Mail Flow Rules
TABLE OF CONTENTS
Poweshell Version
First, connect with PowerShell to a new administrator session in Exchange. The following will work with Exchange Online (Office 365). For more information, please refer to the documentation.
Install-Module -Name ExchangeOnlineManagement Import-Module ExchangeOnlineManagement Connect-ExchangeOnline -UserPrincipalName <ADMIN EMAIL>
Then, after authentication, create two new transport rules with the following commands:
New-TransportRule SecurePracticeBypassATPLinks -Comments "Disable M365 link filter for ATTACK Simulator Header" -Priority -0 -HeaderContainsMessageHeader "x-ats-simulation" -HeaderContainsWords "true" -SetHeaderName "X-MS-Exchange-Organization-SkipSafeLinksProcessing" -SetHeaderValue "1" -SetSCL -1 New-TransportRule SecurePracticeBypassATPAttachments -Comments "Disable M365 attachment filter for ATTACK Simulator Header" -HeaderContainsMessageHeader "x-ats-simulation" -HeaderContainsWords "true" -SetHeaderName "X-MS-Exchange-Organization-SkipSafeAttachmentProcessing" -SetHeaderValue "1"
Finally, review your rule priorities to make sure there are no other custom rules blocking spoofed phishing emails.
Get-TransportRule
If adjustments need to be made, refer to the official documentation mentioned above or use the Exchange Management Center, as shown below, to reorder rules via a web portal.
P.S. If at any time you need a script to remove our rules again, the following will work:
Remove-TransportRule -Identity "SecurePracticeBypassATPLinks" -Confirm:$false Remove-TransportRule -Identity "SecurePracticeBypassATPAttachments" -Confirm:$false
Console Version
https://admin.exchange.microsoft.com/#/transportrules
Please make sure you have the following configuration.
If not, follow these steps:
- Click on the + under the Rules subheading and select Bypass spam filtering. A new popup window will appear where you can configure the whitelist for our ip.
- In the "New rule" pop-up window, start by giving the rule a name. You can call it "ATTACK Simulator" so that you can easily find it later.
- In "*Apply this rule if..." choose "The message headers..." and then "matches these text patterns" and type x-ats-simulation as the message header name and true in the value field.
- In the "Do the following..." section select: "Modify the message properties" and "set the spam confidence level (SCL)". Set the value to -1.
- Click the + button to add another action.
- Choose "Modify the message properties" in the first select box and "set a message header" in the second one.
- Click on the first "Enter text" button and type X-MS-Exchange-Organization-SkipSafeLinksProcessing in the pop-up window of the message header.
- Click on the second "Enter text" button and simply type 1 in the pop-up window of the header value.
- Check that your settings are similar to those shown in the image.
- On the Set Rule Settings page, make sure that the "Rule Mode" is set to "Enforce" and click Next.
- In the last step check the settings again and click Finish.
- In the list of rules, make sure that the new rule is activated. If it is disabled, click on the rule and activate the enable switch in the sidebar.
- Make sure that the rule has a high priority. We recommend setting the priority to 0.
Microsoft 365 Defender
Go to the Microsoft 365 Defender policies and rules page or click here to go directly https://security.microsoft.com/threatpolicy.
Antispam Inbound Policy Configuration
| ![]() |
Review the rule to make sure that the settings have been saved correctly and that you see 14 domains in the "Allowed Domains" section.
Connection Filter Policy Configuration
| ![]() |
Advanced Delivery - Third Party Simulations
https://security.microsoft.com/advanceddelivery?viewid=PhishingSimulation
| ![]() |