The following guide will provide you with step-by-step instructions on how to allow PhishDeck’s simulated phishing emails by IP address in your Office 365 / On-premise Exchange Server.

Why do I need to allow PhishDeck’s IP?

While PhishDeck emulates a real phishing attack, it is ensured that this is conducted with traceability and governance in mind. To such an extent, unlike real attackers using illegal botnets or other illicit methods of sending large volumes of phishing emails, all of PhishDeck’s phishing simulation emails originate from a single IP. This is done not only to be easy to allow (some mail filters only allow IP allow listing), but it’s also to ensure that it’s quick and easy to distinguish phishing simulation emails from real ones in the event of an investigation.


Naturally, IPs which only send phishing simulation emails are bound to be blocked, and to such an extent, we strongly suggest explicitly allowing PhishDeck’s IP addresses to avoid issues with your phishing simulation Campaigns – this process only needs to be set-up once.

Allowing PhishDeck’s IP in Office 365 / On-premise Exchange

Heads up – If you do have any other spam or email filtering system/s in front of Office 365 / On-premise Exchange, you should also allow PhishDeck’s IP addresses there too. For more information about how to do this, see how to allow my phishing simulation emails using a mail header.


This guide has three required steps and two depending on your setup.


A. Allowing the PhishDeck email servers


  1. O365 — login to O365 and navigate to Admin > Admin Centers > Exchange


On-premise Exchange
— login to Exchange AdminCenter and navigate to the Dashboard


  1. Under the protection section click connection filter


  1. Edit the default policy by clicking on the pencil icon

  2. Click on connection filtering then on the ‘+ sign on the IP Allow List

    Here you can enter our IP addresses. Find the latest list of our IP addresses in this article.

    Finally, click Save



    Note: If you are having trouble configuring the connection filter on Exchange 2013, please review the following Microsoft documentation.

B. Adding Mail Flow Rules

  1. Add a rule to bypass spam filtering for Spam Confidence Level


    1. In the Exchange admin center, select mail flow and click on the ‘+ sign and then select Create a new rule…



Give a name to the rule, such as “Spam Allow list for PhishDeck” and then click More options...


    1. Start by adding a condition...in the Apply this rule if… dropdown, select The sender… and then IP address is in any of these ranges or exactly matches



Here you can enter our IP addresses.
Find the latest list of our IP addresses in this article.



Once you’ve entered the IP address, click OK


    1. Next, add the following action...in the Do the following… dropdown, select Modify the message properties... and then set the spam confidence level (SCL)


In the Specify SCL dialog box, select Bypass spam filtering.



Then click
OK. 

  1. Add a rule to bypass Clutter sorting


‘Clutter’ is an email sorting feature, which analyzes a user’s email habits and based on the past behaviour, it determines messages which a user is likely to ignore - deeming them as low-priority.


To ensure that PhishDeck’s simulation emails are not sent to the Clutter folder, you must bypass the Clutter evaluation.

    1. On the same mail flow rule, click Add Action, select Modify the message properties… and then set a message header




    1. Next, click on ‘Set a message header Enter text...’ and add the following [case sensitive]

X-MS-Exchange-Organization-BypassClutter


Then click OK.

Click on ‘to the value Enter text...’ and add the following [case sensitive]


true




Then click OK.


This mail flow rule is now completed. Click Save.

  1. Add a Mail Flow rule to bypass Focused Inbox


Focused Inbox is a feature similar to Clutter where it automatically analyzes incoming emails and places the most important in the ‘Focused’ tab, while the rest is under ‘Others’.


To ensure that PhishDeck’s simulation emails are delivered to the user’s ‘Focused’ inbox, you must bypass their evaluation.


    1. A new mail flow rule is required, so click on the ‘+’ sign and then Create new rule…

      Give a name to the rule, such as “Focused Inbox Allow list for PhishDeck” and then click More options….


    1. Start by adding a condition...in the Apply this rule if… dropdown, select The sender… and then IP address is in any of these ranges or exactly matches


Here you can enter our IP addresses.
Find the latest list of our IP addresses in this article.

Once you’ve entered the IP address, click OK

    1. Next, add the following action...in the Do the following… dropdown, select Modify the message properties... and then set a message header

Next, click on ‘Set a message header Enter text...’ and add the following [case sensitive]

X-MS-Exchange-Organization-BypassFocusedInbox


Then click OK.

Click on ‘to the value Enter text...’ and add the following [case sensitive]


true


Then click OK.


In the Properties of this rule set the Priority to follow the existing rules for PhishDeck.



This mail flow rule is now completed. Click Save.

  1. Office365 Only - Add a Mail Flow rule to skip Junk Filter


This Mail Flow rule is required by all O365 mail services that have
EOP (Exchange Online Protection) or ATP (Advanced Threat Protection) enabled.


    1. A new mail flow rule is required, so click on the ‘+’ sign and then Create new rule…

      Give a name to the rule, such as “Skip Junk Filter for PhishDeck” and then click More options….


    1. Start by adding a condition...in the Apply this rule if… dropdown, select The sender… and then IP address is in any of these ranges or exactly matches


Here you can enter our IP addresses.
Find the latest list of our IP addresses in this article.

Once you’ve entered the IP address, click OK

    1. Next, add the following action...in the Do the following… dropdown, select Modify the message properties... and then set a message header

Next, click on ‘Set a message header Enter text...’ and add the following [case sensitive]

X-Forefront-Antispam-Report


Then click OK.

Click on ‘to the value Enter text...’ and add the following [case sensitive]


SFV:SKI


Then click OK.

In the Properties of this rule set the Priority to follow the existing rules for PhishDeck.


This mail flow rule is now completed. Click Save.


  1. Office365 Only + ATP - Bypass link and attachment scanning


Microsoft Office 365 Advanced Threat Protection (ATP) is a cloud-based email filtering service that helps protect your organization against unknown malware and viruses by providing robust zero-day protection, and includes features to safeguard your organization from harmful links in real time.


E5 Subscriptions have ATP automatically available.


    1. Firstly we need to add a new rule to bypass ATP Link processing.

      A new mail flow rule is required, so click on the ‘
      +’ sign and then Create new rule…

      Give a name to the rule, such as “Bypass ATP Links for PhishDeck” and then click More options….


    1. Start by adding a condition...in the Apply this rule if… dropdown, select The sender… and then IP address is in any of these ranges or exactly matches


Here you can enter our IP addresses.
Find the latest list of our IP addresses in this article.

Once you’ve entered the IP address, click OK

    1. Next, add the following action...in the Do the following… dropdown, select Modify the message properties... and then set a message header

Next, click on ‘Set a message header Enter text...’ and add the following [case sensitive]

X-MS-Exchange-Organization-SkipSafeLinksProcessing


Then click OK.

Click on ‘to the value Enter text...’ and add the following [case sensitive]


1


Then click OK.

In the Properties of this rule set the Priority to follow the existing rules for PhishDeck.


This mail flow rule is now completed. Click Save.


    1. Next we need another mail flow rule to bypass ATP Attachment processing.

      A new mail flow rule is required, so click on the ‘
      +’ sign and then Create new rule…

      Give a name to the rule, such as “Bypass ATP Attachments for PhishDeck” and then click More options….


    1. Start by adding a condition...in the Apply this rule if… dropdown, select The sender… and then IP address is in any of these ranges or exactly matches


Here you can enter our IP addresses.
Find the latest list of our IP addresses in this article.

Once you’ve entered the IP address, click OK

    1. Next, add the following action...in the Do the following… dropdown, select Modify the message properties... and then set a message header

Next, click on ‘Set a message header Enter text...’ and add the following [case sensitive]

X-MS-Exchange-Organization-SkipSafeAttachmentProcessing


Then click OK.

Click on ‘to the value Enter text...’ and add the following [case sensitive]


1


Then click OK.

In the Properties of this rule set the Priority to follow the existing rules for PhishDeck. 

This mail flow rule is now completed. Click Save.