Adding the following Advanced Delivery policies will allow our phishing simulations and training notifications to reach your mail server without being intercepted by Microsoft Defender.
The disabled rules are listed below:
- Allowed sender lists or allowed domain lists (anti-spam policies)
- Outlook Safe Senders
- IP Allow List
What are Microsoft 365 Advanced Delivery Policies?
In Microsoft 365, an advanced delivery policy can override several security configurations. The affected security configurations are listed below:
- Filtering in EOP/Microsoft Defender
- ZAP (zero-hour auto purge)
- Default system alerts
- AIR/Clustering for Defender
- Admin Submissions can determine that phishing security tests are not real threats, and alerts from AIR are not triggered.
- Safe Links are not blocked.
- Safe Attachments are not blocked.
- Malware verdicts still cannot be bypassed.
- Microsoft Report Phish Button causes false positives if an attachment is used.
If you require further reading on Advanced Delivery, see this Microsoft article.
Note: If your domain's MX record doesn't point to Office 365 (messages are routed somewhere else first), Microsoft's secure by default is not available.
If you'd like to add protection, you'll need to enable Enhanced Filtering for Connectors (also known as skip listing). For more information, see Manage mail flow using a third-party cloud service with Exchange Online.
If you don't want Enhanced Filtering for Connectors, use mail flow rules (also known as transport rules) to bypass Microsoft filtering for messages that have already been evaluated by third-party filtering. For more information, see Use mail flow rules to set the SCL in messages.
What you need to do
To allow our emails to pass through correctly, please follow the steps below.
Step 1 - Add an advanced delivery policy to allow third-party phishing simulations
Once you have added Phishing Tackle's technical information, we can deliver emails without being filtered and identified as a threat.
- Microsoft has an external guide on how to add an advanced delivery policy to allow third-party phishing simulations, linked here.
- You will need to add our sending domain and our IP addresses, which are found in our technical allowlisting information here.
- You will not need to specify a "Simulation URL to allow"; this can be left empty.
- Once this has been completed, your third-party phishing simulation information should look the same as the image below ("tacklephishing.com" is our sending domain and our sending IPs are "220.127.116.11" and "18.104.22.168").
Step 2 - Add an internal and external spoofed sender allow entry in Microsoft Defender
The benefit of adding Phishing Tackle as a spoofed sender is that our messages will no longer be displayed within Microsoft Defender spoof intelligence insight. This reduces the number of false positives generated.
- Microsoft has an external guide on how to create an allow entry for a spoofed sender, linked here.
- For each entry, just add a wildcard (*) followed by our IP address (see images below).
- For "spoof type" you should have one Internal and one External domain pair.
- Once this has been completed your spoofed sender allow entry should look the same as the images below.
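Because an advanced delivery policy overrides filtering, it is worth confirming that the entries from Steps 1 and 2 contain exactly the values above and nothing broader. The following is an added example, not Phishing Tackle's or Microsoft's code: `Test-PhishSimAllowlist` is a hypothetical helper, the sample objects are constructed, and the property names are assumed to match the output of `Get-ExoPhishSimOverrideRule` and `Get-TenantAllowBlockListSpoofItems`.

```powershell
# Added example: audit the allowlisting from Steps 1 and 2 against the values on this page.
$Expected = @{ Domain = 'tacklephishing.com'; Ips = @('220.127.116.11', '18.104.22.168') }

function Test-PhishSimAllowlist {   # hypothetical helper name
    param($Rule, $SpoofItems, [hashtable]$Expected)
    $findings = [System.Collections.Generic.List[string]]::new()

    # Step 1: the override rule should hold only the vendor domain and the listed IPs.
    foreach ($d in $Rule.Domains) {
        if ($d -ne $Expected.Domain) { $findings.Add("Unexpected domain: $d") }
    }
    if ($Rule.Domains -notcontains $Expected.Domain) { $findings.Add("Missing domain: $($Expected.Domain)") }
    # Treat x.x.x.x/32 as the single host x.x.x.x
    $ranges = @($Rule.SenderIpRanges | Where-Object { $_ }) -replace '/32$', ''
    foreach ($r in $ranges) {
        if ($r -match '/') { $findings.Add("CIDR range wider than one host: $r") }
        elseif ($Expected.Ips -notcontains $r) { $findings.Add("Unexpected sending IP: $r") }
    }
    foreach ($ip in $Expected.Ips) {
        if ($ranges -notcontains $ip) { $findings.Add("Missing sending IP: $ip") }
    }

    # Step 2: each IP needs a wildcard allow entry for both Internal and External spoof types.
    foreach ($ip in $Expected.Ips) {
        foreach ($type in 'Internal', 'External') {
            $hit = $SpoofItems | Where-Object {
                $_.SpoofedUser -eq '*' -and $_.SendingInfrastructure -eq $ip -and
                $_.SpoofType -eq $type -and $_.Action -eq 'Allow'
            }
            if (-not $hit) { $findings.Add("No $type spoof allow entry for * / $ip") }
        }
    }
    $findings
}

# Constructed sample data with deliberate mistakes. In a live tenant, pass the output of
# Get-ExoPhishSimOverrideRule and Get-TenantAllowBlockListSpoofItems instead.
$rule = [pscustomobject]@{
    Domains        = @('tacklephishing.com', 'example.org')
    SenderIpRanges = @('220.127.116.11', '18.104.22.0/24')
}
$spoof = @(
    [pscustomobject]@{ SpoofedUser = '*'; SendingInfrastructure = '220.127.116.11'; SpoofType = 'Internal'; Action = 'Allow' }
    [pscustomobject]@{ SpoofedUser = '*'; SendingInfrastructure = '220.127.116.11'; SpoofType = 'External'; Action = 'Allow' }
    [pscustomobject]@{ SpoofedUser = '*'; SendingInfrastructure = '18.104.22.168'; SpoofType = 'Internal'; Action = 'Allow' }
)
Test-PhishSimAllowlist -Rule $rule -SpoofItems $spoof -Expected $Expected
```

An empty result means both steps match the values on this page; each returned string names one entry to correct.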
Allowlisting can sometimes require some trial and error. If you require any further assistance, please contact our support team by clicking here.