Whitelisting in Microsoft 365

Note
This description is based on the status of the Microsoft 365 Portal in June 2023. Changes to the user interface on the part of Microsoft are possible at any time and must be taken into account accordingly in the implementation.
All information without warranty.

Configuration of Whitelisting for Awareness PLUS in Microsoft 365 (former: Office365)

Last adaption: 06.2023

New:

Re-arrangement of the configuration steps
New sections:
- Advanced delivery for Microsoft 365 Defender
- Secure links in Microsoft 365 Defender
- Configure spoof intelligence
- Whitelisting of technical senders
- Exchange Online Protection spam filter and clutter folder

notempty

This article refers to a Resellerpreview

-

Whitelisting

In order to ensure that the simulated phishing emails from the Awareness PLUS training are not blocked by the Microsoft mail server or Microsoft Defender, whitelisting must be configured at various points.
The individual steps should be performed in the given order.

Basic configuration

Advanced delivery for phishing simulations for Microsoft 365 Defender

Fig.1

Log in to the MS365 portal at https://login.microsoftonline.com

Fig.2

Menu Security

Fig.3

Menu Policies and rules

AWP MS365 Menu Bedrohungsrichtlinien-en.png

Fig.4

Menu Threat policies

AWP MS365 Defender Menü Erweiterte Zustellung-en.png

Fig.5

Menu Advanced delivery

AWP MS365 Defender SecOps-Postfach Simulation-en.png

Fig.6

Click on Phishing-Simulation and then on Edit to add entries.

AWP MS365 Defender Drittanbieter-Phishing-Simulation bearbeiten-en.png

Fig.7

Enter the domain of the technical sender here (the entire part following the "@" of the email address, e.g. admin@ttt-point.de → ttt-point.de).
Enter the IPv4 addresses (Listing of all used addresses).

Enter the Simulations-URLs used in the phishing links into the field. The format for entering the URLs is "anyideas.de".

Then Add

Microsoft 365 Defender warning

The domains used in the phishing simulation can be stored in Microsoft 365 Defender (formerly Advanced Threat Protection - ATP) so that no warning message is displayed.

Set up secure links in Microsoft 365 Defender

Fig.1

Login to Microsoft
Select menu Security

Fig.2

Policies and Rules tab

Fig.3

Click the Threat Policy button

AWP MS365 Menu Bedrohungsrichtlinien Sichere-Links-en.png

Fig.4

Click on Safe Links

AWP Defender Ihre Richtlinie bennen-en.png

Fig.5

Assign a Name and a Description if necessary

AWP Defender Benutzer und Domänen-en.png

Fig.6

Specify the domain of your own organization as the recipient domain

AWP Defender URL und Klick-Schutzeinstellungen-en.png

Fig.7

Selects that URLs can be rewritten
User clicks should be trackable
Users should be able to click through to the original URL
Click on Manage 0 URLs

AWP Defender URLS verwalten oder hinzufügen-en.png

Fig.8

Select Add URLs button

AWP Defender Benutzerdefinierte URL eingeben-en.png

Fig.9

Enter URLs that are located under "Simulation" → "Whitelisting" → "List of used domains in phishing links". Keep to the format https://domain/*.

Configure spoof intelligence

Fig.1

Log in to the MS365 portal at https://login.microsoftonline.com

Fig.2

Menu Security

Fig.3

Menu Policies and rules

Fig.4

Menu Threat policies

AWP MS365 Defender Menü Mandatenzulassungsliste-en.png

Fig.5

Tenant allow/block list menu

AWP MS365 Defender Menü Mandatenzulassungsliste hinzufügen-en.png

Fig.6

Click Block button

AWP MS365 Defender Spoofing Domanes eintragen-en.png

Fig.7

The first value must be the spoofed user (display name in the e-mail), which can be found under: Choose tenant, in the column "Sender".
Second value (separated by a comma) must be the IPv4 address as from Whitelisting. Since there are multiple IP addresses, a complete entry for a spoofed user looks like this:

user1@Anyideas.de, first IPv4 address
user1@Anyideas.de, second IPv4 address
user1@Anyideas.de, third IPv4 address

The Spoof type must be "Internal" and the Action must be set to "Allow".

Further steps

If the above instructions for whitelisting Microsoft products are not sufficient, the following additional steps may help:

Bypass spam and clutter filters in exchange

Fig.1

Log in to the MS365 portal at https://login.microsoftonline.com

Fig.2

Menu Security

Fig.3

Menu Exchange message-trace

Fig.4

Expand menu Mail flow and select submenu rules

AWP MS365 Menu Exchange Regeln hinzufügen-en.png

Fig.5

Click on the Add a rule button
Select Create a new rule from the drop-down menu

AWP MS365 Menu Exchange Regel anlegen-en.png

Fig.6

Assign a unique name for the rule (here: Avoid spam and clutter filters
In the drop-down menu Apply this rule when..., select the entry The Sender
In the drop-down menu, select the entry IP is in one of these ranges or equals
Click on Enter words

Fig.7

Enter the IP adress(es) from the section Whitelisting phishing simulation and confirm with OK. In the figure are example IPs that are not used!

Fig.8

In the drop-down menu Proceed as follows: select the entry Change message properties
then select in the next menu Set message header

Exchange Spam-Clutter Regel Nachrichtenkopf festlegen-en.png

Fig.9

Enter the following values

Message-header (1): X-MS-Exchange-Organization-BypassClutter
Value (2): true

Exchange Regel Aktion SCL-Bewertung-en.png

Fig.10

Click for Proceed as follows
Select the entry Modify the message properties in the drop-down menu
Select the entry Set SCL-Rating (Spam Confidence Level) in the submenu

Exchange Regel Spamfilterung umgehen-en.png

Fig.11

Select the Bypass spam filtering option
Close the window with Save

AWP Exchange Regel Spamfilterung abgeschlossen-en.png

Fig.12

Click on Next
The bypassing of the spam and cutter filter is thus completed

Setting up the IP permission list

Fig.1

Log in to the MS365 portal at https://login.microsoftonline.com

Fig.2

Menu Security

Fig.3

Menu Policies and rules

Fig.4

Menu Threat policies

Fig.5

Menu Anti-spam

AWP MS365 Menu Verbindungsrichtlinie-en.png

Fig.6

Click on the entry Connection filter policy

AWP MS365 Menu Verbindungsrichtlinie bearbeiten-en.png

Fig.7

Click on the link Connection filter policy

AWP MS365 Menu Verbindungsrichtlinie IP-Adressen-en.png

Fig.8

Enter the IP adress(es) from the section Whitelisting phishing simulation and confirm with Save. In the figure are example IPs that are not used!

Fig.9

Ready permission list

Setting up technical senders

Fig.1

Log in to the MS365 portal at https://login.microsoftonline.com

Fig.2

Menu Security

Fig.3

Menu Guidelines and rules

Fig.4

Menu Threat policies

Fig.6

Menu Anti-spam

AWP MS365 Antispam-Einrichtungslinie Standard-en.png

Fig.7

Click on the entry Antispam Setup Line (Default)

Fig.8

In the pop-up window, click on Edit allowed and blocked senders and domains

AWP MS365 Zugelassene-blockierte-Absender-Domänen Absender-en.png

Fig.9

Under Sender(x) click on Manage x senders

AWP MS365 Zulässige-Absender-verwalten-en.png

Fig.10

Click on Add senders in the Manage Allowed Senders window

Fig.11

Enter the e-mail address of the technical sender from the section Whitelisting phishing simulation.
Click on Add senders to save the entries.

If the mails still end up in the quarantine, the displayed sender (e.g. sender@anyideas.de) must be entered in addition to the technical sender. </li

Bypass junk filter

Another rule is needed to bypass the junk filter

Fig.1

Log in to the MS365 portal at https://login.microsoftonline.com

Fig.2

Menu Security

Fig.3

Menu Exchange message-trace

Fig.4

Expand menu Mail flow and select submenu rules

Fig.5

Click on Add a rule
Click on Create New Rule in the drop-down menu

Fig.6

Assign a unique name for the rule (here i.g.: Bypass Junk Filter by IP Address )
Select the sender for Apply this rule if
Select IP adress is in any of these ranges or exactly matches
Click on Enter words. For that see next figure