Bypassing Microsoft 365 (formerly Office 365) Advanced Threat Protection (ATP) / Defender for Office

Support Desk
  • Updated
Follow

In order for Phishing Tackle's emails to function correctly, there are two sections that require additional rules to bypass all of Microsoft's Advanced Threat Protection system.

These two sections can be divided as follows (click to jump straight to that section):

 

Mail flow rules

NOTE:
As a precaution, we recommend waiting one hour after enabling the mail flow rules before testing them on a small group of recipients before running any large phishing campaigns. 

 

 Advanced Threat Protection (ATP) Attachment Bypass Rule

To bypass ATP Attachment Processing, set up the following mail flow rule:

Admin_Center_ATP_Attachment_Processing_Bypass_Rule.png

  1. Go to your MS Exchange/Office Admin Center and click "Mail Flow"
  2. Click the "+" and "Bypass spam filtering..."
  3. Give the rule a name, e.g. "Bypass ATP Attachment Processing"
  4. Hit "More Options"
  5. Under "*Apply this rule if..." select "The Sender..." > "IP address is in any of these ranges or exactly matches..."
    • Enter Phishing Tackle's IP (This can be found here), and hit "+
  6. Under "*Do the following..." select "Modify the message properties..." > "set a message header" and enter the following:
    • Set the message header: 
      • "X-MS-Exchange-Organization-SkipSafeAttachmentProcessing"
    • to the value:
      • 1
  7. Hit Save

WARNING, PLEASE READ CAREFULLY:

The next rule to implement is dependant on whether you use Defender for Office 365 (ATP) Plan 1 or Plan 2.

Do not implement BOTH rules below as they will interfere with each other.

 

If you do not know which Defender plan you have...

Simply follow the guide for PLAN 2. If the Safe Links policy (on step 4) is not available, you have PLAN 1.

 

Advanced Threat Protection (ATP) Link Bypass Rule

To bypass ATP Link Processing, set up the following mail flow rule:

Admin_Center_ATP_Link_Processing_Bypass_Rule.png

  1. Go to your MS Exchange/Office Admin Center and click "Mail Flow"
  2. Click the "+" and "Bypass spam filtering..."
  3. Give the rule a name, e.g. "Bypass ATP Link Processing"
  4. Hit "More Options"
  5. Under "*Apply this rule if..." select "The Sender..." > "IP address is in any of these ranges or exactly matches..."
    • Enter Phishing Tackle's IP (This can be found here), and hit "+
  6. Under "*Do the following..." select "Modify the message properties..." > "set a message header" and enter the following:
    • Set the message header: 
      • "X-MS-Exchange-Organization-SkipSafeLinksProcessing"
    • to the value:
      • 1
  7. Hit Save

 

URL rewriting rules

  1. Within the Phishing Tackle platform, go to  Organisation > Settings > Phishing Domains and leave the page open, you'll need it later on! Proceed to step 2.
    Microsoft_ATP_rules_2.2.png
  2. Visit your Microsoft 365 Admin Center and click "Security" to open the Office 365 Security & Compliance page.

    Microsoft_ATP_rules_2.3.png
  3. Click "Threat Management" > "Policy"


    Microsoft_ATP_rules_2.4.png
  4. Click Safe Links 

    Microsoft_ATP_rules_2.5.png
  5. Either the existing Link Policy and click "Edit policy" (as shown in the example above) or click the "Create" button to make a new one.

    Microsoft_ATP_rules_2.6.png  
  6. Finally, in the "Do not rewrite the following URLs" section, add the list of root domains from the page in Step 1. Each domain must be added using the format https://[rootdomain]/* so if you are adding the root domain "phishingdomain.com", you need to enter https://phishingdomain.com/*

 

 

Related articles