Scripts for Safelisting in Microsoft 365

This article provides two safelisting scripts for Microsoft 365 email clients.

This article provides two safelisting scripts for Microsoft 365 email clients. Learn more about PowerShell scripting in Exchange Online docs and Azure Active directory docs

  1. Safe Senders
  2. Add an IP and Domain Policy
  3. Add a URL Policy
  4. Edit a Rule
  5. Remove policy
  6. Mail Flow Rules (deprecated)

Safe Senders

Adding senders to a user's safe senders list will remove the "Some content of this message has been blocked..." banner and allow the mail client to automatically download images in emails from the sender. If images are downloaded, opens will be recorded when a user views the email.

if (-NOT (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {
Install-Module -Name ExchangeOnlineManagement
}
Import-Module ExchangeOnlineManagement
$admin = Read-Host "Exchange admin email or UPN"
Connect-ExchangeOnline -UserPrincipalName $admin
$users = Get-User
$senders = 'example@example.com' #add safe senders here, in quotes and comma-separated
foreach($user in $users){
$out = 'Adding Trusted Senders to {0}' -f $user.UserPrincipalName
Write-Output $out
Set-MailboxJunkEmailConfiguration $user.UserPrincipalName -TrustedSendersAndDomains @{Add=$senders}
}
Write-Output "Finished!"
NOTE: You will need to assign all senders you wish to add to user's safe senders list to the $senders variable, in quotes and comma-separated. For example $senders = 'example@asd.com', 'second@123.com' , ...

Add an IP and Domain Policy

Use the following script if you have not set up a phishing simulation policy.

if (-NOT (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {
  Install-Module -Name ExchangeOnlineManagement
}
Import-Module ExchangeOnlineManagement

$admin = Read-Host "Exchange admin email or UPN"
Connect-IPPSSession -UserPrincipalName $admin

#input phishing domains below, separated by commas and quoted (20 domain maximum). E.g. "$domains = 'example.com','example2.com','example3.com', ..."
$domains = ''

New-PhishSimOverridePolicy -Name PhishSimOverridePolicy
New-PhishSimOverrideRule -Name PhishSimOverrideRule -Policy PhishSimOverridePolicy -Domains $domains -SenderIpRanges 64.191.166.196

Add a URL Policy

Use the following script if you have not set up a phishing simulation policy.

if (-NOT (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {
Install-Module -Name ExchangeOnlineManagement
}

#input phishing domain URLs below, separated by commas and quoted (20 domain maximum).
#The URLs must have a leading *. and trailing /* E.g. "$urls = '*.example.com/*','*.example2.com/*','*.example3.com/*', ..."
$urls = ''

Import-Module ExchangeOnlineManagement

$admin = Read-Host "Exchange admin email or UPN"
Connect-ExchangeOnline -UserPrincipalName $admin

Get-TenantAllowBlockListItems -ListType Url -ListSubType AdvancedDelivery
New-TenantAllowBlockListItems -Allow -ListType Url -ListSubType AdvancedDelivery -Entries $urls -NoExpiration

Edit a Rule

Use the following script if your tenant has existing phishing simulation rules.

if (-NOT (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {
Install-Module -Name ExchangeOnlineManagement
}
Import-Module ExchangeOnlineManagement

$admin = Read-Host "Exchange admin email or UPN"
Connect-IPPSSession -UserPrincipalName $admin

#input phishing domains below, separated by commas and quoted (20 domain maximum). E.g. "$domains = 'example.com','example2.com','example3.com', ..."
$domains = ''

$rule = Get-PhishSimOverrideRule
Set-PhishSimOverrideRule -Identity $rule.Name -RemoveSenderIpRanges $rule.SenderIpRanges -RemoveDomains $rule.Domains -AddDomains $domains -AddSenderIpRanges 64.191.166.196
Get-PhishSimOverrideRule

Remove policy

If you wish to remove a phishing simulation policy, use the script below.

if (-NOT (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {
Install-Module -Name ExchangeOnlineManagement
}
Import-Module ExchangeOnlineManagement

$admin = Read-Host "Exchange admin email or UPN"
Connect-IPPSSession -UserPrincipalName $admin

Remove-PhishSimOverridePolicy -Identity PhishSimOverridePolicy

Mail Flow Rules (deprecated)

Implement the four mail flow rules for bypassing by Junk, Spam and Clutter by IP and email Header 

if (-NOT (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {
Install-Module -Name ExchangeOnlineManagement
}
Import-Module ExchangeOnlineManagement
$UserPrincipalName = Read-Host "UserPrincipalName"
$HeaderValue = Read-Host "X-PHISHTEST Header Value (default PhishingBox)"
if ([string]::IsNullOrEmpty($HeaderValue)) {
$HeaderValue = "PhishingBox"
}
Connect-ExchangeOnline -UserPrincipalName $UserPrincipalName
New-TransportRule "Phishing Testing - Bypass Spam By IP" -SenderIpRanges "64.191.166.0/24" -SetHeaderName "X-MS-Exchange-Organization-BypassClutter" -SetHeaderValue "true" -SetSCL "-1"
New-TransportRule "Phishing Testing - Bypass Junk By IP" -SenderIpRanges "64.191.166.0/24" -SetHeaderName "X-Forefront-Antispam-Report" -SetHeaderValue "SFV:SKI;"
New-TransportRule "Phishing Testing - Bypass Spam By Header" -HeaderContainsMessageHeader "X-PHISHTEST" -HeaderContainsWords $HeaderValue -SetHeaderName "X-MS-Exchange-Organization-BypassClutter" -SetHeaderValue "true" -SetSCL "-1"
New-TransportRule "Phishing Testing - Bypass Junk By Header" -HeaderContainsMessageHeader "X-PHISHTEST" -HeaderContainsWords $HeaderValue -SetHeaderName "X-Forefront-Antispam-Report" -SetHeaderValue "SFV:SKI;"