Managed Security Awareness (MA)

You can use Google Workspace® to allowlist the Arctic Wolf Managed Security Awareness® (MA) program IP addresses and headers, and any applicable third-party IP addresses that are used during spam filtering. For example, a static IP address or a range of IP addresses that are assigned to you by your third-party provider.

Add the MA IP addresses to Google Workspace allowlists

Access to the Google Admin console with administrator permissions
Complete Add MA to email gateway and spam filtering.
Obtain the MA IP addresses to allowlist.
To see the IP addresses that you must allowlist, sign in to the Arctic Wolf Unified Portal, click Resources > Allowlist Requirements, and then view the IP addresses in the section for your product.
If applicable, obtain the static IP addresses or range of IP addresses from your third-party provider.

Complete Configure browsers to autoplay MA sessions

Allowlist the MA IP addresses in Google Workspace

Sign in to the Google Admin console.
In the menu, click Apps > Google Workspace > Gmail.
Click Spam, phishing and malware.
In the navigation menu, select the domain for your organization.
On the Spam, phishing and malware tab, do one of these actions:
- Scroll to the Email allowlist setting.
- In the search field, enter Email allowlist.
In the Email Allow List field, enter the MA IP addresses.
Click Save.

Note:
It can take up to 24 hours for your changes to take effect.

Add a custom spam filter for MA Phishing Simulation emails

In the Google Admin console menu, click Apps > Google Workspace > Gmail.
Click Spam, Phishing and Malware.
In the Spam section, click Add a rule.

The Add setting window opens.
In the Required: enter a short description that will appear within the setting's summary field, enter a description for the rule.
In the Options to bypass filters and warning banners section, complete these steps:
1. Select the Bypass spam filters for internal senders checkbox.
2. Select the Bypass spam filters and hide warnings from senders or domains in the selected lists checkbox.
3. Click Create or edit list to add one or more allowed MA Phishing Simulation domains.
  
  The Manage address lists window opens.
Click Add address list.
In the Name field, enter Arctic Wolf MA Phishing Domains.
Click Bulk add addresses.

The Bulk add addresses window opens.
Based on your preferred language, copy one of these phishing domain lists:
Note:
You might see MA subdomains in your environment. To allowlist these subdomains, contact your Arctic Wolf CST.
- English
  SHELL
  arcticwolf.com, arcticwolfawareness.com, automated-mailsender.com, corporate-alert.com, helpdesk-itsupport.com, humanresources-mailer.com, internal-humanresources.com, internalcorporate-mailer.com, itsupport-corporate.com, mail-donotreply.com, securityalert-corporate.com
  arcticwolf.com, arcticwolfawareness.com, automated-mailsender.com, corporate-alert.com, helpdesk-itsupport.com, humanresources-mailer.com, internal-humanresources.com, internalcorporate-mailer.com, itsupport-corporate.com, mail-donotreply.com, securityalert-corporate.com
- Deutsch
  SHELL
  arcticwolf.com, arcticwolfawareness.com, admin-hinweis.de, itsupport-mitarbeiter.de, mitarbeiter-helpdesk.de, unternehmenssicherheit-alarm.de
  arcticwolf.com, arcticwolfawareness.com, admin-hinweis.de, itsupport-mitarbeiter.de, mitarbeiter-helpdesk.de, unternehmenssicherheit-alarm.de
In the Enter comma or space delimited email addresses or domain names field, paste the phishing domain list.
Click Add, and then click Save.

Note:
It can take up to 24 hours for your changes to take effect.
Optional: Contact security@arcticwolf.com or submit a ticket in the Arctic Wolf Unified Portal to verify that the configuration is correct.

Add MA IP addresses as inbound gateways

Navigate to Apps > Google Workspace > Gmail > Spam, Phishing and Malware > Inbound Gateway Regex Bypass.
Click Inbound Gateway.
Select Enable.
In the Gateway IPs section, click Add, then add the MA IP addresses.

Note: To see the IP addresses that you must allowlist, sign in to the Arctic Wolf Unified Portal, click Resources > Allowlist Requirements, and then view the IP addresses in the section for your product.
Select Require TLS for connections from the email gateways listed above.
Leave the other checkboxes deselected.

Note: If the inbound gateway is already used for other purposes, the MA IP addresses can be added to your existing policy.
Click Save.
Optional: If you do not have a third-party email gateway and want to configure message tagging:
1. Select Message is considered spam if the following header regexp matches.
2. In the Regexp field, enter a random regular expression string that is unlikely to match the header content. For example, hkhe43432sdjs==3q4qksfksan3abwer.
3. Select Message is spam if regexp matches.
4. Select Disable Gmail spam evaluation on mail from this gateway; only use header value.

Configure content compliance bypass in Google Workspace

In the menu, click Apps > Google Workspace > Gmail.
Click Compliance.
In the Content compliance section, click one of these options:
- Configure — If you have not configured any content compliance settings.
- Add another rule — If you have already configured content compliance settings.
The Add setting window opens.
Enter a short description for the rule, such as Arctic Wolf Managed Security Awareness Header Rule.
Select the Inbound checkbox.
Select If ANY of the following match the message from the expressions list.
If you use a third-party email gateway, create a filter using the header:

Note: For more information about gateways, see Add MA to email gateway and spam filtering.
1. In the Expressions section, click Add.
2. In the list, select Advanced content match.
3. In the Location list, select Full headers.
4. In the Match type list, select Contains text.
5. For Content, enter the Arctic Wolf header X-ArcticWolf.
6. Click Save.
If you do not use third-party email gateways, create a filter using the source IP addresses:
1. In the Expressions section, click Add.
2. In the list, select Metadata match.
3. In the Attribute list, select Source IP.
4. In the Match type list, select Source IP is within the following range.
5. In the Source IP is within the following range field, enter one of the MA IP addresses.
  
  Note: To see the IP addresses that you must allowlist, sign in to the Arctic Wolf Unified Portal, click Resources > Allowlist Requirements, and then view the IP addresses in the section for your product.
6. Click Save.
7. Repeat these steps and add the remaining IP addresses.
In the If the above expressions match section:
1. In Spam, select Bypass spam filter for this message.
2. In Encryption (onward delivery only), select Require secure transport (TLS).
Click Save.

Note:
It can take up to 24 hours for your changes to take effect.
Optional: Contact security@arcticwolf.com or submit a ticket in the Arctic Wolf Unified Portal to verify that the configuration is correct.