How to whitelist by Header in Office 365
This is an alternate setup in case the setup by IP address is not possible to carry out.
This is generally needed when a check of the email flow shows that emails are not arriving from the SMARTFENSE IPs, which are listed in the platform under Settings > Security > Whitelist. This can be caused by technologies such as antispam.
To check whether the IP received in the email is one of SMARTFENSE's, go to the Exchange Admin Center at https://admin.exchange.microsoft.com/#/ and open Mail Flow > Message Trace > Start a trace. Set data such as the recipient or sender, establish a time, and after the list of emails is generated, select the desired email. In the information window that opens on the right, under the More Information option at the bottom, check the email IP. If it does not match one of our IPs, proceed with the configuration using the header as explained in this guide.
You can find our IPs in our platform under Settings > Security > Whitelist.
Office 365 allows around 100 characters in Header rules, so you'll need to shorten the default Header found in the SMARTFENSE platform before using it in these rules.
Steps to shorten Header in the SMARTFENSE platform:
- Access your SMARTFENSE platform.
- In the Settings > Security > Whitelist section, go to the "Phishing and Ransomware email header" subsection.
- Click "Customize Header".
- Remove characters starting from the end until the Header is approximately 100 characters long. You can copy the header into Notepad to remove the necessary characters.
- Then, paste the modified header back into the SMARTFENSE platform.
- Click on "Save" at the end of the section.
Bypassing Clutter and Spam Filtering
- Go to this link: https://admin.exchange.microsoft.com/#/
- Go to Mail Flow > Rules.
- Click (+) Add a rule > Create a new rule.
- Give the rule a name, such as "Bypass Clutter and Spam Filtering by Email Header".
- In the "Apply this rule if..." condition, select "The message headers...". Then click "Select one" and choose "includes any of these words".
- Click "Enter text..." to set the message header to this value: "X-PHISHINGSIMULATION" then "Save".
- In "Enter words", write/copy the header found in the Settings > Security > Whitelist section under "Phishing and Ransomware email header" within your SMARTFENSE platform. Click "Add", then "Save". (Remember that you only need to copy the first 100 characters of the header.)
- Next, under "Do the following...", in the "Select one" drop-down menu, choose Modify the message properties. Then in the adjacent "Select one" drop-down, choose Set the spam confidence level (SCL) to..., and in the next "Select one" drop-down menu, choose Bypass Spam Filtering, then click "Save".
- Add a second action under "Do the following..." by clicking the "+" sign. Again, select "Modify the message properties". In the adjacent "Select one" drop-down, choose "set a message header" and in the Enter words field, type "X-MS-Exchange-Organization-BypassClutter". Click "Enter text..." and type true.
- Click "Save" to save the rule. This is how the Rule should look:
- Click "Next".
- In "Set rule options," leave the default values and click "Next".
- In "Review and finish", leave the other values at their default settings and click "Finish".
Bypassing Junk folder
This rule will allow only simulated phishing emails from SMARTFENSE to bypass the Junk folder to ensure that your users are receiving simulated phishing emails in their inboxes.
- Click (+) Add a rule > Create a new rule.
- Give the rule a name, such as "SMARTFENSE - Skip Junk Filtering".
- In the "Apply this rule if..." condition, select "The message headers...". Then click "Select one" and choose "includes any of these words".
- Click "Enter text..." to set the message header to this value: "X-PHISHINGSIMULATION" then "Save".
- In "Enter words," write/copy the header found in the Settings > Security > Whitelist section under "Phishing and Ransomware email header" within your SMARTFENSE platform. Click "Add", then "Save". (Remember that you only need to copy the first 100 characters of the header.)
- Click the "Do the following" drop-down and select Modify the message properties, and in "Select one", choose "set a message header".
- Click "Enter text..." to set the message header to this value: "X-Forefront-Antispam-Report" then "Save".
- In "value" click "Enter text" and type "SFV:SKI;" then "Save". This is how the Rule should look:
- Click "Next".
- In "Set rule options," leave the default values and click "Next".
- In "Review and finish", leave the other values at their default settings and click "Finish".
Rules to exclude Advanced Threat Protection (ATP)
This section shows what to do when using Advanced Threat Protection (ATP) in your email environment and receiving fake clicks or fake attachment openings.
To fix this, configure mail flow rules to bypass ATP Safe Link/Attachment Processing for phishing and ransomware simulation emails from SMARTFENSE IP addresses.
Note: We recommend that you allow at least two hours for the rules to propagate to all of your users. We also recommend testing the effectiveness of the rules with a small test group before launching the simulated phishing or ransomware campaigns to all your users again.
Rule to Bypass ATP Link
Below are the detailed steps to set up a flow rule to bypass the ATP Link Processing.
- Click (+) Add a rule > Create a new rule.
- Give the rule a name such as "Bypass ATP Links".
- In the "Apply this rule if..." condition, select "The message headers...". Then click "Select one" and choose "includes any of these words".
- Click "Enter text..." to set the message header to this value: "X-PHISHINGSIMULATION" then "Save".
- In "Enter words", write/copy the header found in the Settings > Security > Whitelist section under "Phishing and Ransomware email header" within your SMARTFENSE platform. Click "Add", then "Save". (Remember that you only need to copy the first 100 characters of the header.)
- Click the "Do the following" drop-down and select Modify the message properties, and in "Select one", choose "set a message header".
- Click "Enter text..." to set the message header to this value: "X-MS-Exchange-Organization-SkipSafeLinksProcessing" then "Save".
- In "value" click "Enter text" and type "1", then "Save". This is how the Rule should look:
- Click "Next".
- In "Set rule options", leave the default values and click "Next".
- In "Review and finish", leave the other values at their default settings and click "Finish".
Rule to Bypass ATP Attachment
Below are the detailed steps to set up a flow rule to bypass the ATP Attachment Processing:
- Click (+) Add a rule > Create a new rule.
- Give the rule a name such as "Bypass ATP Attachments".
- In the "Apply this rule if..." condition, select "The message headers...". Then click "Select one" and choose "includes any of these words".
- Click "Enter text..." to set the message header to this value: "X-PHISHINGSIMULATION" then "Save".
- In "Enter words", write/copy the header found in the Settings > Security > Whitelist section under "Phishing and Ransomware email header" within your SMARTFENSE platform. Click "Add", then "Save". (Remember that you only need to copy the first 100 characters of the header.)
- Click the "Do the following" drop-down and select Modify the message properties, and in "Select one", choose "set a message header".
- Click "Enter text..." to set the message header to this value: "X-MS-Exchange-Organization-SkipSafeAttachmentProcessing", then "Save".
- In "value" click "Enter text" and type "1", then "Save". This is how the Rule should look:
- Click "Next".
- In "Set rule options", leave the default values and click "Next".
- In "Review and finish", leave the other values at their default settings and click "Finish".
Rule Priority
Once the rules are finalized, they must be enabled and assigned the following priority, and rule processing must stop at the last rule, 'Bypass ATP Attachments'.
This is done by editing each rule and going to 'Edit rule settings'.
Check the option to enable the rule.
Set the order from 0 to 3.
For the last rule, Bypass ATP Attachments, check "Stop processing more rules". Then click "Save".
Once you have completed this configuration, wait for the new rule to propagate and then set up a test phishing simulation campaign for yourself or a small group to test your new whitelist rule.
Note: For best practices, we recommend leaving the other options at their default settings.
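The four rules and the priority order described in this guide can also be created from Exchange Online PowerShell. The script below is an added example, not part of the original SMARTFENSE guide; it assumes the ExchangeOnlineManagement module is installed, and `<SHORTENED-SMARTFENSE-HEADER-VALUE>` is a placeholder for the shortened header value from your own platform.

```powershell
# Added example (not SMARTFENSE's own script): the four rules from this guide.
# Requires the ExchangeOnlineManagement module and an Exchange admin account.
Connect-ExchangeOnline

# Placeholder: the shortened value from Settings > Security > Whitelist >
# "Phishing and Ransomware email header" in your SMARTFENSE platform.
$HeaderValue = '<SHORTENED-SMARTFENSE-HEADER-VALUE>'
if ($HeaderValue.Length -gt 100) {
    Write-Warning "Header value is $($HeaderValue.Length) characters; the guide says to keep it to about 100."
}

# Condition shared by every rule: X-PHISHINGSIMULATION includes the header value.
$Match = @{
    HeaderContainsMessageHeader = 'X-PHISHINGSIMULATION'
    HeaderContainsWords         = $HeaderValue
    Enabled                     = $true
}

# Rule names as given in the guide, in priority order 0 to 3.
$Names = 'Bypass Clutter and Spam Filtering by Email Header',
         'SMARTFENSE - Skip Junk Filtering',
         'Bypass ATP Links',
         'Bypass ATP Attachments'

# Priority 0: SCL -1 (bypass spam filtering) plus the BypassClutter header.
New-TransportRule @Match -Name $Names[0] -Priority 0 -SetSCL -1 `
    -SetHeaderName 'X-MS-Exchange-Organization-BypassClutter' -SetHeaderValue 'true'

# Priority 1: skip the Junk folder.
New-TransportRule @Match -Name $Names[1] -Priority 1 `
    -SetHeaderName 'X-Forefront-Antispam-Report' -SetHeaderValue 'SFV:SKI;'

# Priority 2: skip ATP Safe Links processing.
New-TransportRule @Match -Name $Names[2] -Priority 2 `
    -SetHeaderName 'X-MS-Exchange-Organization-SkipSafeLinksProcessing' -SetHeaderValue '1'

# Priority 3: skip ATP Safe Attachments processing; the last rule stops processing.
New-TransportRule @Match -Name $Names[3] -Priority 3 -StopRuleProcessing $true `
    -SetHeaderName 'X-MS-Exchange-Organization-SkipSafeAttachmentProcessing' -SetHeaderValue '1'

# Confirm state, order and the stop flag before running a test campaign.
Get-TransportRule |
    Where-Object { $_.Name -in $Names } |
    Sort-Object Priority |
    Format-Table Name, State, Priority, StopRuleProcessing
```

In a tenant that already has mail flow rules, priorities 0 to 3 place these four rules ahead of the existing ones.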