Bypassing Microsoft 365 (formerly Office 365) Advanced Threat Protection (ATP) / Defender for Office - By IP Address – Knowledge Base

IMPORTANT NOTICE: Since Microsoft rolled out the "Secure by Default" standard in October 2021, the required method of allowlisting has changed. To correctly allowlist in Exchange and Office 365 environments, please see our article Allowlisting via Microsoft Advanced Delivery.

In order for Phishing Tackle's emails to function correctly, there are two sections that require additional rules to bypass all of Microsoft's Advanced Threat Protection system.

These two sections can be divided as follows (click to jump straight to that section):

Mail flow rules
URL rewriting rules

Mail flow rules

NOTE:
As a precaution, we recommend waiting one hour after enabling the mail flow rules before testing them on a small group of recipients before running any large phishing campaigns.

Advanced Threat Protection (ATP) Attachment Bypass Rule - By IP address

NOTE:

If you are using a cloud-based spam filter you must create a mail flow rule to bypass ATP link processing by email header. This is because your cloud-based spam filter will change the IP address of the mail we send. To configure an ATP bypass Rule when a cloud-based spam filter is in use please follow this guide.

To bypass ATP Attachment Processing, set up the following mail flow rule:

Log into the Microsoft 365 (formerly Office 365) portal and select "Admin centers" > "Exchange".
Select "Mail flow" to expand the settings menu then select "Rules".
Click "Add a rule".
Click "Create a new rule".
Give the rule a name, e.g., "Bypass ATP Attachment Processing - IP Address".
Under "Apply this rule if" select "The Sender..." > "IP address is in any of these ranges or exactly matches"
Then enter each of Phishing Tackle's IP addresses, clicking the "Add" button for each. (A complete list of our IP addresses can be found here.) Then hit "Save".
Under "*Do the following" select "Modify the message properties..." > "set a message header".
Edit the properties of this by selecting the "Enter text" buttons:

Use the following entries:
Set the message header to "X-MS-Exchange-Organization-SkipSafeAttachmentProcessing" and set the value to "1".
Click "Next".
Leave all settings in "Set rule settings" as their default values and click "Next".
Review your settings and click "Finish".

WARNING, PLEASE READ CAREFULLY:

The next rule to implement is dependent on whether you use Defender for Office 365 (ATP) Plan 1 or Plan 2.

If you use Plan 1, please ONLY implement the Advanced Threat Protection (ATP) Link Bypass Rule - By IP Address
If you use Plan 2, please ONLY implement the URL rewriting rules.

Do not implement BOTH rules below as they will interfere with each other.

If you do not know which Defender plan you have...

Simply follow the guide for PLAN 2. If the Safe Links policy (on step 5) is not available, you have PLAN 1.

Plan 1 - Advanced Threat Protection (ATP) Link Bypass Rule - By IP Address

To bypass ATP Link Processing, set up the following mail flow rule:

Log into the Microsoft 365 (formerly Office 365) portal and select "Admin centers" > "Exchange".
Select "Mail flow" to expand the settings menu then select "Rules".
Click "Add a rule".
Click "Create a new rule".
Give the rule a name, e.g. "Bypass ATP Link Processing - IP Address".
Under "Apply this rule if" select "The Sender" > "IP address is in any of these ranges or exactly matches".
Then enter each of Phishing Tackle's IP addresses, clicking the "Add" button for each. (A complete list of our IP addresses can be found here.) Then hit "Save".
Under "*Do the following" select "Modify the message properties..." > "set a message header".
Edit the properties of this by selecting the "Enter text" buttons:

Use the following entries:
Set the message header to "X-MS-Exchange-Organization-SkipSafeLinksProcessing" set the value to"1".
Click "Next".
Leave all settings in "Set rule settings" as their default values and click "Next".
Review your settings and click "Finish".

Plan 2 - URL rewriting rules

The full list of Phishing Tackle phishing URLs can be found within the Phishing Tackle platform. Our knowledge base article here will explain how to access this list. leave the page open, you'll need it later on!
Log into the Microsoft 365 (formerly Office 365) portal and select Admin centers > Security.
Under "Email & collaboration" in the left-hand column click "Policies & rules".
Click "Threat policies".
Click "Safe Links".
Click "Create".
Enter a name for your Policy, then click "Next".
Specify the users, groups, or domains you would like to use this policy. Then click "Next".
For the "Email" section we recommend disabling:
- Apply Safe Links to email messages sent within the organization.
- Wait for URL scanning to complete before delivering the message.
Under "Do not rewrite the following URLs in email" click "Manage 0 URLs"
Click "Add URLs".
Finally, in the "ADD URLs" section, add the list of root domains from the page in Step 1. Each domain must be added using the format https://[rootdomain]/* so if you are adding the root domain "phishingdomain.com", you need to enter https://phishingdomain.com/*

You can find all our phishing domains here.
Click "Save".
Click "Done".
The settings within "Teams", "Office 365 Apps", and "Click protection settings" can be left as the default setting.
Click "Next".
The notification settings can be left as the default setting.
Click "Next".
Review your ATP Link Policy and click "Submit".

Please let us know if you require any further assistance, you can contact our support team by clicking here. Or by sending an email to support@phishingtackle.com