Threat Defense phishing templates simulate real-life phishing attacks, and as expected, your mail server may block them. To accurately gauge how your organization handles phishing attacks and to better prepare your end users for real attacks, our templates must reach your end users. Whitelisting our servers will prevent our templates from ending up in your end users’ Junk or Spam folders or being blocked entirely.
This document outlines how to properly whitelist our servers and disable any additional spam filters in your Exchange mail server. For other SMTP servers, please whitelist the Threat Defense server IP address (52.228.117.29) and disable any Spam filters (e.g. Proofpoint's Rate Control).
QuickHelp’s simulated phishing email servers can be whitelisted in one of two ways. For the best Threat Defense experience, we recommend using SMTP Direct Send only.
- SMTP Direct Send (recommended) – available in Office 365 only. This method allows QuickHelp to send email from any email address, even one that does not exist in or has a different domain from your Exchange Server. To configure a Sending Profile using an email with a sender/domain outside of your organization (e.g. @microsoft.com), you must use SMTP Direct Send. Also, any message limits associated with individual email accounts (SMTP Auth) will be avoided by using Direct Send.
- SMTP Auth – same process in your Exchange 2013, 2016, or Office 365 environment. SMTP Auth requires that a mailbox be created in your Exchange server and allows QuickHelp to connect to your Exchange server and send email from that account (used in the Admin Portal configuration) or from any other Exchange account. Which of the two applies is determined by your Exchange configuration, which is discussed below. If you create multiple Sending Profiles for your Phishing Campaigns, part (or all) of this configuration will need to be completed for each sender.
Either of these options will allow our simulated phishing emails to bypass the Microsoft Exchange Online Protection (EOP) mail filter.
Note: You may need to do additional domain whitelisting to bypass Windows Defender. See the Microsoft Windows Defender Domain Whitelisting article.
SMTP Direct Send (recommended)
To configure Direct Send, you will need to complete the following steps:
- Identify the MX record (this will be used in the QuickHelp Admin Portal)
- Bypass Clutter and Spam Filtering
- Bypass the Junk Folder (M365 Only)
- Create a Connector to Prevent Deferments (M365 Only)
Identify the MX Record
- Log in to the Microsoft 365 admin center
- Click Settings > Domains
- Click your domain (e.g. contoso.com)
- Click the DNS records tab
- In the Microsoft Exchange section, click MX
- In the MX record pop-up, copy the Points to address or Value field (e.g. contoso-com.mail.protection.outlook.com) in the Expected record section and save it somewhere accessible.
NOTE: This will be used in the Host field of the Sending Profile
- Click Done
Configure IP Allow List
- Log in to your Microsoft Windows Defender.
- Click Email & Collaboration > Policies & Rules > Threat Policies > Anti-spam
- In the Anti-spam policies section click on the Connection filter policy (Default).
- In the pop-out scroll down and click Edit Connection filter policy
- In the Always on | Priority Lowest enter 52.228.117.29
- Click Save.
Bypassing Clutter and Spam Filtering
- Log in to the Exchange Admin Portal
- Click mail flow > rules and click the plus icon (Add a rule)
- Select Create a new rule
- Enter a name in the Name field, such as Threat Defense Bypass Spam
- From the *Apply this rule if… pulldown menu, select The sender… > IP address is in any of these ranges or exactly matches.
- Enter 52.228.117.29 in the specify IP address ranges dialog
- Click Add
- Click Save
- From the *Do the following pulldown menu select Modify the message properties… > set a message header
- Click the first *Enter text…
- In the message header text field enter X-MS-Exchange-Organization-BypassClutter
NOTE: This is case sensitive
- Click Save
- Click the second *Enter text…
- In the header value text field enter true
NOTE: This is case sensitive
- Click Save
- Click + icon
- From the and pulldown menu select Modify the message properties… > set the spam confidence level (SCL)
- From the specify SCL dialog, choose Bypass spam filtering
- Click Save
NOTE: We recommend leaving the other options at their default settings
- Click Next > Next > Finish > Done
Bypassing ATP Link Processing
- Log in to the Exchange Admin Portal.
- Click mail flow > rules and click the plus icon (Add a rule)
- Select Create a new rule.
- Enter a name in the Name field, such as Threat Defense Bypass ATP Link Processing.
- In "Apply this rule if" select "The Sender" > "IP address is in any of these ranges or exactly matches".
- Enter 52.228.117.29 in the specified IP address ranges dialog.
- In "*Do the following," select "Modify the message properties..." > "Set a message header"
- Click the first *Enter text…
- In the message header text field, enter X-MS-Exchange-Organization-SkipSafeLinksProcessing
NOTE: This is case sensitive
- Click the second *Enter text… and set the value to 1.
- Click Save.
Bypassing the Junk Folder (M365 Only)
- Log in to the Exchange Admin Portal
- Click mail flow > rules
- Click + Add a Rule
- Select Create a new rule
- Enter a name in the Name field, such as Threat Defense Bypass Junk Folder
- From the *Apply this rule if… pulldown menu select The sender… > IP address is in any of these ranges or exactly matches
- In the specify IP address ranges dialog enter 52.228.117.29
- Click the Add icon to add the IP address and click Save.
- From the *Do the following pulldown menu select Modify the message properties… > set a message header
- Click the first *Enter text…
- Enter X-Forefront-Antispam-Report in the message header text field
NOTE: This is case sensitive
- Click Save
- Click the second *Enter text…
- Enter SFV:SKI;CAT:NONE; in the header value text field
NOTE: This is case sensitive and requires the semi-colon
- Click Save
- Click Next > Next > Finish > Done
NOTE: The priority/position of both of these rules needs to be high enough that other rules won't filter Threat Defense emails before these rules take effect.
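The three mail flow rules above (Bypass Spam, Bypass ATP Link Processing, Bypass Junk Folder) can also be created from Exchange Online PowerShell. The following is an added example, not a QuickHelp script: it assumes a session opened with Connect-ExchangeOnline and uses Priority 0 as one way to satisfy the note on rule position. It then lists every rule that bypasses filtering and flags any that is not limited to the single Threat Defense IP address.

```powershell
# Added example (not QuickHelp's own script). Assumes Connect-ExchangeOnline has been run.
$ip = '52.228.117.29'                       # Threat Defense server IP from this page

# The three rules from the sections above: name, header to set, value, SCL bypass or not.
$rules = @(
    @{ Name = 'Threat Defense Bypass Spam'; Scl = $true
       Header = 'X-MS-Exchange-Organization-BypassClutter'; Value = 'true' },
    @{ Name = 'Threat Defense Bypass ATP Link Processing'; Scl = $false
       Header = 'X-MS-Exchange-Organization-SkipSafeLinksProcessing'; Value = '1' },
    @{ Name = 'Threat Defense Bypass Junk Folder'; Scl = $false
       Header = 'X-Forefront-Antispam-Report'; Value = 'SFV:SKI;CAT:NONE;' }
)

$existing = @(Get-TransportRule | ForEach-Object { $_.Name })
foreach ($r in $rules) {
    if ($r.Name -in $existing) { continue }   # do not create duplicates on re-run
    $params = @{
        Name           = $r.Name
        SenderIpRanges = $ip                  # sole condition: the exact sending IP
        SetHeaderName  = $r.Header
        SetHeaderValue = $r.Value
        Priority       = 0                    # assumption: place ahead of existing rules
    }
    if ($r.Scl) { $params.SetSCL = -1 }       # -1 is "Bypass spam filtering"
    New-TransportRule @params | Out-Null
}

# Audit: list every rule that bypasses filtering and flag any not limited to $ip alone.
$headers = $rules | ForEach-Object { $_.Header }
Get-TransportRule | Where-Object {
    "$($_.SetSCL)" -eq '-1' -or "$($_.SetHeaderName)" -in $headers
} | ForEach-Object {
    $ranges = @($_.SenderIpRanges | ForEach-Object { "$_" })
    [pscustomobject]@{
        Rule       = $_.Name
        State      = $_.State
        Priority   = $_.Priority
        SenderIp   = $ranges -join ','
        OnlyThisIp = ($ranges.Count -eq 1 -and $ranges[0] -in @($ip, "$ip/32"))
    }
} | Format-Table -AutoSize
```

A row with OnlyThisIp set to False is a bypass rule that applies to more than the Threat Defense server and should be reviewed.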
Connector to Prevent Deferment (M365 Only)
Adding a connector will prevent your emails from being deferred in Microsoft 365 due to Microsoft's rate limiting or similar settings.
- Log in to the Exchange Admin Portal
- Click Mail flow > Connectors
- Click the Add a Connector icon
- From the Connection from menu, select Partner organization and verify that under the Connection To section Office 365 is selected.
- Click Next
- Enter a name in the Name field, such as Threat Defense Connector, enter a description (optional) and verify that Turn It On is checked. Click Next
- Select the By verifying that the IP address of the sending server matches one of the following IP addresses, which belong to your organization radio button
- Enter 52.228.117.29 and click the plus (+) to the right to add the IP address. Click Next
- Select Reject email messages if they aren’t sent over TLS. Click Next.
- Review the connector settings – if they are correct, click Create Connector > Done
--Stop Here for Direct Send--
SMTP Auth
- Connect to Exchange Online PowerShell
- Check the value of the SmtpClientAuthenticationDisabled property by running the command: Get-TransportConfig | Format-List SmtpClientAuthenticationDisabled
- If the value is true, run Set-TransportConfig -SmtpClientAuthenticationDisabled $false
- Disconnect from Exchange Online PowerShell (Disconnect-ExchangeOnline)
- Log in to the Office Admin Portal
- Click Users > Active Users
- Search for the account that will be used as the User Name of the Sending Profile
- Click on the Display Name
- From the User pop-up on the right-hand side, click the Mail tab
- Click Manage email apps
- In the Manage email apps dialog, check Authenticated SMTP
- Click Save Changes
NOTE: If the Sending Profile’s Sender Name and Sender Email are different than the User Name, please follow the next steps. If they are the same, stop here.
- In the Office Admin Portal, click Users > Active Users
- Search for the account that will be used as the Sender Email of the Sending Profile
- Click on the Display Name
- From the User pop-up on the right-hand side, click the Mail tab
- Click Send as permissions
- In the Add send as permissions field, type in the account that will be used as the User Name of the Sending Profile
- Click on the user from the results
- Click Save Changes
Repeat these steps, as needed, for each Sending Profile. Depending on how you configure your Sending Profiles, you may only need to repeat steps 13-20 (the Send as permissions steps that follow the NOTE above).
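The SMTP Auth steps above can be run for one Sending Profile from Exchange Online PowerShell. This is an added example, not a QuickHelp script: it assumes a session opened with Connect-ExchangeOnline, and both addresses are placeholders. It finishes by reading back the mailbox setting and the Send as permissions so the change can be recorded.

```powershell
# Added example (not QuickHelp's own script). Assumes Connect-ExchangeOnline has been run.
$userName    = 'td-sender@contoso.com'      # placeholder: Sending Profile User Name
$senderEmail = 'helpdesk@contoso.com'       # placeholder: Sending Profile Sender Email

# Organization-wide setting from the first steps; change it only if it is disabled.
if ((Get-TransportConfig).SmtpClientAuthenticationDisabled) {
    Set-TransportConfig -SmtpClientAuthenticationDisabled $false
}

# Equivalent of checking "Authenticated SMTP" under Manage email apps for this mailbox.
Set-CASMailbox -Identity $userName -SmtpClientAuthenticationDisabled $false

# Send as permission, needed only when the sender differs from the User Name.
if ($senderEmail -ne $userName) {
    $granted = Get-RecipientPermission -Identity $senderEmail -Trustee $userName |
        Where-Object { $_.AccessRights -contains 'SendAs' }
    if (-not $granted) {
        Add-RecipientPermission -Identity $senderEmail -Trustee $userName `
            -AccessRights SendAs -Confirm:$false
    }
}

# Read back what is now allowed, so the change can be recorded and later reversed.
Get-CASMailbox -Identity $userName |
    Select-Object PrimarySmtpAddress, SmtpClientAuthenticationDisabled
Get-RecipientPermission -Identity $senderEmail |
    Where-Object { $_.Trustee -ne 'NT AUTHORITY\SELF' } |
    Select-Object Identity, Trustee, AccessRights
```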