Mail Flow Rules




PowerShell Version


First, connect with PowerShell to a new administrator session in Exchange. The following will work with Exchange Online (Office 365). For more information, please refer to the documentation.


Install-Module -Name ExchangeOnlineManagement

Import-Module ExchangeOnlineManagement

Connect-ExchangeOnline -UserPrincipalName <ADMIN EMAIL>


Then, after authentication, create two new transport rules with the following commands:


New-TransportRule SecurePracticeBypassATPLinks -Comments "Disable M365 link filter for ATTACK Simulator Header" -Priority 0 -HeaderContainsMessageHeader "x-ats-simulation" -HeaderContainsWords "true" -SetHeaderName "X-MS-Exchange-Organization-SkipSafeLinksProcessing" -SetHeaderValue "1" -SetSCL -1

New-TransportRule SecurePracticeBypassATPAttachments -Comments "Disable M365 attachment filter for ATTACK Simulator Header" -HeaderContainsMessageHeader "x-ats-simulation" -HeaderContainsWords "true" -SetHeaderName "X-MS-Exchange-Organization-SkipSafeAttachmentProcessing" -SetHeaderValue "1"


Finally, review your rule priorities to make sure there are no other custom rules blocking spoofed phishing emails.


Get-TransportRule
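
An added example, not part of the original instructions: a function that audits Get-TransportRule output for the two rules created above, checking state, mode and header condition, listing earlier rules that could pre-empt them, and noting when the bypass is keyed on the header alone rather than also on the sending IP 168.245.96.234. The function name and the sample rule objects are constructed for illustration; against a live tenant, pass the output of Get-TransportRule to -Rules.

```powershell
function Test-SimulationBypassRule {
    param(
        [Parameter(Mandatory)] [object[]] $Rules,   # objects shaped like Get-TransportRule output
        [string[]] $ExpectedNames = @('SecurePracticeBypassATPLinks', 'SecurePracticeBypassATPAttachments'),
        [string] $SimulatorIp = '168.245.96.234'    # sending IP listed on this page
    )
    foreach ($name in $ExpectedNames) {
        $rule = $Rules | Where-Object { $_.Name -eq $name } | Select-Object -First 1
        $issues = @()
        if (-not $rule) {
            $issues += 'rule not found'
        } else {
            if ("$($rule.State)" -ne 'Enabled') { $issues += "state is '$($rule.State)'" }
            if ("$($rule.Mode)" -ne 'Enforce') { $issues += "mode is '$($rule.Mode)'" }
            if ("$($rule.HeaderContainsMessageHeader)" -ne 'x-ats-simulation') {
                $issues += 'header condition is not x-ats-simulation'
            }
            # Enabled rules that run earlier and drop, reject, quarantine or stop processing
            # can keep the simulation mail from ever reaching this rule.
            $earlier = $Rules | Where-Object {
                $_.Priority -lt $rule.Priority -and "$($_.State)" -eq 'Enabled' -and
                ($_.StopRuleProcessing -or $_.DeleteMessage -or $_.Quarantine -or $_.RejectMessageReasonText)
            }
            foreach ($e in $earlier) { $issues += "runs after '$($e.Name)' (priority $($e.Priority))" }
            # The bypass keys on a header alone unless the rule is also tied to the sending IP.
            $ips = @($rule.SenderIpRanges | ForEach-Object { "$_" })
            if ($ips -notcontains $SimulatorIp) { $issues += "no SenderIpRanges condition for $SimulatorIp" }
        }
        [pscustomobject]@{ Rule = $name; Ok = ($issues.Count -eq 0); Issues = ($issues -join '; ') }
    }
}

# Constructed sample input standing in for Get-TransportRule output (not real tenant data).
$sample = @(
    [pscustomobject]@{ Name = 'SecurePracticeBypassATPLinks'; State = 'Enabled'; Mode = 'Enforce'
                       Priority = 0; HeaderContainsMessageHeader = 'x-ats-simulation'
                       SenderIpRanges = @('168.245.96.234') }
    [pscustomobject]@{ Name = 'Block spoofed senders (constructed)'; State = 'Enabled'; Mode = 'Enforce'
                       Priority = 1; DeleteMessage = $true }
    [pscustomobject]@{ Name = 'SecurePracticeBypassATPAttachments'; State = 'Disabled'; Mode = 'Enforce'
                       Priority = 2; HeaderContainsMessageHeader = 'x-ats-simulation' }
)
Test-SimulationBypassRule -Rules $sample | Format-List
```
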


If adjustments need to be made, refer to the official documentation mentioned above or use the Exchange Management Center, as shown below, to reorder rules via a web portal.


P.S. If at any time you need a script to remove our rules again, the following will work:


Remove-TransportRule -Identity "SecurePracticeBypassATPLinks" -Confirm:$false

Remove-TransportRule -Identity "SecurePracticeBypassATPAttachments" -Confirm:$false

Console Version

https://admin.exchange.microsoft.com/#/transportrules


Please make sure you have the following configuration. 



If not, follow these steps:



  1. Click on the + under the Rules subheading and select Bypass spam filtering. A new pop-up window will appear where you can configure the whitelist for our IP.
  2. In the "New rule" pop-up window, start by giving the rule a name. You can call it "ATTACK Simulator" so that you can easily find it later.
  3. In "*Apply this rule if..." choose "The message headers..." and then "matches these text patterns" and type x-ats-simulation as the message header name and true in the value field.
  4. In the "Do the following..." section select: "Modify the message properties" and "set the spam confidence level (SCL)". Set the value to -1.
  5. Click the button to add another action.
  6. Choose "Modify the message properties" in the first select box and "set a message header" in the second one.
  7. Click on the first "Enter text" button and type X-MS-Exchange-Organization-SkipSafeLinksProcessing in the pop-up window of the message header.
  8. Click on the second "Enter text" button and simply type 1 in the pop-up window of the header value.
  9. Check that your settings are similar to those shown in the image.
  10. On the Set Rule Settings page, make sure that the "Rule Mode" is set to "Enforce" and click Next.
  11. In the last step check the settings again and click Finish.
  12. In the list of rules, make sure that the new rule is activated. If it is disabled, click on the rule and activate the enable switch in the sidebar.
  13. Make sure that the rule has a high priority. We recommend setting the priority to 0.






Microsoft 365 Defender


Go to the Microsoft 365 Defender policies and rules page, or go directly to https://security.microsoft.com/threatpolicy.


Antispam Inbound Policy Configuration


  1. Click on Antispam to review existing rules.
  2. Click on Antispam Inbound Policy (default) or create a new one if you can't find it.
  3. In the rule details sidebar, make sure you have our domains in the "Allowed domains" section.
  4. If not, click on "Edit allowed and blocked senders and domains".
  5. In the next section, click the "Allow domains" button.
  6. Add the following domains in the "Manage allowed domains" section: securityawareness.pro, nospamplus.com, inbox-guardian.com, mail-defender.com, proxysecurefilter.com, onemailfilter.com, notificationspace.com, mailsmtpfilter.com, gmailgateway.com, forwardfrom.com, outlookgateway.com, smtpemaillist.com, spamshieldplus.com, attacksimulator.com
  7. Click "Done" and then click "Save".




Review the rule to make sure that the settings have been saved correctly and that you see 14 domains in the "Allowed Domains" section.


Connection Filter Policy Configuration




  1. Click on "Connection filter policy (default)" or create a new one.
  2. In the sidebar of the connection filter policy, click on "Edit connection filter policy".
  3. In the "Always allow messages from the following IP addresses or address range" section type 168.245.96.234.
  4. Click "Save" and then "Close".



Advanced Delivery - Third Party Simulations

https://security.microsoft.com/advanceddelivery?viewid=PhishingSimulation


  1. Click the blue Add button.
  2. In the sidebar of the phishing simulation, add the following settings:
    1. Sending domains: ats.securityawareness.pro, ats.nospamplus.com, ats.inbox-guardian.com, ats.mail-defender.com, ats.proxysecurefilter.com, ats.onemailfilter.com, ats.notificationspace.com, ats.mailsmtpfilter.com, ats.gmailgateway.com, ats.forwardfrom.com, ats.outlookgateway.com, ats.smtpemaillist.com, ats.spamshieldplus.com, ats.attacksimulator.com.
    2. Sending IP: 168.245.96.234
    3. Simulation URLs to allow: 
      ~guardme.site/*
      ~mail-link.dev/*
      ~linkedto.us/*
      ~safeserver.top/*
      ~safe-link.us/*
      ~shortiee.us/*
      ~protectize.us/*
      ~maxspeed.link/*
      ~websafe.link/*
      ~gofast.link/*
      ~webshield.us/*
      ~onlinefilter.eu/*
      ~insta-proxy.com/*
      ~safegateway.pro/*
      ~safeonline.pro/*
      ~server-defender.com/*
      ~pro-shield.one/*
      ~massive-storage.com/*
      ~aisecurezone.com/*
      ~alphasecurespace.com/*
      ~betaedition.com/*
      ~cdnsecurefilter.com/*
      ~ezsecurespace.com/*
      ~let-on.com/*
      ~secure-version.com/*

      Note: If there is a limit of 10 URLs, type the first 10 from the list above.
  3. Finally, click Save.