Email Whitelisting – Defender Advanced Delivery

0
8
0
Attack Simulations

This section ensures attack simulation emails can be successfully delivered to your end-users. The following applies to Microsoft 365 Defender, Microsoft Defender for Office 365 and Microsoft Exchange Online Protection (EOP).

An Advanced Delivery Policy must be created in Microsoft 365 to prevent simulation emails from being automatically classified such as high confidence phish and quarantined.

If your organization does not use Microsoft 365, or to whitelist for more advanced use-cases, follow rules as outlined here.

The phishing simulation domains to be whitelisted can be obtained from the Settings > Simulation Domains section of the OutThink Command Centre. Alternatively, contact your Customer Success Representative.

Configuring Defender Advanced Delivery Policy

Follow the below instructions to configure a Defender Advanced Delivery Policy. Refer to the Microsoft documentation for further details, or to configure using Powershell instead.

  1. Login to the Microsoft 365 Defender Portal at https://security.microsoft.com/.
  2. Navigate to Email & Collaboration -> Policies & rules -> Threat policies -> Advanced delivery -> Phishing simulation.
    (You can navigate directly here using https://security.microsoft.com/advanceddelivery?viewid=PhishingSimulation).
  3. If there are no existing Phishing simulations configured, click Add. Otherwise click Edit
  4. In the Add Third Party Phishing Simulations flyout that appears, configure the following settings:
    • Domain:
      Click Expand icon and ensure every OutThink phishing simulation domain is listed.
      For example, for the domain phish-domain.com, enter mail.phish-domain.com.

    • Sending IP:
      Click Expand icon and ensure the IP Addresses of the OutThink phishing simulation mail servers are listed, as follows:

      147.253.222.115
      199.15.227.83
    • Simulation URLs to allow:
      Add a simulation URL in the following format for every simulation domain.
      For example, for the domain phish-domain.com, enter phish-domain.com/*.

  5. When finished, click Add.

Troubleshooting

Following the configuration of whitelisting rules in Microsoft Defender as shown in this article, it is still possible that emails are still being delivered to junk or spam.

If you use a third-party firewall, such as Proofpoint or Mimecast, the IP address from which the phishing emails originate may be rewritten, causing the emails to appear to come from a different IP address than the one you whitelisted.

Change Log

New IP Address – Updated September 2023

The following IP Address has been added for future compatibility. If you have not already included this IP Address in the whitelisting rules above, please do so.

199.15.227.83

Banner photo by Markus Spiske

Was this helpful?

8 / 0