Using Advanced Delivery Policies in Microsoft Defender for Office 365
Microsoft’s secure by default feature may affect the way your organization whitelists KnowBe4. Due to this change, you can whitelist KnowBe4 using Microsoft’s advanced delivery policies feature instead.
Before the secure by default feature was released, the security overrides in your Microsoft 365 Admin Center may have helped you whitelist KnowBe4. However, since the secure by default feature was released, some of these overrides were disabled for security reasons. For a list of security overrides that were disabled, see Microsoft's Secure by default in Office 365 article.
In this article, you will learn how to whitelist KnowBe4 with the advanced delivery policy feature. If you prefer video tutorials, you can also watch our Whitelisting by Advanced Delivery Policies in Microsoft 365 video. For more information about Microsoft's secure by default feature, see Microsoft’s Secure by default in Office 365 article.
Jump to:
What Are Advanced Delivery Policies?
Whitelisting KnowBe4 Using Advanced Delivery Policies
What Are Advanced Delivery Policies?
In Microsoft Defender for Office 365 (formerly Microsoft Defender for Microsoft 365), an advanced delivery policy is a policy that allows you to override several security configurations.
Note: Advanced delivery policies in Microsoft Defender for Office 365 no longer prevent the scanning of macro-enabled attachments.
These security configurations are listed below:
- Filtering in EOP or Microsoft Defender for Office 365
- ZAP
- Default system alerts
- AIR/Clustering for Microsoft Defender
The ability to override these security configurations affects phishing security tests (PSTs) in the following ways:
- Admin Submissions can determine that phishing security tests are not real threats, and alerts from AIR are not triggered.
- Safe Links are not blocked.
- Safe Attachments are not blocked.
- Malware verdicts still cannot be bypassed.
- Microsoft Report Phish Button causes false positives if an attachment is used.
How to Whitelist KnowBe4 Using Advanced Delivery Policies
In this section, you'll learn how to whitelist KnowBe4 using advanced delivery policies.
Note: If your domain's mail exchanger (MX) record does not point to Microsoft 365 and emails are routed to another domain before your domain, you can't use the secure by default feature. For more information, see Microsoft’s Additional scenarios that require filtering bypass article.
To add advanced delivery policy protection, you'll need to enable the Enhanced Filter for Connectors setting. For more information on how to configure this setting, see Microsoft’s Configure the delivery of third-party phishing simulations to users and unfiltered messages to SecOps mailboxes article. You can still use mail flow rules to bypass Microsoft filtering for emails that have already been evaluated by third-party filtering.
Before you can whitelist KnowBe4 using advanced delivery policies, you'll need to have the appropriate permissions. To create, modify, or remove settings in an advanced delivery policy, you will need to be a member of the Security Administrator role group in the Microsoft Security & Compliance Center and the Organization Management role group in Microsoft Exchange Online.
For read-only access to an advanced delivery policy, you will need to be a member of the Global Reader or Security Reader role groups. For more information about Microsoft permissions, see Microsoft’s Permissions in the Microsoft 365 Defender portal and Permissions in Exchange Online articles.
To configure an advanced delivery policy for KnowBe4, follow the steps below:
- Log in to your KnowBe4 account.
- Click your email address in the top-right corner of the page and select Account Settings.
- From your Account Settings, navigate to Phishing > Phishing Settings.
- Select the Enable DKIM Signature check box.
- Select Use KnowBe4's Signing Domain.
- Click the Save DKIM Settings button.
- In a new window, log in to your Microsoft 365 account.
- From the menu on the left side of the page, select Admin. You'll be taken to the Microsft 365 Admin Center.
- From the Microsoft 365 Admin Center, click Security under Admin centers. Or, you can directly log in to your Microsoft 365 Defender portal.
- Under the Email & Collaboration section, navigate to Policies & Rules > Threat policies > Advanced delivery.
- On the Advanced delivery page, select the Phishing Simulation tab.
- Click the Edit icon.
Note: If you don't have any configured phishing simulations, click the Add icon. - In the Edit third-party phishing simulation modal, adjust the following settings. You should use the settings for your specific region:
- Sending Domains for training.knowbe4.com: psm.knowbe4.com, ispservices.org
Sending Domains for eu.knowbe4.com: psm.knowbe4.com, ispservices.co.uk
Sending Domains for ca.knowbe4.com: psm.knowbe4.com, ispservices.net
Sending Domains for uk.knowbe4.com: psm.knowbe4.com, online-login-portal.com
Sending Domains for de.knowbe4.com: psm.knowbe4.com, mailserver-status.com - Sending IP for training.knowbe4.com, ca.knowbe4.com, uk.knowbe4.com, and de.knowbe4.com: 147.160.167.0/26, 23.21.109.197, 23.21.109.212
Sending IP for eu.knowbe4.com: 147.160.167.0/26, 52.49.201.246, 52.49.235.189, 23.21.109.197, 23.21.109.212 -
Simulation URLs to allow: In a separate window, log in to your KnowBe4 account and navigate to Phishing > Domains. Then, update this setting by entering the phish link domains that you are using for phishing security tests. Please use the recommended URL syntax format provided here: ~example.com/*
Note: If you don't have access to this subtab, contact our support team for a list of phish link domains.For more information about finding the root domain and hiding domains, see our How to Manage Phish Link Domains article.
Note: We suggest that you hide any domains in your KnowBe4 account that you are not using in your advanced delivery policy.If you see warnings with Safelinks, please review the URL syntax format outlined in Microsoft’s Allow or block URLs using the Tenant Allow/Block List article.
The screenshot below uses the information provided above for training.knowbe4.com. Make sure to use the correct sending domains or IP addresses for your region.
- Sending Domains for training.knowbe4.com: psm.knowbe4.com, ispservices.org
- To spoof your domain or to use spoofing in the delivery of phishing security tests, you will need to add the spoof intelligence policy from our How to Use Spoof Intelligence Allow/Block List for Microsoft Defender for Office 365 article.
Note: If you see warnings with Safe Links, please review the URL syntax format outlined in Microsoft’s Manage your allows and blocks in the Tenant Allow/Block List article.
If you need further assistance with this feature, contact our support team.
Comments
0 comments
Article is closed for comments.