Additional M365/Exchange Allowlist Rules

The below scenarios require admins to configure additional allowlist rules in their Exchange Admin Center:

Learners forward messages internally

Once an email is forwarded, all of the header information that the Advanced Delivery policy looks for is removed. When this happens, Office 365 will scan the forwarded message, causing the learner to be marked as phished (false positive). To avoid these false positives, we recommend configuring one of the options below:
  • Option One: Block the forwarded email and send a response back to the learner that it was a simulated phishing message.
  • Option Two: Delete the forwarded message and send an incident report to a specific recipient with the email attached.

Note: This article only addresses the Microsoft 365 configuration. If you have other security measures in place there may be additional configuration needed. Please contact Infosec support if you need assistance determining the source of a phished event.

Option One

Block the forwarded email and send a response back to the learner that it was a simulated phishing message.
  1. Log in to the Exchange Admin Center
  2. Expand Mail Flow on the left-hand side and select Rules
  3. Click on the “+” and create a new rule
  4. Click more options
  5. Give your rule a name: “Infosec IQ Email Forwarding Rule”
  6. In the apply this rule if… dropdown menu, select the recipient… domain is and specify your organization’s domain (or the domain that the email is being forwarded to)
  7. Add another condition, and select a message header… includes any of these words
    • Header name value: In-Reply-To
    • Words or phrases: securityiq.infosecinstitute.com
  8. In the Do the following dropdown menu, select Block the Message… reject the message and include the explanation ‘This is a simulated phishing message’

Option Two

Delete the forwarded message and send an incident report to a specific recipient. An admin can specify which message properties to include in the report when creating the rule.
  1. Log in to the Exchange Admin Center
  2. Expand Mail Flow on the left-hand side and select Rules
  3. Click on the “+” and create a new rule
  4. Click more options
  5. Give your rule a name: “Infosec IQ Email Forwarding Rule”
  6. In the apply this rule if… dropdown menu, select the recipient… domain is and specify your organization’s domain (or the domain that the email is being forwarded to)
  7. Add another condition, and select a message header… includes any of these words
    • Header name value: In-Reply-To
    • Words or phrases: securityiq.infosecinstitute.com
  8. In the Do the following… dropdown menu, select block the message… delete the message without notifying anyone
  9. Click add action and, in the new dropdown menu, select generate incident report and send it to…
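
The same rule can be created from Exchange Online PowerShell. The script below is an added example, not Infosec's own code; it assumes an existing Connect-ExchangeOnline session, and the domain, the report mailbox and the report fields are placeholders to replace.

```powershell
# Added example: Option One / Option Two as a New-TransportRule call.
$Option          = 'Two'               # 'One' = reject with explanation, 'Two' = delete + incident report
$OrgDomain       = 'contoso.com'       # assumption: your organization's domain
$ReportRecipient = 'soc@contoso.com'   # assumption: mailbox that receives the incident report

# Conditions shared by both options (steps 6 and 7).
$rule = @{
    Name                        = 'Infosec IQ Email Forwarding Rule'
    RecipientDomainIs           = $OrgDomain
    HeaderContainsMessageHeader = 'In-Reply-To'
    HeaderContainsWords         = 'securityiq.infosecinstitute.com'
}

switch ($Option) {
    'One' {
        # Step 8 of Option One: reject and tell the learner why.
        $rule.RejectMessageReasonText = 'This is a simulated phishing message'
    }
    'Two' {
        # Steps 8 and 9 of Option Two: silent delete plus incident report.
        $rule.DeleteMessage          = $true
        $rule.GenerateIncidentReport = $ReportRecipient
        # Assumption: report fields chosen for illustration; AttachOriginalMail
        # attaches the forwarded message to the report.
        $rule.IncidentReportContent  = 'Sender', 'Recipients', 'Subject', 'AttachOriginalMail'
    }
    default { throw "Option must be 'One' or 'Two'." }
}

# Both options use the same rule name, so refuse to create a duplicate.
if (Get-TransportRule -Identity $rule.Name -ErrorAction SilentlyContinue) {
    throw "A rule named '$($rule.Name)' already exists; remove or rename it first."
}

New-TransportRule @rule | Out-Null

# Read the rule back to confirm its conditions and actions.
Get-TransportRule -Identity $rule.Name |
    Format-List Name, State, Priority, RecipientDomainIs, HeaderContainsMessageHeader,
                HeaderContainsWords, RejectMessageReasonText, DeleteMessage, GenerateIncidentReport
```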

If you are including the original email attached, you will need to create two additional rules to bypass safe links and attachment scanning:

Bypass Safe Links Scanning

  1. Click the + icon and then select Create a new rule… from the menu.
  2. Create a name for the rule such as “Infosec IQ Safe Links Bypass”.
  3. Click on More options to view additional menus.
  4. Use the drop-down menu under Apply this rule if…a message header… includes any of these words
    • Header name value: In-Reply-To
    • Words or phrases: securityiq.infosecinstitute.com
  5. Use the drop-down menu under Do the following… and then select Modify the message properties… Set a message header
  6. Select Enter text… next to set the message header and enter the following:
    X-MS-Exchange-Organization-SkipSafeLinksProcessing
  7. Select Enter text… next to the value and enter the following: 1
  8. Click Save.

Bypass Safe Attachment Scanning

  1. Click the + icon and then select Create a new rule… from the menu.
  2. Create a name for the rule such as “Infosec IQ Safe Attachment Bypass”.
  3. Click on More options to view additional menus.
  4. Use the drop-down menu under Apply this rule if…a message header… includes any of these words
    • Header name value: In-Reply-To
    • Words or phrases: securityiq.infosecinstitute.com
  5. Use the drop-down menu under Do the following… and then select Modify the message properties… Set a message header
  6. Select Enter text… next to set the message header and enter the following:
    X-MS-Exchange-Organization-SkipSafeAttachmentProcessing
  7. Select Enter text… next to the value and enter the following: 1
  8. Click Save.

MX Record Doesn't Point to Office 365

The below mail flow rules will need to be configured in your Exchange Admin Center to successfully receive emails from Infosec IQ.

Bypass spam filtering

  1. From the Exchange admin center, under the Mail flow menu, select rules.
  2. Click the + icon and then select Create a new rule… from the menu.
  3. Create a name for the rule such as “Infosec IQ Header Bypass”.
  4. Click on More options to view additional menus.
  5. Use the drop-down menu under Apply this rule if… to select the following condition: A message header… includes any of these words.
  6. Click Enter text and type X-PHISH
  7. Next click the link for Enter words… and type InfoSec Institute into the text field, then hit the + icon to add it, then click the OK button.
  8. Use the drop-down menu under Do the following… and then select Modify the message properties… --> Set the spam confidence level (SCL), then select “Bypass Spam Filtering” from the drop-down menu.
  9. Click Save.

Bypass Safe Links Scanning

  1. Click the + icon and then select Create a new rule… from the menu.
  2. Create a name for the rule such as “Infosec IQ Safe Links Bypass”.
  3. Click on More options to view additional menus.
  4. Use the drop-down menu under Apply this rule if…a message header… includes any of these words
    • Header name value: X-PHISH
    • Words or phrases: InfoSec Institute
  5. Use the drop-down menu under Do the following… and then select Modify the message properties… Set a message header
  6. Select Enter text… next to set the message header and enter the following:
    X-MS-Exchange-Organization-SkipSafeLinksProcessing
  7. Select Enter text… next to the value and enter the following: 1
  8. Click Save.

Bypass Safe Attachment Scanning

  1. Click the + icon and then select Create a new rule… from the menu.
  2. Create a name for the rule such as “Infosec IQ Safe Attachment Bypass”.
  3. Use the drop-down menu under Apply this rule if…a message header… includes any of these words
    • Header name value: X-PHISH
    • Words or phrases: InfoSec Institute
  4. Use the drop-down menu under Do the following… and then select Modify the message properties… Set a message header
  5. Select Enter text… next to set the message header and enter the following:
    X-MS-Exchange-Organization-SkipSafeAttachmentProcessing
  6. Select Enter text… next to the value and enter the following: 1
  7. Click Save.
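
The header-based bypass rules above, and the In-Reply-To versions in the forwarding section, differ only in the header they match on, so one parameterized script covers both. This is an added example, not Infosec's own code; New-InfosecIQBypassRule is a hypothetical helper name and an existing Connect-ExchangeOnline session is assumed.

```powershell
# Added example: create the bypass rules for one scenario and read them back.
function New-InfosecIQBypassRule {
    param(
        [Parameter(Mandatory)][string]$HeaderName,   # header the rule matches on
        [Parameter(Mandatory)][string]$HeaderWords,  # text that header must contain
        [switch]$IncludeSpamBypass                   # also create the SCL rule (MX scenario)
    )

    # Rule name -> action parameters, using the names and values from this article.
    $actions = [ordered]@{
        'Infosec IQ Safe Links Bypass' = @{
            SetHeaderName  = 'X-MS-Exchange-Organization-SkipSafeLinksProcessing'
            SetHeaderValue = '1'
        }
        'Infosec IQ Safe Attachment Bypass' = @{
            SetHeaderName  = 'X-MS-Exchange-Organization-SkipSafeAttachmentProcessing'
            SetHeaderValue = '1'
        }
    }
    if ($IncludeSpamBypass) {
        # SCL -1 corresponds to "Bypass spam filtering" in the admin center.
        $actions['Infosec IQ Header Bypass'] = @{ SetSCL = -1 }
    }

    foreach ($name in @($actions.Keys)) {
        # The article reuses rule names across scenarios, so skip existing ones.
        if (Get-TransportRule -Identity $name -ErrorAction SilentlyContinue) {
            Write-Warning "Rule '$name' already exists; skipping."
            continue
        }
        $action = $actions[$name]
        New-TransportRule -Name $name -HeaderContainsMessageHeader $HeaderName `
            -HeaderContainsWords $HeaderWords @action | Out-Null
    }

    # Read the rules back so the condition guarding each bypass can be reviewed.
    Get-TransportRule | Where-Object { $actions.Contains($_.Name) } |
        Select-Object Name, State, HeaderContainsMessageHeader, HeaderContainsWords,
                      SetHeaderName, SetHeaderValue, SetSCL
}

# Forwarded-message scenario (In-Reply-To condition):
# New-InfosecIQBypassRule -HeaderName 'In-Reply-To' -HeaderWords 'securityiq.infosecinstitute.com'
# MX record not pointing to Office 365 (X-PHISH condition, plus spam bypass):
New-InfosecIQBypassRule -HeaderName 'X-PHISH' -HeaderWords 'InfoSec Institute' -IncludeSpamBypass
```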

Remove External Tag from Training Emails

  1. Navigate to the Exchange Admin Center
  2. Expand the Mail Flow section on the left-hand side and select rules
  3. Select the rule that is adding the External Tag for external senders and click on the edit pencil
  4. Inside the rule click add exception
  5. From the Except if… dropdown menu select The sender… address matches any of these patterns
  6. Add the email address of our training notifications:
    • NA Instance: notifications@securityiq-notifications.com
    • EU Instance: notifications@securityiqeu-notifications.com
  7. Click Save

Prevent Microsoft’s report phishing options from marking learners as phished

Learners who use the built-in Microsoft report phishing or report as junk options will be marked as phished because reported emails are inspected by a Microsoft service. This can lead to inaccurate campaign results, with otherwise proactive learners being shown as “phished” in the system. The following mail flow rule identifies any outbound message sent to the Microsoft report phishing destination that contains our header value, then blocks and deletes it, preventing any inspection of the email and false phishing events.

  1. From the Exchange admin center, under the Mail flow menu, select rules.
  2. Click the + icon and then select Create a new rule… from the menu.
  3. Create a name for the rule such as “Infosec IQ - MS Report Phishing Bypass”.
  4. Click on More options to view additional menus.
  5. Use the drop-down menu under Apply this rule if… to select The recipient address includes…
  6. Click Enter text and add the following email addresses.
    • phish@office365.microsoft.com
    • junk@office365.microsoft.com
  7. Click the add condition button
  8. Use the drop-down menu under Apply this rule if… to select the following conditions The subject or body includes…
  9. Add all Infosec IQ IP addresses into this section. Please refer to the account settings in the platform for this list.
  10. Use the drop-down menu under Do the following… and then select Block the message… --> Delete the message without notifying anyone.
  11. Click Save.
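
The report-phishing rule as an Exchange Online PowerShell script, with a guard for the case where the IP list is empty or mistyped: without the body condition the rule would delete every report sent to the two Microsoft addresses. This is an added example, not Infosec's own code; the IP values are constructed placeholders and an existing Connect-ExchangeOnline session is assumed.

```powershell
# Added example: "Infosec IQ - MS Report Phishing Bypass" rule with input checks.

# Assumption: replace with the IP list from your Infosec IQ account settings.
# The values below are constructed documentation addresses (RFC 5737), not real ones.
$InfosecIqIps = @('192.0.2.10', '192.0.2.11')

# Microsoft report destinations named in step 6.
$ReportAddresses = @('phish@office365.microsoft.com', 'junk@office365.microsoft.com')

# Refuse to continue with an empty list: the rule would then match on the
# recipient alone and silently delete all user reports.
if (-not $InfosecIqIps -or $InfosecIqIps.Count -eq 0) {
    throw 'IP list is empty; the rule would delete every report sent to Microsoft.'
}

# Reject entries that do not parse as IP addresses (typos, stray whitespace).
$parsed = $null
$invalid = @($InfosecIqIps | Where-Object {
    -not [System.Net.IPAddress]::TryParse($_, [ref]$parsed)
})
if ($invalid.Count -gt 0) {
    throw "Not valid IP addresses: $($invalid -join ', ')"
}

$rule = @{
    Name                         = 'Infosec IQ - MS Report Phishing Bypass'
    RecipientAddressContainsWords = $ReportAddresses     # steps 5 and 6
    SubjectOrBodyContainsWords    = $InfosecIqIps        # steps 8 and 9
    DeleteMessage                 = $true                # step 10
}

if (Get-TransportRule -Identity $rule.Name -ErrorAction SilentlyContinue) {
    throw "A rule named '$($rule.Name)' already exists; remove or rename it first."
}

New-TransportRule @rule | Out-Null

# Confirm both conditions are present on the saved rule.
Get-TransportRule -Identity $rule.Name |
    Format-List Name, State, RecipientAddressContainsWords, SubjectOrBodyContainsWords, DeleteMessage
```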