How do I safelist in Microsoft Defender Advanced Delivery Policy? (Primary Instructions!)


This article details the setup of third-party phishing simulations specific to Hook Security, Inc in the advanced delivery policy. For more information about advanced delivery policy, see Microsoft article: Configure the delivery of third-party phishing simulations to users and unfiltered messages to SecOps mailboxes.

  1. Microsoft 365 Defender portal
  2. Video Instructions
  3. Safe Links
  4. PowerShell
NOTE: The following documentation only applies to Office 365 accounts leveraging at least one of the following: Exchange Online Protection; Microsoft Defender for Office 365 Plan 1 and Plan 2; Microsoft 365 Defender. If your organization does not use any of the products listed, refer to the articles Safelisting by Email Header in Exchange 2013, 2016, or Office 365 and Safelisting by IP Address in Exchange 2013, 2016, or Office 365.
NOTE: We advise EU clients to also set up a connector; please refer to our Creating a Connector in Microsoft 365 article.

Microsoft 365 Defender portal

  1. In the Microsoft 365 Defender portal (security.microsoft.com) navigate to Email & Collaboration > Policies & Rules > Threat policies > Advanced delivery.
  2. On the Advanced delivery page, select the Phishing simulation tab, then do one of the following:
    • If a phishing simulation is already configured, click Edit.
    • If there are no configured phishing simulations, click Add.
  3. On the Edit third-party phishing simulation flyout that opens, configure the following setting:
    • Sending Domain: Expand this setting and enter any domains you plan to test with, then press Enter or select the value that is displayed below the box. Domains that are assigned to your templates can be found on the Manage Templates page.
      NOTE: You may add up to 20 entries. To change a domain on a template, go to Manage Templates, use the multi-select boxes to choose the template(s), and then click "Change Domain".
    • Sending IP: Expand this setting and enter 64.191.166.196 (US) or 64.238.34.10 (EU), then press Enter or select the value that is displayed below the box.
      NOTE: We also recommend safelisting the following IPs:
        • 198.61.254.6
        • 54.80.160.189
        • 64.191.166.198
        • 54.88.246.212
        • 54.240.70.101
        • 54.240.70.102
    • Simulation URLs to allow: If Safe Links is rewriting URLs in your phishing emails, you'll need to add your phishing domains to this list. Jump to the Safe Links section for more details.
  4. When you're finished, do one of the following steps:
    • First time: Click Add, and then click Close.
    • Edit existing: Click Save, and then click Close.

The third-party phishing simulation entries that you configured are displayed on the Phishing simulation tab. To make changes, click Edit on the tab.


Troubleshooting

If, after configuring the safelisting rules in Microsoft Defender as shown in this article, the emails are still being delivered to junk or spam, you may need to safelist by email header, as shown in Safelisting by Email Header in Exchange 2013, 2016, or Office 365. If you use a third-party firewall, such as Proofpoint or Mimecast, in front of Microsoft 365, the messages reach Microsoft from that product's IP address rather than from ours, so the phishing emails appear to originate from a different IP address than the one you safelisted and the Sending IP entry will not match.

Safe Links

If Microsoft Safe Links is rewriting URLs in your phishing simulation emails, please complete the following steps:

  1. In the Microsoft 365 Defender portal (security.microsoft.com) navigate to Email & Collaboration > Policies & Rules > Threat policies > Advanced delivery.
  2. On the Advanced delivery page, select the Phishing simulation tab, then click Edit.
  3. On the Edit third-party phishing simulation flyout that opens, configure the following setting:
    • Simulation URLs to allow
      • Enter each domain you plan to test with in this format: example.com/*
  4. Click "Save" and then click "Close".


NOTE: If you're seeing the "This website is classified as malicious." warning when opening a link in a phishing/training email, please complete the safelisting steps detailed in our Safelisting for Microsoft Safe Links article.

PowerShell

Use the scripts below to add or edit phishing simulation Advanced Delivery policies.

The ExchangeOnlineManagement module is required. Installing PowerShell modules requires administrator privileges. If you do not have administrator privileges, add the -Scope CurrentUser parameter to the Install-Module cmdlet.

Add an IP and Domain Policy

Use the following script if you have not set up a phishing simulation policy.

if (-NOT (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {
  Install-Module -Name ExchangeOnlineManagement   # add -Scope CurrentUser if you are not a local administrator
}
Import-Module ExchangeOnlineManagement

# The PhishSimOverride cmdlets are in Security & Compliance PowerShell, so connect with Connect-IPPSSession.
$admin = Read-Host "Exchange admin email or UPN"
Connect-IPPSSession -UserPrincipalName $admin

# Input phishing domains below, separated by commas and quoted (20 domain maximum).
# E.g. $domains = 'example.com','example2.com','example3.com'
$domains = ''

# Create the policy, then the rule that attaches your sending domains and sending IP to it.
# EU tenants: use 64.238.34.10 instead of 64.191.166.196 (see Sending IP above).
New-PhishSimOverridePolicy -Name PhishSimOverridePolicy
New-PhishSimOverrideRule -Name PhishSimOverrideRule -Policy PhishSimOverridePolicy -Domains $domains -SenderIpRanges 64.191.166.196

Add a URL Policy

Use the following script to add your phishing domains as Simulation URLs to allow (the entries Safe Links uses to skip URL rewriting).

if (-NOT (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {
  Install-Module -Name ExchangeOnlineManagement   # add -Scope CurrentUser if you are not a local administrator
}
Import-Module ExchangeOnlineManagement

# Input phishing domain URLs below, separated by commas and quoted (20 domain maximum).
# The URLs must have a leading *. and trailing /*
# E.g. $urls = '*.example.com/*','*.example2.com/*','*.example3.com/*'
$urls = ''

# The tenant allow/block list cmdlets are in Exchange Online PowerShell, so connect with Connect-ExchangeOnline.
$admin = Read-Host "Exchange admin email or UPN"
Connect-ExchangeOnline -UserPrincipalName $admin

# Show any existing Simulation URLs to allow, then add the new entries without an expiry date.
Get-TenantAllowBlockListItems -ListType Url -ListSubType AdvancedDelivery
New-TenantAllowBlockListItems -Allow -ListType Url -ListSubType AdvancedDelivery -Entries $urls -NoExpiration

Edit a Rule

Use the following script if your tenant has existing phishing simulation rules.

if (-NOT (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {
  Install-Module -Name ExchangeOnlineManagement   # add -Scope CurrentUser if you are not a local administrator
}
Import-Module ExchangeOnlineManagement

$admin = Read-Host "Exchange admin email or UPN"
Connect-IPPSSession -UserPrincipalName $admin

# Input phishing domains below, separated by commas and quoted (20 domain maximum).
# E.g. $domains = 'example.com','example2.com','example3.com'
$domains = ''

# Replace the rule's current domains and sending IPs with the new set, then display the result.
# EU tenants: use 64.238.34.10 instead of 64.191.166.196 (see Sending IP above).
$rule = Get-PhishSimOverrideRule
Set-PhishSimOverrideRule -Identity $rule.Name -RemoveSenderIpRanges $rule.SenderIpRanges -RemoveDomains $rule.Domains -AddDomains $domains -AddSenderIpRanges 64.191.166.196
Get-PhishSimOverrideRule
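After adding or editing the rule, it is worth confirming that the tenant actually holds every value this article asks for. The script below is an added example, not part of Hook Security's article or scripts: it compares the override rule and the Safe Links allow entries against the IPs listed above and a set of placeholder domains, and reports anything missing. It assumes you are already connected with both Connect-IPPSSession and Connect-ExchangeOnline.

```powershell
# Added example: audit the phishing simulation override rule and the
# Simulation URLs to allow entries against the values in this article.
# Assumes an existing Connect-IPPSSession and Connect-ExchangeOnline session.

# Sending IPs from this article (US primary plus the additional recommended IPs).
# EU tenants: replace 64.191.166.196 with 64.238.34.10.
$expectedIps = @('64.191.166.196', '198.61.254.6', '54.80.160.189',
                 '64.191.166.198', '54.88.246.212', '54.240.70.101', '54.240.70.102')

# Placeholder domains; replace with the domains assigned to your templates.
$expectedDomains = @('example.com', 'example2.com')

$problems = @()

# One override rule is expected; report if none exists yet.
$rule = Get-PhishSimOverrideRule -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $rule) {
    $problems += 'No phishing simulation override rule found; run the "Add an IP and Domain Policy" script first.'
} else {
    foreach ($ip in $expectedIps) {
        if ($rule.SenderIpRanges -notcontains $ip) { $problems += "Rule is missing sending IP $ip" }
    }
    foreach ($d in $expectedDomains) {
        if ($rule.Domains -notcontains $d) { $problems += "Rule is missing sending domain $d" }
    }
    if (@($rule.Domains).Count -gt 20) { $problems += 'Rule exceeds the 20 domain maximum' }
}

# Safe Links: each simulation domain needs a matching AdvancedDelivery URL allow entry
# (either the example.com/* form from the portal section or *.example.com/* from the script).
$urlEntries = Get-TenantAllowBlockListItems -ListType Url -ListSubType AdvancedDelivery -ErrorAction SilentlyContinue
foreach ($d in $expectedDomains) {
    $match = $urlEntries | Where-Object { $_.Value -like "*$d/*" }
    if (-not $match) { $problems += "No Simulation URL allow entry for $d (expected $d/* or *.$d/*)" }
}

if ($problems.Count -eq 0) {
    Write-Host 'Advanced delivery configuration matches this article.' -ForegroundColor Green
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Run it again after any template domain change, since a domain that is on a template but missing from the rule or the URL allow list is the usual reason simulations land in junk or get their links rewritten.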

Remove a Policy

If you wish to remove a phishing simulation policy, use the script below.

if (-NOT (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {
  Install-Module -Name ExchangeOnlineManagement   # add -Scope CurrentUser if you are not a local administrator
}
Import-Module ExchangeOnlineManagement

$admin = Read-Host "Exchange admin email or UPN"
Connect-IPPSSession -UserPrincipalName $admin

# Removes the policy created by the "Add an IP and Domain Policy" script, together with its rule.
Remove-PhishSimOverridePolicy -Identity PhishSimOverridePolicy

For more helpful cmdlets and scripts, please see the Microsoft documentation.