Jump to:navigation, search
Wiki
































  • Note
    This description is based on the status of the Microsoft 365 Portal in June 2023. Changes to the user interface on the part of Microsoft are possible at any time and must be taken into account accordingly in the implementation.
    All information without warranty.
  • De.png
    En.png
    Fr.png








    Configuration of Whitelisting for Awareness PLUS in Microsoft 365  (former: Office365)
    Last adaption: 06.2023
    New:
    • Re-arrangement of the configuration steps
    • New sections:
      • Advanced delivery for Microsoft 365 Defender
      • Secure links in Microsoft 365 Defender
      • Configure spoof intelligence
      • Whitelisting of technical senders
      • Exchange Online Protection spam filter and clutter folder
    notempty
    This article refers to a Resellerpreview
    -


    Whitelisting
    In order to ensure that the simulated phishing emails from the Awareness PLUS training are not blocked by the Microsoft mail server or Microsoft Defender, whitelisting must be configured at various points.
    The individual steps should be performed in the given order.


    Basic configuration





























    Advanced delivery for phishing simulations for Microsoft 365 Defender

    AWP MS365 Anmeldung-en.png
    Fig.1
    Log in to the MS365 portal at https://login.microsoftonline.com
    AWP MS365 Menu Sicherheit-en.png
    Fig.2
    Menu Security
    AWP MS365 Menu Richtlinien-en.png
    Fig.3
    Menu Policies and rules
    AWP MS365 Menu Bedrohungsrichtlinien-en.png
    Fig.4
    Menu Threat policies
    AWP MS365 Defender Menü Erweiterte Zustellung-en.png
    Fig.5
    Menu Advanced delivery
    AWP MS365 Defender SecOps-Postfach Simulation-en.png
    Fig.6
    Click on Phishing-Simulation and then on Edit to add entries.
    AWP MS365 Defender Drittanbieter-Phishing-Simulation bearbeiten-en.png
    Fig.7
    Enter the domain of the technical sender here (the entire part following the "@" of the email address, e.g. admin@ttt-point.de → ttt-point.de).
    Enter the IPv4 addresses (Listing of all used addresses).


    Enter the Simulations-URLs used in the phishing links into the field. The format for entering the URLs is "anyideas.de".

    Then Add








































    Microsoft 365 Defender warning

    The domains used in the phishing simulation can be stored in Microsoft 365 Defender (formerly Advanced Threat Protection - ATP) so that no warning message is displayed.

    Set up secure links in Microsoft 365 Defender

    AWP MS365 Menu Sicherheit-en.png
    Fig.1
    AWP MS365 Menu Richtlinien-en.png
    Fig.2
    Policies and Rules tab
    AWP MS365 Menu Bedrohungsrichtlinien-en.png
    Fig.3
    Click the Threat Policy button
    AWP MS365 Menu Bedrohungsrichtlinien Sichere-Links-en.png
    Fig.4
    Click on Safe Links
    AWP Defender Ihre Richtlinie bennen-en.png
    Fig.5
    Assign a Name and a Description if necessary
    AWP Defender Benutzer und Domänen-en.png
    Fig.6
    Specify the domain of your own organization as the recipient domain
    AWP Defender URL und Klick-Schutzeinstellungen-en.png
    Fig.7
    1. Selects that URLs can be rewritten
    2. User clicks should be trackable
    3. Users should be able to click through to the original URL
    4. Click on Manage 0 URLs
    AWP Defender URLS verwalten oder hinzufügen-en.png
    Fig.8
    Select Add URLs button
    AWP Defender Benutzerdefinierte URL eingeben-en.png
    Fig.9
    Enter URLs that are located under "Simulation" → "Whitelisting" → "List of used domains in phishing links". Keep to the format https://domain/*.








































    Configure spoof intelligence

    AWP MS365 Anmeldung-en.png
    Fig.1
    Log in to the MS365 portal at https://login.microsoftonline.com
    AWP MS365 Menu Sicherheit-en.png
    Fig.2
    Menu Security
    AWP MS365 Menu Richtlinien-en.png
    Fig.3
    Menu Policies and rules
    AWP MS365 Menu Bedrohungsrichtlinien-en.png
    Fig.4
    Menu Threat policies
    AWP MS365 Defender Menü Mandatenzulassungsliste-en.png
    Fig.5
    Tenant allow/block list menu
    AWP MS365 Defender Menü Mandatenzulassungsliste hinzufügen-en.png
    Fig.6
    Click Block button
    AWP MS365 Defender Spoofing Domanes eintragen-en.png
    Fig.7
    The first value must be the spoofed user (display name in the e-mail), which can be found under: Choose tenantSosafe-Home.svg Start page Sosafe-dropdown.svg Simulation Sosafe-check-badge.svgSosafe-check-circle.svg Email Templates , in the column "Sender".
    Second value (separated by a comma) must be the IPv4 address as from Whitelisting. Since there are multiple IP addresses, a complete entry for a spoofed user looks like this:
    • user1@Anyideas.de, first IPv4 address
    • user1@Anyideas.de, second IPv4 address
    • user1@Anyideas.de, third IPv4 address

    The Spoof type must be "Internal" and the Action must be set to "Allow".











    Further steps

    If the above instructions for whitelisting Microsoft products are not sufficient, the following additional steps may help:






























    Bypass spam and clutter filters in exchange

    AWP MS365 Anmeldung-en.png
    Fig.1
    Log in to the MS365 portal at https://login.microsoftonline.com
    AWP MS365 Menu Sicherheit-en.png
    Fig.2
    Menu Security
    AWP MS365 Menu Exchange-en.png
    Fig.3
    Menu Exchange message-trace
    AWP MS365 Menu Exchange Regeln-en.png
    Fig.4
    Expand menu Mail flow and select submenu rules
    AWP MS365 Menu Exchange Regeln hinzufügen-en.png
    Fig.5
    • Click on the Add a rule button
    • Select Create a new rule from the drop-down menu
    AWP MS365 Menu Exchange Regel anlegen-en.png
    Fig.6
    • Assign a unique name for the rule (here: Avoid spam and clutter filters
    • In the drop-down menu Apply this rule when..., select the entry The Sender
    • In the drop-down menu, select the entry IP is in one of these ranges or equals
    • Click on Enter words
    Exchange Regel IP-Adressen-en.png
    Fig.7
    Enter the IP adress(es) from the section Whitelisting phishing simulation and confirm with OK. In the figure are example IPs that are not used!
    Exchange Regel Nachrichtenkopf-en.png
    Fig.8
    • In the drop-down menu Proceed as follows: select the entry Change message properties
    • then select in the next menu Set message header
    Exchange Spam-Clutter Regel Nachrichtenkopf festlegen-en.png
    Fig.9
    Enter the following values
    • Message-header (1): X-MS-Exchange-Organization-BypassClutter
    • Value (2): true
    Exchange Regel Aktion SCL-Bewertung-en.png
    Fig.10
    • Click for Proceed as follows
    • Select the entry Modify the message properties in the drop-down menu
    • Select the entry Set SCL-Rating (Spam Confidence Level) in the submenu
    Exchange Regel Spamfilterung umgehen-en.png
    Fig.11
    • Select the Bypass spam filtering option
    • Close the window with Save
    AWP Exchange Regel Spamfilterung abgeschlossen-en.png
    Fig.12
    • Click on Next
    • The bypassing of the spam and cutter filter is thus completed







































    Setting up the IP permission list

    AWP MS365 Anmeldung-en.png
    Fig.1
    Log in to the MS365 portal at https://login.microsoftonline.com
    AWP MS365 Menu Sicherheit-en.png
    Fig.2
    Menu Security
    AWP MS365 Menu Richtlinien-en.png
    Fig.3
    Menu Policies and rules
    AWP MS365 Menu Bedrohungsrichtlinien-en.png
    Fig.4
    Menu Threat policies
    AWP MS365 Menu Antispam-en.png
    Fig.5
    Menu Anti-spam
    AWP MS365 Menu Verbindungsrichtlinie-en.png
    Fig.6
    Click on the entry Connection filter policy
    AWP MS365 Menu Verbindungsrichtlinie bearbeiten-en.png
    Fig.7
    Click on the link Connection filter policy
    AWP MS365 Menu Verbindungsrichtlinie IP-Adressen-en.png
    Fig.8
    Enter the IP adress(es) from the section Whitelisting phishing simulation and confirm with Save. In the figure are example IPs that are not used!
    AWP MS365 Menu Zulassungsliste-en.png
    Fig.9
    Ready permission list








































    Setting up technical senders

    AWP MS365 Anmeldung-en.png
    Fig.1
    Log in to the MS365 portal at https://login.microsoftonline.com
    AWP MS365 Menu Sicherheit-en.png
    Fig.2
    Menu Security
    AWP MS365 Menu Richtlinien-en.png
    Fig.3
    Menu Guidelines and rules
    AWP MS365 Menu Bedrohungsrichtlinien-en.png
    Fig.4
    Menu Threat policies
    AWP MS365 Menu Antispam-en.png
    Fig.6
    Menu Anti-spam
    AWP MS365 Antispam-Einrichtungslinie Standard-en.png
    Fig.7
    Click on the entry Antispam Setup Line (Default)
    AWP MS365 Popup zugelassene-blockierte-Absender-Domänen-en.png
    Fig.8
    In the pop-up window, click on Edit allowed and blocked senders and domains
    AWP MS365 Zugelassene-blockierte-Absender-Domänen Absender-en.png
    Fig.9
    Under Sender(x) click on Manage x senders
    AWP MS365 Zulässige-Absender-verwalten-en.png
    Fig.10
    Click on Add senders in the Manage Allowed Senders window
    AWP MS365 Sender-hinzufügen-en.png
    Fig.11
    Enter the e-mail address of the technical sender from the section Whitelisting phishing simulation.
    Click on Add senders to save the entries.
  • If the mails still end up in the quarantine, the displayed sender (e.g. sender@anyideas.de) must be entered in addition to the technical sender. </li





































  • Bypass junk filter

    Another rule is needed to bypass the junk filter

    AWP MS365 Anmeldung-en.png
    Fig.1
    Log in to the MS365 portal at https://login.microsoftonline.com
    AWP MS365 Menu Sicherheit-en.png
    Fig.2
    Menu Security
    AWP MS365 Menu Exchange-en.png
    Fig.3
    Menu Exchange message-trace
    AWP MS365 Menu Exchange Regeln-en.png
    Fig.4
    Expand menu Mail flow and select submenu rules
    AWP MS365 Menu Exchange Regeln hinzufügen-en.png
    Fig.5
    • Click on Add a rule
    • Click on Create New Rule in the drop-down menu
    AWP Echange Junkregel anlegen-en.png
    Fig.6
    • Assign a unique name for the rule (here i.g.: Bypass Junk Filter by IP Address )
    • Select the sender for Apply this rule if
    • Select IP adress is in any of these ranges or exactly matches
    • Click on Enter words. For that see next figure
    Exchange Regel IP-Adressen-en.png
    Fig.7
    Enter the IP adress(es) from the section Whitelisting phishing simulation and confirm with OK. In the figure are example IPs that are not used!
    AWP Exchange Junkregel Nachrichtenkopf-en.png
    Fig.8
    • Select Modify the message properties in Do the following
    • Select set a message header
    • Enter the header message (3) and the value (4) by clicking on Enter text
    Exchange Regel Nachrichtenkopf festlegen-en.png
    Fig.9
    Enter the following values:
    • For message header (1): x-Forefront-Antispam-Report
    • For Value (2): SFV:SKI;
    • Then click on Next
    AWP MS365 Exchange Junkregel Schritt2-en.png
    Fig.10
    • For Rule mode Enforce is selected
    • At Severity Not specified is sufficient
    • At will can be set between which times this rule should be active
    AWP MS365 Exchange Junkregel Schritt3-en.png
    Fig.11
    Check if the settings are correct and then click Finish