Mail Flow Rules

TABLE OF CONTENTS


Poweshell Version


First, connect with PowerShell to a new administrator session in Exchange. The following will work with Exchange Online (Office 365). For more information, please refer to the documentation.


Install-Module -Name ExchangeOnlineManagement

Import-Module ExchangeOnlineManagement

Connect-ExchangeOnline -UserPrincipalName <ADMIN EMAIL>


Then, after authentication, create two new transport rules with the following commands:


New-TransportRule SecurePracticeBypassATPLinks -Comments "Disable M365 link filter for emails from the ATTACK Simulator IP" -Priority -0 -SenderIpRanges 168.245.96.234, 159.183.233.198 -SetHeaderName "X-MS-Exchange-Organization-SkipSafeLinksProcessing" -SetHeaderValue "1" -SetSCL -1

New-TransportRule SecurePracticeBypassATPAttachments -Comments "Disable M365 attachment filter for ATTACK Simulator IP" -SenderIpRanges 168.245.96.234, 159.183.233.198 -SetHeaderName "X-MS-Exchange-Organization-SkipSafeAttachmentProcessing" -SetHeaderValue "1"


Finally, review your rule priorities to make sure there are no other custom rules blocking spoofed phishing emails.


Get-TransportRule


If adjustments need to be made, refer to the official documentation mentioned above or use the Exchange Management Center, as shown below, to reorder rules via a web portal.


P.S. If at any time you need a script to remove our rules again, the following will work:


Remove-TransportRule -Identity "SecurePracticeBypassATPLinks" -Confirm:$false

Remove-TransportRule -Identity "SecurePracticeBypassATPAttachments" -Confirm:$false


Console Version

https://admin.exchange.microsoft.com/#/transportrules


Please follow these steps:


  1. Click on the + Add a rule button under the Rules subheading and select Modify message. A new popup window will appear where you can configure the whitelist for our ip.
  2. In the "New rule" pop-up window, start by giving the rule a name. You can call it "ATTACK Simulator" to easily find it later.
  3. In "*Apply this rule if..." choose "The sender..." and then "IP address is any of these ranges or exactly matches". Type the ATTACK Simulator sender IPs 168.245.96.234 y 159.183.233.198 in the popup, click Add and the Save.
  4.  Make sure that the rule looks similar to the screenshot below: 
  5. In the "Do the following..." section, select: "Modify the message properties" and "set the spam confidence level (SCL)". Select "Bypass spam filtering" in the sidebar window and click Save
  6. Make sure the rule looks similar to the screenshot below: 
  7. In the Do the following section, click the + button
  8. A new rule would appear. Configure this new rule by choosing "Modify the message properties" in the first select option and "Set a message header" in the second field. Click on the first "Enter text" button, type X-MS-Exchange-Organization-SkipSafeLinksProcessing in the sidebar window that appears, and press Save. Click the second "Enter text" button and simply type in the sidebar window that appears and press Save.
  9. Make sure the rule looks similar to the screenshot below: 
  10. Check that your settings are similar to those in the image below, and click Next if everything is ok.
  11. On the Set rule settings page, select the Enforce option and click Next. 
  12. Review the settings and click Finish 


Console Version (old)

https://admin.exchange.microsoft.com/#/transportrules


Please follow these steps:



  1. Click on the + under the Rules subheading and select Bypass spam filtering. A new popup window will appear where you can configure the whitelist for our ip.
  2. In the "New rule" pop-up window, start by giving the rule a name. You can call it "ATTACK Simulator" so that you can easily find it later.
  3. In "*Apply this rule if..." choose "The message headers..." and then "matches these text patterns" and type x-ats-simulation as the message header name and true in the value field.
  4. In the "Do the following..." section select: "Modify the message properties" and "set the spam confidence level (SCL)". Set the value to -1.
  5. Click the button to add another action.
  6. Choose "Modify the message properties" in the first select box and "set a message header" in the second one.
  7. Click on the first "Enter text" button and type X-MS-Exchange-Organization-SkipSafeLinksProcessing in the pop-up window of the message header.
  8. Click on the second "Enter text" button and simply type 1 in the pop-up window of the header value.
  9. Check that your settings are similar to those shown in the image.
  10. On the Set Rule Settings page, make sure that the "Rule Mode" is set to "Enforce" and click Next.
  11. In the last step check the settings again and click Finish.
  12. In the list of rules, make sure that the new rule is activated. If it is disabled, click on the rule and activate the enable switch in the sidebar.
  13. Make sure that the rule has a high priority. We recommend setting the priority to 0.






Microsoft 365 Defender


Go to the Microsoft 365 Defender policies and rules page or click here to go directly https://security.microsoft.com/threatpolicy.


Antispam Inbound Policy Configuration


  1. Click on Antispam to review existing rules.
  2. Click on Antispam Inbound Policy (default) or create a new one if you can't find it.
  3. In the rule details sidebar, make sure you have our domains in the "Allowed domains" section.
  4. If not, click on "Edit allowed and blocked senders and domains".
  5. In the next section, click the "Allow domains" button.
  6. Add the following domains in the "Manage allowed domains" section:                     securityawareness.pro, nospamplus.com, inbox-guardian.com, mail-defender.com, proxysecurefilter.com, onemailfilter.com, notificationspace.com, mailsmtpfilter.com, gmailgateway.com, forwardfrom.com, outlookgateway.com, smtpemaillist.com, spamshieldplus.com, attacksimulator.com
  7. Click "Done" and then click "Save".




Review the rule to make sure that the settings have been saved correctly and that you see 14 domains in the "Allowed Domains" section.


Connection Filter Policy Configuration




  1. Click on "Connection filter policy (default)" or create a new one.
  2. In the sidebar of the connection filter policy, click on "Edit connection filter policy".
  3. In the "Always allow messages from the following IP addresses or address range" section type 168.245.96.234 and 159.183.233.198.
  4. Click "Save" and then "Close".



Advanced Delivery - Third Party Simulations

https://security.microsoft.com/advanceddelivery?viewid=PhishingSimulation


  1. Click the blue Add button
  2. In the sidebar of the phishing simulation, add the following settings:
    1. Sending domains: ats.securityawareness.pro, ats.nospamplus.com, ats.inbox-guardian.com, ats.mail-defender.com, ats.proxysecurefilter.com, ats.onemailfilter.com, ats.notificationspace.com, ats.mailsmtpfilter.com, ats.gmailgateway.com, ats.forwardfrom.com, ats.outlookgateway.com, ats.smtpemaillist.com, ats.spamshieldplus.com, ats.attacksimulator.com.
    2. Sending IP: 168.245.96.234 and 159.183.233.198
    3. Simulation URLs to allow: 
      ~guardme.site/*
      ~mail-link.dev/*
      ~linkedto.us/*
      ~safeserver.top/*
      ~safe-link.us/*
      ~shortiee.us/*
      ~protectize.us/*
      ~maxspeed.link/*
      ~websafe.link/*
      ~gofast.link/*
      ~webshield.us/*
      ~onlinefilter.eu/*
      ~insta-proxy.com/*
      ~safegateway.pro/*
      ~safeonline.pro/*
      ~server-defender.com/*
      ~pro-shield.one/*
      ~massive-storage.com/*
      ~aisecurezone.com/*
      ~alphasecurespace.com/*
      ~betaedition.com/*
      ~cdnsecurefilter.com/*
      ~ezsecurespace.com/*
      ~let-on.com/*
      ~secure-version.com/*

      Note: If there is a limit of 10 URLs, type the first 10 from the list above.
  3. Finally, click save