This article will cover how to whitelist our simulated phishing email servers in your Exchange 2016.
The goal is to allow us to send simulated phishing emails to bypass your Microsoft Exchange Online Protection (EOP) mail filter. This setup will allow our simulated phishing emails as well as our training notifications to bypass this filter.
First, you'll want to set up an IP Allow List which includes our IP addresses. Next, you will set up a mail flow rule to allow incoming mail to bypass both the Clutter folder, as well as Microsoft's EOP spam filter. You must set up ALL of these rules to whitelist successfully.
Once your settings are in place, it may take some time for those settings to propagate. We recommend that you wait 1-2 hours and then set up a phishing campaign for yourself or a small group to test out your new whitelisting rules.
The instructions for setting up these rules are shown below. The instructions show screenshots for Microsoft 365, however, this whitelisting process only works for Exchange 2016. To whitelist in Microsoft 365, please navigate to our How to Use Advanced Delivery Policies in Microsoft 365 article and whitelist according to those instructions.
Step 1: Setting Up Your IP Allow List
Below are instructions on how to set up your IP allow list for Exchange 2016.
- Log into your mail server admin portal and click Admin.
- Click Exchange under Admin Centers in the left-hand menu.
- Click connection filter beneath protection.
Note: If you're using an on-prem Exchange 2016 mail server and you don't have the connection filter option, you can use the command line to add the allowed IP addresses instead. For more information, see Microsoft's Add-IPAllowListEntry documentation.
- Click the Pencil icon to edit the default connection filter policy.
- Click connection filtering. Then, under the IP Allow list, click the + sign to add an IP address.
- On the Add allowed IP address screen, add our IP addresses one at a time. For the most up-to-date list of our IP addresses, please see this article.
- Click OK, then Save. Next, you will want to set up a mail flow rule to allow our mail to bypass spam filtering and the Clutter folder.
Next, you will need to set up a mail flow rule to bypass clutter and spam filtering.
Step 2: Bypassing Clutter and Spam Filtering
To ensure our messages will bypass your Clutter folder as well as spam filtering within Microsoft's EOP, follow the steps below.
- From the Exchange admin center, select Mail Flow from the left-hand menu.
- Click the (+) button beneath Rules and then select Bypass Spam Filtering.
Exchange Admin Center:
- Give the rule a name, such as "Bypass Clutter & Spam Filtering by IP Address".
- Click the Apply this rule if... drop-down menu and select The Sender then IP address is in any of these ranges or exactly matches.
New Rule Screen:Note: If you don't see the settings you need, click More options on the New Rule screen to see all available settings.
- Enter all of our IP addresses, then click OK. For the most up-to-date list of our IP addresses, please see this article.
Specify Sender IP addresses:
- Click the Do the following drop-down and select Modify the message properties then set a message header.
Modifying the message properties:
- Click the *Enter text... button after "Set the message header" to set the message header. Enter the following: "X-MS-Exchange-Organization-BypassClutter". This field is case sensitive. Once entered, click OK.
- Click the *Enter text... button after "to the value" and enter "true". This field is case sensitive. Once entered, click OK and then add action.
- From the drop-down menu for Do the following... select Modify the message properties. Then, click Set the spam confidence level (SCL) to... and select Bypass Spam Filtering.
Bypass Spam Filtering
Note: For best practices, we recommend leaving the other options at their default settings.
- Click Save. An example of the completed rule is shown below.
Completed Mail Flow Rule
Your whitelisting is complete. To test out your whitelisting and make sure phishing security tests will reach your end users, you can set up a phishing campaign for a small test group that includes yourself. Once the simulated phishing email reaches your inbox, you'll know you've successfully whitelisted our servers in your system.