To ensure that our phishing simulation emails are delivered successfully and not marked as spam, admins need to add our domain and IP address to the allowlist in the Microsoft 365 Admin Center.
Prerequisites: administrator access to the Microsoft 365 Defender portal (specifically, a role with security administration privileges).
Part 1: Ensuring Emails are Successfully Received
Method #1 - Advanced Delivery Rules are Available
Step 1: Log in to the Microsoft 365 Defender Portal
Go to the Microsoft 365 Defender portal
Sign in using your administrator credentials
Step 2: Access Email & Collaboration Policies
In the left-hand navigation pane, go to: Email & Collaboration > Policies & Rules
Step 3: Open Threat Policies
Click on the "Threat policies" option that appears under "Policies & Rules"
Step 4: Access Advanced Delivery
Select "Advanced delivery" from the list of options
This section is used for configuring overrides and exceptions for special use cases like phishing simulations
Note: If "Advanced delivery" is not visible, refer to Method #2 below
Step 5: Navigate to the Phishing Simulations Tab
In the Advanced delivery section, go to the "Phishing simulations" tab in the horizontal menu bar
Step 6: Add or Edit a Simulation Policy
You can now either:
Click the "Add" button to create a new policy
or
Click the pencil icon (Edit) next to an existing policy to modify it
Step 7: Configure Guardz Simulation Details
In the policy form:
Domain: Enter mailpercents.com
(This is the domain Guardz uses for sending simulation emails)
Sending IP: Enter 149.72.40.178
(This is the IP address Guardz uses for simulation delivery)
Step 8: Save Your Settings
Click "Save" to apply the changes
Please note:
Changes may take up to 24 hours to take effect across the system.
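The same Advanced delivery override as an Exchange Online PowerShell script (an added example, not Guardz's or Microsoft's own code). It assumes the ExchangeOnlineManagement module, a placeholder admin UPN, and the documented *-PhishSimOverride* cmdlets, which require Defender for Office 365; the final query lets you confirm the override is scoped to exactly the vendor domain and IP.

```powershell
# Added example: Method #1 (Advanced delivery > Phishing simulations) via PowerShell.
# Assumes the ExchangeOnlineManagement module; admin@contoso.example is a placeholder UPN.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

$SimDomain = 'mailpercents.com'   # domain the article lists for Guardz simulations
$SimIp     = '149.72.40.178'      # sending IP the article lists

# A tenant holds a single phishing-simulation override policy; reuse it if it exists.
$policy = Get-PhishSimOverridePolicy -ErrorAction SilentlyContinue
if (-not $policy) {
    $policy = New-PhishSimOverridePolicy -Name 'PhishSimOverridePolicy'
}

# The rule carries the sender domain and IP; this is what the portal saves from the tab.
$rule = Get-PhishSimOverrideRule -ErrorAction SilentlyContinue
if (-not $rule) {
    New-PhishSimOverrideRule -Name 'PhishSimOverrideRule' -Policy $policy.Name `
        -SenderDomainIs $SimDomain -SenderIpRanges $SimIp
} else {
    # Existing rule: append rather than overwrite other vendors' entries.
    Set-PhishSimOverrideRule -Identity $rule.Name `
        -SenderDomainIs @{Add = $SimDomain} -SenderIpRanges @{Add = $SimIp}
}

# Check: the override should list only the vendor domain and the single IP, nothing broader.
Get-PhishSimOverrideRule | Format-List Name, SenderDomainIs, SenderIpRanges
```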
Method #2 - If "Advanced delivery" Option is Not Available
Step 1: Log in to the Microsoft 365 Defender Portal
Go to the Microsoft 365 Defender portal
Sign in using your administrator credentials
Step 2: Access Email & Collaboration Policies
In the left-hand navigation pane, go to: Email & Collaboration > Policies & Rules
Step 3: Open Threat Policies
Click on the "Threat policies" option that appears under "Policies & Rules"
On the same "Threat policies" page, under the "Policies" section, click on "Anti-spam"
Navigate to: Connection Filter Policy (Default)
Click on "Edit connection filter policy"
Step 4: Add Guardz IP to the Allowlist
In the section labeled:
Always allow messages from the following IP addresses or address range
Enter the following IP address: 149.72.40.178
Step 5: Save the Policy
Click "Save" to apply your changes
Confirm that the IP has been added successfully
Step 6: Access the Mail Flow Rules
Go to the Exchange Admin Center (Transport Rules)
Step 7: Create a New Rule
Click "+ Add a rule" and select "Create a new rule"
Step 8: Configure the Rule
Name the Rule: Guardz
Apply this rule if:
The sender > IP address is in any of these ranges or exactly matches
Enter the IP address: 149.72.40.178
Do the Following (First Action):
Modify the message properties > Set a message header
In the line below, set the header configuration:
Click on ‘Enter text’
Message Header name: X-MS-Exchange-Organization-BypassClutter
Click on ‘Enter text’
Value: true
Step 9: Add Another Action
Click the plus (+) icon and make sure the record is added under ‘And’
Do the Following (Second Action):
Modify the message properties > Set the spam confidence level (SCL)
Set it to: Bypass spam filtering
Click on save
Step 10: Review and Finalize
Click "Next" twice to review the rule configuration
Ensure the rule reflects all specified conditions and actions
Step 11: Save and Enable the Rule
Click "Finish" to save the rule
Locate the newly created rule in the list
Click the rule and toggle the Enable button to "On"
Part 2: Avoiding False Positive Results
Phishing simulations may be flagged by Microsoft Defender for Office 365 due to the Safe Links feature. This can result in false positives, such as automatic email opens or link clicks. To ensure accurate results, follow the steps below to properly allowlist URLs and IP addresses in both Microsoft Defender and Exchange Online.
A. Configure Safe Links in Microsoft Defender:
Step 1: Open Microsoft Security Portal
Navigate to: https://security.microsoft.com
In the left-hand menu, go to E-mail & collaboration > Policies & rules > Threat policies
Step 2: Access or Create a Safe Links Policy
Click on Safe Links to view existing policies
If no policy is listed:
Click Create to define a new Safe Links policy
Ensure all relevant domains are included in the policy's scope
If a policy already exists:
Click the existing policy to open its details
Step 3: Edit the Protection Settings
Scroll down and click Edit protection settings
Step 4: Add URL to Exception List
Find the section called ‘Do not rewrite the following URLs’
Add the following URL to the list:
https://mailpercents.com/*
At this point, configuration in the Microsoft Defender portal is complete.
B. Configure an Allowlist Rule in Exchange Online
Step 1: Open Exchange Admin Center
Navigate to: https://admin.exchange.microsoft.com
Step 2: Create a Mail Flow Rule
In the left-hand menu, click Mail Flow > Rules
Click Add a rule, then choose to create a new rule
Step 3: Define Rule Conditions
Enter a name for the rule (e.g., "Allowlist Phishing Simulation IP")
Under Apply this rule if, select The sender > IP address is in any of these ranges or exactly matches
Enter the IP address: 149.72.40.178
Step 4: Set Header to Skip Safe Links
Under Do the following, choose:
Modify the message properties > Set a message header
Set the following values:
Header name: X-MS-Exchange-Organization-SkipSafeLinksProcessing
Value: 1
Step 5: Save and Enable the Rule
Click Save to create the rule
After saving, locate the new rule in the list, click it, and ensure the rule is turned on by toggling the switch
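Method #2 (connection filter plus the "Guardz" mail flow rule) and Part 2 (Safe Links exception and the Safe Links skip rule) as one Exchange Online PowerShell script, added here as an example rather than taken from the Guardz article or Microsoft's documentation. It assumes the ExchangeOnlineManagement module, a placeholder admin UPN, and that an existing Safe Links policy is the one to edit; the closing queries verify that each rule is enabled and keyed on the single IP.

```powershell
# Added example: Method #2 and Part 2 via Exchange Online PowerShell.
# Assumes the ExchangeOnlineManagement module; admin@contoso.example is a placeholder UPN.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

$SimIp  = '149.72.40.178'            # Guardz sending IP from the article
$SimUrl = 'https://mailpercents.com/*' # Safe Links exception from Part 2A

# Method #2, Step 4: add the IP to the default connection filter allow list.
Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList @{Add = $SimIp}

# Method #2, Steps 6-11: rule "Guardz" on the exact sender IP.
# SetSCL -1 is the "Bypass spam filtering" action; the header matches the portal steps.
New-TransportRule -Name 'Guardz' -SenderIpRanges $SimIp `
    -SetHeaderName 'X-MS-Exchange-Organization-BypassClutter' -SetHeaderValue 'true' `
    -SetSCL -1 -Enabled $true

# Part 2A: "Do not rewrite the following URLs" on the first existing Safe Links policy.
$slp = Get-SafeLinksPolicy | Select-Object -First 1
if ($slp) {
    Set-SafeLinksPolicy -Identity $slp.Name -DoNotRewriteUrls @{Add = $SimUrl}
}

# Part 2B: a separate rule for the Safe Links skip header (one Set-header action per rule).
New-TransportRule -Name 'Allowlist Phishing Simulation IP' -SenderIpRanges $SimIp `
    -SetHeaderName 'X-MS-Exchange-Organization-SkipSafeLinksProcessing' -SetHeaderValue '1' `
    -Enabled $true

# Verification: both rules enabled and scoped to the single IP; allow list entry present.
Get-TransportRule | Where-Object { $_.Name -in 'Guardz', 'Allowlist Phishing Simulation IP' } |
    Format-Table Name, State, SenderIpRanges, SetHeaderName, SetSCL
(Get-HostedConnectionFilterPolicy -Identity Default).IPAllowList
```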
Final notes:
For full coverage, it is recommended to add the domain and IP address in both the Microsoft Defender portal and the Exchange Online rule.
After completing the setup, run a test phishing campaign using the newly allowlisted domain to confirm that the configuration works correctly.
These instructions are intended for educational use only. Phishing simulations must be conducted to raise security awareness and educate users. They must never be used to mislead, exploit, or collect sensitive information.