Mail Flow Rules
First, connect with PowerShell to a new administrator session in Exchange. The following will work with Exchange Online (Office 365). For more information, please refer to the documentation.
    Install-Module -Name ExchangeOnlineManagement
    Import-Module ExchangeOnlineManagement
    Connect-ExchangeOnline -UserPrincipalName <ADMIN EMAIL>
Then, after authentication, create two new transport rules with the following commands:
    # Rule 1: skip Safe Links processing and set SCL -1 for messages carrying the simulator header
    New-TransportRule SecurePracticeBypassATPLinks `
        -Comments "Disable M365 link filter for ATTACK Simulator Header" `
        -Priority 0 `
        -HeaderContainsMessageHeader "x-ats-simulation" `
        -HeaderContainsWords "true" `
        -SetHeaderName "X-MS-Exchange-Organization-SkipSafeLinksProcessing" `
        -SetHeaderValue "1" `
        -SetSCL -1

    # Rule 2: skip Safe Attachments processing for the same header
    New-TransportRule SecurePracticeBypassATPAttachments `
        -Comments "Disable M365 attachment filter for ATTACK Simulator Header" `
        -HeaderContainsMessageHeader "x-ats-simulation" `
        -HeaderContainsWords "true" `
        -SetHeaderName "X-MS-Exchange-Organization-SkipSafeAttachmentProcessing" `
        -SetHeaderValue "1"
Finally, review your rule priorities to make sure there are no other custom rules blocking spoofed phishing emails.
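One way to carry out that review from the same PowerShell session, as an added example that is not the vendor's own script: it reads both rules back with Get-TransportRule, compares them with the values used in the commands above, and lists any enabled rules that are evaluated earlier. The check names and table layout are this example's own.

```powershell
# Added example (read-only). Assumes an active Connect-ExchangeOnline session.
# Expected values are copied from the New-TransportRule commands on this page.
$expected = [ordered]@{
    SecurePracticeBypassATPLinks       = 'X-MS-Exchange-Organization-SkipSafeLinksProcessing'
    SecurePracticeBypassATPAttachments = 'X-MS-Exchange-Organization-SkipSafeAttachmentProcessing'
}
$allRules = @(Get-TransportRule)

$results = foreach ($name in $expected.Keys) {
    $rule = $allRules | Where-Object { $_.Name -eq $name }
    if (-not $rule) {
        [pscustomobject]@{ Rule = $name; Check = 'Rule exists'; Ok = $false; Actual = 'not found' }
        continue
    }
    $words = @($rule.HeaderContainsWords | ForEach-Object { "$_" })
    # Enabled rules with a lower priority number are evaluated before this one.
    $earlier = @($allRules | Where-Object {
        $_.Priority -lt $rule.Priority -and "$($_.State)" -eq 'Enabled'
    })
    # Each entry: check name, result, value actually configured.
    $checks = @(
        @('State is Enabled', ("$($rule.State)" -eq 'Enabled'), $rule.State),
        @('Mode is Enforce', ("$($rule.Mode)" -eq 'Enforce'), $rule.Mode),
        @('Condition header name', ("$($rule.HeaderContainsMessageHeader)" -eq 'x-ats-simulation'),
            $rule.HeaderContainsMessageHeader),
        @('Condition header value', ($words -contains 'true'), ($words -join ', ')),
        @('Action header name', ("$($rule.SetHeaderName)" -eq $expected[$name]), $rule.SetHeaderName),
        @('Action header value', ("$($rule.SetHeaderValue)" -eq '1'), $rule.SetHeaderValue),
        @('No enabled rule runs earlier', ($earlier.Count -eq 0), ($earlier.Name -join ', '))
    )
    foreach ($c in $checks) {
        [pscustomobject]@{ Rule = $name; Check = $c[0]; Ok = $c[1]; Actual = "$($c[2])" }
    }
}
$results | Format-Table -AutoSize -Wrap
```

A False in the last row is a prompt to inspect the listed rules, not necessarily a fault.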
If adjustments need to be made, refer to the official documentation mentioned above or use the Exchange Management Center, as shown below, to reorder rules via a web portal.
P.S. If at any time you need a script to remove our rules again, the following will work:
    Remove-TransportRule -Identity "SecurePracticeBypassATPLinks" -Confirm:$false
    Remove-TransportRule -Identity "SecurePracticeBypassATPAttachments" -Confirm:$false
Please make sure you have the following configuration.
If not, follow these steps:
- Click on the + under the Rules subheading and select Bypass spam filtering. A new pop-up window will appear where you can configure the whitelist for our IP.
- In the "New rule" pop-up window, start by giving the rule a name. You can call it "ATTACK Simulator" so that you can easily find it later.
- In "*Apply this rule if..." choose "The message headers..." and then "matches these text patterns" and type x-ats-simulation as the message header name and true in the value field.
- In the "Do the following..." section select: "Modify the message properties" and "set the spam confidence level (SCL)". Set the value to -1.
- Click the + button to add another action.
- Choose "Modify the message properties" in the first select box and "set a message header" in the second one.
- Click on the first "Enter text" button and type X-MS-Exchange-Organization-SkipSafeLinksProcessing in the pop-up window of the message header.
- Click on the second "Enter text" button and simply type 1 in the pop-up window of the header value.
- Check that your settings are similar to those shown in the image.
- On the Set Rule Settings page, make sure that the "Rule Mode" is set to "Enforce" and click Next.
- In the last step check the settings again and click Finish.
- In the list of rules, make sure that the new rule is activated. If it is disabled, click on the rule and activate the enable switch in the sidebar.
- Make sure that the rule has a high priority. We recommend setting the priority to 0.
Microsoft 365 Defender
Go to the Microsoft 365 Defender policies and rules page, or go directly to https://security.microsoft.com/threatpolicy.
Antispam Inbound Policy Configuration
Review the rule to make sure that the settings have been saved correctly and that you see 14 domains in the "Allowed Domains" section.
Connection Filter Policy Configuration
Advanced Delivery - Third Party Simulations