Menu English (US) Čeština Dansk Deutsch Español (Latinoamérica) Español (España) Suomi Français (Canada) Français (France) हिंदी Magyar Bahasa Indonesia Italiano 日本語 한국어 Bahasa Melayu Nederlands Norsk Polski Português do Brasil Português (Portugal) Română Русский svenska ไทย Türkçe Українська Tiếng Việt 简体中文 繁體中文

How to Use Advanced Delivery Policies in Microsoft Defender for Office

Updated:

Created:

Using Advanced Delivery Policies in Microsoft Defender for Office

Note: According to Microsoft's Manage allows and blocks in the Tenant Allow/Block List documentation, you should not use the Tenant Allow/Block List to whitelist our simulated phishing emails. Instead, you should use the advanced delivery policies.

Microsoft’s secure by default feature may affect the way your organization whitelists KnowBe4. Due to this change, you can whitelist KnowBe4 using Microsoft’s advanced delivery policies feature instead.

Before the secure by default feature was released, the security overrides in your Microsoft 365 Admin Center may have helped you whitelist KnowBe4. However, since the secure by default feature was released, some of these overrides were disabled for security reasons. For a list of security overrides that were disabled, see Microsoft's Secure by default in Office 365 article.

In this article, you will learn how to whitelist KnowBe4 with the advanced delivery policy feature. If you prefer video tutorials, you can also watch our Whitelisting by Advanced Delivery Policies in Microsoft 365 video. For more information about Microsoft's secure by default feature, see Microsoft’s Secure by default in Office 365 article.

Note: If your messages are still not delivering after configuring your advanced delivery policy, we recommend setting up smart hosting. Without smart hosting, some filters cannot be disabled and may impact the delivery of Phishing Security Test (PST) emails. Smart hosting PST emails allows you to bypass these filters. For more information, see our Smart Hosting for Phishing Security Tests article.
Note: Some whitelisting functions may be limited to customers outside of the US which may cause issues when using the KMSAT console.

Jump to:

What Are Advanced Delivery Policies?
Whitelisting KnowBe4 Using Advanced Delivery Policies

 

What Are Advanced Delivery Policies?

In Microsoft Defender for Office (formerly Microsoft Defender for Microsoft 365), an advanced delivery policy is a policy that allows you to override several security configurations.

Note: Advanced delivery policies in Microsoft Defender for Office no longer prevent the scanning of macro-enabled attachments.

These security configurations are listed below:

  • Filtering in EOP or Microsoft Defender for Office
  • ZAP
  • Default system alerts
  • AIR/Clustering for Microsoft Defender

The ability to override these security configurations affects PSTs in the following ways:

  • Admin Submissions can determine that PSTs are not real threats, and alerts from AIR are not triggered.
  • Safe Links are not blocked.
  • Safe Attachments are not blocked.
  • Malware verdicts still cannot be bypassed.
  • Microsoft Report Phish Button causes false positives if an attachment is used.

Back to top

 

How to Whitelist KnowBe4 Using Advanced Delivery Policies

In this section, you'll learn how to whitelist KnowBe4 using advanced delivery policies.

Note: If your domain's mail exchanger (MX) record does not point to Microsoft 365 and emails are routed to another domain before your domain, you can't use the secure by default feature. For more information, see Microsoft’s Additional scenarios that require filtering bypass article.
To add advanced delivery policy protection, you'll need to enable the Enhanced Filter for Connectors setting. For more information on how to configure this setting, see Microsoft’s Configure the delivery of third-party phishing simulations to users and unfiltered messages to SecOps mailboxes article. You can still use mail flow rules to bypass Microsoft filtering for emails that have already been evaluated by third-party filtering.

Before you can whitelist KnowBe4 using advanced delivery policies, you'll need to have the appropriate permissions. To create, modify, or remove settings in an advanced delivery policy, you will need to be a member of the Security Administrator role group in the Microsoft Security & Compliance Center and the Organization Management role group in Microsoft Exchange Online.

For read-only access to an advanced delivery policy, you will need to be a member of the Global Reader or Security Reader role groups. For more information about Microsoft permissions, see Microsoft’s Permissions in the Microsoft 365 Defender portal and Permissions in Exchange Online articles.

Note: For the best experience with advanced delivery policies, we also recommend that you add KnowBe4 to your domain's Sender Policy Framework (SPF) record. For more information, see our How to Add KnowBe4 to Your Sender Policy Framework (SPF) Record article.

To configure an advanced delivery policy for KnowBe4, follow the steps below:

Note: If you're using the free PST, contact our support team for a list of phishing domains.
  1. Log in to your KnowBe4 account.
  2. Click your email address in the top-right corner of the page and select Account Settings.
  3. From your Account Settings, navigate to Phishing > Phishing Settings.
  4. Select the Enable DKIM Signature check box.
  5. Select Use KnowBe4's Signing Domain.
  6. Click the Save DKIM Settings button.
  7. In a new window, log in to your Microsoft 365 account.
  8. From the menu on the left side of the page, select Admin. You'll be taken to the Microsoft 365 Admin Center.
  9. From the Microsoft 365 Admin Center, click Security under Admin centers. Or, you can directly log in to your Microsoft 365 Defender portal
  10. Under the Email & Collaboration section, navigate to Policies & Rules > Threat policies > Advanced delivery.
  11. On the Advanced delivery page, select the Phishing Simulation tab.
  12. Click the Edit icon.
    Note: If you don't have any configured phishing simulations, click the Add icon.
  13. In the Edit third-party phishing simulation modal, adjust the following settings. You should use the settings for your specific region:
    1. Sending Domains for training.knowbe4.com: psm.knowbe4.com, ispservices.org
      Sending Domains for eu.knowbe4.com: psm.knowbe4.com, ispservices.co.uk
      Sending Domains for ca.knowbe4.com: psm.knowbe4.com, ispservices.net
      Sending Domains for uk.knowbe4.com: psm.knowbe4.com, online-login-portal.com
      Sending Domains for de.knowbe4.com: psm.knowbe4.com, mailserver-status.com
    2. Sending IP for training.knowbe4.com, ca.knowbe4.com, uk.knowbe4.com, and de.knowbe4.com: 147.160.167.0/26, 23.21.109.197, 23.21.109.212
      Sending IP for eu.knowbe4.com: 147.160.167.0/26, 52.49.201.246, 52.49.235.189, 23.21.109.197,  23.21.109.212
    3. Simulation URLs to allow: In a separate window, log in to your KMSAT console and navigate to Phishing > Domains. Enter up to 30 phish link root domains that you currently use or plan to use for PSTs using the recommended URL format syntax: *.example.com/*
      Note: If you don't have access to the Domains subtab, contact our support team for a list of phish link domains.
      Note: We suggest that you hide any domains in your KMSAT console that you are not using in your advanced delivery policy. For more information about phish link domains, see our How to Manage Phish Link Domains article. 
  14. To spoof your domain or to use spoofing in the delivery of PSTs, you will need to add the spoof intelligence policy from our How to Use Spoof Intelligence Allow/Block List for Microsoft 365 article.
Note: If you see warnings with Safe Links, please review the URL syntax format outlined in Microsoft’s Manage allows and blocks in the Tenant Allow/Block List article.

If you need further assistance with this feature, contact our support team.

Note: To ensure that you have whitelisted correctly, see our How to Verify You Have Whitelisted KnowBe4 Correctly article.

 

Back to top

Have more questions? Submit a request

Comments

0 comments

Article is closed for comments.

Related articles