Team: Huntress SAT
Product: Microsoft Office 365
Environment: SAT, Microsoft Office 365
Summary: Allowlist SAT email in Microsoft 365 Defender
This article covers how to allowlist SAT's training email and phishing simulator email servers in Microsoft 365 Defender. This is a two-step guide, and both steps must be followed to guarantee phishing email delivery.
Step 1. Basic Allowed List
1. Sign in to Microsoft 365 Defender portal
2. Scroll down and select Email & Collaboration
3. Select Policies & rules
4. Select Threat policies in the list
5. Select Anti-spam inbound policy (Default)
6. Scroll down to Allowed and blocked senders and domains, then select Edit allowed and blocked senders and domains in the fly-out at the bottom of the list.
7. In the fly-out under Allowed, select Allowed domains
8. Click the Add Domains + button to add the following domains one at a time and press Enter/Return to add them to the list.
- mycurricula.com
- alerts.mycurricula.com
- phish.mycurricula.com
- securitynotifications.org
- security-updater.com
- amazonsecurity.org
- breach-notice.com
- filesharingnow.com
- mailbox-quota.com
- passwordsnotification.com
- securelinkedin.com
- fraud-assistance.com
- payment-process.com
- news-article.com
- invite-meeting.com
- feedback-collect.com
- businessnotice.org
- databoxonline.com
- electronic-hr.com
- emailtransaction.com
- employee-services.org
- governmentnotice.org
- notificationservices.org
9. When finished select the Add domains button
10. Select Done
11. Click Save
You have now completed the basic allowlisting of Security Awareness Training email and notifications. To allow our phishing simulation servers and domains, follow Step 2 below to bypass Microsoft's advanced filtering, which is not bypassed in Step 1. This includes:
- Content Filtering
- High confidence spam
- High-confidence phishing email
Step 2. Advanced Phishing Simulator Allowlist
Sign in to Microsoft 365 Defender portal
1. Scroll down and select Email & Collaboration
2. Select Policies & Rules
3. Select Threat policies in the list
4. Scroll down to the Rules section and select Advanced delivery
5. Select the Phishing Simulation tab and then select Edit
6. Under Sending Domain add the following SAT Domains and Phishing Domains (one at a time, then press Enter/Return to confirm each domain). Currently, Microsoft only allows 30 domains to be added. Make sure to include the Default Notification domains, and adjust the rest of the list as necessary to better suit your target audience if you are using another phishing simulator.
Defaults in phishing scenarios:
- amazonsecurity.org
- breach-notice.com
- employee-services.org
- feedback-collect.com
- filesharingnow.com
- fraud-assistance.com
- invite-meeting.com
- mailbox-quota.com
- news-article.com
- passwordsnotification.com
- payment-process.com
- securelinkedin.com
- security-updater.com
- securitynotifications.org
- notificationservices.org
- databoxonline.com
- businessnotice.org
- electronic-hr.com
- emailtransaction.com
- governmentnotice.org
7. Under Sending IP add the following SAT IPs
- 18.205.140.116 (Phishing Server)
- 168.245.36.66 (Training Server)
8. When finished select Save.
PowerShell
If you are familiar with using PowerShell in the Microsoft Office 365 environment, the following PowerShell commands can be run in place of manually setting up Defender for the simulated phishing email. The commands below assume that "Advanced delivery" has not yet been configured and that no previous PhishSimOverridePolicy has been set up. Also note that the order in which you run the commands is important:
```powershell
# Exchange Online session: allow the simulation URLs under Advanced delivery.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline
New-TenantAllowBlockListItems -Allow -ListType Url -ListSubType AdvancedDelivery -Entries "amazonsecurity.org/*","breach-notice.com/*","employee-services.org/*","feedback-collect.com/*","filesharingnow.com/*","fraud-assistance.com/*","invite-meeting.com/*","mailbox-quota.com/*","news-article.com/*","passwordsnotification.com/*","payment-process.com/*","securelinkedin.com/*","security-updater.com/*","securitynotifications.org/*","notificationservices.org/*","databoxonline.com/*","emailtransaction.com/*","electronic-hr.com/*" -NoExpiration
# Security & Compliance session: create the override policy first, then the rule that references it.
Connect-IPPSSession
New-PhishSimOverridePolicy -Name PhishSimOverridePolicy
New-ExoPhishSimOverrideRule -Name PhishSimOverrideRule -Policy "PhishSimOverridePolicy" -Domains "mycurricula.com","alerts.mycurricula.com","phish.mycurricula.com","securitynotifications.org","security-updater.com","amazonsecurity.org","breach-notice.com","filesharingnow.com","mailbox-quota.com","passwordsnotification.com","securelinkedin.com","fraud-assistance.com","payment-process.com","news-article.com","invite-meeting.com","feedback-collect.com","businessnotice.org","databoxonline.com","electronic-hr.com","emailtransaction.com","employee-services.org","governmentnotice.org","notificationservices.org" -SenderIpRanges 18.205.140.116,168.245.36.66
```
What does this shell accomplish?
- Adds the sending IPs 18.205.140.116 and 168.245.36.66
- Adds the sending smtp domain found in all message headers: phish[.]mycurricula[.]com
- Adds the links I've identified for user tracking so they won't be detonated or scanned, resulting in false clicks: mycurricula.com/* and emailtransaction.com/*
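To confirm that the tenant matches the commands above and that nothing extra has crept into these allowlists, the read-only audit below compares the live configuration with the values in this article. It is an added example, not part of the original article or Huntress tooling; the function and variable names (`Compare-AllowList`, `$Domains`, `$UrlHosts`, `$Ips`) are hypothetical, and it assumes the default anti-spam policy is named "Default" as shown in Step 1.

```powershell
# Added example: read-only audit of the tenant against the values in this article.
Import-Module ExchangeOnlineManagement

# Expected values, copied from the PowerShell section of this article.
$Domains  = 'mycurricula.com','alerts.mycurricula.com','phish.mycurricula.com','securitynotifications.org','security-updater.com','amazonsecurity.org','breach-notice.com','filesharingnow.com','mailbox-quota.com','passwordsnotification.com','securelinkedin.com','fraud-assistance.com','payment-process.com','news-article.com','invite-meeting.com','feedback-collect.com','businessnotice.org','databoxonline.com','electronic-hr.com','emailtransaction.com','employee-services.org','governmentnotice.org','notificationservices.org'
$UrlHosts = 'amazonsecurity.org','breach-notice.com','employee-services.org','feedback-collect.com','filesharingnow.com','fraud-assistance.com','invite-meeting.com','mailbox-quota.com','news-article.com','passwordsnotification.com','payment-process.com','securelinkedin.com','security-updater.com','securitynotifications.org','notificationservices.org','databoxonline.com','emailtransaction.com','electronic-hr.com'
$Urls     = $UrlHosts | ForEach-Object { "$_/*" }
$Ips      = '18.205.140.116','168.245.36.66'

function Compare-AllowList {
    param([string]$Check, [string[]]$Expected, [object[]]$Actual)
    # Normalise to lower-case strings; drop empty values and a trailing /32 on single IPs.
    $exp = @($Expected | ForEach-Object { $_.ToLower() })
    $act = @($Actual | Where-Object { $_ } | ForEach-Object { "$_".ToLower() -replace '/32$', '' })
    [pscustomobject]@{
        Check      = $Check
        Missing    = @($exp | Where-Object { $_ -notin $act }) -join ', '   # simulations may be filtered
        Unexpected = @($act | Where-Object { $_ -notin $exp }) -join ', '   # bypass entries not in this article
    }
}

# Exchange Online session: Step 1 allowed domains and the Advanced delivery URL entries.
Connect-ExchangeOnline
$spam = Get-HostedContentFilterPolicy -Identity Default
$urlItems = Get-TenantAllowBlockListItems -ListType Url -ListSubType AdvancedDelivery

# Security & Compliance session: the phishing simulation override rule.
Connect-IPPSSession
$rule = Get-ExoPhishSimOverrideRule

$report = @(
    Compare-AllowList -Check 'Anti-spam allowed domains (Step 1)' -Expected $Domains -Actual $spam.AllowedSenderDomains
    Compare-AllowList -Check 'Advanced delivery URLs'             -Expected $Urls    -Actual $urlItems.Value
    Compare-AllowList -Check 'Phish sim sending domains'          -Expected $Domains -Actual $rule.Domains
    Compare-AllowList -Check 'Phish sim sending IPs'              -Expected $Ips     -Actual $rule.SenderIpRanges
)
$report | Format-List
```

An empty Missing and Unexpected value on every check means the tenant matches this article. Anything listed under Unexpected is an entry that bypasses filtering but does not come from this guide, so review it before leaving it in place.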
How do you connect to Microsoft 365 with PowerShell?
Now that you are finished with your allowed listing for your Microsoft 365 account, we recommend a Delivery test via Settings > Phishing > Deliverability test in SAT. Then send an assignment notification and/or phishing campaign to yourself or a small group of employees to verify the allowed listing was successful before launching SAT to your staff.
*If you have any messages that get placed in the user's junk email folders, add all SAT Phishing domains to the allowed list described in Step 1.
If these steps don’t resolve the issue, let us know by submitting a ticket to our support team.