Team: Huntress Managed Security Awareness Training (SAT)
Environment: Microsoft Defender for Office 365 (Safe Links)
Summary: How to configure Microsoft Defender Safe Links to help ensure SAT phishing campaigns are delivered.
Overview
To ensure accurate delivery and reporting for your Huntress SAT campaign, configure Microsoft’s Advanced Delivery (Phishing Simulation) policy as the primary method. If Advanced Delivery cannot be used, apply a Safe Links exclusion. If neither option is possible, use a transport-rule header bypass as a fallback. Failure to follow one of these paths can result in phishing emails being blocked or inaccurate click data being recorded.'
In this Article
Primary Method: Advanced Delivery
Secondary Method: Safe Links Exclusion
Optional PowerShell Configuration Method
Fallback Method: Transport Rule Bypass
Important Note on Policy Precedence
Primary Method: Advanced Delivery
See "Step 2. Advanced Phishing Simulator Allowlist" of this guide to configure the Phishing Simulation tab under Advanced Delivery for the SAT sending domains and IPs.
Secondary Method: Safe Links Exclusion
- Navigate to the Microsoft Defender portal at https://security.microsoft.com/.
- In the left navigation pane, go to Email & collaboration > Policies & rules > Threat policies.
- Under Policies, select Safe Links.
- Identify the policy that applies to your users and select it to begin editing.
- Select Edit protection settings or Manage policy.
- Locate the section titled "Do not rewrite the following URLs in email".
- Add the required SAT phishing domains to the exclusion list manually or use the Optional PowerShell Configuration Method.
- Select Save to finalize your changes and allow time for the policy to propagate.
Optional PowerShell Configuration Method
For administrators who prefer using the command line for bulk updates, the following script can be utilized to modify your Safe Links policy exclusions. Note: You must replace "SL-Protection" with the specific policy name located during Step 4 of the Secondary Method: Safe Links Exclusion. Select Save to finalize your changes and allow time for the policy to propagate.
# Install and connect to Exchange Online
install-module ExchangeOnlineManagement
import-module ExchangeOnlineManagement
connect-exchangeonline
# Add Huntress SAT domains to the 'Do not rewrite' list
Set-SafeLinksPolicy -Identity "SL-Protection" -DoNotRewriteUrls @{Add=
"amazonsecurity.org/*",
"breach-notice.com/*",
"feedback-collection.com/*",
"mycurricula.com/*",
"alerts.mycurricula.com/*",
"phish.mycurricula.com/*",
"securitynotifications.org/*",
"security-updater.com/*",
"filesharingnow.com/*",
"mailbox-quota.com/*",
"passwordsnotification.com/*",
"securelinkedin.com/*",
"fraud-assistance.com/*",
"payment-process.com/*",
"news-article.com/*",
"invite-meeting.com/*",
"feedback-collect.com/*",
"businessnotice.org/*",
"databoxonline.com/*",
"electronic-hr.com/*",
"emailtransaction.com/*",
"governmentnotice.org/*",
"notificationservices.org/*"
}
Fallback Method: Transport Rule Bypass
- Create a new mail flow rule in your Exchange/Office Admin center
- Give the rule a name such as "Bypass ATP Links".
- Click More options....
- From the Apply this rule if…. drop-down menu, select The senders then select IP address is in any of these ranges or exactly matches.
- Enter our IP address :
18.205.140.116 (Phishing Server)
168.245.36.66 (Training Server) - From the Do the following… drop-down menu, select Modify the message properties... and then set a message header.
- Click the first *Enter text... link and set the message header to:
- X-MS-Exchange-Organization-SkipSafeLinksProcessing
- Click the second *Enter text... link and set the value to: 1
- Click Save.
- Click the first *Enter text... link and set the message header to:
Important Note On Policy Precedence
If your tenant utilizes Microsoft's Standard or Strict Preset Security Policies, those policies often take a higher precedence (priority) than any custom Safe Links exclusion you set.
You have two options for proceeding:
- Modify the Preset Policy: The most direct solution is to modify the exclusions within the Preset Policy itself, as outlined in the Secondary Method (if applicable).
- Use an Alternative Bypass Method: If you are unable to modify the Preset Security Policy, you can implement an override by configuring the Advanced Delivery Phishing Simulation Policy instead. See "Step 2. Advanced Phishing Simulator Allowlist" from the Allowlist Phishing Emails in Microsoft Office 365 Defender Basic and Advanced for instructions as well as the Microsoft Catch-All Exclusion Guide for Phishing for further instructions.