Recently I have had a few conversations about the Microsoft 365 Defender capabilities for allowing and blocking mail. To keep your organization safe, Microsoft does not allow lists or filtering bypass for any message identified as either malware or high-confidence phishing. This becomes a problem if you use an external service for simulated phishing attacks within the organization: the external party sends controlled phishing emails to the organization from specific IP addresses and specific domains, yet they are still blocked by Exchange Online even with rules in place to allow them.
I hear you now saying to yourself, “that's a good thing, right?” Well, the answer is “yes” to identifying the phishing messages, but “no” to blocking them so that you can't test your users. The good news is that Microsoft 365 gives you the capability to control this.
You can “Allow” or “Block” using the Microsoft 365 Defender portal. The “Allow” and “Block” lists are evaluated for each incoming email and again at time of click, when a user clicks a link in an email. You can create the following types of overrides:
- URLs to allow or block
- Files to allow or block
- Sender emails or domains to allow or block
- Spoofed senders to allow or block
To configure this, you will need access to the Microsoft 365 Defender portal, the ability to connect to Security & Compliance PowerShell and Exchange Online PowerShell if you choose that route, and the correct role. To create, modify, or remove settings in the advanced delivery policy, you need to be a member of the “Security Administrator” role group in the Microsoft 365 Defender portal and a member of the “Organization Management” role group in Exchange Online.
For read-only access to the advanced delivery policy, membership in the “Global Reader” or “Security Reader” role group is enough.
Configuring the Third-Party Phishing Simulation Settings
Navigate to the Microsoft 365 Defender portal at https://security.microsoft.com.
In the “Email & collaboration” section, choose “Policies & rules.”
Click “Threat policies.”
In the “Rules” section, click “Advanced delivery.”

Change to the “Phishing simulation” tab.
If you have already configured phishing simulations, you can edit them here.
If you are creating a new phishing simulation, click “Add.”

Within the “Add Third Party Phishing Simulations” fly-out, you can expand each section and add either “Domains,” “IP addresses,” or “Simulation URLs.”

To determine what to add, you need to understand the supported entry formats. The main options (with the form each takes) are:
- No wildcards (givemeyourpassword.com)
- Left wildcard (*.givemeyourpassword.com)
- Right wildcard at the top of the path (givemeyourpassword.com/*)
- Left tilde (~givemeyourpassword.com)
- Right wildcard suffix (givemeyourpassword.com/abc*)
- Left wildcard subdomain and right wildcard suffix (*.givemeyourpassword.com/abc*)
- Left and right tilde (~givemeyourpassword.com~)
Each of these options matches domains and URLs differently, so you pick the form that covers what you need. To ensure the process works as expected, you add the sending domains and the URLs that appear in the phishing email. For example, if the simulation uses “givemeyourpassword.com,” you add the domain, and then add the URL that needs allowing, which could be “https://givemeyourpassword.com/clickme/passwordgetter.html.”
Of course, you do not simply paste the URL; you use the operators above to control how broadly each entry matches.
Let's say, for example, you are receiving the phishing simulation emails from the IP address 64.23.45.12, the sender addresses use these domains, and the URLs in the messages match these domains:
- givemeyourpassword.com
- xyz.givemeyourpassword.com
- abc.xyz.givemeyourpassword.com
- xyz.updateyourdetails.com
- confirmenrollment.com
As you can see, these are a mix of root domains and sub-domains. Your first thought would be to add the root domains as they are. You would add these values:
- givemeyourpassword.com
- updateyourdetails.com
- confirmenrollment.com
This configuration will “Allow” or “Block” at the root domain level only, matching the name exactly: no sub-domains and no paths. Even with the root domains added, you may find the mail is still not allowed because of the high-confidence blocking of the URLs in the message body.
- PASS: givemeyourpassword.com
- FAIL: http://www.givemeyourpassword.com
- PASS: updateyourdetails.com
- FAIL: abc.updateyourdetails.com
- FAIL: xyz.givemeyourpassword.com
- PASS: confirmenrollment.com
- FAIL: abcconfirmenrollment.com
- FAIL: www.confirmenrollment.com
- FAIL: confirmenrollment.com/abc
- FAIL: http://www.confirmenrollment.com/abc
So if adding the domains as-is does not work, the next approach is the left wildcard. You would add these values:
- *.givemeyourpassword.com
- *.updateyourdetails.com
- *.confirmenrollment.com

This configuration will “Allow” or “Block” sub-domains only, not the root domain itself; any path under a matching sub-domain is covered, but the bare root never is.
- FAIL: givemeyourpassword.com
- PASS: http://www.givemeyourpassword.com
- FAIL: updateyourdetails.com
- PASS: abc.updateyourdetails.com
- PASS: xyz.givemeyourpassword.com
- FAIL: confirmenrollment.com
- FAIL: abcconfirmenrollment.com
- PASS: www.confirmenrollment.com
- FAIL: confirmenrollment.com/abc
- PASS: http://www.confirmenrollment.com/abc
Though the wildcard approach works, it may not meet your requirements, because the root domain itself is no longer matched. In this case, you can use the left “tilde” form instead. You can use the same domains as before:
- givemeyourpassword.com
- xyz.givemeyourpassword.com
- abc.xyz.givemeyourpassword.com
- xyz.updateyourdetails.com
- confirmenrollment.com
For the values to add to the phishing configuration, you can use the following:
- ~givemeyourpassword.com
- ~updateyourdetails.com
- ~confirmenrollment.com

This configuration will “Allow” or “Block” the root domain and its sub-domains, but not URLs that carry a path.
- PASS: givemeyourpassword.com
- PASS: http://www.givemeyourpassword.com
- PASS: updateyourdetails.com
- PASS: abc.updateyourdetails.com
- PASS: xyz.givemeyourpassword.com
- PASS: confirmenrollment.com
- FAIL: abcconfirmenrollment.com
- PASS: www.confirmenrollment.com
- FAIL: confirmenrollment.com/abc
- FAIL: http://www.confirmenrollment.com/abc
Though the single “tilde” approach covers the root and its sub-domains, it still does not match URLs with a path, so it may not meet your requirements. In this case, you can use the “double tilde” form instead. You can use the same domains as before:
- givemeyourpassword.com
- xyz.givemeyourpassword.com
- abc.xyz.givemeyourpassword.com
- xyz.updateyourdetails.com
- confirmenrollment.com
For the values to add to the phishing configuration, you can use the following:
- ~givemeyourpassword.com~
- ~updateyourdetails.com~
- ~confirmenrollment.com~

This configuration will “Allow” or “Block” the root domain and its sub-domains, with or without a path.
- PASS: givemeyourpassword.com
- PASS: http://www.givemeyourpassword.com
- PASS: updateyourdetails.com
- PASS: abc.updateyourdetails.com
- PASS: xyz.givemeyourpassword.com
- PASS: confirmenrollment.com
- FAIL: abcconfirmenrollment.com
- PASS: www.confirmenrollment.com
- PASS: confirmenrollment.com/abc
- PASS: http://www.confirmenrollment.com/abc
The advantage is that you can mix and match the operators for the domains and URLs you add. For example, you could add something like this:
- *.givemeyourpassword.com/* (any sub-domain, any path)
- givemeyourpassword.com/abc/* (the root domain, only under the /abc/ path)
- ~updateyourdetails.com~ (root and sub-domains, any path)
- updateyourdetails.com/* (the root domain, any path)
- ~confirmenrollment.com (root and sub-domains, no path)
- *.confirmenrollment.com/* (any sub-domain, any path)

These options give you fine-grained control, especially when you combine them with the sending IP filter. A message is treated as a phishing simulation only when it arrives from one of the listed sending IPs and from one of the listed domains, and the simulation URL entries are what stop the links in the message body from being blocked.
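To take some of the guesswork out of choosing entries, the following is an added example (not part of the original post, and not Microsoft's matching engine): a small Python model of the entry forms above, with the matching rules reconstructed from the PASS/FAIL tables in this post. The candidate URLs and entry lists are the post's own; the treatment of a bare host as “host/” (so that “domain/*” also covers the bare domain) and the ignoring of query strings are assumptions the tables do not settle, so confirm them against the Microsoft documentation before relying on them.

```python
"""Offline model of the Tenant Allow/Block List URL entry syntax.

Added example, not Microsoft's matching engine: the rules are reconstructed
from the entry forms and PASS/FAIL tables in the post above. Anything the
tables do not cover is marked ASSUMPTION; check it against the Microsoft docs.
"""
from urllib.parse import urlsplit


def normalize(url):
    """(host, path) of a URL or bare hostname, lowercased, scheme dropped.
    ASSUMPTION: a bare host is "host/" (path "/"), so "domain/*" also covers
    the bare domain. Query strings and fragments are ignored."""
    u = url.strip().lower()
    if "://" not in u:
        u = "http://" + u  # urlsplit needs a scheme to find the host
    parts = urlsplit(u)
    return parts.hostname or "", parts.path or "/"


def _self_or_subdomain(domain, host):
    return host == domain or host.endswith("." + domain)


def entry_matches(entry, url):
    """True if a single entry covers the URL."""
    e = entry.strip().lower()
    if "." not in e.strip("~*/"):
        raise ValueError(f"not a hostname entry: {entry!r}")
    host, path = normalize(url)
    # Left and right tilde (~domain~): root, any sub-domain, any path.
    if e.startswith("~") and e.endswith("~"):
        return _self_or_subdomain(e[1:-1], host)
    # Left tilde (~domain): root and sub-domains, bare host only.
    if e.startswith("~"):
        return _self_or_subdomain(e[1:], host) and path == "/"
    # Everything else is host[/path] with an optional trailing "*".
    ehost, sep, epath = e.partition("/")
    if ehost.startswith("*."):
        host_ok = host.endswith("." + ehost[2:])  # sub-domains, never the root
    else:
        host_ok = host == ehost  # exact host
    if not host_ok:
        return False
    if not sep:
        # "*.domain" matched any path in the post's tables; a plain host is
        # an exact match only (sub-paths are not implied for allow entries).
        return ehost.startswith("*.") or path == "/"
    epath = "/" + epath
    if epath.endswith("*"):
        return path.startswith(epath[:-1])  # right wildcard: path prefix
    return path == epath


def is_allowed(entries, url):
    """True if any entry in the proposed list covers the URL."""
    return any(entry_matches(e, url) for e in entries)


def evaluate(entries, urls):
    """Map each candidate URL to "PASS" or "FAIL" for a proposed entry list."""
    return {u: "PASS" if is_allowed(entries, u) else "FAIL" for u in urls}


# Constructed sample: the post's candidate URLs (duplicate removed), its four
# entry lists, and the PASS/FAIL results it reports for each (P/F, in order).
CANDIDATES = [
    "givemeyourpassword.com", "http://www.givemeyourpassword.com",
    "updateyourdetails.com", "abc.updateyourdetails.com",
    "xyz.givemeyourpassword.com", "confirmenrollment.com",
    "abcconfirmenrollment.com", "www.confirmenrollment.com",
    "confirmenrollment.com/abc", "http://www.confirmenrollment.com/abc",
]
DOMAINS = ["givemeyourpassword.com", "updateyourdetails.com", "confirmenrollment.com"]
TABLES = {
    "exact": (DOMAINS, "PFPFFPFFFF"),
    "left wildcard": (["*." + d for d in DOMAINS], "FPFPPFFPFP"),
    "left tilde": (["~" + d for d in DOMAINS], "PPPPPPFPFF"),
    "both tildes": (["~" + d + "~" for d in DOMAINS], "PPPPPPFPPP"),
}


def check_against_post():
    """Return (table, url, model, post) for every place the model disagrees."""
    mismatches = []
    for name, (entries, expected) in TABLES.items():
        got = evaluate(entries, CANDIDATES)
        for url, flag in zip(CANDIDATES, expected):
            want = "PASS" if flag == "P" else "FAIL"
            if got[url] != want:
                mismatches.append((name, url, got[url], want))
    return mismatches


if __name__ == "__main__":
    for name, (entries, _) in TABLES.items():
        print(f"== {name}: {entries}")
        for url, result in evaluate(entries, CANDIDATES).items():
            print(f"  {result}: {url}")
    print("mismatches vs the post's tables:", check_against_post() or "none")
```

Run it with your own proposed entry list and the exact URLs your simulation vendor sends, and you can see before touching the tenant which links would still be blocked; a “FAIL” against the model is a hint to widen the entry (for example from a plain host to the double-tilde form), not proof of how the service behaves, which is why the script also reports any disagreement with the post's tables.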

Configuring the Third-Party Phishing Simulation Settings Using PowerShell
If you want to use PowerShell to create the same configuration, you could use something like this. Note that the phishing simulation override cmdlets live in Security & Compliance PowerShell (Connect-IPPSSession), while the simulation URLs are Tenant Allow/Block List entries managed from Exchange Online PowerShell (Connect-ExchangeOnline):
# Both connections come from the same ExchangeOnlineManagement module.
Import-Module ExchangeOnlineManagement

# The PhishSimOverride cmdlets are only available in Security & Compliance PowerShell.
Connect-IPPSSession

$domains = "givemeyourpassword.com", `
"updateyourdetails.com", `
"confirmenrollment.com"
$senderips = "64.23.45.12", `
"64.23.44.12", `
"64.23.43.12"

# The rule must belong to a phishing simulation override policy, so create the policy first.
New-PhishSimOverridePolicy -Name "PhishSimOverridePolicy"
New-PhishSimOverrideRule `
-Name "SimulationOverrideRule" `
-Policy "PhishSimOverridePolicy" `
-Domains $domains `
-SenderIpRanges $senderips

# Simulation URLs are Tenant Allow/Block List URL entries with the AdvancedDelivery
# subtype, managed from Exchange Online PowerShell. These allow entries do not
# expire, so -NoExpiration goes with them.
Connect-ExchangeOnline

$urls = "*.givemeyourpassword.com/*", `
"givemeyourpassword.com/abc/*", `
"~updateyourdetails.com~", `
"updateyourdetails.com/*", `
"~confirmenrollment.com", `
"*.confirmenrollment.com/*"
New-TenantAllowBlockListItems `
-Allow `
-ListType Url `
-ListSubType AdvancedDelivery `
-Entries $urls `
-NoExpiration

For the rules to work as expected, you will need to test, and it will most likely be a trial-and-error experience. However, once you have the correct combination of domains, sending IPs, and URL entries, your phishing simulation emails will no longer be blocked.
For more details, check out the Microsoft documentation on the advanced delivery policy.