Threat Defense phishing templates simulate real-life phishing attacks, and as expected, your mail server may block them. To accurately gauge how your organization handles phishing attacks, and to better prepare your end users for real attacks, our templates must reach your end users. Whitelisting our servers will prevent our templates from ending up in your end users’ Junk or Spam folders or blocked entirely.


This document outlines how to properly whitelist our servers and disable any additional spam filters in your Exchange mail server. For other SMTP servers, please whitelist the Threat Defense server IP address (52.228.117.29) and disable any Spam filters.


BrainStorm’s simulated phishing email servers can be whitelisted in one of two ways. For the best Threat Defense experience, we recommend using SMTP Direct Send only.


  1. SMTP Direct Send (recommended) – available in Office 365 only. This method allows QuickHelp to send email from any email address, even one that does not exist in or has a different domain from your Exchange Server. To configure a Sending Profile using an email with a sender/domain outside of your organization (e.g. @microsoft.com), you must use SMTP Direct Send. Also, any message limits associated with individual email accounts (SMTP Auth) will be avoided by using Direct Send. 
  2. SMTP Auth – same process in either your Exchange 2013, 2016, or Office 365 environment. SMTP Auth requires that a mailbox be created in your Exchange server and allows QuickHelp to connect to your Exchange server and send email from that account (used in the Admin Portal configuration) or from any other Exchange account. This last is determined by your Exchange configuration, which will be discussed below. If you create multiple Sending Profiles for your Phishing Campaigns, part (or all) of this configuration will need to be completed for each sender.


Either of these options will allow our simulated phishing emails to bypass this Microsoft Exchange Online Protection (EOP) mail filter.


SMTP Direct Send (recommended)

To configure Direct Send, you will need to complete the following steps:


Identify the MX record (this will be used in the QuickHelp Admin Portal)

Configure your IP Allow List

Bypass Clutter and Spam Filtering

Bypass the Junk Folder (M365 Only)

Create a Connector to Prevent Deferments (M365 Only)


Indentify the MX Record

  1. Log in to the Microsoft 365 admin center
  2. Click Settings > Domains
  3. Click your domain (e.g. contoso.com)

  4. Click the DNS records tab
  5. In the Exchange Online section, click MX
  6. In the MX record pop-up, copy the Points to address or Value field (e.g. contoso-com.mail.protection.outlook.com) and save it somewhere accessible

    NOTE: This will be used in the Host field of the Sending Profile

  7. Click Done


IP Allow List

  1. Log in to the Office 365 Security & Compliance Center
  2. Click Threat Management > Policy > Anti-spam
  3. In the Anti-spam settings, expand the Connection filter policy (always ON) section
  4. Click Edit Policy
  5. Click Edit next to the IP Allow List in the Connection filter policy dialog
  6. In the IP Allow List dialog, enter 52.228.117.29 in the Address or address range: field
  7. Click the + icon
  8. Click Save


Bypassing Clutter and Spam Filtering

  1. Log in to the Exchange Admin Portal

  2. Click mail flow > rules

  3. Click the + icon
  4. Select Bypass spam filtering…
  5. Enter a name in the Name field
  6. Select The sender… > IP address is in any of these ranges or exactly matches from the *Apply this rule if… pulldown menu
  7. Enter 52.228.117.29 in the specify IP address ranges dialog
  8. Click the + icon
  9. Click OK
  10. Select Modify the message properties… > set a message header from the *Do the following pulldown menu
  11. Click the first *Enter text…
  12. Enter X-MS-Exchange-Organization-BypassClutter in the message header text field
    NOTE: This is case sensitive
  13. Click OK
  14. Click the second *Enter text… 
  15. Enter true in the header value text field
    NOTE: This is case sensitive
  16. Click OK
  17. Click add action
  18. From the pulldown menu select Modify the message properties… > set the spam confidence level (SCL)
  19. From the specify SCL dialog, choose Bypass spam filtering
  20. Click OK
    NOTE: We recommend leaving the other options at their default settings
  21. Click Save


Bypassing the Junk Folder (M365 Only)

  1. Log in to the Exchange Admin Portal
  2. Click mail flow > rules
  3. Click the + icon
  4. Select Bypass spam filtering…
  5. Enter a name in the Name field
  6. Select The sender… > IP address is in any of these ranges or exactly matches from the *Apply this rule if… pulldown menu
  7. Enter 52.228.117.29 in the specify IP address ranges dialog
  8. Click the + icon
  9. Click OK
  10. Select Modify the message properties… > set a message header from the *Do the following pulldown menu
  11. Click the first *Enter text…
  12. Enter X-Forefront-Antispam-Report in the message header text field
    NOTE: This is case sensitive
  13. Click OK
  14. Click the second *Enter text… 
  15. Enter SFV:SKI;CAT:NONE; in the header value text field
    NOTE: This is case sensitive
  16. Click OK
  17. Click Save
    NOTE: If this rule does not come immediately after the Bypassing Clutter and Spam filtering rule created above, please edit this rule, and under Properties, set the Priority to directly follow the previous rule. Also note that the priority/position of both of these rules need to be high enough so that other rules won’t filter Threat Defense emails before these rules are enforced.


Connector to Prevent Deferment (M365 Only)

Adding a connector will prevent your emails from being deferred in Microsoft 365 due to Microsoft's rate limiting or similar settings.

  1. Log in to the Exchange Admin Portal
  2. Click mail flow > connectors
  3. Click the + icon
  4. From the From pulldown menu, select Partner organization
  5. From the To pulldown menu, select Office 365
  6. Click Next
  7. Enter a name in the Name field
  8. Enter a description (optional)
  9. Click Next
  10. Select Use the sender’s IP address radio button
  11. Click Next
  12. Click the + icon
  13. Enter 52.228.117.29 in the add ip address dialog
  14. Click OK
  15. Click Next
  16. Select Reject email messages if they aren’t sent over TLS
  17. Click Next
  18. Review the connector settings – if they are correct, click Save


--Stop Here for Direct Send--



SMTP Auth

  1. Connect to Exchange Online Powershell
  2. Check the value of the SmtpClientAuthenticationDisabled property by running the command: Get-TransportConfig | Format-List SmtpClientAuthenticationDisabled
  3. If the value is true, run Set-TransportConfig -SmtpClientAuthenticationDisabled $false
  4. Disconnect from Exchange Online Powershell (Disconnect-ExchangeOnline)
  5. Log in to the Office Admin Portal
  6. Click Users > Active Users
  7. Search for the account that will be used as the User Name of the Sending Profile
  8. Click on the Display Name
  9. From the User pop-up on the right-hand side, click the Mail tab
  10. Click Manage email apps
  11. In the Manage email apps dialog, check Authenticated SMTP
  12. Click Save Changes
    NOTE: If the Sending Profile’s Sender Name and Sender Email are different than the User Name, please follow the next steps. If they are the same, stop here.
  13. In the Office Admin Portal, click Users > Active Users
  14. Search for the account that will be used as the Sender Email of the Sending Profile
  15. Click on the Display Name
  16. From the User pop-up on the right-hand side, click the Mail tab
  17. Click Send as permissions
  18. In the Add send as permissions field, type in the account that will be used as the User Name of the Sending Profile
  19. Click on the user from the results
  20. Click Save Changes

Repeat these steps, as needed, for each Sending Profile. Depending on how you configure your Sending Profiles, you may only need to repeat steps 13-20.