How to whitelist by Header in Exchange 2013, 2016
This is an alternative setup for cases where whitelisting by IP address is not possible.
This is generally the case when a check of the email flow shows that emails are not arriving from the SMARTFENSE IPs, which are listed in the platform under Settings > Security > Whitelist. This can be due to technologies such as antispam, etc.
To check whether the IP received in the email is a SMARTFENSE IP, go to Mail Flow > Message Trace > Start a trace. Set data such as the recipient or sender, establish a time, and after the list of emails is generated, select the desired email. In the information window that opens on the right, view the email IP under More Information at the bottom. If it does not match one of our IPs, proceed with the configuration using the header as explained in this guide.
Here is an example of how it is displayed in Office 365.
You can find our IPs in the section of our platform under Settings > Security > Whitelist:
Exchange allows around 100 characters in rules by Header, so you'll need to shorten the default Header found in the SMARTFENSE platform before using it in Header rules.
Steps to shorten Header on the SMARTFENSE platform:
- Access your SMARTFENSE platform.
- In the Settings > Security > Whitelist section, go to the "Phishing and Ransomware email header" subsection.
- Click "Customize Header".
- Remove characters, starting from the end, until the Header is approximately 100 characters long. You can copy the header into Notepad to remove the necessary characters.
- Then, paste the modified header back into the platform.
- Click on "Save" at the end of the section.
Bypassing Clutter and Spam Filtering
- Log into your mail server admin portal and click Admin.
- In the menu, click Exchange.
- Click on the Mail Flow section.
- Click the (+) Create a new rule button under Mail Flow > Rules.
- Give the rule a name, such as "Bypass Clutter & Spam Filtering by Email Header".
- Click More options.
- Click Apply this rule if… then select A message header > includes any of these words.
- On the right side of that rule, you will see Enter text... and Enter words...
- Click Enter text... and type X-PHISHINGSIMULATION, then click Enter words… and type the header found in the Whitelist section in the SMARTFENSE platform and click the big + sign.
How to set the message header configuration:
- Next, under Do the following…, ensure that this field is set to Set the spam confidence level (SCL) to… and that Bypass spam filtering is set on the right side.
- Add a second action under Do the following...: select Modify the message properties > set the message header, enter X-MS-Exchange-Organization-BypassClutter as the header, then click Enter text... and type true.
As explained, here is an example of the final rule configured:
Bypassing Junk folder
- Click the (+) Create a new rule button under Mail Flow > Rules.
- Give the rule a name, such as "Bypass Spam Filtering".
- Click More options.
- Click Apply this rule if… then select A message header > includes any of these words.
- On the right side of that rule, you will see Enter text... and Enter words...
- Click Enter text... and type X-PHISHINGSIMULATION, then click Enter words… and type the header found in the Whitelist section in the SMARTFENSE platform and click the big + sign.
- Next, under Do the following..., select Modify the message properties > set a message header, and make sure the message header is set to "X-Forefront-Antispam-Report". Then click "Enter text..." and type "SFV:SKI;".
Rules to exclude Advanced Threat Protection (ATP)
This section shows what to do when you use Advanced Threat Protection (ATP) in your email environment and receive fake clicks or fake attachment openings.
Configure mail flow rules to bypass ATP Safe Link/Attachment Processing for phishing and ransomware simulation emails from SMARTFENSE IP addresses.
Note: We recommend that you allow at least two hours for the rules to propagate to all of your users. We also recommend testing the effectiveness of the rules with a small test group before launching the simulated phishing or ransomware campaigns to all your users again.
Rule to Bypass ATP Link
Below are the detailed steps to set up a flow rule to bypass the ATP Link Processing.
- Click the (+) Create a new rule button under Mail Flow > Rules.
- Give the rule a name such as "Bypass ATP Links".
- Click More options.
- Click Apply this rule if… then select A message header > includes any of these words.
- On the right side of that rule, you will see Enter text... and Enter words...
- Click Enter text... and type X-PHISHINGSIMULATION, then click Enter words… and type the header found in the Whitelist section in the SMARTFENSE platform and click the big + sign.
- Next, under Do the following..., select Modify the message properties > set a message header, and make sure the message header is set to "X-MS-Exchange-Organization-SkipSafeLinksProcessing". Then click "Enter text..." and type "1".
Rule to Bypass ATP Attachment
Below are the detailed steps to set up a flow rule to bypass the ATP Attachment Processing:
- Click the (+) Create a new rule button under Mail Flow > Rules.
- Give the rule a name such as "Bypass ATP Attachments".
- Click More options.
- Click Apply this rule if… then select A message header > includes any of these words.
- On the right side of that rule, you will see Enter text... and Enter words...
- Click Enter text... and type X-PHISHINGSIMULATION, then click Enter words… and type the header found in the Whitelist section in the SMARTFENSE platform and click the big + sign.
- Next, under Do the following..., select Modify the message properties > set a message header, and make sure the message header is set to "X-MS-Exchange-Organization-SkipSafeAttachmentProcessing". Then click "Enter text..." and type "1".
Once you have completed this configuration, wait for the new rule to propagate and then set up a test phishing simulation campaign for yourself or a small group to test your new whitelist rule.
Note: For best practices, we recommend leaving the other options in their default settings.
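The four rules described in this guide can also be created from the Exchange Management Shell. The script below is an added example, not SMARTFENSE's own tooling: the header value is a placeholder to replace with the shortened header from the platform, and the rule names are the ones suggested above.

```powershell
# Added example (not part of the original guide). Run in the Exchange Management
# Shell with permission to manage transport (mail flow) rules.
$HeaderName  = 'X-PHISHINGSIMULATION'
# Placeholder: paste the shortened value from Settings > Security > Whitelist.
$HeaderValue = '<SHORTENED-HEADER-VALUE-FROM-PLATFORM>'

# The guide gives the limit as roughly 100 characters; stop on an unshortened value.
if ($HeaderValue.Length -gt 100) {
    throw "Header value is $($HeaderValue.Length) characters; shorten it in the platform first."
}

# One rule per section of the guide. New-TransportRule accepts a single
# SetHeaderName/SetHeaderValue pair, so each header is set by its own rule.
$Rules = @(
    @{ Name    = 'Bypass Clutter & Spam Filtering by Email Header'
       Actions = @{ SetSCL         = -1   # -1 = Bypass spam filtering
                    SetHeaderName  = 'X-MS-Exchange-Organization-BypassClutter'
                    SetHeaderValue = 'true' } },
    @{ Name    = 'Bypass Spam Filtering'
       Actions = @{ SetHeaderName  = 'X-Forefront-Antispam-Report'
                    SetHeaderValue = 'SFV:SKI;' } },
    @{ Name    = 'Bypass ATP Links'
       Actions = @{ SetHeaderName  = 'X-MS-Exchange-Organization-SkipSafeLinksProcessing'
                    SetHeaderValue = '1' } },
    @{ Name    = 'Bypass ATP Attachments'
       Actions = @{ SetHeaderName  = 'X-MS-Exchange-Organization-SkipSafeAttachmentProcessing'
                    SetHeaderValue = '1' } }
)

foreach ($Rule in $Rules) {
    # Skip rules that already exist so the script can be re-run safely.
    if (Get-TransportRule -Identity $Rule.Name -ErrorAction SilentlyContinue) {
        Write-Warning "Rule '$($Rule.Name)' already exists; skipping."
        continue
    }
    $Actions = $Rule.Actions
    New-TransportRule -Name $Rule.Name `
        -HeaderContainsMessageHeader $HeaderName `
        -HeaderContainsWords $HeaderValue `
        @Actions | Out-Null
}

# Review what was created before launching a test campaign.
$Rules | ForEach-Object { Get-TransportRule -Identity $_.Name } |
    Format-List Name, State, Priority, HeaderContainsMessageHeader,
                HeaderContainsWords, SetSCL, SetHeaderName, SetHeaderValue
```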