This description is based on the status of the Microsoft 365 Portal in June 2023. Changes to the user interface on the part of Microsoft are possible at any time and must be taken into account accordingly in the implementation.
All information without warranty.
Configuration of Whitelisting for Awareness PLUS in Microsoft 365 (former: Office365)
Last adaption: 02.2025
New:
- Konfiguration der Spoofingintelligenz für IP-Range ergänzt
- Re-arrangement of the configuration steps
- New sections:
- Advanced delivery for Microsoft 365 Defender
- Secure links in Microsoft 365 Defender
- Configure spoof intelligence
- Whitelisting of technical senders
- Exchange Online Protection spam filter and clutter folder
This article refers to a Resellerpreview
-
Whitelisting
In order to ensure that the simulated phishing emails from the Awareness PLUS training are not blocked by the Microsoft mail server or Microsoft Defender, whitelisting must be configured at various points.
The individual steps should be performed in the given order.
The individual steps should be performed in the given order.
Basic configuration
Advanced delivery for phishing simulations for Microsoft 365 Defender
Fig.1
Log in to the MS365 portal at https://login.microsoftonline.com
Fig.2
Menu Security
Fig.3
Menu Policies and rules
Fig.4
Menu Threat policies
Fig.5
Menu Advanced delivery
Fig.6
Click on Phishing-Simulation and then on Edit to add entries.
Fig.7
Enter the domain of the technical sender here (the entire part following the "@" of the email address, e.g. admin@ttt-point.de → ttt-point.de).
Enter the IPv4 addresses (Listing of all used addresses).
Enter the IPv4 addresses (Listing of all used addresses).
Enter the Simulations-URLs used in the phishing links into the field. The format for entering the URLs is "anyideas.de".
The domains used in the phishing simulation can be stored in Microsoft 365 Defender (formerly Advanced Threat Protection - ATP) so that no warning message is displayed.
Set up secure links in Microsoft 365 Defender
Fig.1
- Login to Microsoft
- Select menu Security
Fig.2
Policies and Rules tab
Fig.3
Click the Threat Policy button
Fig.4
Click on Safe Links
Fig.5
Assign a Name and a Description if necessary
Fig.6
Specify the domain of your own organization as the recipient domain
Fig.7
- Selects that URLs can be rewritten
- User clicks should be trackable
- Users should be able to click through to the original URL
- Click on Manage 0 URLs
Fig.8
Select Add URLs button
Fig.9
Enter URLs that are located under "Simulation" → "Whitelisting" → "List of used domains in phishing links". Keep to the format https://domain/*.
Configure spoof intelligence
Fig.1
Log in to the MS365 portal at https://login.microsoftonline.com
Fig.2
Menu Security
Fig.3
Menu Policies and rules
Fig.4
Menu Threat policies
Fig.5
Tenant allow/block list menu
Fig.6
Click Block button
Fig.7
- 1. Wert: Der Einfachheit halber kann ein * als Wildcard verwendet werden
- 2. Wert: (getrennt durch ein Komma) Die IPv4-Adresse wie im Whitelisting
- Falls im Whitelisting mehrere IP-Adressen zu sehen sind, muss für jede IP-Adresse eine Zeile geschrieben werden.
- Falls eine IP-Range zu sehen ist, müssen alle IP-Adressen aus dieser Range (exklusive der Netzwerk- und Broadcast-Adresse) hinzugefügt werden. Für die IP-Range 18.153.184.0/27 müssen die folgenden Einträge hinzugefügt werden:also der ersten und letzten Adresse
*, 18.153.184.1
*, 18.153.184.2
*, 18.153.184.3
*, 18.153.184.4
*, 18.153.184.5
*, 18.153.184.6
*, 18.153.184.7
*, 18.153.184.8
*, 18.153.184.9
*, 18.153.184.10
*, 18.153.184.11
*, 18.153.184.12
*, 18.153.184.13
*, 18.153.184.14
*, 18.153.184.15
*, 18.153.184.16
*, 18.153.184.17
*, 18.153.184.18
*, 18.153.184.19
*, 18.153.184.20 *, 18.153.184.21
*, 18.153.184.22
*, 18.153.184.23
*, 18.153.184.24
*, 18.153.184.25
*, 18.153.184.26
*, 18.153.184.27
*, 18.153.184.28
*, 18.153.184.29
*, 18.153.184.30 - Spoof-Typ Intern
- Aktion Zulassen
- Schaltfläche klicken
- Es sind max. 20 Einträge pro Speichervorgang möglich
Further steps
If the above instructions for whitelisting Microsoft products are not sufficient, the following additional steps may help:
Bypass spam and clutter filters in exchange
Fig.1
Log in to the MS365 portal at https://login.microsoftonline.com
Fig.2
Menu Security
Fig.3
Menu Exchange message-trace
Fig.4
Expand menu Mail flow and select submenu rules
Fig.5
- Click on the Add a rule button
- Select Create a new rule from the drop-down menu
Fig.6
- Assign a unique name for the rule (here: Avoid spam and clutter filters
- In the drop-down menu Apply this rule when..., select the entry
- In the drop-down menu, select the entry
- Click on Enter words
Fig.7
Enter the IP adress(es) from the section Whitelisting phishing simulation and confirm with . In the figure are example IPs that are not used!
Fig.8
- In the drop-down menu Proceed as follows: select the entry
- then select in the next menu
Fig.9
Enter the following values
- Message-header (1): X-MS-Exchange-Organization-BypassClutter
- Value (2): true
Fig.10
- Click for Proceed as follows
- Select the entry in the drop-down menu
- Select the entry in the submenu
Fig.11
- Select the option
- Close the window with
Fig.12
- Click on
- The bypassing of the spam and cutter filter is thus completed
Setting up the IP permission list
Fig.1
Log in to the MS365 portal at https://login.microsoftonline.com
Fig.2
Menu Security
Fig.3
Menu Policies and rules
Fig.4
Menu Threat policies
Fig.5
Menu Anti-spam
Fig.6
Click on the entry Connection filter policy
Fig.7
Click on the link Connection filter policy
Fig.8
Enter the IP adress(es) from the section Whitelisting phishing simulation and confirm with Save. In the figure are example IPs that are not used!
Fig.9
Ready permission list
Setting up technical senders
Fig.1
Log in to the MS365 portal at https://login.microsoftonline.com
Fig.2
Menu Security
Fig.3
Menu Guidelines and rules
Fig.4
Menu Threat policies
Fig.6
Menu Anti-spam
Fig.7
Click on the entry Antispam Setup Line (Default)
Fig.8
In the pop-up window, click on Edit allowed and blocked senders and domains
Fig.9
Under Sender(x) click on Manage x senders
Fig.10
Click on Add senders in the Manage Allowed Senders window
Fig.11
Enter the e-mail address of the technical sender from the section Whitelisting phishing simulation.
Click on to save the entries.If the mails still end up in the quarantine, the displayed sender (e.g. sender@anyideas.de) must be entered in addition to the technical sender. </li
Click on to save the entries.
Bypass junk filter
Another rule is needed to bypass the junk filter
Fig.1
Log in to the MS365 portal at https://login.microsoftonline.com
Fig.2
Menu Security
Fig.3
Menu Exchange message-trace
Fig.4
Expand menu Mail flow and select submenu rules
Fig.5
- Click on Add a rule
- Click on Create New Rule in the drop-down menu
Fig.6
- Assign a unique name for the rule (here i.g.: Bypass Junk Filter by IP Address )
- Select for Apply this rule if
- Select
- Click on Enter words. For that see next figure
Fig.7
Enter the IP adress(es) from the section Whitelisting phishing simulation and confirm with . In the figure are example IPs that are not used!
Fig.8
- Select in Do the following
- Select
- Enter the header message (3) and the value (4) by clicking on Enter text
Fig.9
Enter the following values:
- For message header (1): x-Forefront-Antispam-Report
- For Value (2): SFV:SKI;
- Then click on
Fig.10
- For Rule mode Enforce is selected
- At Severity is sufficient
- At will can be set between which times this rule should be active
Fig.11
Check if the settings are correct and then click