Microsoft

Share

Is this article helpful?

Last updated:

Bypass Safe Link and Safe Attachments in Microsoft Defender for Office 365

Note:If you use Microsoft 365, Microsoft requires that you use advanced delivery policies to ensure email delivery. If advanced delivery policies are in use in your environment, adding these rules will interfere with KnowBe4's phishing security tests (PSTs) being identified as a third-party phishing simulations. For more information, see our Advanced Delivery Policies in Microsoft Defender for Office 365 article.

If you are using Microsoft Defender for Office in your mail environment and have experienced false clicks or false attachment opens, it is because Defender for Office has link processing and attachment processing rules that are causing this. You can set up additional mail flow rules that allow you to bypass safe links and attachments processing for phishing test emails from KnowBe4's IP addresses. However, if you have a mail filter in front of your mail server, we recommend you whitelist in Microsoft Defender for Office by email header instead.

You only need to create rules for your organization's needs. For example, if you whitelist by header, follow the Safe Link Bypass Rule by Header and Safe Attachments Bypass Rule by Header sections. We recommend that you allow an hour for the rules to circulate to all of your users. To test out your rule, set up a phishing campaign for a small test group that includes yourself prior to starting a phishing campaign. 

Note:Whitelisting the URL overwrite in safe links isn't supported for phishing simulations. For more information, see Microsoft's safe links policies article.

Safe Link Bypass Rule

To set up a mail flow rule to bypass Safe link processing:

  1. Create a new mail flow rule in your Microsoft 365 Exchange admin center.
  2. Give the rule a name such as "Bypass Safe Links".
  3. Click More options....
  4. From the Apply this rule if…. drop-down menu, select The senders then select IP address is in any of these ranges or exactly matches. 
  5. Enter our IP address. For the most up-to-date list of our IP addresses, please see this article.
  6. From the Do the following… drop-down menu, select Modify the message properties... and then set a message header.
  7. Click the first *Enter text... link and set the message header to "X-MS-Exchange-Organization-SkipSafeLinksProcessing".
  8. Click the second *Enter text... link and set the value to "1".
  9. Click Save.

Safe Attachments Bypass Rule

Below are the steps to set up a mail flow rule to bypass Safe Attachments Processing:

  1. Create a new mail flow rule in your Microsoft 365 Exchange admin center.
  2. Give the rule a name such as Bypass Safe Attachments.
  3. Click more options.
  4. From the Apply this rule if… drop-down, select The senders then select IP address is in any of these ranges or exactly matches. 
  5. Enter our IP addresses. Please see this article for the most up-to-date list of our IP addresses.
  6. From the Do the following… drop-down, select Modify the message properties... and then set a message header.
  7. Click the first *Enter text... link and set the message header to "X-MS-Exchange-Organization-SkipSafeAttachmentProcessing". 
  8. Click the second *Enter text... link and set the value to "1". 
  9. Click Save. 

Safe Link Bypass Rule by Header

To set up a mail flow rule to bypass Safe Link processing by header:

  1. Create a new mail flow rule in your Microsoft 365 Exchange admin center.
  2. Give the rule a name such as "Bypass Safe Links".
  3. Click More options....
  4. From the Apply this rule if… drop-down menu,  select A message header... then selects includes any of these words.
  5. On the right side of that rule, you will see *Enter text... and *Enter words...
  6. Click *Enter text... to open the specify header name window. In this window, type the header name. For more information on what to enter for your header name, see the note below.
    Note:By default, the header for KnowBe4 mail is X-PHISHTEST. We recommend that you change the default header to a custom header or header token for enhanced security. You can change the header settings for your account from the Account Settings page. For more information, see our How to Edit Your Account Settings article.
  7. Click *Enter words … and type in KnowBe4 and click the + sign.
  8. From the Do the following… drop-down menu, select Modify the message properties... and then set a message header.
  9. Click the first *Enter text... link and set the message header to "X-MS-Exchange-Organization-SkipSafeLinksProcessing". 
  10. Click the second *Enter text... link and set the value to "1". 
  11. Click Save.

Safe Attachments Bypass Rule by Header

Below are the steps to set up a mail flow rule to bypass Safe Attachments Processing by header:

  1. Create a new mail flow rule in your Microsoft 365 Exchange admin center.
  2. Give the rule a name such as "Bypass Safe Attachments by Header".
  3. Click more options.
  4. From the Apply this rule if… drop-down menu,  select A message header... then selects includes any of these words.
  5. On the right side of that rule, you will see *Enter text... and *Enter words...
  6. Click *Enter text... to open the specify header name window. In this window, type the header name. For more information on what to enter for your header name, see the note below.
    Note:By default, the header for KnowBe4 mail is X-PHISHTEST. We recommend that you change the default header to a custom header or header token for enhanced security. You can change the header settings for your account from the Account Settings page. For more information, see our How to Edit Your Account Settings article.
  7. Click *Enter words … and type in keyword that should be found in the header. By default, the keyword would be "KnowBe4". Click the + sign.
  8. From the Do the following… drop-down, select Modify the message properties... and then set a message header.
  9. Click the first *Enter text... link and set the message header to "X-MS-Exchange-Organization-SkipSafeAttachmentProcessing". 
  10. Click the second *Enter text... link and set the value to "1". 
  11. Click Save. 

Still need assistance? Submit a support ticket and we can help!

Was this article helpful?

15 out of 16 found this helpful

Can't find what you're looking for?

Contact Support