Whitelisting Office365

Modified on Wed, 15 Mar 2023 at 02:24 AM

Mail Flow Rules


TABLE OF CONTENTS


Poweshell Version


First, connect with PowerShell to a new administrator session in Exchange. The following will work with Exchange Online (Office 365). For more information, please refer to the documentation.


Install-Module -Name ExchangeOnlineManagement

Import-Module ExchangeOnlineManagement

Connect-ExchangeOnline -UserPrincipalName <ADMIN EMAIL>


Then, after authentication, create two new transport rules with the following commands:


New-TransportRule SecurePracticeBypassATPLinks -Comments "Disable M365 link filter for ATTACK Simulator Header" -Priority -0 -HeaderContainsMessageHeader "x-ats-simulation" -HeaderContainsWords "true" -SetHeaderName "X-MS-Exchange-Organization-SkipSafeLinksProcessing" -SetHeaderValue "1" -SetSCL -1

New-TransportRule SecurePracticeBypassATPAttachments -Comments "Disable M365 attachment filter for ATTACK Simulator Header" -HeaderContainsMessageHeader "x-ats-simulation" -HeaderContainsWords "true" -SetHeaderName "X-MS-Exchange-Organization-SkipSafeAttachmentProcessing" -SetHeaderValue "1"


Finally, review your rule priorities to make sure there are no other custom rules blocking spoofed phishing emails.


Get-TransportRule


If adjustments need to be made, refer to the official documentation mentioned above or use the Exchange Management Center, as shown below, to reorder rules via a web portal.


P.S. If at any time you need a script to remove our rules again, the following will work:


Remove-TransportRule -Identity "SecurePracticeBypassATPLinks" -Confirm:$false

Remove-TransportRule -Identity "SecurePracticeBypassATPAttachments" -Confirm:$false

Console Version

https://admin.exchange.microsoft.com/#/transportrules


Please make sure you have the following configuration. 



If not, follow these steps:



  1. Click on the + under the Rules subheading and select Bypass spam filtering. A new popup window will appear where you can configure the whitelist for our ip.
  2. In the "New rule" pop-up window, start by giving the rule a name. You can call it "ATTACK Simulator" so that you can easily find it later.
  3. In "*Apply this rule if..." choose "The message headers..." and then "matches these text patterns" and type x-ats-simulation as the message header name and true in the value field.
  4. In the "Do the following..." section select: "Modify the message properties" and "set the spam confidence level (SCL)". Set the value to -1.
  5. Click the button to add another action.
  6. Choose "Modify the message properties" in the first select box and "set a message header" in the second one.
  7. Click on the first "Enter text" button and type X-MS-Exchange-Organization-SkipSafeLinksProcessing in the pop-up window of the message header.
  8. Click on the second "Enter text" button and simply type 1 in the pop-up window of the header value.
  9. Check that your settings are similar to those shown in the image.
  10. On the Set Rule Settings page, make sure that the "Rule Mode" is set to "Enforce" and click Next.
  11. In the last step check the settings again and click Finish.
  12. In the list of rules, make sure that the new rule is activated. If it is disabled, click on the rule and activate the enable switch in the sidebar.
  13. Make sure that the rule has a high priority. We recommend setting the priority to 0.






Microsoft 365 Defender


Go to the Microsoft 365 Defender policies and rules page or click here to go directly https://security.microsoft.com/threatpolicy.


Antispam Inbound Policy Configuration


  1. Click on Antispam to review existing rules.
  2. Click on Antispam Inbound Policy (default) or create a new one if you can't find it.
  3. In the rule details sidebar, make sure you have our domains in the "Allowed domains" section.
  4. If not, click on "Edit allowed and blocked senders and domains".
  5. In the next section, click the "Allow domains" button.
  6. Add the following domains in the "Manage allowed domains" section:                     securityawareness.pro, nospamplus.com, inbox-guardian.com, mail-defender.com, proxysecurefilter.com, onemailfilter.com, notificationspace.com, mailsmtpfilter.com, gmailgateway.com, forwardfrom.com, outlookgateway.com, smtpemaillist.com, spamshieldplus.com, attacksimulator.com
  7. Click "Done" and then click "Save".




Review the rule to make sure that the settings have been saved correctly and that you see 14 domains in the "Allowed Domains" section.


Connection Filter Policy Configuration




  1. Click on "Connection filter policy (default)" or create a new one.
  2. In the sidebar of the connection filter policy, click on "Edit connection filter policy".
  3. In the "Always allow messages from the following IP addresses or address range" section type 168.245.96.234.
  4. Click "Save" and then "Close".



Advanced Delivery - Third Party Simulations

https://security.microsoft.com/advanceddelivery?viewid=PhishingSimulation


  1. Click the blue Add button
  2. In the sidebar of the phishing simulation, add the following settings:
    1. Sending domains: ats.securityawareness.pro, ats.nospamplus.com, ats.inbox-guardian.com, ats.mail-defender.com, ats.proxysecurefilter.com, ats.onemailfilter.com, ats.notificationspace.com, ats.mailsmtpfilter.com, ats.gmailgateway.com, ats.forwardfrom.com, ats.outlookgateway.com, ats.smtpemaillist.com, ats.spamshieldplus.com, ats.attacksimulator.com.
    2. Sending IP: 168.245.96.234
    3. Simulation URLs to allow: 
      ~guardme.site/*
      ~mail-link.dev/*
      ~linkedto.us/*
      ~safeserver.top/*
      ~safe-link.us/*
      ~shortiee.us/*
      ~protectize.us/*
      ~maxspeed.link/*
      ~websafe.link/*
      ~gofast.link/*
      ~webshield.us/*
      ~onlinefilter.eu/*
      ~insta-proxy.com/*
      ~safegateway.pro/*
      ~safeonline.pro/*
      ~server-defender.com/*
      ~pro-shield.one/*
      ~massive-storage.com/*
      ~aisecurezone.com/*
      ~alphasecurespace.com/*
      ~betaedition.com/*
      ~cdnsecurefilter.com/*
      ~ezsecurespace.com/*
      ~let-on.com/*
      ~secure-version.com/*

      Note: If there is a limit of 10 URLs, type the first 10 from the list above.
  3. Finally, click save

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select atleast one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article