The following guide will provide you with step-by-step instructions on how to allow PhishDeck’s simulated phishing emails by IP address in your Office 365 / On-premise Exchange Server.
Why do I need to allow PhishDeck’s IP?
While PhishDeck emulates a real phishing attack, it does so with traceability and governance in mind. Unlike real attackers, who use illegal botnets or other illicit methods to send large volumes of phishing emails, PhishDeck sends all of its phishing simulation emails from a single IP. This makes the emails easy to allow (some mail filters only support allow listing by IP) and makes it quick and easy to distinguish phishing simulation emails from real ones in the event of an investigation.
Naturally, IPs which only send phishing simulation emails are bound to be blocked, so we strongly suggest explicitly allowing PhishDeck’s IP addresses to avoid issues with your phishing simulation Campaigns. This process only needs to be set up once.
Allowing PhishDeck’s IP in Office 365 / On-premise Exchange
This guide has three required steps and two that depend on your setup.
A. Allowing the PhishDeck email servers
O365 — log in to O365 and navigate to Admin > Admin Centers > Exchange
On-premise Exchange — log in to the Exchange Admin Center and navigate to the Dashboard
Under the protection section click connection filter
Edit the default policy by clicking on the pencil icon
Click on connection filtering then on the ‘+’ sign on the IP Allow List
Here you can enter our IP addresses. Find the latest list of our IP addresses in this article.
Finally, click Save
Note: If you are having trouble configuring the connection filter on Exchange 2013, please review the following Microsoft documentation.
B. Adding Mail Flow Rules
Add a rule to bypass spam filtering for Spam Confidence Level
In the Exchange admin center, select mail flow and click on the ‘+’ sign and then select Create a new rule…
Give a name to the rule, such as “Spam Allow list for PhishDeck” and then click More options...
Start by adding a condition...in the Apply this rule if… dropdown, select The sender… and then IP address is in any of these ranges or exactly matches
Here you can enter our IP addresses. Find the latest list of our IP addresses in this article.
Once you’ve entered the IP address, click OK
Next, add the following action...in the Do the following… dropdown, select Modify the message properties... and then set the spam confidence level (SCL)
In the Specify SCL dialog box, select Bypass spam filtering.
Then click OK.
Add a rule to bypass Clutter sorting
‘Clutter’ is an email sorting feature that analyzes a user’s email habits and, based on past behaviour, identifies messages the user is likely to ignore, deeming them low-priority.
To ensure that PhishDeck’s simulation emails are not sent to the Clutter folder, you must bypass the Clutter evaluation.
On the same mail flow rule, click Add Action, select Modify the message properties… and then set a message header
Next, click on ‘Set a message header Enter text...’ and add the following [case sensitive]
Then click OK.
Click on ‘to the value Enter text...’ and add the following [case sensitive]
Then click OK.
This mail flow rule is now completed. Click Save.
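The connection filter entry from section A and the SCL action of this rule, scripted as an added example that is not part of PhishDeck’s guide; the header action is left to the admin center. It assumes an Exchange Online PowerShell session, uses the placeholder address 192.0.2.10 in place of the real list, and ends with a check that every rule bypassing spam filtering is scoped to the expected sender IPs.

```powershell
# Assumption: an Exchange Online session is already open (Connect-ExchangeOnline).
# 192.0.2.10 is a documentation-range placeholder, not a PhishDeck address.
$SimulationIps = @('192.0.2.10')
$RuleName      = 'Spam Allow list for PhishDeck'

# Section A: add the addresses to the default connection filter's IP Allow List.
Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList @{ Add = $SimulationIps }

# Section B: create the SCL bypass only if no rule with this name exists yet.
# -SetSCL -1 is the "Bypass spam filtering" choice in the Specify SCL dialog.
$existing = Get-TransportRule | Where-Object { $_.Name -eq $RuleName }
if (-not $existing) {
    New-TransportRule -Name $RuleName -SenderIpRanges $SimulationIps -SetSCL -1
}

# Check: list every rule that bypasses spam filtering and what it is scoped to.
# A rule with no sender IP condition, or with ranges outside $SimulationIps,
# bypasses filtering for more mail than the simulation needs.
Get-TransportRule |
    Where-Object { "$($_.SetSCL)" -eq '-1' } |
    ForEach-Object {
        $ranges     = @($_.SenderIpRanges | ForEach-Object { "$_" })
        $unexpected = @($ranges | Where-Object { $_ -notin $SimulationIps })
        [pscustomobject]@{
            Name             = $_.Name
            State            = $_.State
            Priority         = $_.Priority
            SenderIpRanges   = $ranges -join ', '
            ScopedByIp       = $ranges.Count -gt 0
            UnexpectedRanges = $unexpected -join ', '
        }
    } |
    Format-Table -AutoSize

# Confirm what the connection filter now allows.
(Get-HostedConnectionFilterPolicy -Identity Default).IPAllowList
```

Rows where ScopedByIp is False or UnexpectedRanges is non-empty deserve review before the first campaign is sent.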
Add a Mail Flow rule to bypass Focused Inbox
Focused Inbox is a feature similar to Clutter: it automatically analyzes incoming emails and places the most important ones in the ‘Focused’ tab, while the rest go under ‘Others’.
To ensure that PhishDeck’s simulation emails are delivered to the user’s ‘Focused’ inbox, you must bypass its evaluation.
A new mail flow rule is required, so click on the ‘+’ sign and then Create new rule…
Give a name to the rule, such as “Focused Inbox Allow list for PhishDeck” and then click More options….
Start by adding a condition...in the Apply this rule if… dropdown, select The sender… and then IP address is in any of these ranges or exactly matches
Here you can enter our IP addresses. Find the latest list of our IP addresses in this article.
Once you’ve entered the IP address, click OK
Next, add the following action...in the Do the following… dropdown, select Modify the message properties... and then set a message header
Next, click on ‘Set a message header Enter text...’ and add the following [case sensitive]
Then click OK.
Click on ‘to the value Enter text...’ and add the following [case sensitive]
Then click OK.
In the Properties of this rule set the Priority to follow the existing rules for PhishDeck.
This mail flow rule is now completed. Click Save.
Office365 Only - Add a Mail Flow rule to skip Junk Filter
This Mail Flow rule is required by all O365 mail services that have EOP (Exchange Online Protection) or ATP (Advanced Threat Protection) enabled.
A new mail flow rule is required, so click on the ‘+’ sign and then Create new rule…
Give a name to the rule, such as “Skip Junk Filter for PhishDeck” and then click More options….
Start by adding a condition...in the Apply this rule if… dropdown, select The sender… and then IP address is in any of these ranges or exactly matches
Here you can enter our IP addresses. Find the latest list of our IP addresses in this article.
Once you’ve entered the IP address, click OK
Next, add the following action...in the Do the following… dropdown, select Modify the message properties... and then set a message header
Next, click on ‘Set a message header Enter text...’ and add the following [case sensitive]
Then click OK.
Click on ‘to the value Enter text...’ and add the following [case sensitive]
Then click OK.
In the Properties of this rule set the Priority to follow the existing rules for PhishDeck.
This mail flow rule is now completed. Click Save.
Office365 Only + ATP - Bypass link and attachment scanning
Microsoft Office 365 Advanced Threat Protection (ATP) is a cloud-based email filtering service that helps protect your organization against unknown malware and viruses by providing robust zero-day protection, and includes features to safeguard your organization from harmful links in real time.
E5 Subscriptions have ATP automatically available.
Firstly we need to add a new rule to bypass ATP Link processing.
A new mail flow rule is required, so click on the ‘+’ sign and then Create new rule…
Give a name to the rule, such as “Bypass ATP Links for PhishDeck” and then click More options….
Start by adding a condition...in the Apply this rule if… dropdown, select The sender… and then IP address is in any of these ranges or exactly matches
Here you can enter our IP addresses. Find the latest list of our IP addresses in this article.
Once you’ve entered the IP address, click OK
Next, add the following action...in the Do the following… dropdown, select Modify the message properties... and then set a message header
Next, click on ‘Set a message header Enter text...’ and add the following [case sensitive]
Then click OK.
Click on ‘to the value Enter text...’ and add the following [case sensitive]
Then click OK.
In the Properties of this rule set the Priority to follow the existing rules for PhishDeck.
This mail flow rule is now completed. Click Save.
Next we need another mail flow rule to bypass ATP Attachment processing.
A new mail flow rule is required, so click on the ‘+’ sign and then Create new rule…
Give a name to the rule, such as “Bypass ATP Attachments for PhishDeck” and then click More options….
Start by adding a condition...in the Apply this rule if… dropdown, select The sender… and then IP address is in any of these ranges or exactly matches
Here you can enter our IP addresses. Find the latest list of our IP addresses in this article.
Once you’ve entered the IP address, click OK
Next, add the following action...in the Do the following… dropdown, select Modify the message properties... and then set a message header
Next, click on ‘Set a message header Enter text...’ and add the following [case sensitive]
Then click OK.
Click on ‘to the value Enter text...’ and add the following [case sensitive]
Then click OK.
In the Properties of this rule set the Priority to follow the existing rules for PhishDeck.
This mail flow rule is now completed. Click Save.