Microsoft

Spoof Intelligence Allow/Block List for Microsoft 365

The improved spoof intelligence policy, now included in the Tenant Allow/Block List, looks at an email’s From address to determine if spoof intelligence should be applied. This new feature improves whitelisting phishing security tests and prevents certain errors, such as the “We could not verify the identity of the sender” error, from occurring. The information in this article was gathered from Microsoft’s Manage your allows and blocks in the Tenant Allow/Block List article.

There are three main methods of whitelisting a sender within the spoof intelligence policy. These methods include full infrastructure wild-carding, domain-specific whitelisting, or a sender-specific allow. The levels of focus for whitelisting spoofed templates are determined and set by the admin or organization.

We recommend that you use the full infrastructure wild-carding method as this is the easiest method to whitelist all emails from KnowBe4.

For more details on the syntax for the Tenant Allow/Block List for spoof intelligence, see Microsoft’s Domain pair syntax for spoofed sender entries in the Tenant Allow/Block List article.

Accessing the Spoofed Senders Tab

In order to use the spoof intelligence feature, you will need to access the Spoofed senders tab in Microsoft Defender. Follow the steps below to access the Spoofed senders tab.

  1. Log in to your Microsoft 365 account and select Admin from the navigation pane. Alternatively, log in to your Microsoft 365 Defender portal.
  2. From the Microsoft 365 Admin Center, select the All admin centers tab under Admin centers.
  3. On the All admin centers page, click Security.
  4. In the Microsoft 365 Defender navigation pane, click the Policies & rules tab under Email collaboration.
  5. Select Threat policies.
  6. Click Tenant Allow/Block Lists.
  7. Click on the Spoofed senders tab.
  8. Click Add.

Spoofing Any Domain (Recommended)

You can allow any domain spoofing from our mail server through either a PTR record. Enabling domain spoofing allows any email sent from our mail server to bypass the spoof intelligence policies that would otherwise be imposed on inbound mail flow.

You can use the examples provided below and in the following sections to whitelist different types of emails for your organization, including emails from KnowBe4.

Note: Make sure to set up both an internal and an external spoof. Creating both spoofs will prevent errors from occurring.

By PTR Record for training.knowbe4.com:

  • *, psm.knowbe4.com
  • *, ispservices.org

By PTR Record for eu.knowbe4.com:

  • *, psm.knowbe4.com
  • *, ispservices.co.uk

By PTR Record for ca.knowbe4.com:

  • *, psm.knowbe4.com
  • *, ispservices.net

By PTR Record for de.knowbe4.com

  • *, psm.knowbe4.com
  • *, mailserver-status.com

By PTR Record for uk.knowbe4.com:

  • *, psm.knowbe4.com
  • *, online-login-portal.com

Spoofing a Customer or Specific Domain

By PTR Record for training.knowbe4.com: example.com, psm.knowbe4.com, ispservices.orgBy PTR Record for eu.knowbe4.com: example.com, psm.knowbe4.com, ispservices.co.ukBy PTR Record for ca.knowbe4.com, de.knowbe4.com, and uk.knowbe4.com: example.com, psm.knowbe4.com, ispservices.net

Spoofing a Specific Sender Address

By PTR Record for training.knowbe4.com: fakeuser@example.com, psm.knowbe4.com, ispservices.orgBy PTR Record for eu.knowbe4.com: fakeuser@example.com, psm.knowbe4.com, ispservices.co.ukBy PTR Record for ca.knowbe4.com, de.knowbe4.com, and uk.knowbe4.com: fakeuser@example.com, psm.knowbe4.com, ispservices.net

Frequently Asked Questions (FAQ)

What is a PTR record?

A PTR (or pointer) record is the domain that is found in a reverse DNS lookup of the source email server's IP address.

Does spoof intelligence affect Direct Message Injection (DMI)?

DMI-delivered campaigns should not apply this policy. The DMI application is allowed to impersonate users within the tenant per the roles assigned. However, if a DMI message is still showing an “Unverified Sender” warning after being sent, this method may be a viable alternative to whitelist those senders from receiving the warning message.

What is spoof intelligence in Microsoft Defender?

For more information on spoof intelligence in Microsoft Defender, see Microsoft’s Spoof intelligence insight in EOP article.

For further assistance with this feature, contact our support team.

Tip: To ensure that you have whitelisted correctly, see our How to Verify You Have Whitelisted KnowBe4 Correctly article.

Can't find what you're looking for?

Contact Support
circle-arrow-up