Introduction to Advanced Delivery
The Advanced Delivery policy ensures that our simulated phishing templates are delivered successfully, with the following results:
- Filters in EOP and Microsoft Defender for Office 365 take no action on these messages.*
- Zero-hour Purge (ZAP) for spam and phishing takes no action on these messages.*
- Default system alerts aren’t triggered for these scenarios.
- AIR and clustering in Defender for Office 365 ignore these messages.
- Admin submissions generate an automatic response saying that the message is part of a phishing simulation campaign and isn’t a real threat. Alerts and AIR will not be triggered. The admin submissions experience will show these messages as a simulated threat.
- When a user reports a phishing simulation message using the Report Phishing add-in for Outlook, the system will not generate an alert, investigation, or incident. The message will also show up on the User reported messages tab of the submissions page.
- Safe Links in Defender for Office 365 doesn’t block or detonate the specifically identified URLs in these messages.
- Safe Attachments in Defender for Office 365 doesn’t detonate attachments in these messages.
Note: If your MX Record is not on O365, you will need to complete the allowlisting steps that are found in this article.
Configuring the Advanced Delivery Policy
- Log in to the Microsoft 365 Defender portal.
- Navigate to the menu on the left-hand side and select Policies & Rules under the Email & Collaboration section.
- Select Threat Policies.
- Select Advanced delivery under Rules.
- Click on Phishing Simulation at the top.
- If a policy isn’t created, click Add. If you already have a policy in place, click Edit from that specific policy.
- Once the Add Third Party Simulations window pops up, complete the following sections:
  - Sending IP: Add the IP addresses listed in the Email Stack section of your Infosec IQ Account Settings. Please note that you will need to add the IP addresses one-by-one.
  - (Optional) Simulation URLs to Allow: Use this to ensure URLs present in simulation messages are not blocked. You may specify up to 10 entries, in the recommended URL syntax, for each field.
  - Domains: Add our DKIM domains, securityiqmail.net and securityiq-notifications.com.
    Note: Do not add the domains listed in the Email Stack section of your Infosec IQ Account Settings. These are not the domains that Microsoft is looking at to see if the email should be successfully delivered.
- Click Add.
- After configuring the policy, please wait for the settings to propagate before testing. Please note: it may take up to 12 hours for the settings to fully propagate.
Note: Infosec has updated all public phishy domains to use the same DKIM domain. This will allow you to send out any simulated phishing email without having to update the Advanced Delivery policy for every new campaign. Private phishy domains will have their DKIM domains updated upon request. Please open a support ticket if you have a private domain whose DKIM domain you want switched to securityiqmail.net.
For more information regarding this update, please visit Microsoft’s knowledge base article
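The Sending IP and Domains entries from the portal steps above can also be set from Security & Compliance PowerShell. The script below is an added example, not part of the original article and not an Infosec or Microsoft script. The two IP addresses are constructed placeholders from documentation ranges and must be replaced with the addresses in the Email Stack section of your Infosec IQ Account Settings. The optional simulation URLs are not covered.

```powershell
# Assumes the ExchangeOnlineManagement module is installed and the account
# is allowed to manage threat policies.
Connect-IPPSSession

# DKIM domains named in this article.
$dkimDomains = 'securityiqmail.net', 'securityiq-notifications.com'

# PLACEHOLDERS (documentation ranges): replace with the sending IPs listed in
# the Email Stack section of your Infosec IQ Account Settings.
$sendingIps = '192.0.2.10', '198.51.100.25'

# Create the phishing simulation override policy only if none exists yet.
if (-not (Get-PhishSimOverridePolicy -ErrorAction SilentlyContinue)) {
    New-PhishSimOverridePolicy -Name PhishSimOverridePolicy | Out-Null
}

$rule = Get-ExoPhishSimOverrideRule -ErrorAction SilentlyContinue
if (-not $rule) {
    # No rule yet: create it with both lists in one call.
    New-ExoPhishSimOverrideRule -Policy PhishSimOverridePolicy `
        -Domains $dkimDomains -SenderIpRanges $sendingIps | Out-Null
}
else {
    # Rule already exists: add only the entries that are missing, so entries
    # configured for other simulation vendors are left untouched.
    $missingDomains = @($dkimDomains | Where-Object { $rule.Domains -notcontains $_ })
    $missingIps     = @($sendingIps  | Where-Object { $rule.SenderIpRanges -notcontains $_ })

    if ($missingDomains.Count -gt 0) {
        $rule | Set-ExoPhishSimOverrideRule -AddDomains $missingDomains
    }
    if ($missingIps.Count -gt 0) {
        $rule | Set-ExoPhishSimOverrideRule -AddSenderIpRanges $missingIps
    }
}

# Review what is now configured before waiting for propagation and testing.
Get-ExoPhishSimOverrideRule | Format-List Name, Domains, SenderIpRanges
```

Because the override bypasses filtering for anything matching these entries, keep both lists limited to the values above and review the output for entries you do not recognize.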
Other Considerations
Depending on the specifics of your Microsoft 365 configuration, it’s possible there are other rules that should be configured to ensure mail is processed smoothly and cleanly. We recommend taking a look at the table of contents on our Additional O365/Exchange Allowlist Rules article to see if any of these special cases apply to you.