How to whitelist by IP address in Office 365
This document will cover how to whitelist our simulated phishing email servers in your Office 365 environment (the process is the same for all three mail servers).
The goal is to allow SMARTFENSE to send simulated phishing emails to bypass your Microsoft Exchange Online Protection (EOP) mail filter. This setup will allow only simulated phishing emails from SMARTFENSE to bypass this filter.
First of all, set up an IP Allow list that includes our IP addresses. Next, set up a mail flow rule to allow incoming mail to bypass both the Clutter folder, as well as Microsoft's EOP spam filter. You must set up both in the allow list successfully.
Once the configuration is done, it may take some time for those settings to propagate.
We recommend that you wait 1-2 hours and then set up a simulated phishing campaign for yourself or a small group to test out your new whitelisting rules.
The instructions for setting up these rules are shown below (the instructions below show screenshots for Office 365).
Configuring the delivery of third-party phishing simulations to users
- Open Microsoft 365 Defender portal at https://security.microsoft.com. (In the left menu Policies & rules > Threat Policies > Rules Section > Advanced Delivery) To go directly to the Advanced Delivery page, open https://security.microsoft.com/advanceddelivery.
- Go to the Phishing Simulation section and click on Add.
- Add the IPs and domains used by SMARTFENSE to create simulations.
160.153.250.248 |
108.179.236.243 |
190.210.135.44 |
livefense.com |
smartfense.com |
takesecurity.com |
palertbutton.com phishalertbutton.com |
4. The setting should be as shown in the image below.
Information source: https://docs.microsoft.com/es-es/microsoft-365/security/office-365-security/configure-advanced-delivery?view=o365-worldwide
Connector to receive email from external simulations
A new Microsoft Security update suggests creating a connector to modify this default security setting.
From this change onwards, the emails sent will be received by the recipients. This change resolves the incident that this new Microsoft change caused.
In this Microsoft link it is explained how to create the connector mentioned above:
You can create connectors to apply security restrictions to mail exchanges with a partner organization.
This section describes the process of setting up a connector.
For the new EAC:: Exchange admin center (microsoft.com), Or from the Microsoft 365 Defender Portal at: https://security.microsoft.com, in the left menu search "Exchange message tracey" it open Exchange Admin Center.
- Navigate to Mail flow > Connectors. The Connectors screen appears.
- Click + Add a connector. The New connector screen appears
- Under Connection from, choose Partner Organization
- Click Next. The Connector name screen appears.
- Provide a name for the connector (for example, SMARTFENSE) and click Next. The Authenticating sent email screen appears.
- Choose By verifying that the IP address of the sending server matches one of the following IP addresses, which belong exclusively to your partner organization. Provide these IPs:
160.153.250.248
108.179.236.243
190.210.135.44 - Click Next. The Security restrictions screen appears.
- Check the check box for Reject email messages if they aren't sent over TLS.
- Click Next. The Review connector screen appears.
- Review the settings you have configured, and click Create connector.
The connector is created.
This is the result of the connector:
Spoof intelligence insight in EOP
This rule will allow emails received by the user not to show spoofing alerts.
- Go to https://security.microsoft.com/tenantAllowBlockList?viewid=SpoofItem (In the left menu Policies & rules > Threat Policies > Rules Section >Tenant Allow/Block Lists > Spoofed senders)
- Click on the Add button.
- Enter the address that will be used in the phishing test and the domain address from which it will be sent.
- In the example below administracion@empresareal.com is the sender that the user who receives the email will see and livefense.com is the domain from which it is actually being sent. If you want to add all scenario senders that come from our servers use "*,livefense.com"
Information source: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/learn-about-spoof-intelligence?view=o365-worldwide