In order for Phishing Tackle's emails to function correctly, there are two sections that require additional rules to bypass all of Microsoft's Advanced Threat Protection system.
These two sections can be divided as follows:
Mail flow rules
NOTE:
As a precaution, we recommend waiting one hour after enabling the mail flow rules, then testing them on a small group of recipients before running any large phishing campaigns.
Advanced Threat Protection (ATP) Attachment Bypass Rule
To bypass ATP Attachment Processing, set up the following mail flow rule:
- Go to your MS Exchange/Office Admin Center and click "Mail Flow"
- Click the "+" and "Bypass spam filtering..."
- Give the rule a name, e.g. "Bypass ATP Attachment Processing"
- Hit "More Options"
- Under "*Apply this rule if..." select "The Sender..." > "IP address is in any of these ranges or exactly matches..."
- Enter Phishing Tackle's IP (This can be found here), and hit "+"
- Under "*Do the following..." select "Modify the message properties..." > "set a message header" and enter the following:
  - Set the message header: "X-MS-Exchange-Organization-SkipSafeAttachmentProcessing"
  - to the value: 1
- Hit Save
WARNING, PLEASE READ CAREFULLY:
The next rule to implement depends on whether you use Defender for Office 365 (ATP) Plan 1 or Plan 2.
- If you use Plan 1, please ONLY implement the Advanced Threat Protection (ATP) Link Bypass Rule.
- If you use Plan 2, please ONLY implement the URL rewriting rules.
Do not implement BOTH rules below as they will interfere with each other.
If you do not know which Defender plan you have...
Simply follow the guide for PLAN 2. If the Safe Links policy (on step 4) is not available, you have PLAN 1.
Advanced Threat Protection (ATP) Link Bypass Rule
To bypass ATP Link Processing, set up the following mail flow rule:
- Go to your MS Exchange/Office Admin Center and click "Mail Flow"
- Click the "+" and "Bypass spam filtering..."
- Give the rule a name, e.g. "Bypass ATP Link Processing"
- Hit "More Options"
- Under "*Apply this rule if..." select "The Sender..." > "IP address is in any of these ranges or exactly matches..."
- Enter Phishing Tackle's IP (This can be found here), and hit "+"
- Under "*Do the following..." select "Modify the message properties..." > "set a message header" and enter the following:
  - Set the message header: "X-MS-Exchange-Organization-SkipSafeLinksProcessing"
  - to the value: 1
- Hit Save
URL rewriting rules
1. Within the Phishing Tackle platform, go to Organisation > Settings > Phishing Domains and leave the page open, as you'll need it later on. Proceed to step 2.
2. Visit your Microsoft 365 Admin Center and click "Security" to open the Office 365 Security & Compliance page.
3. Click "Threat Management" > "Policy"
4. Click Safe Links
5. Either select the existing Link Policy and click "Edit policy", or click the "Create" button to make a new one.
6. Finally, in the "Do not rewrite the following URLs" section, add the list of root domains from the page in Step 1. Each domain must be added using the format https://[rootdomain]/* so if you are adding the root domain "phishingdomain.com", you need to enter https://phishingdomain.com/*
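
The same configuration expressed in Exchange Online PowerShell, as an added example that is not Phishing Tackle's own script. It assumes an open Exchange Online session; the script's parameter names and the helper `New-SkipHeaderRule` are illustrative, and the sender IPs, policy name and root domains must be supplied by you. It applies only the link rule that matches your Defender plan, then lists every rule that sets a skip header so you can confirm each one is restricted to the sender IPs.

```powershell
# Added example. Assumes an Exchange Online PowerShell session is already open
# (Connect-ExchangeOnline). Parameter names are illustrative.
param(
    [Parameter(Mandatory)][string[]]$SenderIps,   # Phishing Tackle's IP(s) from the vendor's page
    [Parameter(Mandatory)][ValidateSet('Plan1', 'Plan2')][string]$DefenderPlan,
    [string]$SafeLinksPolicy,                     # Plan 2: Safe Links policy to edit
    [string[]]$PhishingRootDomains = @()          # Plan 2: root domains from the platform
)

function New-SkipHeaderRule([string]$Name, [string]$Header) {
    if (Get-TransportRule -Identity $Name -ErrorAction SilentlyContinue) {
        Write-Host "Rule '$Name' already exists; leaving it unchanged."
        return
    }
    # -SetSCL -1 is what the "Bypass spam filtering..." template sets.
    New-TransportRule -Name $Name -SenderIpRanges $SenderIps -SetSCL -1 `
        -SetHeaderName $Header -SetHeaderValue '1' | Out-Null
}

New-SkipHeaderRule 'Bypass ATP Attachment Processing' `
    'X-MS-Exchange-Organization-SkipSafeAttachmentProcessing'

if ($DefenderPlan -eq 'Plan1') {
    # Plan 1: header-based link bypass only.
    New-SkipHeaderRule 'Bypass ATP Link Processing' `
        'X-MS-Exchange-Organization-SkipSafeLinksProcessing'
} else {
    # Plan 2: "Do not rewrite" entries only, never both.
    if (-not $SafeLinksPolicy -or $PhishingRootDomains.Count -eq 0) {
        throw 'Plan2 requires -SafeLinksPolicy and -PhishingRootDomains.'
    }
    $urls = @($PhishingRootDomains | ForEach-Object { "https://$_/*" })
    Set-SafeLinksPolicy -Identity $SafeLinksPolicy -DoNotRewriteUrls @{ Add = $urls }
}

# Review: list every rule that sets a Skip* header and flag any not tied to sender IPs.
Get-TransportRule |
    Where-Object { $_.SetHeaderName -like 'X-MS-Exchange-Organization-SkipSafe*' } |
    ForEach-Object {
        if (-not $_.SenderIpRanges) {
            Write-Warning "Rule '$($_.Name)' sets $($_.SetHeaderName) without a sender IP condition."
        }
        $_ | Select-Object Name, State, SetHeaderName, SetHeaderValue, SenderIpRanges
    }
```

Rerunning the final review block periodically shows whether a skip-header rule has been added or widened beyond the simulation sender's IPs.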