This document will cover all aspects of whitelisting in Office 365 to allow our simulated phishing emails through.
Estimated time for completion is 15 minutes.
Microsoft Advanced Delivery Phishing Simulation
This guide takes you through the configuration details needed to utilise Microsoft's specific ruleset to allow a 3rd party phishing simulation services provider, such as CSA, to safely deliver educational e-mails into your environment.
What do you need to know before you begin?
- You open the Microsoft 365 Defender portal at https://security.microsoft.com. To go directly to the Advanced delivery page, open https://security.microsoft.com/advanceddelivery.
- You need to be assigned permissions before you can do the procedures in this article:
  - To create, modify, or remove configured settings in the advanced delivery policy, you need to be a member of the Security Administrator role group in the Microsoft 365 Defender portal and a member of the Organization Management role group in Exchange Online.
  - For read-only access to the advanced delivery policy, you need to be a member of the Global Reader or Security Reader role groups.
For more information, see Permissions in the Microsoft 365 Defender portal and Permissions in Exchange Online.
Use the Microsoft 365 Defender portal to configure third-party phishing simulations in the advanced delivery policy
- Head to the Microsoft 365 Defender portal, which can be found by accessing the Office 365 Admin Center > Show all ... > Security.
- In the Microsoft 365 Defender portal, go to Email & Collaboration > Policies & Rules > Threat policies > Advanced delivery in the Rules section. If you do not see Advanced Delivery listed here, you can access it directly by going to Advanced delivery - Microsoft 365 security (https://security.microsoft.com/advanceddelivery).
- On the Advanced delivery page, select the Phishing simulation tab, and then do one of the following steps:
  - Click Edit.
  - If there are no existing configured phishing simulations, click Add.
- On the Add third-party phishing simulation option that opens, configure the following settings:
  - Sending domain: Expand this setting and enter each of the below domains by clicking in the box, entering a value, and then pressing Enter or selecting the value that's displayed below the box.
    - csatraining.online
    - csatraining1.online
    - csaphishtest1.co.uk
    - csaphishtest2.co.uk
    - csalearn.co.uk
    - gdpreducation.co.uk
  - Sending IP: Expand this setting and enter the following IPv4 addresses, pressing Enter after each IP.
    - 178.17.44.156
    - 178.17.44.157
    - 178.17.44.158
    - 178.17.44.178
    - 109.108.147.96
    - 109.108.147.136
  - Simulation URLs to allow: at this moment in time, this option is not required.
Once completed, it should be the same as below. When you're finished, do one of the following steps:
- First time: Click Add, and then click Close.
- Edit existing: Click Save and then click Close.
The third-party phishing simulation entries that you configured are displayed on the Phishing simulation tab. To make changes, click Edit on the tab.
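To confirm that the policy still matches this guide after later edits, the check below compares the configured entries with the six domains and six IPs above and flags any range wider than a single host. It is an added example, not CSA or Microsoft code; the helper name Test-PhishSimAllowList is hypothetical, and the sample object is constructed on the assumption that Get-ExoPhishSimOverrideRule returns Domains and SenderIpRanges properties.

```powershell
# Added example. Expected values are the ones listed in this guide.
$ExpectedDomains = 'csatraining.online', 'csatraining1.online', 'csaphishtest1.co.uk',
                   'csaphishtest2.co.uk', 'csalearn.co.uk', 'gdpreducation.co.uk'
$ExpectedIps     = '178.17.44.156', '178.17.44.157', '178.17.44.158',
                   '178.17.44.178', '109.108.147.96', '109.108.147.136'

function Test-PhishSimAllowList {   # hypothetical helper name
    param($Rule, [string[]] $Domains, [string[]] $Ips)
    $findings = @()

    # Domains: report anything extra and anything missing (comparison ignores case)
    $actualDomains = @()
    foreach ($d in $Rule.Domains) {
        $actualDomains += "$d"
        if ("$d" -notin $Domains) { $findings += "Unexpected domain: $d" }
    }
    foreach ($d in $Domains) {
        if ($d -notin $actualDomains) { $findings += "Missing domain: $d" }
    }

    # Sender IPs: the guide lists single hosts only, so CIDR or dashed ranges are drift
    $actualIps = @()
    foreach ($entry in $Rule.SenderIpRanges) {
        $ip = "$entry" -replace '/32$', ''      # a /32 is still a single host
        if ($ip -match '[/-]')       { $findings += "Range wider than one host: $entry" }
        elseif ($ip -notin $Ips)     { $findings += "Unexpected sender IP: $ip" }
        $actualIps += $ip
    }
    foreach ($ip in $Ips) {
        if ($ip -notin $actualIps) { $findings += "Missing sender IP: $ip" }
    }
    $findings
}

# Constructed sample (not real tenant data): one domain swapped, one /24 added
$sample = [pscustomobject]@{
    Domains        = $ExpectedDomains[0..4] + 'example.net'
    SenderIpRanges = $ExpectedIps + '178.17.44.0/24'
}
Test-PhishSimAllowList -Rule $sample -Domains $ExpectedDomains -Ips $ExpectedIps

# Against a live tenant (ExchangeOnlineManagement module, after Connect-ExchangeOnline):
# Get-ExoPhishSimOverrideRule | ForEach-Object {
#     Test-PhishSimAllowList -Rule $_ -Domains $ExpectedDomains -Ips $ExpectedIps }
```

An empty result means the allow list is exactly what this guide specifies.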
Scenarios that require additional whitelisting
Third-party filters: If your domain's MX record doesn't point to Office 365 (messages are routed through a 3rd party email security solution), you will need to add the above IP addresses and domains to that solution's whitelisting configuration. These are solutions such as Mimecast, Proofpoint, Viper and Forcepoint, to name just a few.
The CSA Team can provide a whitelisting document to assist you with these solutions.
Bypassing Junk in Office 365
These steps explain how to set up an Exchange Mail Flow rule to bypass Junk/Spam Filtering for our Simulated Phishing emails.
- Log into your Office 365 portal and go into Admin > Show All ... > Exchange.
- Click on the Mail Flow drop-down section and then click on Rules. From here, click the + symbol and create a new "Bypass Spam Filtering" rule. This will open the New Rule screen.
- Give the rule a name, such as CSA Junk Bypass.
- Select Apply this rule if > The Sender > IP Address is in any of these ranges or exactly matches.
- In the box produced, enter the following IP addresses:
  - 178.17.44.156
  - 178.17.44.157
  - 178.17.44.158
  - 178.17.44.178
  - 109.108.147.96
  - 109.108.147.136
- Once all 6 IPs have been added, click OK to close the box.
- Under Do the following, select add action:
  - Select Modify the message properties > Set a message header.
  - Set the message header (by clicking on the underlined "*Enter Text") X-MS-Exchange-Organization-BypassClutter to the value true.
  - NOTE: Both "X-MS-Exchange-Organization-BypassClutter" and "true" are case sensitive.
- Under Properties of this rule:
  - Make sure the mode for this rule is set to Enforce.
  - Stop processing more rules should also be enabled.
- Click Save. An example of the completed rule is below.
Completed Junk Bypass Rule
Bypassing ATP Link Processing
The steps below explain how to set up a mail flow rule to bypass ATP link processing:
- Log into your Office 365 portal and go into Admin > Show All ... > Exchange.
- Click on the Mail Flow drop-down section and then click on Rules. From here, click the + symbol and create a new rule.
- After creating the rule, select More Options..., which is found towards the bottom of the page.
- Give the rule a name, such as CSA ATP Bypass.
- Select Apply this rule if > The Sender > IP Address is in any of these ranges or exactly matches.
- In the box produced, enter the following IP addresses:
  - 178.17.44.156
  - 178.17.44.157
  - 178.17.44.158
  - 178.17.44.178
  - 109.108.147.96
  - 109.108.147.136
- Once all 6 IPs have been added, click OK to close the box.
- Under Do the following, click on Select one > Modify the message properties > Set a message header.
  - Set the message header X-MS-Exchange-Organization-SkipSafeLinksProcessing to 1.
  - NOTE: The message header is case sensitive.
- Under Properties of this rule:
  - Make sure the mode for this rule is set to Enforce.
  - Stop processing more rules should also be disabled.
- Click Save. An example of the completed rule is below.
Completed ATP Bypass Rule
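Both mail flow rules above can be checked against this guide with the script below, which compares header name and value case-sensitively and confirms the mode, the stop-processing setting and the sender IP scope. It is an added example, not CSA or Microsoft code; the helper name Test-BypassRule is hypothetical, and the sample rules are constructed to mirror the Get-TransportRule properties SenderIpRanges, SetHeaderName, SetHeaderValue, Mode and StopRuleProcessing.

```powershell
# Added example. Expected values are taken from the two procedures in this guide.
$Ips = '178.17.44.156', '178.17.44.157', '178.17.44.158',
       '178.17.44.178', '109.108.147.96', '109.108.147.136'
$Expected = @(
    @{ Name = 'CSA Junk Bypass'; Header = 'X-MS-Exchange-Organization-BypassClutter'
       Value = 'true'; Stop = $true }
    @{ Name = 'CSA ATP Bypass'; Header = 'X-MS-Exchange-Organization-SkipSafeLinksProcessing'
       Value = '1'; Stop = $false }
)

function Test-BypassRule {   # hypothetical helper name
    param($Rule, [hashtable] $Want, [string[]] $AllowedIps)
    if (-not $Rule) { return "$($Want.Name): rule not found" }
    $f = @()
    # -cne is case-sensitive, matching the guide's notes on header case
    if ("$($Rule.SetHeaderName)" -cne $Want.Header) { $f += "header name is '$($Rule.SetHeaderName)'" }
    if ("$($Rule.SetHeaderValue)" -cne $Want.Value) { $f += "header value is '$($Rule.SetHeaderValue)'" }
    if ("$($Rule.Mode)" -ne 'Enforce') { $f += "mode is '$($Rule.Mode)', expected Enforce" }
    if ([bool]$Rule.StopRuleProcessing -ne $Want.Stop) { $f += 'stop-processing setting differs' }

    # The bypass must apply to the six listed sender IPs and nothing else
    $actual = @()
    foreach ($r in $Rule.SenderIpRanges) { $actual += "$r" -replace '/32$', '' }
    foreach ($ip in $actual)     { if ($ip -notin $AllowedIps) { $f += "unexpected sender IP $ip" } }
    foreach ($ip in $AllowedIps) { if ($ip -notin $actual)     { $f += "missing sender IP $ip" } }

    foreach ($item in $f) { "$($Want.Name): $item" }
}

# Constructed samples (not real tenant data): the first rule is correct, the second
# has a lower-cased header name, Audit mode and one extra documentation-range IP.
$rules = @(
    [pscustomobject]@{ Name = 'CSA Junk Bypass'; SenderIpRanges = $Ips; Mode = 'Enforce'
        SetHeaderName = 'X-MS-Exchange-Organization-BypassClutter'; SetHeaderValue = 'true'
        StopRuleProcessing = $true }
    [pscustomobject]@{ Name = 'CSA ATP Bypass'; SenderIpRanges = $Ips + '203.0.113.10'; Mode = 'Audit'
        SetHeaderName = 'x-ms-exchange-organization-skipsafelinksprocessing'; SetHeaderValue = '1'
        StopRuleProcessing = $false }
)
# Live tenant: replace the samples with  $rules = Get-TransportRule  (after Connect-ExchangeOnline)

foreach ($w in $Expected) {
    Test-BypassRule -Rule ($rules | Where-Object Name -eq $w.Name) -Want $w -AllowedIps $Ips
}
```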