Bypassing Microsoft 365 (formerly Office 365) Advanced Threat Protection (ATP) / Defender for Office

Support Desk
  • Updated
Follow

IMPORTANT NOTICE: Since Microsoft rolled out the "Secure by Default" standard in October 2021, the required method of allowlisting has changedTo correctly allowlist in Exchange and Office 365 environments, please see our article Allowlisting via Microsoft Advanced Delivery.

In order for Phishing Tackle's emails to function correctly, there are two sections that require additional rules to bypass all of Microsoft's Advanced Threat Protection system.

These two sections can be divided as follows (click to jump straight to that section):

 

Mail flow rules

NOTE:
As a precaution, we recommend waiting one hour after enabling the mail flow rules before testing them on a small group of recipients before running any large phishing campaigns. 

 

 Advanced Threat Protection (ATP) Attachment Bypass Rule

NOTE:

If you are using a cloud-based spam filter you must create a mail flow rule to bypass ATP link processing by email header. This is because your cloud-based spam filter will change the IP address of the mail we send.

To configure an ATP bypass Rule when a cloud-based spam filter is in use follow the steps below but change:

  • Step 5 - Under "Apply this rule if..." change "Sender IP address is in the range..." to "A message header" and select "includes any of these words".
    • Enter Phishing Tackle's header value (This can be found in our Allowlisting technical information knowledge base article here), and hit "+".
  • Continue the same process from Step 6.

To bypass ATP Attachment Processing, set up the following mail flow rule:

Admin_Center_ATP_Attachment_Processing_Bypass_Rule.png

  1. Go to your MS Exchange/Office Admin Center and click "Mail Flow"
  2. Click the "+" and "Bypass spam filtering..."
  3. Give the rule a name, e.g. "Bypass ATP Attachment Processing"
  4. Hit "More Options"
  5. Under "*Apply this rule if..." select "The Sender..." > "IP address is in any of these ranges or exactly matches..."
    • Enter Phishing Tackle's IP (This can be found here), and hit "+
  6. Under "*Do the following..." select "Modify the message properties..." > "set a message header" and enter the following:
    • Set the message header: 
      • "X-MS-Exchange-Organization-SkipSafeAttachmentProcessing"
    • to the value:
      • 1
  7. Hit Save

WARNING, PLEASE READ CAREFULLY:

The next rule to implement is dependant on whether you use Defender for Office 365 (ATP) Plan 1 or Plan 2.

Do not implement BOTH rules below as they will interfere with each other.

 

If you do not know which Defender plan you have...

Simply follow the guide for PLAN 2If the Safe Links policy (on step 4) is not available, you have PLAN 1.

 

Plan 1 - Advanced Threat Protection (ATP) Link Bypass Rule

NOTE:

If you are using a cloud-based spam filter you must create a mail flow rule to bypass ATP link processing by email header. This is because your cloud-based spam filter will change the IP address of the mail we send.

To configure an ATP bypass Rule when a cloud-based spam filter is in use follow the steps below but change:

  • Step 5 - Under "Apply this rule if..." change "Sender IP address is in the range..." to "A message header" and select "includes any of these words".
    • Enter Phishing Tackle's header value (This can be found in our Allowlisting technical information knowledge base article here) and hit "+".
  • Continue the same process from Step 6.

To bypass ATP Link Processing, set up the following mail flow rule:

Admin_Center_ATP_Link_Processing_Bypass_Rule.png

  1. Go to your MS Exchange/Office Admin Center and click "Mail Flow"
  2. Click the "+" and "Bypass spam filtering..."
  3. Give the rule a name, e.g. "Bypass ATP Link Processing"
  4. Hit "More Options"
  5. Under "*Apply this rule if..." select "The Sender..." > "IP address is in any of these ranges or exactly matches..."
    • Enter Phishing Tackle's IP (This can be found here), and hit "+
  6. Under "*Do the following..." select "Modify the message properties..." > "set a message header" and enter the following:
    • Set the message header: 
      • "X-MS-Exchange-Organization-SkipSafeLinksProcessing"
    • to the value:
      • 1
  7. Hit Save

 

Plan 2 - URL rewriting rules

  1. Within the Phishing Tackle platform, go to  Organisation > Settings > Phishing Domains and leave the page open, you'll need it later on! Proceed to step 2.
    Microsoft_ATP_rules_2.2.png
  2. Visit your Microsoft 365 Admin Center and click "Security" to open the Office 365 Security & Compliance page.

    Microsoft_ATP_rules_2.3.png
  3. Click "Threat Management" > "Policy"


    Microsoft_ATP_rules_2.4.png
  4. Click Safe Links 

    Microsoft_ATP_rules_2.5.png
  5. Either the existing Link Policy and click "Edit policy" (as shown in the example above) or click the "Create" button to make a new one.

    Microsoft_ATP_rules_2.6.png  
  6. Finally, in the "Do not rewrite the following URLs" section, add the list of root domains from the page in Step 1. Each domain must be added using the format https://[rootdomain]/* so if you are adding the root domain "phishingdomain.com", you need to enter https://phishingdomain.com/*

 

 

Related articles