Security Awareness Safelisting in Microsoft 365

Situation – Company uses Microsoft 365 and Proofpoint Essentials Security Awareness
Phishing emails and notifications are not passing through their mail servers or are being quarantined.

Version – Proofpoint Essentials Security Awareness
Platform – Microsoft 365, formerly Office 365.

Summary – Depending on your mail flow:

  • Safelist the mailer IP addresses
  • Create a Transport Rule
  • Set up a Connector
  • Insert Headers for Microsoft ATP

Question

How do I safelist Proofpoint Essentials Security Awareness within Microsoft 365?

Answer

It depends on your mail flow.

When the mail leaves our platform where does it first go? Your email administrator should be able to answer this question if you are unsure. We can query your MX (Mail eXchange) records to see the first ‘hop’. After that we have no visibility into your environment so your email administrator will be key to getting things safelisted correctly.

If your mail flow looks like this, you can follow the steps below as they are written, using the IP Address instructions.

phishing sim office365

If your mail flow has multiple hops, you won’t be able to safelist at the mail transport layer by IP address, but we provide some solutions down below.

Note: PPS is used as an example here. This is true for Spambrella, as well as any other mail gateway you might use.

Security Awareness Safelisting in Microsoft 365

Follow the steps below to Safelist in Microsoft 365.

Create A Transport Rule

You should create a transport rule that sets the SCL (Spam Confidence Level) of the emails sent from Phishing Simulation to -1. This bypasses spam protection.

  1. Log in to the Microsoft 365 Admin portal
  2. Select the Admin Center icon and then select Exchange from the menu to access the Exchange Admin Center (EAC)
  3. Click mail flow and then rules, then click the + icon to Create a new rule
  4. Enter a name for the new rule
  5. Choose More options . . . This must be done to continue setting up the Rule.
  6. Select the appropriate option below – IP Address or Message Header

For IP Address

  1. From the drop-down menu, *Apply this rule if …, select The sender…, then select IP Address is in any of these ranges or exactly matches
  2. Enter Proofpoint Security Awareness Training’s IP addresses into the dialog box. Click the + icon to add multiple IPs.

Note: The IPs for your server can be found in our Safelisting Guide (EU). and Safelisting Guide (US)

  1. Click OK
  2. From the drop-down menu, *Do the following:, select Modify the message properties…, then select set the spam confidence level (SCL)
  3. Select Bypass spam filtering and click OK. This sets the SCL to -1 Bypass Spam Filtering
  4. All other settings can be left with the default setting
  5. Click Save at the lower right of the rule

For Message Header

You would follow the same steps as above, except instead of an IP you would do:

  1. From the drop-down menu, *Apply this rule if …, select A message header matches…
  2.  If you are using PPS – follow the steps in this guide to inject a header and use that header information here:  Safelisting in Proofpoint Protection Services
  3. If you are using another secure mail gateway you could follow a similar approach if you are able to inject a header.
  4. If you cannot inject a header:
Option 1
  • Phishing Simulation has 2 default headers that can be used (but this is not advised)

Option 2

Leverage the Received header:

US
from mailer1.threatsim.com (mailer1.threatsim.com [107.23.16.222])
from mailer2.threatsim.com (mailer2.threatsim.com [54.173.83.138])EU
mailer1.eu.threatsim.com(mailer1.eu.threatsim.com [52.17.45.98])
mailer2.eu.threatsim.com(mailer2.eu.threatsim.com [52.16.190.81])AP
mailer1.ap.threatsim.com (mailer1.ap.threatsim.com [13.55.65.8])
mailer2.ap.threatsim.com (mailer2.ap.threatsim.com [13.55.54.143])

Security Awareness Safelisting in Microsoft 365

Option 3

  • Leverage the SPF header –  You would want to create a rule that checks If X-FEAS-SPF contains threatsim.com and the SPF signature is valid. This would be the most secure of the three options.

This is an example of what those headers might look like:

X-FEAS-SPF: spf-result=pass, ip=54.173.83.138, helo=mailer1.threatsim.com, mailFrom=info@techsupport-corp.com
X-FEAS-DKIM: Valid

Tip: If you are using option #2 or #3 the best thing to do is to take an email you received (either in your inbox or Exchange Quarantine) and copy and paste the headers & values from there. The syntax might be slightly different in each environment. The header and values is case sensitive and must be exact. For these reasons copy and paste is encouraged.

Setting Up A Connector 

Please note a connector has always been encouraged. In recent months we have seen an increase in email deferment at Microsoft 365 perimeter. If you are not getting message or there is a significant delay you will need to install a connector.

  1. Login to the Microsoft 365 Admin portal
  2. Select the Admin Center icon and then select Exchange from the menu to access the Exchange Admin Center (EAC)
  3. Click mail flow and then Connectors, then click the +  icon to create a new rule
  4. Select your Mail Flow Scenario and set the From to Partner Organization and To to Office 365 then click Next
  5. Select the Name of the Connector and a write an optional description. You will then want to make sure the box underneath What do you want to do after connector is saved? is checked and click Next
  6. Choose how Proofpoint Essentials Security Awareness should be identified. You will want to Use the sender’s IP address, then click Next
  7. Enter our IP addresses into the dialog box. Click the + icon to add multiple IPs. Click Next when done.
  8. Check the box – Reject email messages if they aren’t sent over TLS, Click Next when done
  9. Click Save

Microsoft ATP (Advanced Threat Protection)

ATP provides limited abilities for safe listing or creating exceptions directly for Attachments or Safe Links. Mail Flow Rules can be set up to insert Headers into the received emails that allow the system to bypass the ATP functions for those messages. This can be configured based on the sending IP addresses so that only those emails received from Proofpoint are subject to this behavior.

Follow the steps in these articles to insert these headers:

For Drive by or Data Entry campaigns —  Bypass Microsoft ATP Link Processing

For Attachment-based campaigns – Bypass Microsoft ATP Attachment Processing

This will allow those emails to pass to the end users, without being subjected to the scanning that is creating false positive results.

After creating or modifying Exchange rules, allow up to 12 hours for the configuration to propagate.

Note: Office 365/O365 was rebranded as Microsoft 365

Further reading:

Phishing Drive-By Campaign CSV Header Definitions – PSAT

Phishing Raw Campaign Data CSV – PSAT (Measure)