Bypassing Clutter and Spam Filtering
To ensure our messages will bypass your Clutter folder as well as spam filtering within Exchange Admin Center, follow the steps below.
- Go to this link: https://admin.exchange.microsoft.com/#/
- Go to Mail Flow > Rules.
-
Click (+) Add a rule > Create a new rule.
Exchange Admin Center:
- Give the rule a name, such as "Bypass Clutter and Spam Filtering by IP Address".
- In the Apply this rule if... condition, select The sender..., then click "Select One" and choose "IP address is in any of these ranges or exactly matches".
- Add the following IPs one by one by clicking on "Add": 160.153.250.248 - 108.179.236.243 -190.210.135.44, then "OK".
- Click the "Do the following" drop-down and select Modify the message properties, and in "Select one," choose "set a message header".
- Click the "Enter text..." button to set the message header to this value: "X-MS-Exchange-Organization-BypassClutter" then "OK".
- In "value", click "Enter text" and type "true," then "Save". Clarification: both "X-MS-Exchange-Organization-BypassClutter" and "true" are case sensitive.
- Add an extra action below "Do the following..." to Modify the message properties. In "Select one", click Set the spam confidence level (SCL) to... and select Bypass Spam Filtering, then click "OK".
- Click "Next".
- Click "Save" to save the rule. This is how the Transport Rule should look:
- In "Set rule options," leave the default values and click "Next".
- In "Review and finish," leave the other options at their default settings and click "Finish".
Bypassing Junk folder
This rule will allow only simulated phishing emails from SMARTFENSE to bypass the Junk folder to ensure that your users are receiving simulated phishing emails in their inboxes.
- Click (+) Add a rule > Create a new rule.
- Give the rule a name, such as "SMARTFENSE - Skip Junk Filtering".
- In the Apply this rule if... condition, select The sender..., then click "Select One" and choose "IP address is in any of these ranges or exactly matches".
- Add the following IPs one by one by clicking on "Add": 160.153.250.248 - 108.179.236.243 -190.210.135.44, then "OK".
- Click the "Do the following" drop-down and select Modify the message properties, and in "Select one," choose "set a message header".
- Click the "Enter text..." button to set the message header to this value: "X-Forefront-Antispam-Report" then "OK".
- In "value" click "Enter text" and type "SFV:SKI;" then "Save". Note: For more information about this header, click here.
- Click Save.
This is how the Transport Rule should look:
Rules to exclude Advanced Threat Protection (ATP)
This section shows what to do when using Advanced Threat Protection (ATP) in your email environment and receiving fake clicks or fake attachment openings.
What needs to be done is to configure mail flow rules to bypass ATP Safe Link/Attachment Processing for phishing and ransomware simulation emails from SMARTFENSE IP addresses.
Note: We recommend that you allow at least two hours for the rules to propagate to all of your users. We also recommend testing the effectiveness of the rules with a small test group before launching the simulated phishing or ransomware campaigns to all your users again.
Rule to Bypass ATP Link
Below are the detailed steps to set up a flow rule to bypass the ATP Link Processing.
- Click (+) Add a rule > Create a new rule.
- Give the rule a name such as "Bypass ATP Links".
- In the Apply this rule if... condition, select The sender..., then click "Select One" and choose "IP address is in any of these ranges or exactly matches".
- Add the following IPs one by one by clicking on "Add": 160.153.250.248 - 108.179.236.243 -190.210.135.44, then "OK".
- Click the "Do the following" drop-down and select Modify the message properties, and in "Select one", choose "set a message header".
- Click the "Enter text..." button to set the message header to this value: "X-MS-Exchange-Organization-SkipSafeLinksProcessing" then "OK".
- In "value", click "Enter text" and type "1," then "Save". Note: For more information about this header, click here.
- Click Save.
This is how the Transport Rule should look:
Rule to Bypass ATP Attachment
Below are the detailed steps to set up a flow rule to bypass the ATP Attachment Processing:
- Click (+) Add a rule > Create a new rule.
- Give the rule a name such as "Bypass ATP Attachments".
- In the Apply this rule if... condition, select The sender..., then click "Select One" and choose "IP address is in any of these ranges or exactly matches".
- Add the following IPs one by one by clicking on "Add": 160.153.250.248 - 108.179.236.243 -190.210.135.44, then "OK".
- Click the "Do the following" drop-down and select Modify the message properties, and in "Select one", choose "set a message header".
- Click the "Enter text..." button to set the message header to this value: "X-MS-Exchange-Organization-SkipSafeAttachmentProcessing", then "OK".
- In "value" click "Enter text" and type "1," then "Save".
- Click Save.
This is how the Transport Rule should look:
Rule Priority
Once the rules are created, they must be enabled, assigned the following priority, and stop processing at the last rule 'Bypass ATP Attachments'.
This is done by editing each rule, going to 'Edit rule settings'
We check the option to enable the rule.
Set the order from 0 to 3.
For the last rule for Bypass ATP Attachments, check "Stop processing more rules". Then, “Save”.
Once you have completed this configuration, wait for the new rule to propagate and then set up a test phishing simulation campaign for yourself or a small group to test your new whitelist rule.
Note: For best practices, we recommend leaving the other options at their default settings.