current rule, click the drawing pen) , enter the following IP addresses:
- 178.17.44.156
- 178.17.44.157
- 178.17.44.158
- 178.17.44.178
- 178.17.44.181
- 45.157.43.226
- 193.115.202.252
- 193.115.202.248
- Once all 7 IPs have been added, click OK to close the box.
- Under "Do the following" select "Modify the message properties".
- In the next box select "set the spam confidence level (SCL)" & select the score to "-1" which can also be done by via selecting "Bypass spam filtering".
-
- Click the + sign to add an action which will display as "And".
- Select Modify the message properties > Set a message header.
- Set the message header (By clicking on the underlined "*Enter Text")
X-MS-Exchange-Organization-BypassClutter to the value true. - NOTE: Both "X-MS-Exchange-Organization-BypassClutter" and "true" are case sensitive.
Save this.
- Under Properties / Settings of this rule (Edit rule settings):
- "Priority" must be set to 0.
- Make sure the mode for this rule is set to Enforce
- Stop processing more rules should be Disabled/not ticked.
- Click Save. An example of the completed rule is below.
Completed Junk Bypass Rule:
Bypassing ATP Link Processing
The steps below explain how to set up a mail flow rule to bypass ATP link processing:
- Log into your Office 365 portal and go into Admin > Show All ... > Exchange
- Click on the Mail Flow drop-down section and then click on Rules. From here, click the + Symbol and Create a new rule.
- After creating the rule, select More Options..., this is found towards the bottom of the page.
- After creating the rule, select More Options..., this is found towards the bottom of the page.
- Give the rule a name, such as CSA ATP Bypass.
- Select Apply this rule if > The Sender > IP Address is in any of these ranges of exactly matches
- In the box produced, enter the following IP addresses:
- 178.17.44.156
- 178.17.44.157
- 178.17.44.158
- 178.17.44.178
- 178.17.44.181
- 45.157.43.226
- 193.115.202.252
- 193.115.202.248
- Once all 7 IPs have been added, click OK to close the box
- Under Do the following click on Select one > Modify the message properties > set a message header
- Set the message header X-MS-Exchange-Organization-SkipSafeLinksProcessing to 1
- NOTE: The message header is Case Sensitive.
- Under Properties / Settings of this rule (Edit rule settings):
- "Priority" must be set to 1.
- Make sure the mode for this rule is set to Enforce.
- Stop processing more rules should be Enabled/ticked.
- Click Save. An example of the completed rule is below.
Completed ATP Bypass Rule:
Comments
0 comments
Please sign in to leave a comment.