To ensure that our phishing simulation emails are delivered successfully to your inbox and not marked as spam, you'll need to add our domain and IP address to the allowlist in your Microsoft 365 Admin Center.
Prerequisites
You will need administrator access to the Microsoft 365 Defender portal. Specifically, a role with security administration privileges is required.
Steps to Allowlist by Domain and IP Address
There are two primary methods to accomplish this. The first method, which uses "Advanced Delivery" rules, is more straightforward and will be our starting point. However, this feature may not be available to all Microsoft 365 users, so we also guide you through a fallback method for that case.
Method #1 - Advanced Delivery Rules
Log in to the Microsoft 365 Defender portal: Visit the Microsoft 365 Defender portal and log in with your administrator account.
Navigate to "Policies & rules": Once logged in, go to the main menu and find "Policies & rules" in the left navigation pane.
Click on "Threat policies": Click the "Threat policies" link in the list that appears.
Select "Advanced delivery": Click "Advanced delivery". This section manages overrides for special system use cases. If this option is not available, go to Method #2 below.
Go to the "Phishing simulations" tab: On the next page, click the "Phishing simulations" tab in the horizontal navigation bar.
Add or edit policy: Now, you can either add a new policy or edit an existing one. Click the blue "Add" button to set up a new policy, or if a policy already exists, click the "Edit" button (represented by a pencil icon).
Enter Guardz domain: In the "Domain" field, input "mailpercents.com" - the domain used by Guardz for phishing simulations.
Enter Guardz sending IP: In the "Sending IP" field, input "149.72.40.178" - the IP address used by Guardz for sending the phishing simulations.
Save your settings: After you've made all the necessary changes, make sure to save your settings to complete the setup. It may take up to 24 hours for these changes to take effect.
Method #2 - If the "Advanced delivery" Option is Not Available
Click on "Anti-spam": On the same "Threat policies" page, under the "Policies" section, click on "Anti-spam".
Access the connection filter policy: Click "Connection filter policy (Default)".
Edit the connection filter policy: After opening the Connection filter policy, select "Edit connection filter policy". This allows you to adjust the settings for messages from different IP addresses.
Add the IP to the allowlist: In the "Always allow messages from the following IP addresses or address range" section, enter the IP address 149.72.40.178. This is the IP address used by Guardz for sending phishing simulations.
Save the connection filter policy: After entering the IP address, confirm it is correct and click the "Save" button to apply the changes.
Navigate to transport rules: Now, navigate to the mail flow rules page in the Exchange admin center at https://admin.exchange.microsoft.com/#/transportrules.
Create a new rule: Click "+ Add a rule" and then "Create a new rule".
Configure the new rule:
Name the rule (e.g., "Guardz Phishing Simulation").
Select "Apply this rule if > The sender > IP address is in any of these ranges or exactly matches", and input the IP address 149.72.40.178 again.
Select "Do the following > Modify the message properties > set a message header".
In the line below, click on "Enter text" and set the message header "X-MS-Exchange-Organization-BypassClutter" to the value "true".
Click the plus (+) button next to "Do the following" to add another action.
In the new row that was added (under "And"), select "Do the following > Modify the message properties > set the spam confidence level (SCL)", make sure "Bypass spam filtering" is selected, and click on "Save".
Review the rule: Click on "Next" twice, and review the rule to confirm it matches the settings above.
Save the rule: After reviewing, click "Finish" to complete the setup. It may take up to 24 hours for these changes to take effect.
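The Method #2 settings can also be applied from Exchange Online PowerShell. This is an added example, not a script from Guardz or Microsoft; it assumes the ExchangeOnlineManagement module is installed and uses only the IP address, rule name and header given above.

```powershell
# Added example: PowerShell equivalent of Method #2 (connection filter + mail flow rule).
# Assumes the ExchangeOnlineManagement module and an account with the
# security administration role named in the prerequisites.
$SenderIp = '149.72.40.178'               # Guardz sending IP, from this page
$RuleName = 'Guardz Phishing Simulation'  # example rule name from this page

Connect-ExchangeOnline

# Connection filter policy: add the IP without overwriting existing entries.
Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList @{ Add = $SenderIp }

# Mail flow rule: create it only if a rule with this name does not exist yet.
if (-not (Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $RuleName `
        -SenderIpRanges $SenderIp `
        -SetHeaderName 'X-MS-Exchange-Organization-BypassClutter' `
        -SetHeaderValue 'true' `
        -SetSCL -1
}

# Read back what was written so it can be compared with the steps above.
(Get-HostedConnectionFilterPolicy -Identity Default).IPAllowList
Get-TransportRule -Identity $RuleName |
    Format-List Name, State, SenderIpRanges, SetHeaderName, SetHeaderValue, SetSCL
```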
Steps to allowlist on Microsoft Defender - Safe Links
If you are using Defender for Office 365, the Safe Links feature will cause the phishing campaigns to automatically register open and click events.
We'll need to make changes within the security portal and Exchange Online to exclude our phishing emails.
Open https://security.microsoft.com and click “Policies & rules” in the main navigation on the left under E-mail and collaboration.
Then, click on “Safe links”, and you will see a list of policies.
If the policy list is empty, create a new policy with “Create” and ensure all relevant domains are included in its scope.
If you already have a policy, click the policy entry to reveal its full details and click “Edit protection settings” (this is further down) to continue.
Scroll a bit down until you find the section “Do not rewrite the following URLs,” which has a form to add new URLs.
In this list, add https://mailpercents.com/* which is used in our phishing campaigns.
The steps in the security portal are now complete.
Next, move to Exchange Online. Open https://admin.exchange.microsoft.com/ and click on “Mail Flow” and then on “Rules”.
Click on “Add a rule”, enter a name, select “The Sender” in “Apply this rule if” and choose “IP address is in any of these ranges or exactly matches”.
Enter the IP-address that is sending the phishing mail: 149.72.40.178
At “Do the following”, choose “Modify the message properties” and “Set a message header”.
Enter the message header “X-MS-Exchange-Organization-SkipSafeLinksProcessing” and set the value to “1”.
Click on “Save” and don’t forget to turn on this newly created rule. You can do so by clicking on the newly created rule again and flipping the switch.
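Because the mail flow rules above bypass filtering for anything that matches them, it is worth checking that each one is turned on and matches only the Guardz IP. The function below is an added example, not part of the Guardz instructions; the sample rules are constructed, and the second and third rule names are hypothetical.

```powershell
# Added example: flag bypass rules that are off or match more than the Guardz IP.
function Test-SimulationBypassRule {
    param(
        [Parameter(Mandatory)] [object[]] $Rule,
        [string] $ExpectedIp = '149.72.40.178'   # Guardz sending IP, from this page
    )
    $bypassHeaders = 'X-MS-Exchange-Organization-BypassClutter',
                     'X-MS-Exchange-Organization-SkipSafeLinksProcessing'
    foreach ($r in $Rule) {
        # Only rules that bypass spam filtering or Safe Links are of interest.
        $isBypass = ("$($r.SetSCL)" -eq '-1') -or ($bypassHeaders -contains $r.SetHeaderName)
        if (-not $isBypass) { continue }

        $ranges = @($r.SenderIpRanges | Where-Object { $_ } | ForEach-Object { "$_" })
        $other  = @($ranges | Where-Object { $_ -notin $ExpectedIp, "$ExpectedIp/32" })

        $finding = if ($ranges.Count -eq 0)            { 'no sender IP condition' }
                   elseif ($other.Count -gt 0)         { "also matches: $($other -join ', ')" }
                   elseif ("$($r.State)" -ne 'Enabled') { 'rule is turned off' }
                   else                                { 'ok' }

        [pscustomobject]@{ Name = $r.Name; Finding = $finding }
    }
}

# Constructed sample objects using the property names Get-TransportRule returns.
$sample = @(
    [pscustomobject]@{ Name = 'Guardz Phishing Simulation'; State = 'Enabled'
        SenderIpRanges = @('149.72.40.178'); SetSCL = -1
        SetHeaderName = 'X-MS-Exchange-Organization-BypassClutter' }
    [pscustomobject]@{ Name = 'Guardz Safe Links skip'; State = 'Disabled'   # hypothetical name
        SenderIpRanges = @('149.72.40.178'); SetSCL = $null
        SetHeaderName = 'X-MS-Exchange-Organization-SkipSafeLinksProcessing' }
    [pscustomobject]@{ Name = 'Legacy bypass'; State = 'Enabled'             # hypothetical name
        SenderIpRanges = @('149.72.40.178', '192.0.2.0/24'); SetSCL = -1
        SetHeaderName = $null }
)

Test-SimulationBypassRule -Rule $sample | Format-Table -AutoSize

# Against a live tenant (after Connect-ExchangeOnline):
# Test-SimulationBypassRule -Rule (Get-TransportRule)
```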