Mail Flow Rules
PowerShell Version
First, connect with PowerShell to a new administrator session in Exchange. The following will work with Exchange Online (Office 365). For more information, please refer to the documentation.
Install-Module -Name ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName <ADMIN EMAIL>
Then, after authentication, create two new transport rules with the following commands:
New-TransportRule SecurePracticeBypassATPLinks -Comments "Disable M365 link filter for emails from the ATTACK Simulator IP" -Priority 0 -SenderIpRanges 168.245.96.234, 159.183.233.198 -SetHeaderName "X-MS-Exchange-Organization-SkipSafeLinksProcessing" -SetHeaderValue "1" -SetSCL -1
New-TransportRule SecurePracticeBypassATPAttachments -Comments "Disable M365 attachment filter for ATTACK Simulator IP" -SenderIpRanges 168.245.96.234, 159.183.233.198 -SetHeaderName "X-MS-Exchange-Organization-SkipSafeAttachmentProcessing" -SetHeaderValue "1"
Finally, review your rule priorities to make sure there are no other custom rules blocking spoofed phishing emails.
Get-TransportRule
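An added example, not part of the vendor's instructions: the function below lists rules by priority and flags any rule that sets the skip-processing headers or SCL -1 without being limited to the two sender IPs above. The function name Get-BypassRuleFinding and the sample rule objects are constructed for illustration; in a connected session, pipe Get-TransportRule into the function instead of $sample.

```powershell
# Added example (not vendor code): flag transport rules that bypass filtering
# without being limited to the expected simulator sender IPs.
function Get-BypassRuleFinding {   # hypothetical helper name
    param(
        [Parameter(ValueFromPipeline)] $Rule,
        # Sender IPs as listed on this page; compared as exact strings, no CIDR parsing
        [string[]] $ExpectedIps = @('168.245.96.234', '159.183.233.198')
    )
    begin {
        $bypassHeaders = @(
            'X-MS-Exchange-Organization-SkipSafeLinksProcessing',
            'X-MS-Exchange-Organization-SkipSafeAttachmentProcessing'
        )
    }
    process {
        $setsHeader = $bypassHeaders -contains $Rule.SetHeaderName
        $setsScl    = "$($Rule.SetSCL)" -eq '-1'
        if (-not ($setsHeader -or $setsScl)) { return }   # not a bypass rule

        # Drop empty entries so a rule with no IP condition yields an empty array
        $ips   = @($Rule.SenderIpRanges | Where-Object { $_ })
        $extra = @($ips | Where-Object { $ExpectedIps -notcontains $_ })
        $finding = if ($ips.Count -eq 0) { 'NoSenderIpCondition' }
                   elseif ($extra.Count -gt 0) { 'UnexpectedSenderIp' }
                   elseif ($Rule.State -ne 'Enabled') { 'Disabled' }
                   else { 'OK' }
        [pscustomobject]@{
            Priority = $Rule.Priority
            Name     = $Rule.Name
            State    = $Rule.State
            Header   = $Rule.SetHeaderName
            SCL      = $Rule.SetSCL
            SenderIp = $ips -join ', '
            Finding  = $finding
        }
    }
}

# Constructed sample objects standing in for Get-TransportRule output
$sample = @(
    [pscustomobject]@{ Name = 'SecurePracticeBypassATPLinks'; Priority = 0; State = 'Enabled'; SenderIpRanges = @('168.245.96.234', '159.183.233.198'); SetHeaderName = 'X-MS-Exchange-Organization-SkipSafeLinksProcessing'; SetSCL = -1 }
    [pscustomobject]@{ Name = 'Constructed-NoIpScope'; Priority = 1; State = 'Enabled'; SenderIpRanges = $null; SetHeaderName = 'X-MS-Exchange-Organization-SkipSafeLinksProcessing'; SetSCL = -1 }
    [pscustomobject]@{ Name = 'Constructed-UnrelatedRule'; Priority = 2; State = 'Enabled'; SenderIpRanges = $null; SetHeaderName = $null; SetSCL = $null }
)
$sample | Get-BypassRuleFinding | Sort-Object Priority | Format-Table -AutoSize
# Connected session: Get-TransportRule | Get-BypassRuleFinding | Sort-Object Priority
```

Any row whose Finding is not OK is a bypass rule that applies more broadly than the two simulator IPs, or is not active, and should be reviewed before it is left in place.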
If adjustments need to be made, refer to the official documentation mentioned above or use the Exchange Management Center, as shown below, to reorder rules via a web portal.
P.S. If at any time you need a script to remove our rules again, the following will work:
Remove-TransportRule -Identity "SecurePracticeBypassATPLinks" -Confirm:$false
Remove-TransportRule -Identity "SecurePracticeBypassATPAttachments" -Confirm:$false
Console Version
https://admin.exchange.microsoft.com/#/transportrules
Please follow these steps:
- Click on the + Add a rule button under the Rules subheading and select Modify message. A new popup window will appear where you can configure the whitelist for our IP.
- In the "New rule" pop-up window, start by giving the rule a name. You can call it "ATTACK Simulator" to easily find it later.
- In "*Apply this rule if..." choose "The sender..." and then "IP address is any of these ranges or exactly matches". Type the ATTACK Simulator sender IPs 168.245.96.234 and 159.183.233.198 in the popup, click Add and then Save.
- Make sure that the rule looks similar to the screenshot below:
- In the "Do the following..." section, select: "Modify the message properties" and "set the spam confidence level (SCL)". Select "Bypass spam filtering" in the sidebar window and click Save.
- Make sure the rule looks similar to the screenshot below:
- In the Do the following section, click the + button
- A new rule will appear. Configure this new rule by choosing "Modify the message properties" in the first select option and "Set a message header" in the second field. Click on the first "Enter text" button, type X-MS-Exchange-Organization-SkipSafeLinksProcessing in the sidebar window that appears, and press Save. Click the second "Enter text" button, type 1 in the sidebar window that appears, and press Save.
- Make sure the rule looks similar to the screenshot below:
- Check that your settings are similar to those in the image below, and click Next if everything is ok.
- On the Set rule settings page, select the Enforce option and click Next.
- Review the settings and click Finish
Console Version (old)
https://admin.exchange.microsoft.com/#/transportrules
Please follow these steps:
- Click on the + under the Rules subheading and select Bypass spam filtering. A new popup window will appear where you can configure the whitelist for our IP.
- In the "New rule" pop-up window, start by giving the rule a name. You can call it "ATTACK Simulator" so that you can easily find it later.
- In "*Apply this rule if..." choose "The message headers..." and then "matches these text patterns" and type x-ats-simulation as the message header name and true in the value field.
- In the "Do the following..." section select: "Modify the message properties" and "set the spam confidence level (SCL)". Set the value to -1.
- Click the + button to add another action.
- Choose "Modify the message properties" in the first select box and "set a message header" in the second one.
- Click on the first "Enter text" button and type X-MS-Exchange-Organization-SkipSafeLinksProcessing in the pop-up window of the message header.
- Click on the second "Enter text" button and simply type 1 in the pop-up window of the header value.
- Check that your settings are similar to those shown in the image.
- On the Set Rule Settings page, make sure that the "Rule Mode" is set to "Enforce" and click Next.
- In the last step check the settings again and click Finish.
- In the list of rules, make sure that the new rule is activated. If it is disabled, click on the rule and activate the enable switch in the sidebar.
- Make sure that the rule has a high priority. We recommend setting the priority to 0.
Microsoft 365 Defender
Go to the Microsoft 365 Defender policies and rules page: https://security.microsoft.com/threatpolicy
Antispam Inbound Policy Configuration
Review the rule to make sure that the settings have been saved correctly and that you see 14 domains in the "Allowed Domains" section.
Connection Filter Policy Configuration
Advanced Delivery - Third Party Simulations
https://security.microsoft.com/advanceddelivery?viewid=PhishingSimulation