Troubleshoot email allowlisting for Microsoft Defender
This information provides solutions to issues with email allowlisting for Microsoft Defender.
False-positive phishing simulation clicks or alerts
Possible cause: If you use Microsoft 365 Defender for your Office 365 mail environment and see false clicks, the link processing rules in Defender for Office 365 are causing the issue.
If you are not sure if you use Microsoft 365 Defender, see Microsoft Feature Matrix for more information.
Resolution: Set up additional mail flow rules that allow you to bypass Safe Links:
- In the Microsoft 365 Defender menu, click Policies & Rules > Threat policies.
- In the Policies section, find the Safe Links subsection.
If you see text that indicates Safe Links is a premium-only feature or otherwise not available, you have the Microsoft 365 Defender Office 365 Plan 1.
Based on your Microsoft 365 Defender Office 365 plan, allowlist the MA IP addresses using one or both of these actions:
Note: If you use both plans, configure your allowlist for both plans.
Allowlist the MA IP addresses for Microsoft Defender Office 365 Plan 1
- Open Microsoft Exchange or Office Admin Center.
- Click Mail Flow > Rules.
- Click + Add a rule > Create a new rule.
- In the Set rule conditions pane, configure these settings:
- Name — Enter a name for this rule. For example, Bypass Arctic Wolf MA URL.
- Apply this rule if — Select The Sender, and then select IP address is in any of these ranges or exactly matches in the list that appears. When the specify IP address ranges pane opens, enter the MA IP addresses, and then click Add.
Note:
If you are not able to add an IP address, complete these steps:
- In the Apply this rule if list, select A message header.
- In the new list that appears, select includes any of these words.
- In the message header field, enter the MA header value. This value can be found in the same area of the MDR Dashboard where the MA IP addresses are located.
- Do the following — Complete these steps:
- Select Modify the message properties.
- Select set a message header in the list that appears.
- Click the first Enter text link.
- In the message header pane, enter X-MS-Exchange-Organization-SkipSafeLinksProcessing.
- Click Save.
- Click the second Enter text link.
- In the message header pane, enter 1.
- Click Save.
- Except if — Keep this field empty.
- Click Next.
- Keep the default rule settings.
- Click Next.
- Click Finish.
- Make sure your settings work correctly. Send a test MA phishing simulation email to yourself or admins:
- In the MA Portal menu, click Administration Dashboard.
- Click the User Information tab.
- In the Search field, enter the name of an MA administrator, and then press Enter.
- Find the user in the list, and then click Assign Session.
- On the Assign Session page, in the Search field, enter Phishing simulation.
- In the list of search results, select a phishing simulation to use for testing, and then click Assign.
Tip:
For this test, Arctic Wolf recommends assigning the Customer Complaint or Commonwealth Games Viewing Parties phishing simulation.
- Make sure the test MA phishing simulation email is in your inbox. If the email is:
- In your inbox — Your settings are correct. Continue with the next procedure.
Tip:
In the Phishing Simulation section, if the Secure Culture Dashboard percentage is 0%, you can also use this to verify that there are no false positives.
- Not in your inbox — Create a ticket in the Arctic Wolf Unified Portal for assistance.
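The Plan 1 mail flow rule above can also be created from Exchange Online PowerShell. This is an added example, not Arctic Wolf's or Microsoft's own script; the IP ranges and the fallback header name and value are placeholders that you replace with the values shown in the MDR Dashboard.

```powershell
# Added example: scripted equivalent of the Plan 1 mail flow rule.
# Requires the ExchangeOnlineManagement module and an Exchange admin role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$ruleName = 'Bypass Arctic Wolf MA URL'

# PLACEHOLDERS: replace with the MA IP addresses from the MDR Dashboard.
$maIpRanges = @('192.0.2.10', '198.51.100.0/24')

# PLACEHOLDERS: only used when the IP addresses cannot be added.
$useHeaderFallback = $false
$maHeaderName      = 'X-EXAMPLE-MA-HEADER'
$maHeaderValue     = 'example-value'

# Condition: sender IP range, or (fallback) a message header that
# includes the MA header value.
if ($useHeaderFallback) {
    $condition = @{
        HeaderContainsMessageHeader = $maHeaderName
        HeaderContainsWords         = $maHeaderValue
    }
} else {
    $condition = @{ SenderIpRanges = $maIpRanges }
}

# Action: stamp the header that tells Safe Links to skip processing.
$action = @{
    SetHeaderName  = 'X-MS-Exchange-Organization-SkipSafeLinksProcessing'
    SetHeaderValue = '1'
}

# Update the rule if it already exists, otherwise create it.
if (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue) {
    Set-TransportRule -Identity $ruleName @condition @action
} else {
    New-TransportRule -Name $ruleName @condition @action
}

# Review the stored rule before sending the test simulation.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, SenderIpRanges, HeaderContainsMessageHeader,
                HeaderContainsWords, SetHeaderName, SetHeaderValue
```

Keeping the condition limited to the MA IP ranges (or the MA header) means only simulation mail skips Safe Links; all other mail is still processed.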
Allowlist the MA IP addresses for Microsoft Defender Office 365 Plan 2
- Sign in to the Microsoft 365 Defender portal or to the Microsoft 365 Admin Center.
- Click Security Admin Center.
- Click Email & Collaboration > Policies & Rules > Threat Policies > Safe Links.
- Click + Create.
Note:
If you have an existing custom Safe Links policy, you can edit that instead. Select the policy, and then click Edit in each section to modify the settings as appropriate.
- In the Name field, enter a name for the policy. Arctic Wolf recommends an easily identifiable name. For example, AW MSA Safe Links Policy.
- Click Next.
- On the Users and domains page, enter the users, groups, and domains that you want the policy to apply to.
- Click Next.
- On the URL & click protection settings page, for On: Safe Links checks a list of known, malicious links when users click links in email. URLs are rewritten by default, select On.
- For the Do not rewrite the following URLs in email setting, click Manage <number> URLs, where <number> is the number of URLs that are not rewritten.
- In the Manage URLs to not rewrite menu, click + Add URLs.
- Click Simulation URLs to allow.
- In the Simulation URLs to allow field, complete these steps:
- Enter *.arcticwolf.com/* and *.arcticwolfawareness.com/*, and then press Enter.
- Based on the language that you want the phishing simulations to be sent in, enter one or more of these domain lists, and press Enter after each entry:
Note:
- The Simulation URLs to allow field must include the same domains entered in the Domains field to make sure that the simulations send.
- You might see MA subdomains in your environment. To allowlist these subdomains, contact your Concierge Security® Team (CST).
- English:
- automated-mailsender.com/*
- corporate-alert.com/*
- helpdesk-itsupport.com/*
- humanresources-mailer.com/*
- internal-humanresources.com/*
- internalcorporate-mailer.com/*
- mail-donotreply.com/*
- securityalert-corporate.com/*
- German:
- admin-hinweis.de/*
- itsupport-mitarbeiter.de/*
- mitarbeiter-helpdesk.de/*
- unternehmenssicherheit-alarm.de/*
- Click Save.
- In the Click protection settings section:
- Make sure the Track user clicks checkbox is selected.
- Select the Let users click through to the original URL checkbox.
- Click Save.
- Keep the remaining default settings, and then click Next.
- Make sure your settings work correctly. Send a test MA phishing simulation email to yourself or admins:
- In the MA Portal menu, click Administration Dashboard.
- Click the User Information tab.
- In the Search field, enter the name of an MA administrator, and then press Enter.
- Find the user in the list, and then click Assign Session.
- On the Assign Session page, in the Search field, enter Phishing simulation.
- In the list of search results, select a phishing simulation to use for testing, and then click Assign.
Tip:
For this test, Arctic Wolf recommends assigning the Customer Complaint or Commonwealth Games Viewing Parties phishing simulation.
- Make sure the test MA phishing simulation email is in your inbox. If the email is:
- In your inbox — Your settings are correct. Continue with the next procedure.
Tip:
In the Phishing Simulation section, if the Secure Culture Dashboard percentage is 0%, you can also use this to verify that there are no false positives.
- Not in your inbox — Create a ticket in the Arctic Wolf Unified Portal for assistance.
See Microsoft's documentation Safe Links in Microsoft Defender for Office 365 for more information on setting up Safe Links policies.
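The Plan 2 Safe Links policy above, expressed with the Exchange Online PowerShell Safe Links cmdlets. This is an added example, not Arctic Wolf's or Microsoft's own script; the recipient domain is a placeholder, and the URL entries are the ones listed in the procedure (keep only the language lists you use).

```powershell
# Added example: scripted equivalent of the Plan 2 Safe Links policy.
# Requires the ExchangeOnlineManagement module and a security admin role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$policyName = 'AW MSA Safe Links Policy'

# PLACEHOLDER: the domains the policy applies to (Users and domains page).
$recipientDomains = @('example.com')

# "Do not rewrite the following URLs in email" entries from the procedure.
$doNotRewrite = @(
    '*.arcticwolf.com/*'
    '*.arcticwolfawareness.com/*'
    # English simulations
    'automated-mailsender.com/*'
    'corporate-alert.com/*'
    'helpdesk-itsupport.com/*'
    'humanresources-mailer.com/*'
    'internal-humanresources.com/*'
    'internalcorporate-mailer.com/*'
    'mail-donotreply.com/*'
    'securityalert-corporate.com/*'
    # German simulations
    'admin-hinweis.de/*'
    'itsupport-mitarbeiter.de/*'
    'mitarbeiter-helpdesk.de/*'
    'unternehmenssicherheit-alarm.de/*'
)

# Policy: Safe Links on for email, clicks tracked, click-through allowed.
New-SafeLinksPolicy -Name $policyName `
    -EnableSafeLinksForEmail $true `
    -DoNotRewriteUrls $doNotRewrite `
    -TrackClicks $true `
    -AllowClickThrough $true

# Rule: binds the policy to its recipients.
New-SafeLinksRule -Name $policyName -SafeLinksPolicy $policyName `
    -RecipientDomainIs $recipientDomains

# Review the stored policy before sending the test simulation.
Get-SafeLinksPolicy -Identity $policyName |
    Format-List Name, EnableSafeLinksForEmail, TrackClicks,
                AllowClickThrough, DoNotRewriteUrls
```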