Microsoft - How to Configure Whitelist Rules in Office 365 When Simulations Arrive with SMARTFENSE IPs

This article describes how to create the four transport rules in Office 365 that allow simulation emails to bypass Clutter, junk email filtering, and Advanced Threat Protection (ATP). Use this method when simulations arrive at your organization with SMARTFENSE's own IPs.

If simulations arrive from different IPs (because there is an intermediate antispam), configure the Whitelist by Header instead of by IP. See the article Microsoft - How to Configure Whitelist Rules in Office 365 When Simulations Come from Other IPs (by Header).

SMARTFENSE IPs

IPs to allow: 160.153.250.248, 190.210.135.44, 50.6.200.66, 52.16.33.192

The four rules in this article use exactly the same condition on these IPs. To keep the source of truth updated, check Settings > Security > Whitelist in your SMARTFENSE instance.

Summary of Rules to Create

Both the header names and their values are case-sensitive.

Access

1. Log in to the Exchange Admin Center at https://admin.exchange.microsoft.com/#/.
2. Go to Mail flow > Rules.
3. Click (+) Add a rule > Create a new rule.

Repeat the rule creation process for each of the four rules listed below.

Rule 1 — Bypass Clutter and Junk Email Filtering

1. Name the rule Bypass Clutter and Junk Email Filtering by IP.
2. Under Apply this rule if…, select The sender > IP address is in any of these ranges or exactly matches.
3. Add the three SMARTFENSE IPs one by one, and click Save.
4. Under Do the following…, select Modify the message properties > set a message header.
5. Set the header X-MS-Exchange-Organization-BypassClutter with the value true.
6. Add a second action: Set the spam confidence level (SCL) > Bypass spam filtering.
7. Click Next, keep the default values in Set rule settings and in Review and finish, then click Finish.

Rule 2 — Bypass Junk Email Folder

1. Name the rule SMARTFENSE - Bypass Junk Email Filtering.
2. Use the same IP condition as the previous rule.
3. For the action, select Modify the message properties > set a message header.
4. Set the header X-Forefront-Antispam-Report with the value SFV:SKI;.
5. Click Next and Finish.

Rules to Bypass Advanced Threat Protection

ATP can generate false positives when analyzing links and attachments in simulations. The following two rules prevent that automatic analysis.

We recommend waiting at least two hours for the rules to propagate to all your users. Test effectiveness with a small group before launching mass campaigns.

Rule 3 — Bypass ATP Links

1. Name the rule Bypass ATP Links.
2. Use the same IP condition.
3. For the action, set the header X-MS-Exchange-Organization-SkipSafeLinksProcessing with the value 1.
4. Click Next and Finish.

Rule 4 — Bypass ATP Attachments

1. Name the rule Bypass ATP Attachments.
2. Use the same IP condition.
3. For the action, set the header X-MS-Exchange-Organization-SkipSafeAttachmentProcessing with the value 1.
4. Click Next and Finish.

Enable the Rules and Assign Priority

Once the four rules are created, you must enable them and assign an execution order.

1. In the rules list, open each one in Edit rule settings.
2. Check the option to enable the rule.
3. Assign priorities 0, 1, 2, and 3 in the order indicated in the summary table.
4. Check Stop processing more rules only on the last rule (Bypass ATP Attachments).

💡 Best Practices

• Wait at least two hours after creating the four rules before testing simulations.
• Run a test campaign with a small group that includes you as administrator.
• Keep the default values for the rest of the options in each rule unless otherwise specified.
• Document the four rules in the client’s internal inventory, indicating name, target header, and configured value.
• Periodically review the SMARTFENSE IPs in Settings > Security > Whitelist and update the rules if the IPs change.