Using Tenant Allow/Block List for Office 365
The improved spoof intelligence policy, now included in the Tenant Allow/Block List, looks at an email’s From address to determine if spoof intelligence should be applied. This new feature improves whitelisting of phishing security tests and prevents certain errors, such as the “We could not verify the identity of the sender” error, from occurring. The information in this article was gathered from Microsoft’s Use the Security & Compliance Center to create allow or block spoofed sender entries in the Tenant Allow/Block List article.
There are three main methods of whitelisting a sender within the spoof intelligence policy: full infrastructure wild-carding, domain-specific whitelisting, and a sender-specific allow. The admin or organization decides how narrowly to scope whitelisting for spoofed templates.
We recommend that you use the full infrastructure wild-carding method as this is the easiest method to whitelist all emails from KnowBe4.
For more details on the syntax for the Tenant Allow/Block List for spoof intelligence, see Microsoft’s Domain pair syntax for spoofed sender entries in the Tenant Allow/Block List article. For examples of how to use our spoofed senders and infrastructure, see the sections below.
Accessing the Spoofing Tab
In order to use the spoof intelligence feature, you will need to access the Spoofing tab in Microsoft Defender. Follow the steps below to access the Spoofing tab.
- Log in to your Microsoft 365 account and select Admin from the menu on the left.
- From the Microsoft 365 Admin Center, click Security under Admin centers. Alternatively, log in to your Microsoft 365 Defender portal.
- In the Microsoft 365 Defender menu, click Policies & rules under Email & collaboration.
- Select Threat policies.
- Click on Tenant Allow/Block Lists.
- Click on the Spoofing tab.
- Click Add.
Spoofing Any Domain (Recommended)
You can allow any domain spoofing from our mail server through either a PTR record or IP address. Enabling domain spoofing allows any email sent from our mail server to bypass the spoof intelligence policies that would otherwise be imposed on inbound mail flow.
You can use the examples provided below and in the following sections to whitelist different types of emails for your organization, including emails from KnowBe4.
Note: Make sure to set up both an internal and an external spoof. Creating both spoofs will prevent errors from occurring.
If you choose to spoof by IP address, you will need to adjust the range of 147.160.167.0/26 because of range constraints imposed by Microsoft. For this reason, we encourage spoofing by PTR record.
By PTR Record for training.knowbe4.com:
- *, psm.knowbe4.com
- *, ispservices.org
By PTR Record for eu.knowbe4.com:
- *, psm.knowbe4.com
- *, ispservices.co.uk
By PTR Record for ca.knowbe4.com:
- *, psm.knowbe4.com
- *, ispservices.net
By IP for US and CA Instance:
- *, 23.21.109.212
- *, 23.21.109.197
- *, 147.160.167.0/26
By IP for EU Instance:
- *, 147.160.167.0/26
- *, 52.49.201.246
- *, 52.49.235.189
- *, 23.21.109.197
- *, 23.21.109.212
Spoofing a Customer or Specific Domain
By PTR Record for training.knowbe4.com: example.com, psm.knowbe4.com, ispservices.org
By PTR Record for eu.knowbe4.com: example.com, psm.knowbe4.com, ispservices.co.uk
By PTR Record for ca.knowbe4.com: example.com, psm.knowbe4.com, ispservices.net
By IP for US and CA Instance:
- example.com, 23.21.109.212
- example.com, 23.21.109.197
- example.com, 147.160.167.0/26
By IP for EU Instance:
- example.com, 147.160.167.0/26
- example.com, 52.49.201.246
- example.com, 52.49.235.189
- example.com, 23.21.109.197
- example.com, 23.21.109.212
Spoofing a Specific Sender Address
By PTR Record for training.knowbe4.com: fakeuser@example.com, psm.knowbe4.com, ispservices.org
By PTR Record for eu.knowbe4.com: fakeuser@example.com, psm.knowbe4.com, ispservices.co.uk
By PTR Record for ca.knowbe4.com: fakeuser@example.com, psm.knowbe4.com, ispservices.net
By IP for US and CA Instance:
- it@example.com, 23.21.109.212
- it@example.com, 23.21.109.197
- it@example.com, 147.160.167.0/26
By IP for EU Instance:
- it@example.com, 147.160.167.0/26
- it@example.com, 52.49.201.246
- it@example.com, 52.49.235.189
- it@example.com, 23.21.109.197
- it@example.com, 23.21.109.212
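An added example, not KnowBe4's or Microsoft's code: a small Python checker for entries written as a "spoofed user, sending infrastructure" pair, as in the lists above. It labels each entry with one of the three whitelisting methods and, assuming Microsoft accepts IP ranges only as /24 (an assumption; this page says only that the /26 range must be adjusted), shows what the range becomes and how many additional source addresses that allows. The function names are hypothetical.

```python
import ipaddress

# Assumption (from Microsoft's domain pair syntax, not stated on this page):
# an IP range in a spoofed sender entry must be a /24.
REQUIRED_PREFIX = 24

def classify_entry(entry):
    """Parse one 'spoofed user, sending infrastructure' pair and describe its scope."""
    parts = [p.strip() for p in entry.split(",")]
    if len(parts) != 2 or not all(parts):
        raise ValueError(f"expected 'spoofed user, sending infrastructure': {entry!r}")
    user, infra = parts
    # The three whitelisting methods, widest to narrowest.
    if user == "*":
        scope = "any-domain"
    elif "@" in user:
        scope = "sender-address"
    else:
        scope = "domain"
    result = {"scope": scope, "infra_type": "ptr-domain",
              "submit_as": infra, "extra_addresses": 0}
    try:
        net = ipaddress.IPv4Network(infra, strict=False)  # IPv4 only, as on this page
    except ValueError:
        return result  # not an IPv4 address or range: treat as a PTR domain
    result["infra_type"] = "cidr" if "/" in infra else "ip"
    if "/" in infra and net.prefixlen > REQUIRED_PREFIX:
        # A narrower range must be widened, which allows more source addresses.
        wide = net.supernet(new_prefix=REQUIRED_PREFIX)
        result["submit_as"] = str(wide)
        result["extra_addresses"] = wide.num_addresses - net.num_addresses
    return result

def audit(entries):
    """Return (entry, note) pairs for entries whose range had to be widened."""
    notes = []
    for entry in entries:
        c = classify_entry(entry)
        if c["extra_addresses"]:
            notes.append((entry, f"submit as {c['submit_as']}; "
                                 f"{c['extra_addresses']} more addresses allowed"))
    return notes

# Entries copied from the lists above, one per whitelisting method.
SAMPLE = ["*, psm.knowbe4.com", "example.com, 147.160.167.0/26",
          "it@example.com, 23.21.109.212"]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(entry, "->", classify_entry(entry))
    for entry, note in audit(SAMPLE):
        print("REVIEW:", entry, "|", note)
```

Under that assumption, the widened range admits addresses outside the vendor's published /26, which is the practical reason to prefer the PTR record entries.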
Frequently Asked Questions (FAQ)
What is a PTR record?
A PTR (or pointer) record is the domain that is found in a reverse DNS lookup of the source email server's IP address.
Does spoof intelligence affect Direct Message Injection (DMI)?
This policy should not apply to DMI-delivered campaigns. The DMI application is allowed to impersonate users within the tenant per the roles assigned. However, if a DMI message still shows an “Unverified Sender” warning after being sent, this method may be a viable way to whitelist those senders so that the warning message does not appear.
What is spoof intelligence in Microsoft Defender?
For more information on spoof intelligence in Microsoft Defender, see Microsoft’s Spoof intelligence insight - Office 365 article.
For further assistance with this feature, please contact our support team.