Skip to main content

Microsoft - How to Configure Whitelist Rules in Office 365 When Simulations Come from Other IPs (by Header)

  • Updated

This article describes how to create the four transport rules in Office 365 using a custom Header, instead of SMARTFENSE IPs. Use this method when simulations arrive at your organization from IPs different from SMARTFENSE’s, typically because there is an intermediate antispam or other technology that rewrites the source IP.

If simulations arrive with SMARTFENSE’s own IPs, configure the Whitelist by IP instead of by Header. See the article Microsoft - How to Configure Whitelist Rules in Office 365 When Simulations Arrive with SMARTFENSE IPs.

Office 365 Limitation: each Header rule supports about 100 characters. The default SMARTFENSE header exceeds this limit, so it must be shortened before configuring the rules.

Verify Whether Simulations Arrive with SMARTFENSE IPs or Not

Before choosing between the IP method and the Header method, verify which IP the emails are coming from.

  1. Log in to the Exchange Admin Center at https://admin.exchange.microsoft.com/#/.
  2. Go to Mail flow > Message trace > Start a trace.
  3. Set recipient, sender, and time range.
  4. Select the email from the list.
  5. In the detail pane, look for the More information field at the bottom and check the source IP.
  6. Compare that IP with those published in your SMARTFENSE instance, under Settings > Security > Whitelist.

If the IP does not match any of SMARTFENSE’s, continue with the Header configuration described in this article.

Shorten the Header in SMARTFENSE

  1. Log in to the SMARTFENSE platform.
  2. Go to Settings > Security > Whitelist.
  3. Locate the section Phishing and Ransomware Email Header.
  4. Press the Customize Header button.
  5. Paste the header into a plain text editor (for example, Notepad) and delete characters from the end forward until it is about 100 characters.
  6. Paste the shortened header back into SMARTFENSE.
  7. Press Save.

Keep the shortened header, as you will use it in all four Office 365 rules.

Summary of Rules to Create

All four rules use exactly the same condition on the header X-PHISHINGSIMULATION with the value of the custom SMARTFENSE header.

# Rule Name Header Set Value
1 Bypass Clutter and Junk Mail Filtering by Header X-MS-Exchange-Organization-BypassClutter true
2 SMARTFENSE - Bypass Junk Mail Filtering X-Forefront-Antispam-Report SFV:SKI;
3 Bypass ATP Links X-MS-Exchange-Organization-SkipSafeLinksProcessing 1
4 Bypass ATP Attachments X-MS-Exchange-Organization-SkipSafeAttachmentProcessing 1

Access

  1. Log in to the Exchange Admin Center at https://admin.exchange.microsoft.com/#/.
  2. Go to Mail flow > Rules.
  3. Press (+) Add a rule > Create a new rule.

Repeat the creation process for each of the four listed rules.

Rule 1 — Bypass Clutter and Junk Mail Filtering

  1. Name it Bypass Clutter and Junk Mail Filtering by Header.
  2. Under Apply this rule if…, select Message header > includes any of these words.
  3. In Enter text, type X-PHISHINGSIMULATION.
  4. In Enter words, paste the custom header from the SMARTFENSE platform.
  5. Under Do the following…, select Set the spam confidence level (SCL) > Bypass spam filtering.
  6. Add a second action: Modify message properties > set a message header.
  7. Set the header X-MS-Exchange-Organization-BypassClutter with value true.
  8. Press Next, keep the default values, and press Finish.

Rule 2 — Bypass Junk Mail Folder

  1. Name it SMARTFENSE - Bypass Junk Mail Filtering.
  2. Use the same header condition.
  3. For the action, set the header X-Forefront-Antispam-Report with value SFV:SKI;.
  4. Press Next and Finish.

Rules to Bypass Advanced Threat Protection

We recommend waiting at least two hours for the rules to propagate to all your users. Test effectiveness with a small group before launching mass campaigns.

Rule 3 — Bypass ATP Links

  1. Name it Bypass ATP Links.
  2. Use the same header condition.
  3. Set the header X-MS-Exchange-Organization-SkipSafeLinksProcessing with value 1.
  4. Press Next and Finish.

Rule 4 — Bypass ATP Attachments

  1. Name it Bypass ATP Attachments.
  2. Use the same header condition.
  3. Set the header X-MS-Exchange-Organization-SkipSafeAttachmentProcessing with value 1.
  4. Press Next and Finish.

Enable the Rules and Assign Priority

  1. In the rules list, open each one in Edit rule settings.
  2. Check the option to enable the rule.
  3. Assign priorities 0, 1, 2, and 3 in the order indicated in the summary table.
  4. Check Stop processing more rules only on the last rule (Bypass ATP Attachments).

💡 Best Practices

  • Shorten the header in SMARTFENSE before creating the rules in Office 365 to avoid silent errors due to excess characters.
  • Always verify with a message trace whether simulations arrive with SMARTFENSE IPs before choosing the Header method.
  • Wait at least two hours after creating the rules before testing simulations.
  • Launch a test campaign with a small group including yourself as administrator.
  • Keep the default values for the rest of the options in each rule, unless explicitly instructed otherwise.
  • Document the custom header configured in SMARTFENSE so you can replicate it if it is rotated.

Related to

Related articles