Team: Huntress Managed Security Awareness Training (SAT)
Product: Microsoft Office 365
Environment: Microsoft Office 365, Exchange Admin Center
Summary: Allowlist phish emails in Microsoft 365 Defender, Exchange, and ATP/Safe-Links
In Huntress Managed SAT, there are two possible delivery methods: SMTP and API message insertion. Depending on how the Provider integration was first set up in the Managed SAT platform, emails will either be delivered via API with SMTP as a fallback or via SMTP only. A misconfiguration of rules within the Microsoft portal can prevent the delivery of phishing emails via either method.
All 3 guides below must be followed to guarantee delivery of phishing emails in Microsoft 365 environments with different configurations and for fallback purposes. Skipping any of the below may prevent phishing emails from being delivered correctly.
The first guide we'll cover is for the Exchange Admin Center (EAC).
What are Transport Servers and EAC?
Transport servers are critical components of the Exchange architecture and are responsible for routing and delivering email messages via SMTP protocols. The EAC provides an interface for configuring Transport Rules (also known as Mail Flow Rules), which are policies that control how emails are handled as they move through the transport pipeline.
Why is this guide important?
This guide needs to be followed for all SMTP Standard delivery methods to ensure phishing email is routed correctly and that the messages will not be affected by other EAC rules or security policies that may be in place.
The Second guide covers (ATP) Active Threat Protection and Microsoft SafeLinks.
What is SafeLinks?
SafeLinks are part of Microsoft Defender for Office 365 and is primarily used to protect against harmful links that may not be detected immediately but are later flagged as dangerous. It works by scanning and rewriting URLs to route them through Microsoft's security services. When a user clicks on a link, SafeLinks checks the URL in real-time for known threats, such as phishing attempts or malware, and either allows the user to proceed or blocks access to the malicious content.
Why is this guide important?
This guide will prevent Microsoft ATP/SafeLinks from scanning or rewriting the Bait-Link URLs in our emails. It will also reduce the likelihood of false positive clicks during live scans and help prevent certain web links, which may be used in our phishing campaigns, from being blocked.
This guide will append an X-Note to the internet headers of the email at the Transport level. For this to work correctly, the email must be delivered via SMTP protocol. If you choose to use our "API message insertion to Microsoft 365" option described in our Microsoft integration guide. SafeLinks scanning will still apply as the messages are not being sent via SMTP and may still be blocked, filtered, or clicked. If you are facing a False Positive issue with Safelinks, you must disable the API Message Insertion option.
The Third and most important guide we'll cover is our Microsoft Defender Basic and Advanced guide.
What is the Microsoft Defender Basic and Advanced Phishing Simulator Allow list?
Microsoft Defender Basic is a simplified version of Microsoft's threat protection for small businesses, offering core features like anti-malware, anti-phishing, and basic threat detection, without the advanced capabilities of Microsoft Defender for Office 365.
A Phishing Simulator Allow List includes trusted URLs, emails, or domains that bypass security filters like Microsoft Defender's SafeLinks and ATP, ensuring phishing simulations aren't blocked when testing employee awareness. However, for the simulation to work correctly, the phishing simulation platform’s emails and links must bypass the regular security filters. This is why the other exclusions are essential as well.
Why is this Guide important?
This is a two-part guide. The first part covers basic Exclusions for Microsoft Defender. The second part is very important as it covers third-party phishing simulators. Previously, Microsoft had a hard limit of 20 domains for phishing simulators, but that was recently removed. If you've previously followed this guide, you may have left out a few of our potential phishing domains that can now be included. These guides work in conjunction with each other as long as both Step 1 and Step 2 are accomplished in the following guide.