WHITELISTING FAQ
How to allow the delivery of Simulated Phishing Emails
For the free phishing simulation to run properly, the admin must allow a certain IP address and DKIM signatures in their email environment. Otherwise, the user’s security systems or filters may intercept or interact with the simulated phishing emails.
If you later decide to use the full Security Awareness Service, the whitelisting process in Microsoft 365 will be performed automatically and our support team will provide you with full assistance.
To ensure the full use of the free phishing simulation, we have compiled the most important points on whitelisting below.
What IP address must be allowed?
Admins must allow the following IP address: 94.100.132.101
What DKIM Signatures must be allowed?
Admins must allow emails with DKIM signatures of sas.cloud-security.net in their email environment.
What do I have to consider if I use third-party email security?
Users of a third-party email filter must add the IP address 94.100.132.101 to the allow list of their email filter.
Users of Hornetsecurity email security services do not need to perform this action, as the IP is not blocked by default.
What do I need to consider when using Microsoft 365?
Admins must adjust several settings in Microsoft 365 so that simulated phishing emails can be delivered unmodified. The aim is to bypass different security mechanisms of Microsoft 365 Defender.
Microsoft 365 Defender first applies the anti-phishing mechanism to check whether incoming emails are phishing emails and quarantines them in that case. To prevent emails from the phishing simulation to be classified as actual phishing emails, customers with Microsoft 365 Defender must set up the advanced delivery for Microsoft 365 Defender.
After that, Microsoft 365 Defender applies the “Safe Links” mechanism to click on links in the emails, analyze them and rewrite them to prevent attacks from this source.
Finally, the “Safe Attachments” mechanism analyzes the attachments of incoming emails and quarantines emails that have been classified as unsafe. To prevent the “Safe Links” and “Safe Attachments” mechanisms from intervening in emails from the phishing simulation, customers must create two transport rules in the Exchange Admin Center.
In addition to the mentioned security mechanisms, Microsoft 365 Defender Plan 2 offers the possibility to define custom policies for handling threats. These policies are applied before the “Safe Links” mechanism and may themselves contain rules for handling links. As custom policies cannot be bypassed by the transport rules described above, customers must create an additional safe link policy or edit an existing policy so that links in emails from the phishing simulation will not be processed. If a user has other safe link policies, they must set the priority of the new policy to 0 so that this policy is applied first.
Please note: If you decide to use the full Security Awareness Service, this whitelisting process in M365 will be performed automatically.