How to whitelist simulated phishing in office 365

Created by Abderrahim Ibnou el kadi, Modified on Wed, 15 Nov, 2023 at 9:44 AM by Abderrahim Ibnou el kadi

 Synopsis:


Sending phishing campaigns from Proofpoint SA platform end up in office 365 quarantine under the cause “High Confidence Phish” and users never receive them.

 

Cause:

Since we can’t disable any of Office 365 scanning features, especially when some customers ONLY use the SA portion of Proofpoint, then all incoming messages will go through thorough verification before they are handed to the user’s mailbox. The fact that these messages are also phishing simulations doesn’t help, therefore they are block.


Solution:


The fix for this issue is definitely on office 365 side and we need to whitelist simulated phishing by doing the following:

  1. Login to https://security.microsoft.com  with your administrator account
  2. On the left menu click on «Policies & rules»
  3. Then click on “Threat policies



4. Scroll and click on “Advanced Delivery


 

5. Once in the Advanced delivery then click on Phishing simulation

 

 

 

6. Then click on the Add button

7. When you click on the Add button a window will slide from the right of your screen, then you need to add your allowed domains <Allowed domains list US or EU> for your phishing campaigns and the IP address it is using to send from



8. Once you Add these domains and Ips and close the window, each of these Ips and domains will be displayed as a separate rule in the phishing simulation window.


 

9. Now you can resend your phishing campaigns and noticed that they are no longer getting blocked.