Allowlisting via Microsoft Advanced Delivery

Support Desk
  • Updated
Follow

Adding the following Advanced Delivery policies will allow our phishing simulations and training notifications to reach your mail server without being intercepted by Microsoft Defender. 

Existing Rules

In your Microsoft 365 Exchange admin center, there were allow listing rules that facilitated the delivery of your simulated phishing emails. With the release of Microsoft's "secure by default" feature, some of these rules have been disabled for security reasons. 

The disabled rules are listed below:
  • Allowed sender lists or allowed domain lists (anti-spam policies)
  • Outlook Safe Senders
  • IP Allow List

What are Microsoft 365 Advanced Delivery Policies?

In Microsoft 365, an advanced delivery policy can override several security configurations. The affected security configurations are listed below:

  • Filtering in EOP/Microsoft Defender 
  • ZAP (zero-hour auto purge)
  • Default system alerts
  • AIR/Clustering for Defender
The ability to override these security configurations affects simulated phishing emails in the following ways:
  • Admin Submissions can determine that phishing security tests are not real threats, and alerts from AIR are not triggered.
  • Safe Links are not blocked.
  • Safe Attachments are not blocked.
  • Malware verdicts still cannot be bypassed.
  • Microsoft Report Phish Button causes false positives if an attachment is used.

If you require further reading on Advanced Delivery, see this Microsoft article. Microsoft has an external guide on how to add an advanced delivery policy to allow third-party phishing simulations. Linked here.

Note: If your domain's MX record doesn't point to Office 365 (messages are routed somewhere else first), Microsoft's secure by default is not available.

If you'd like to add protection, you'll need to enable Enhanced Filtering for Connectors (also known as skip listing). For more information, see Manage mail flow using a third-party cloud service with Exchange Online.

If you don't want Enhanced Filtering for Connectors, use mail flow rules (also known as transport rules) to bypass Microsoft filtering for messages that have already been evaluated by third-party filtering. For more information, see Use mail flow rules to set the SCL in messages.

What you need to do

To allow our emails to pass through correctly, please follow the steps below. 

Step 1 - Add an advanced delivery policy to allow third-party phishing simulations

Once you have added Phishing Tackle's technical information, we can deliver emails without being filtered and identified as a threat.

  1. Visit the Microsoft Defender portal Advanced Delivery settings page by clicking here.
  2. You will need to add our sending domain and IP addresses, which can be found in our technical allowlisting information here.
  3. In ‘Domain’, enter: "tacklephishing.com".
  4. In ‘Sending IP’, enter: "52.56.150.127", "35.177.22.237".
  5. Once completed, your third-party phishing simulation information should match the example image below. (tacklephishing.com is our sending domain, and our sending IPs are 52.56.150.127, 35.177.22.237).
    Add_third_party_phishing_simulations.png

  6. In ‘Simulation URLs to allow’, add the simulated phishing links you would like to use. We recommend adding all of our phishing domains using the format: "DomainName.com/*".

    For a full list of phishing domains used, please view our knowledge base article: How to Find Phishing Tackle’s Phishing URLs (for URL filtering).

Step 2 - Add an internal and external spoofed sender allow entry in Microsoft Defender

The benefit of adding Phishing Tackle as a spoofed sender is that our messages will no longer be displayed within Microsoft Defender spoof intelligence insight. This reduces the number of false positives generated.

  1. Microsoft has an external guide on how to create an allow entry for a spoofed sender. Linked here.
  2. For each entry, just add a wildcard (*) followed by our IP address (see images below).
  3. For "spoof type" you should have one Internal and one External domain pair.
  4. Once this has been completed your spoofed sender allow entry should look the same as the images below.

Internal:

Internal_Domain_Pair.png

External:

External_Domain_Pair.png

Note: Once you have completed the instructions outlined in this article, we recommend creating a test phishing campaign with a small group of recipients. This will allow you to ensure that the simulated phishing email successfully reaches their inbox without being blocked. Our knowledge base article, Creating a Test Phishing Campaign will explain how to create a test phishing campaign.

 

Troubleshooting

If you have added the Microsoft 365 Advanced Delivery Policies above and simulated phishing emails are still arriving in your spam or junk mail folder, we recommend allowlisting by email header. Our knowledge base article that explains how to allowlist by email header can be found here.

 

Allowlisting can sometimes require some trial and error. If you require any further assistance, please contact our support team by clicking here.

Related articles