Using Advanced Delivery Policies in Microsoft Defender for Office 365
Microsoft’s secure by default feature may affect the way your organization whitelists KnowBe4. Due to this change, you can whitelist KnowBe4 using Microsoft’s advanced delivery policies feature instead.
Before the secure by default feature was released, the security overrides in your Microsoft 365 Admin Center may have helped you whitelist KnowBe4. However, since the secure by default feature was released, some of these overrides were disabled for security reasons. For a list of security overrides that were disabled, see Microsoft's Secure by default in Office 365 article.
In this article, you will learn how to whitelist KnowBe4 with the advanced delivery policy feature. If you prefer video tutorials, you can also watch our Whitelisting by Advanced Delivery Policies in Microsoft 365 video. For more information about Microsoft's secure by default feature, see Microsoft’s Secure by default in Office 365 article.
What Are Advanced Delivery Policies?
In Microsoft Defender for Office 365 (formerly Microsoft Defender for Microsoft 365), an advanced delivery policy is a policy that allows you to override several security configurations.
These security configurations are listed below:
- Filtering in EOP or Microsoft Defender for Office 365
- Default system alerts
- AIR/Clustering for Microsoft Defender
The ability to override these security configurations affects PSTs in the following ways:
- Admin Submissions can determine that PSTs are not real threats, and alerts from AIR are not triggered.
- Safe Links are not blocked.
- Safe Attachments are not blocked.
- Malware verdicts still cannot be bypassed.
- Microsoft Report Phish Button causes false positives if an attachment is used.
How to Whitelist KnowBe4 Using Advanced Delivery Policies
In this section, you'll learn how to whitelist KnowBe4 using advanced delivery policies.
To add advanced delivery policy protection, you'll need to enable the Enhanced Filter for Connectors setting. For more information on how to configure this setting, see Microsoft’s Configure the delivery of third-party phishing simulations to users and unfiltered messages to SecOps mailboxes article. You can still use mail flow rules to bypass Microsoft filtering for emails that have already been evaluated by third-party filtering.
Before you can whitelist KnowBe4 using advanced delivery policies, you'll need to have the appropriate permissions. To create, modify, or remove settings in an advanced delivery policy, you will need to be a member of the Security Administrator role group in the Microsoft Security & Compliance Center and the Organization Management role group in Microsoft Exchange Online.
For read-only access to an advanced delivery policy, you will need to be a member of the Global Reader or Security Reader role groups. For more information about Microsoft permissions, see Microsoft’s Permissions in the Microsoft 365 Defender portal and Permissions in Exchange Online articles.
To configure an advanced delivery policy for KnowBe4, follow the steps below:
- Log in to your KnowBe4 account.
- Click your email address in the top-right corner of the page and select Account Settings.
- From your Account Settings, navigate to Phishing > Phishing Settings.
- Select the Enable DKIM Signature check box.
- Select Use KnowBe4's Signing Domain.
- Click the Save DKIM Settings button.
- In a new window, log in to your Microsoft 365 account.
- From the menu on the left side of the page, select Admin. You'll be taken to the Microsoft 365 Admin Center.
- From the Microsoft 365 Admin Center, click Security under Admin centers. Or, you can directly log in to your Microsoft 365 Defender portal.
- Under the Email & Collaboration section, navigate to Policies & Rules > Threat policies > Advanced delivery.
- On the Advanced delivery page, select the Phishing Simulation tab.
- Click the Edit icon.
Note: If you don't have any configured phishing simulations, click the Add icon.
- In the Edit third-party phishing simulation modal, adjust the following settings. You should use the settings for your specific region:
Sending Domains for training.knowbe4.com: psm.knowbe4.com, ispservices.org
Sending Domains for eu.knowbe4.com: psm.knowbe4.com, ispservices.co.uk
Sending Domains for ca.knowbe4.com: psm.knowbe4.com, ispservices.net
Sending Domains for uk.knowbe4.com: psm.knowbe4.com, online-login-portal.com
Sending Domains for de.knowbe4.com: psm.knowbe4.com, mailserver-status.com
Sending IP for training.knowbe4.com, ca.knowbe4.com, uk.knowbe4.com, and de.knowbe4.com: 126.96.36.199/26, 188.8.131.52, 184.108.40.206
Sending IP for eu.knowbe4.com: 220.127.116.11/26, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52
Simulation URLs to allow: In a separate window, log in to your KMSAT console and navigate to Phishing > Domains. Enter up to 30 phish link root domains that you currently use or plan to use for PSTs using the recommended URL format syntax: *.example.com/*
Note: If you don't have access to the Domains subtab, contact our support team for a list of phish link domains.Note: We suggest that you hide any domains in your KMSAT console that you are not using in your advanced delivery policy. For more information about phish link domains, see our How to Manage Phish Link Domains article.
- Sending Domains for training.knowbe4.com: psm.knowbe4.com, ispservices.org
- To spoof your domain or to use spoofing in the delivery of PSTs, you will need to add the spoof intelligence policy from our How to Use Spoof Intelligence Allow/Block List for Microsoft 365 article.
If you need further assistance with this feature, contact our support team.