Add the MA IP addresses to Microsoft 365 allowlists

You can use Microsoft 365® to allowlist the Arctic Wolf Managed Security Awareness® (MA) program IP addresses and headers, and any applicable third-party IP addresses that are used during spam filtering. For example, a static IP address or a range of IP addresses that are assigned to you by your third-party provider.

Note:

If you use on-premise Microsoft Exchange, or encounter issues with Microsoft 365 allowlist configuration, configure Microsoft Exchange to integrate with Managed Security Awareness® (MA). See Add the MA IP addresses to Microsoft Exchange allowlists for more information.

  • Access to the Microsoft 365 portal with administrator permissions to create and modify policies and rules.

    For more information, see What do you need to know before you begin? .

  • Complete Add MA to email gateway and spam filtering.
  • Obtain the Managed Security Awareness® (MA) IP addresses to allowlist.

    To see the IP addresses that you must allowlist, sign in to the Arctic Wolf Unified Portal, click Resources > Allowlist Requirements, and then view the IP addresses in the section for your product.

  • If applicable, obtain the static IP address or range of IP addresses from your third-party email gateway provider. For example, Mimecast or Proofpoint.
Complete Configure browsers to autoplay MA sessions

Allowlist the MA IP addresses in Microsoft 365

In Microsoft 365, you can use mail flow rules to allow emails from trusted senders using a message header or a trusted IP address.

  1. Sign in to the Microsoft 365 Defender portal.
  2. In the Email & Collaboration section, click Policies & rules > Threat policies.
  3. In the Policies section, click Anti-spam.
  4. In the Name column, click Connection filter policy.
  5. Click Edit connection filter policy.
  6. In the Always allow messages from the following IP addresses or address range field, enter the Managed Security Awareness® (MA) IP addresses.
  7. Select the Turn on safe list checkbox.
  8. Click Save.
  9. Optional: Contact security@arcticwolf.com or submit a ticket in the Arctic Wolf Portal to verify that the configuration is correct.

See Create safe sender lists in EOP for more information.

Bypass clutter and spam filtering in Microsoft 365

  1. Sign in to your Exchange admin center.
  2. Click Mail flow > Rules.
  3. Select Add a rule + > Create a new rule.

    The Rule Creation wizard opens.

  4. In the Name field, enter a name. For example, Bypass clutter and spam filtering by IP address.
  5. In the Apply this rule if menu, select The sender and IP address is any of these ranges or exactly matches.

    The specify IP address ranges window opens.

  6. Enter the Arctic Wolf Managed Security Awareness® (MA) IP addresses, and then click Add.
  7. Click Save.

    You are redirected to the Rule Creation wizard.

  8. In the Do the following menu, select Modify the message properties and set a message header.
  9. Click Enter text to set the message header, and then enter X-ArcticWolf.
    Tip:

    This field is case-sensitive.

  10. Click OK.
  11. Following to the value, click Enter text to set the value, and then enter Arctic Wolf.
  12. Click OK.
  13. In the Do the following menu section, click +.
  14. For the And setting, select Modify the message properties and Set the spam confidence level (SCL).

    The specify SCL window opens.

  15. Select Bypass spam filtering, and then click Save.

    You are returned to the Rule Creation wizard.

  16. Click Next.
  17. In Set rule setting, click Next.
  18. In Review and finish, click Finish.
    Tip: Ensure that the rule is enabled by moving the toggle to the on position.
  19. Optional: Contact security@arcticwolf.com or submit a ticket in the Arctic Wolf Portal to verify that the configuration is correct.

Configure the advanced delivery policy in Microsoft 365

Microsoft 365 filters out high confidence phishing attempts, even if an allowlist or filtering bypass has been configured. To make sure Managed Security Awareness® (MA) phishing simulation emails are not filtered as high confidence phishing attempts, use the advanced delivery policy in Microsoft 365 Defender. See Configure the delivery of third-party phishing simulations to users and unfiltered messages to SecOps mailboxes for more information.

  1. Sign in to the Microsoft 365 Defender portal.
  2. Open the Advanced delivery page.
  3. Click the Phishing simulation tab. If there are:
    • Configured phishing simulations — Click Edit.
    • No configured phishing simulations — Click Add.
  4. In the Add Third Party Phishing Simulations menu, click Domain.
  5. In the Domain field, enter arcticwolfawareness.com and arcticwolf.com, and then press Enter.
  6. In the Domain field, based on the language that you want the phishing simulations to be sent in, enter one of these lists of domains, and press Enter after each entry:
    Note:

    You might see MA subdomains in your environment. To allowlist these subdomains, contact your Concierge Security® Team (CST).

    • English:
      • automated-mailsender.com
      • corporate-alert.com
      • helpdesk-itsupport.com
      • humanresources-mailer.com
      • internal-humanresources.com
      • internalcorporate-mailer.com
      • mail-donotreply.com
      • securityalert-corporate.com
    • Deutsch:
      • admin-hinweis.de
      • itsupport-mitarbeiter.de
      • mitarbeiter-helpdesk.de
      • unternehmenssicherheit-alarm.de
  7. Click Sending IP to expand the field.
  8. Enter the MA IP addresses and any other required third-party IP addresses, and then press Enter.
  9. Click Simulation URLS to allow.
  10. In the Simulation URLs to allow field, complete these steps:
    1. Enter *.arcticwolf.com/* and *.arcticwolfawareness.com/*, and then press Enter.
    2. Based on the language that you want the phishing simulations to be sent in, enter one or more of these domain lists, and press Enter after each entry:
      Note:
      • The Simulation URLs to allow field must include the same domains entered in the Domains field to make sure that the simulations send.
      • You might see MA subdomains in your environment. To allowlist these subdomains, contact your Concierge Security® Team (CST).
      • English:
        • automated-mailsender.com/*
        • corporate-alert.com/*
        • helpdesk-itsupport.com/*
        • humanresources-mailer.com/*
        • internal-humanresources.com/*
        • internalcorporate-mailer.com/*
        • mail-donotreply.com/*
        • securityalert-corporate.com/*
      • Deutsch:
        • admin-hinweis.de/*
        • itsupport-mitarbeiter.de/*
        • mitarbeiter-helpdesk.de/*
        • unternehmenssicherheit-alarm.de/*
  11. If you are editing:
    • An existing phishing simulation — Click Save.
    • A new phishing simulation — Click Add.
  12. Click Close.
  13. Optional: Contact security@arcticwolf.com or submit a ticket in the Arctic Wolf Portal to verify that the configuration is correct.