Microsoft 365 Defender Third Party Phishing Simulation Configuration
| Section | Details | Date of Change |
| --- | --- | --- |
| Section B Step 11-14 Point 2: | Steps added for the routing setup | November 16th, 2021 |
| Sending Domains | Added a new SMTP server "34.237.252.20" to improve email deliverability | November 29th, 2021 |
| Section 3 | Added a new SMTP server to fix email delivery issues for error code "451 4.7.50" Server is busy in Exchange Online. | January 27th, 2022 |
| Section 2, Step 5 | Exporting Sending Domains links updated | January 28th, 2022 |
| Section 2, Simulation URLs to allow | Old URL "*.secureawareness.net /*" replaced with "*.cloudsurveillance.net" | February 10th, 2022 |
| Updated Section 2, Step 5 | Prevent Outlook from blocking content in your emails and displaying a Safe Senders Warning | April 10th, 2022 |
| Preventing Microsoft Defender from rewriting BullPhish ID campaign links | New procedure | July 10, 2023 |
| Fix email delivery issues procedure | Step 6: Added BullPhish ID IP addresses | July 19, 2023 |
Objectives: This guide will help you configure the delivery of third-party phishing simulations to Microsoft 365 Defender.
Note: Secure by default is unavailable if your domain's MX record doesn't point to Office 365 (messages are routed somewhere else first). If you'd like to add protection, you'll need to enable Enhanced Filtering for Connectors (also known as skip listing). For more information, go to Manage mail flow using a third-party cloud service with Exchange Online. If you don't want Enhanced Filtering for Connectors, use mail flow rules (also known as transport rules) to bypass Microsoft filtering for messages that have already been evaluated by third-party filtering. For more information, see Use mail flow rules to set the SCL in messages.
Before you can whitelist BullPhish ID using advanced delivery policies, you'll need to have the appropriate permissions. To create, modify, or remove settings in an advanced delivery policy, you must be a member of the Security Administrator role group in the Microsoft Security & Compliance Center and the Organization Management role group in Microsoft Exchange Online.
You must be a member of the Global Reader or Security Reader role groups for read-only access to an advanced delivery policy. For more information about Microsoft permissions, see Microsoft's Permissions in the Microsoft 365 Defender portal and Permissions in Exchange Online articles.
1. Open the Microsoft 365 Defender portal and go to Email & Collaboration » Policies & Rules » Threat policies page » Rules section » Advanced delivery. Or follow the link.
2. On the Advanced delivery page, select the Phishing simulation tab, and then do one of the following steps:
   - Click Edit, or
   - If there are no configured phishing simulations, click Add.
3. On the Edit third-party phishing simulation flyout that opens, configure the following settings:
- Sending Domain: Prerequisite: Please click on the following link to download the up-to-date list of sending domains. If you want to download the file manually, access the BullPhish ID portal under the Guides section. Expand the 'Sending Domain' setting and enter the sending domains from the downloaded list by clicking in the box, entering a value, and then pressing Enter or selecting the value displayed below the box. Repeat this step as many times as necessary.
- Sending IP: Expand this setting and enter the IPv4 addresses below by clicking in the box, entering a value, and then pressing Enter or selecting the value displayed below the box. Repeat this step as many times as necessary. You can add up to 10 entries. Values to be added are:
  - 168.245.13.192 (SendGrid IP – Needed for sending notification emails)
  - 34.237.252.20 (New SMTP Server IP – Where we send Phishing & Training Email from)
  - 54.211.230.155 (NAT gateway IP – IP address of background processes that initiate sending Phishing & Training Emails)
  - 18.233.13.154 (Fallback – Secondary IP)
  - 3.18.16.105 (Fallback – Secondary IP)
  - 3.18.67.92 (Fallback – Secondary IP)
  - 3.17.244.221 (Fallback – Secondary IP)
  - 3.18.32.205 (Fallback – Secondary IP)
- Simulation URLs to allow: Expand this setting and enter the following URLs by clicking in the box, entering a value, and then pressing Enter or selecting the value displayed below the box.
  - service-noreply.info/*
  - bpidtr.com/*
  - *.bpidtr.com/*
  - *.cloudsurveillance.net/*
To remove an existing value, click remove next to the value.
Once you're finished, do one of the following steps:
- First time: Click Add, and then Close.
- Edit existing: Click Save and then click Close.
The third-party phishing simulation entries you configure are displayed on the Phishing Simulation tab. To make changes, click Edit on the tab.
Preventing Outlook from blocking content in your emails and displaying a Safe Senders Warning
Emails from domains not on the Outlook Safe Senders list may display a warning, and some email content, including images, may be blocked.
To prevent the 'Some content in this message has been blocked because the sender isn't in your Safe Senders list' message from showing up, you will need to add the BullPhish ID sending domains to the Outlook Safe Senders list of each of your end users:
- Open PowerShell.
- Execute the following command if the ExchangeOnlineManagement module is not installed:

    Install-Module ExchangeOnlineManagement

- Execute the following command to import the module:

    Import-Module ExchangeOnlineManagement

- Connect to Exchange Online (see https://docs.microsoft.com/en-us/powershell/exchange/connect-to-exchange-online-powershell?view=exchange-ps):

    Connect-ExchangeOnline -UserPrincipalName <UPN>

- Execute the following script to add the BullPhish ID sending domains to each of your end users' Outlook Safe Senders lists. Adding senders to a user's Safe Senders list removes the "Some content of this message has been blocked." banner and allows the mail client to download images in emails from the sender automatically. If images are downloaded, opens will be recorded when a user views the email.

    # Get-EXOMailbox returns only the first 1,000 mailboxes unless -ResultSize Unlimited is given
    $users = Get-EXOMailbox -ResultSize Unlimited
    $senders = "example@example.com" # add safe senders here, in quotes and comma-separated
    foreach ($user in $users) {
        $out = 'Adding Trusted Senders to {0}' -f $user.UserPrincipalName
        Write-Output $out
        # Append the senders to this mailbox's existing trusted senders and domains
        Set-MailboxJunkEmailConfiguration $user.UserPrincipalName -TrustedSendersAndDomains @{Add=$senders}
    }
    Write-Output "Finished!"

For example:
$senders = "bp-service-support.com","bp-securityawareness.com","online-account.info",
"myonlinesecuritysupport.com","service-noreply.info","banking-alerts.info","bullphish.com",
"verifyaccount.help","suspected-fraud.info"
How to remove already added domains from the safe sender list?
To remove domains from the safe sender list, you need to execute the following script:

    # Get-EXOMailbox returns only the first 1,000 mailboxes unless -ResultSize Unlimited is given
    $users = Get-EXOMailbox -ResultSize Unlimited
    $senders = "example@example.com" # add safe senders here, in quotes and comma-separated
    foreach ($user in $users) {
        $out = 'Removing Trusted Senders from {0}' -f $user.UserPrincipalName
        Write-Output $out
        # Remove only the listed senders; other trusted entries are left in place
        Set-MailboxJunkEmailConfiguration $user.UserPrincipalName -TrustedSendersAndDomains @{Remove=$senders}
    }
    Write-Output "Finished!"

For example:

    $senders = "bp-service-support.com","bp-securityawareness.com","online-account.info",
    "myonlinesecuritysupport.com","service-noreply.info",
    "banking-alerts.info","bullphish.com","verifyaccount.help","suspected-fraud.info"

If this script is run by mistake, the domains listed in the script are removed from the Trusted Domains list, and the spam filter will then filter emails from the removed domains. If the script contains a syntax error, it throws an error and nothing happens to the Trusted Domains list.
Fix email delivery issues for error code "451 4.7.50 Server is Busy" with the new SMTP server in Exchange Online.
1. Log in to https://admin.exchange.microsoft.com/#/
2. Go to Mail Flow » Connectors.
3. Click on the "Add a connector" button.
4. In the window, choose "Connection From" = "Partner organization," and click on the "Next" button.
5. Enter the name of the connector. For example: "BullPhish ID" and click on the "Next" button.
6. Choose "By verifying that the IP address of the sending server matches one of the following IP addresses, which belong to your partner organization," and add all BullPhish ID IP addresses. Then click on the Next button.
Note: Add the following BullPhish ID IP addresses: 168.245.13.192, 34.237.252.20, 54.211.230.155, 18.223.13.154, 3.18.16.105, 3.18.67.92, 3.17.244.221, 3.18.32.205
7. Choose "Reject email messages if they aren't sent over TLS." Click on the "Next" button.
8. Click on the "Create connector" button.
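Added example (not BullPhish ID or Microsoft code): the Sending IP list in the advanced delivery procedure and the address list in the connector note are both described as the BullPhish ID sender addresses, so this PowerShell function diffs two such lists and flags any entry that is not a plain dotted-quad IPv4 address. The function name Compare-BypassList is hypothetical; the two arrays are copied from this page as printed, and they differ in one address (18.233.13.154 versus 18.223.13.154), so confirm the correct value with the vendor before saving either list.

```powershell
# Added example: compare two sender allow-lists and validate every entry as IPv4.
function Compare-BypassList {
    param(
        [Parameter(Mandatory)][string[]]$Reference,
        [Parameter(Mandatory)][string[]]$Candidate
    )
    # An entry is valid only if it parses as IPv4 and round-trips unchanged,
    # which rejects shorthand forms such as "3.18" that TryParse would accept.
    $invalid = @($Reference + $Candidate | Where-Object {
        $ip = $null
        -not ([System.Net.IPAddress]::TryParse($_, [ref]$ip) -and
              $ip.AddressFamily -eq 'InterNetwork' -and
              $ip.ToString() -eq $_)
    } | Sort-Object -Unique)

    [pscustomobject]@{
        OnlyInReference = @($Reference | Where-Object { $_ -notin $Candidate })
        OnlyInCandidate = @($Candidate | Where-Object { $_ -notin $Reference })
        Invalid         = $invalid
    }
}

# Sending IP list from the advanced delivery procedure, as printed on this page.
$advancedDelivery = '168.245.13.192', '34.237.252.20', '54.211.230.155', '18.233.13.154',
                    '3.18.16.105', '3.18.67.92', '3.17.244.221', '3.18.32.205'
# Address list from the note under step 6 of the connector procedure, as printed on this page.
$connector = '168.245.13.192', '34.237.252.20', '54.211.230.155', '18.223.13.154',
             '3.18.16.105', '3.18.67.92', '3.17.244.221', '3.18.32.205'

Compare-BypassList -Reference $advancedDelivery -Candidate $connector | Format-List

# Against a tenant (after Connect-IPPSSession and Connect-ExchangeOnline) the same
# function can compare what is actually configured, for example:
#   (Get-ExoPhishSimOverrideRule).SenderIpRanges
#   (Get-InboundConnector 'BullPhish ID').SenderIPAddresses   # connector name from step 5
```

Any address that appears in only one list is either missing from a control that needs it or is an extra sender that bypasses filtering, so both columns are worth reviewing.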
Preventing Microsoft Defender from rewriting BullPhish ID campaign links
To ensure the BullPhish ID links included in campaign emails are not rewritten, the sending domains must be safelisted. You need to create a rule in the Exchange admin center which prevents Microsoft from falsely indicating that a campaign link was clicked. Without such a rule, campaign results will not be accurate.
1. Log into the Exchange admin center.
2. In the navigation menu, select Mail flow > Rules.
3. On the Rules page, click Add a rule.
4. Select Create a new rule.
5. On the Set rule conditions page, in the Name field, enter a name for the rule. For example, Bypass Safe Links for BullPhish ID.
6. In the Apply this rule if list, select The sender.
7. In the list box to the right, select IP address is in any of these ranges or exactly matches.
   a. Open the document Reference Guide for Deliverability.
   b. Go to the IP Addresses section in the guide and copy the first IP address (don't copy the IP address description).
   c. In the specify IP address ranges field, paste the IP address.
   d. Click Add.
   e. Repeat steps 7b through 7d for each of the remaining IP addresses.
8. When finished, in the lower-left corner of the modal, click Save. The IP addresses are listed in the Sender's IP address is in the range section.
9. In the Do the following section:
   a. In the first list, select Modify the message properties.
   b. In the list to the right, select set a message header.
   c. In the sentence Set the message header..., click the first Enter text.
   d. Copy the following text: X-MS-Exchange-Organization-SkipSafeLinksProcessing
   e. In the message header field, paste the text.
   f. In the lower-left corner of the modal, click Save.
   g. In the same sentence, after ...to the value, click Enter text.
   h. In the message header field, enter 1.
   i. In the lower-left corner of the modal, click Save.
10. In the lower-left corner of the Set rule conditions page, click Next.
11. On the Set rule settings page, leave the settings selected by default and click Next.
12. On the Review and finish page, click Finish. It may take a moment for the rule to save.
13. When the message Transport rule created successfully is displayed, at the bottom of the page, click Done.
14. In the Rules table, for the rule you just added, click Disabled.
15. In the modal, click the toggle to enable the rule. It may take a moment for the rule status to update to Enabled.
16. To close the modal, in the upper-right corner, click the X. In the Rules table, the rule's Status is Enabled.
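Added example (not BullPhish ID or Microsoft code): a rule that sets the Safe Links bypass header is only as narrow as its sender IP condition, so this PowerShell function reviews transport rules and reports any bypass rule that has no IP condition, lists a sender outside the approved set, uses a different header spelling, or is disabled. The function name Test-SafeLinksBypassRule is hypothetical, and the sample rules and the address 203.0.113.7 are constructed for illustration.

```powershell
# Added example: flag transport rules that bypass Safe Links more broadly than intended.
$SkipHeader = 'X-MS-Exchange-Organization-SkipSafeLinksProcessing'

function Test-SafeLinksBypassRule {
    param(
        [Parameter(Mandatory)][object[]]$Rules,       # Get-TransportRule output, or objects of that shape
        [Parameter(Mandatory)][string[]]$ApprovedIps  # simulation sender IPs approved for the bypass
    )
    foreach ($rule in $Rules) {
        # Only rules that set a header ending in SkipSafeLinksProcessing are in scope.
        if ($rule.SetHeaderName -notlike '*SkipSafeLinksProcessing') { continue }
        # @($null) has one element, so drop empty values before counting.
        $ranges = @($rule.SenderIpRanges | Where-Object { $_ })
        $extra  = @($ranges | Where-Object { $_ -notin $ApprovedIps })
        $finding = if ($rule.SetHeaderName -ne $SkipHeader) {
            "header name differs from $SkipHeader"
        } elseif ($ranges.Count -eq 0) {
            'no sender IP condition: bypass is not limited to the simulator'
        } elseif ($extra.Count -gt 0) {
            'unapproved sender IPs: ' + ($extra -join ', ')
        } elseif ($rule.State -ne 'Enabled') {
            'rule is disabled'
        } else { 'ok' }
        [pscustomobject]@{ Rule = $rule.Name; State = $rule.State; Finding = $finding }
    }
}

# Constructed sample rules shaped like Get-TransportRule output (not real tenant data).
$sampleRules = @(
    [pscustomobject]@{ Name = 'Bypass Safe Links for BullPhish ID'; State = 'Enabled'
        SetHeaderName = $SkipHeader; SenderIpRanges = @('34.237.252.20', '54.211.230.155') }
    [pscustomobject]@{ Name = 'Bypass without IP scope (constructed)'; State = 'Enabled'
        SetHeaderName = $SkipHeader; SenderIpRanges = $null }
    [pscustomobject]@{ Name = 'Bypass with extra sender (constructed)'; State = 'Disabled'
        SetHeaderName = $SkipHeader; SenderIpRanges = @('34.237.252.20', '203.0.113.7') }
)
# Two of the sender addresses listed on this page; pass the full approved list in practice.
$approved = '34.237.252.20', '54.211.230.155'

Test-SafeLinksBypassRule -Rules $sampleRules -ApprovedIps $approved | Format-Table -AutoSize

# In a tenant, after Connect-ExchangeOnline:
#   Test-SafeLinksBypassRule -Rules (Get-TransportRule) -ApprovedIps $approved
```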