Threat Defense phishing templates simulate real-life phishing attacks, and as expected, your mail server may block them. To accurately gauge how your organization handles phishing attacks, and to better prepare your end users for real attacks, our templates must reach your end users. Whitelisting our servers will prevent our templates from ending up in your end users’ Junk or Spam folders or being blocked entirely.


This document outlines how to properly whitelist our servers and disable any additional spam filters in your Exchange mail server. For other SMTP servers, please whitelist the Threat Defense server IP address (52.228.117.29) and disable any Spam filters (e.g. Proofpoint's Rate Control).


BrainStorm’s simulated phishing email servers can be whitelisted in one of two ways. For the best Threat Defense experience, we recommend using SMTP Direct Send only.


  1. SMTP Direct Send (recommended) – available in Office 365 only. This method allows QuickHelp to send email from any email address, even one that does not exist in or has a different domain from your Exchange Server. To configure a Sending Profile using an email with a sender/domain outside of your organization (e.g. @microsoft.com), you must use SMTP Direct Send. Also, any message limits associated with individual email accounts (SMTP Auth) will be avoided by using Direct Send. 
  2. SMTP Auth – same process in either your Exchange 2013, 2016, or Office 365 environment. SMTP Auth requires that a mailbox be created in your Exchange server and allows QuickHelp to connect to your Exchange server and send email from that account (used in the Admin Portal configuration) or from any other Exchange account. The latter is determined by your Exchange configuration, which will be discussed below. If you create multiple Sending Profiles for your Phishing Campaigns, part (or all) of this configuration will need to be completed for each sender.


Either of these options will allow our simulated phishing emails to bypass the Microsoft Exchange Online Protection (EOP) mail filter.


Note: You may need to do additional domain whitelisting to bypass Windows Defender. See the Microsoft Windows Defender Domain Whitelisting article.


SMTP Direct Send (recommended)

To configure Direct Send, you will need to complete the following steps:


Identify the MX record (this will be used in the QuickHelp Admin Portal)

Configure your IP Allow List

Bypass Clutter and Spam Filtering

Bypass the Junk Folder (M365 Only)

Create a Connector to Prevent Deferments (M365 Only)


Identify the MX Record

  1. Log in to the Microsoft 365 admin center
  2. Click Settings > Domains
  3. Click your domain (e.g. contoso.com)

  4. Click the DNS records tab
  5. In the Microsoft Exchange section, click MX
  6. In the MX record pop-up, copy the Points to address or Value field (e.g. contoso-com.mail.protection.outlook.com) in the Expected record section and save it somewhere accessible.

    NOTE: This will be used in the Host field of the Sending Profile

  7. Click Done


Configure IP Allow List

  1. Log in to your Microsoft Windows Defender.
  2. Click Email & Collaboration > Policies & Rules > Threat Policies > Anti-spam
  3. In the Anti-spam policies section click on the Connection filter policy.
  4. Scroll down and click Edit Connection filter policy 
  5. In the IP Allow List dialog, enter 52.228.116.29 in the  Always allow messages from the following IP Address or address range field. Click Save.


Bypassing Clutter and Spam Filtering

  1. Log in to the Exchange Admin Portal

  2. Click mail flow > rules and click the plus icon 

  3. Select Bypass spam filtering…
  4. Enter a name in the Name field, such as Threat Defense Bypass Spam
  5. From the *Apply this rule if… pulldown menu select The sender… > IP address is in any of these ranges or exactly matches.
  6. Enter 52.228.117.29 in the specify IP address ranges dialog
  7. Click the plus icon
  8. Click OK
  9.  From the *Do the following pulldown menu select Modify the message properties… > set a message header
  10. Click the first *Enter text…
  11.  In the message header text field enter X-MS-Exchange-Organization-BypassClutter
    NOTE: This is case sensitive
  12. Click OK
  13. Click the second *Enter text… 
  14. In the header value text field enter true
    NOTE: This is case sensitive
  15. Click OK
  16. Click add action
  17. From the and pulldown menu select Modify the message properties… > set the spam confidence level (SCL)
  18. From the specify SCL dialog, choose Bypass spam filtering
  19. Click OK
    NOTE: We recommend leaving the other options at their default settings
  20. Click Save


Bypassing the Junk Folder (M365 Only)

  1. Log in to the Exchange Admin Portal
  2. Click mail flow > rules
  3. Click the + icon
  4. Select Bypass spam filtering…
  5. Enter a name in the Name field, such as Threat Defense Bypass Junk Folder
  6. From the *Apply this rule if… pulldown menu select The sender… > IP address is in any of these ranges or exactly matches
  7. In the specify IP address ranges dialog enter 52.228.117.29 
  8. Click the plus icon to add the IP address and click OK.
  9.  From the *Do the following pulldown menu select Modify the message properties… > set a message header
  10. Click the first *Enter text…
  11. Enter X-Forefront-Antispam-Report in the message header text field
    NOTE: This is case sensitive
  12. Click OK
  13. Click the second *Enter text… 
  14. Enter SFV:SKI;CAT:NONE; in the header value text field
    NOTE: This is case sensitive
  15. Click OK
  16. Click Save

    NOTE: Both of these rules must have a high enough priority/position that other rules don't filter Threat Defense emails before these rules take effect.


Connector to Prevent Deferment (M365 Only)

Adding a connector will prevent your emails from being deferred in Microsoft 365 due to Microsoft's rate limiting or similar settings.

  1. Log in to the Exchange Admin Portal
  2. Click Mail flow > Connectors
  3. Click the Add a Connector icon
  4. From the Connection from menu, select Partner organization and verify that under the Connection To section Office 365 is selected.
  5. Click Next
  6. Enter a name in the Name field, such as Threat Defense Connector, enter a description (optional) and verify that Turn It On is checked. Click Next
  7. Select the By verifying that the IP address of the sending server matches one of the following IP addresses, which belong to your organization radio button
  8. Enter 52.228.117.29 and click the plus to the right to add the IP address. Click Next
  9. Select Reject email messages if they aren’t sent over TLS. Click Next.
  10. Review the connector settings – if they are correct, click Create Connector
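
The Direct Send steps above create filtering exceptions keyed on a sender IP address. The following is an added example, not part of the original procedure or of the vendor's tooling, that audits those exceptions so they stay scoped to that address and the connector still requires TLS. It assumes an active Exchange Online PowerShell session; the variable names are illustrative.

```powershell
# Added audit example. Assumes Connect-ExchangeOnline has already been run.
# $VendorIps holds the server IP stated on this page; extend it if you
# deliberately allow-listed other addresses.
$VendorIps = @('52.228.117.29')
$findings  = [System.Collections.Generic.List[string]]::new()

# 1. Connection filter policy: every allow-listed entry should be a vendor address.
$policy = Get-HostedConnectionFilterPolicy -Identity Default
foreach ($ip in $policy.IPAllowList) {
    if ("$ip" -notin $VendorIps) {
        $findings.Add("IP Allow List contains non-vendor entry: $ip")
    }
}

# 2. Mail flow rules that set SCL to bypass (-1) or stamp either header from this page.
$bypassHeaders = 'X-MS-Exchange-Organization-BypassClutter', 'X-Forefront-Antispam-Report'
$rules = Get-TransportRule |
    Where-Object { $_.SetSCL -eq -1 -or $_.SetHeaderName -in $bypassHeaders }
foreach ($rule in $rules) {
    if (-not $rule.SenderIpRanges) {
        # A bypass rule with no sender IP condition exempts far more than the simulation.
        $findings.Add("Rule '$($rule.Name)' bypasses filtering with no sender IP condition")
    }
    foreach ($range in $rule.SenderIpRanges) {
        if ("$range" -notin $VendorIps) {
            $findings.Add("Rule '$($rule.Name)' bypasses filtering for non-vendor range: $range")
        }
    }
}

# 3. Inbound connectors that match on a vendor IP must still require TLS.
$connectors = Get-InboundConnector | Where-Object {
    $_.SenderIPAddresses | Where-Object { "$_" -in $VendorIps }
}
foreach ($c in $connectors) {
    if (-not $c.RequireTls) {
        $findings.Add("Connector '$($c.Name)' accepts mail without TLS")
    }
}

if ($findings.Count -gt 0) { $findings } else { 'All bypass settings are scoped to the vendor IP.' }
```

Any finding means an exception is wider than this procedure calls for and should be reviewed before the next campaign.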


--Stop Here for Direct Send--



SMTP Auth

  1. Connect to Exchange Online PowerShell
  2. Check the value of the SmtpClientAuthenticationDisabled property by running the command: Get-TransportConfig | Format-List SmtpClientAuthenticationDisabled
  3. If the value is true, run Set-TransportConfig -SmtpClientAuthenticationDisabled $false
  4. Disconnect from Exchange Online PowerShell (Disconnect-ExchangeOnline)
  5. Log in to the Office Admin Portal
  6. Click Users > Active Users
  7. Search for the account that will be used as the User Name of the Sending Profile
  8. Click on the Display Name
  9. From the User pop-up on the right-hand side, click the Mail tab
  10. Click Manage email apps
  11. In the Manage email apps dialog, check Authenticated SMTP
  12. Click Save Changes
    NOTE: If the Sending Profile’s Sender Name and Sender Email are different than the User Name, please follow the next steps. If they are the same, stop here.
  13. In the Office Admin Portal, click Users > Active Users
  14. Search for the account that will be used as the Sender Email of the Sending Profile
  15. Click on the Display Name
  16. From the User pop-up on the right-hand side, click the Mail tab
  17. Click Send as permissions
  18. In the Add send as permissions field, type in the account that will be used as the User Name of the Sending Profile
  19. Click on the user from the results
  20. Click Save Changes

Repeat these steps, as needed, for each Sending Profile. Depending on how you configure your Sending Profiles, you may only need to repeat steps 13-20.