Using Advanced Delivery Policies in Microsoft 365
Note: If you currently have Overwrite Return-path Address with Reply-to-Address enabled in your Reply-to Phishing settings or Overwrite Fixed Return-path Address with Sender Address enabled in your Phishing Emails Headers settings, Advanced Delivery will not function properly. Please disable these features before moving forward with this guide.
Microsoft’s new secure by default feature may affect current whitelisting rules that your organization has in place. Due to this change, you can use Microsoft’s new Advanced Delivery Policies feature to whitelist KnowBe4. In this article, you will learn how to whitelist KnowBe4 with the new advanced delivery policy feature. For more information about the secure by default feature, see Microsoft’s Secure by default in Office 365 article.
In your Microsoft 365 admin center, there were overrides in place that assisted with whitelisting KnowBe4 emails. With the secure by default feature release, some of these overrides have been disabled for security reasons.
The disabled overrides are listed below:
- Allowed sender lists or allowed domain lists (anti-spam policies)
- Outlook Safe Senders
- IP Allow List (connection filtering)
What are Advanced Delivery Policies?
In Microsoft 365, an advanced delivery policy is a policy that can override several security configurations.
The affected security configurations are listed below:
- Filtering in EOP/MS Defender for O365
- Default system alerts
- AIR/Clustering for Defender
The ability to override these security configurations affects phishing security tests in the following ways:
- Admin Submissions can determine that phishing security tests are not real threats, and alerts from AIR are not triggered.
- Safe Links are not blocked.
- Safe Attachments are not blocked.
- Malware verdicts still cannot be bypassed.
- MS Report Phish Button causes false positives if an attachment is used.
Whitelisting KnowBe4 Using Advanced Delivery Policies
This section outlines the requirements and steps for whitelisting KnowBe4 emails using advanced delivery policies.
To create, modify, or remove settings in an advanced delivery policy, you need to be a member of these role groups:
- Security Administrator role group in the Microsoft Security & Compliance Center
- Organization Management role group in Microsoft Exchange Online
For read-only access to an advanced delivery policy, you need to be a member of the Global Reader or Security Reader role groups.
Note: If your domain's MX record does not point to Microsoft Office 365 and emails are routed to another domain before your domain, you cannot use the secure by default feature. For more information, see Microsoft’s Additional scenarios that require filtering bypass article.
To add advanced delivery policy protection, you will need to enable the Enhanced Filter for Connectors setting. For more information on how to configure this setting, see Microsoft’s Configure the delivery of third-party phishing simulations to users and unfiltered messages to SecOps mailboxes article. You can still use mail flow rules to bypass Microsoft filtering for emails that have already been evaluated by third-party filtering.
Note: For the best experience with Advanced Delivery, we also suggest adding KnowBe4 to your domain's SPF record. See our Adding KnowBe4 to Your Sender Policy Framework (SPF) Record article for more info.
To configure an advanced delivery policy for KnowBe4, follow the steps below.
- Log in to your Microsoft 365 account and select Admin from the menu on the left.
- From the Microsoft 365 Admin Center, click Security under Admin centers. Alternatively, log in to your Microsoft 365 Defender portal.
- Under Email & Collaboration, navigate to Policies & Rules > Threat policies > Advanced delivery.
- On the Advanced delivery page, select the Phishing Simulation tab.
- Click the Edit icon.
If there are no configured phishing simulations, click Add.
- In the Edit third-party phishing simulation modal, adjust the following settings:
- Sending Domain: psm.knowbe4.com
- Sending IP for us.knowbe4.com and ca.knowbe4.com: 184.108.40.206/26, 220.127.116.11, 18.104.22.168
Sending IP for eu.knowbe4.com: 22.214.171.124/26, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11
Simulation URLs to allow: Navigate to the Domains tab under Phishing and enter the root domain of any Phish Links that are being used in a phishing security test. The advanced delivery policy only allows 10 entries in this listing. We suggest hiding any domains in your KnowBe4 console that are not being used by your advanced delivery policy.
Please use the recommended URL syntax format provided here: *.example.com/*
If you see warnings with Safelinks, please review the URL syntax format outlined in Microsoft’s Manage your allows and blocks in the Tenant Allow/Block List - Office 365 article. You can find the root domain of our Phish Links in the Phishing > Domains area of the KMSAT console. See our Phishing Domain Management article for more details.
- If you would like to spoof your domain or use spoofing in the delivery of phishing security tests, you may need to add the Spoofing Intelligence policy from our How to Use Spoof Intelligence Allow/Block List for Microsoft Defender in Office 365 article.
For further assistance with this feature, please contact our support team and they would be happy to help.