Managed Security Awareness Initial Setup - Step 3
Updated Sep 15, 2023Add the MA IP address to Microsoft 365 allowlists
Using Microsoft 365®, allowlist the MA program IP address and headers, and any applicable third-party IP addresses that are used during spam filtering. This could be a static IP address or a range of IP addresses that are assigned to you by your third-party provider.
Before you begin
-
Complete Step 2: Add MA to email gateway and spam filtering allowlists.
-
Get the MA IP address to allowlist. To see the complete list of IP addresses that you must allowlist, go to the Arctic Wolf Unified Portal, and then click Help > Allowlist Requirements. The IP addresses that must be allowlisted are listed under Security Awareness Training.
-
If applicable, obtain the static IP address or range of IP addresses from your third-party email gateway provider. For example, Mimecast or Proofpoint.
-
Make sure you have the required user permissions to create and modify policies and rules in Microsoft 365 Defender.
See What do you need to know before you begin? for more information.
Steps
Note: If you use on-premise Microsoft Exchange, or encounter issues with Microsoft 365 allowlist configuration, configure Microsoft Exchange to integrate with MA. See Add the MA IP address to Microsoft Exchange allowlists for more information.
- Allowlist the MA IP address in Microsoft 365.
- Bypass clutter and spam filtering in Microsoft 365.
- Configure the advanced delivery policy in Microsoft 365.
Step 1: Allowlist the MA IP address in Microsoft 365
In Microsoft 365, you can use mail flow rules to allow emails from trusted senders using a message header or a trusted IP address.
-
Sign in to Microsoft 365 Defender.
-
Under Email & Collaboration, click Policies & rules > Threat policies.
-
In the Policies section, click Anti-spam.
-
In the Name column, click Connection filter policy.
-
Click Edit connection filter policy.
-
Under Always allow messages from the following IP addresses or address range field, enter the MA IP address.
-
Select the Turn on safe list checkbox.
-
Click Save.
-
Make sure your settings work correctly. Send a test MA phishing simulation email to yourself or admins:
- In the MA Portal menu, click Administration Dashboard.
- Click the User Information tab.
- Click Send Test Email.
Note: To preview the test email, see Email templates. If your test email is not received, verify the steps above, and then send another test email. If you continue to experience issues with receiving test emails, contact Arctic Wolf for assistance.
See Send a test email for more information about test emails.
See Create safe sender lists in EOP for more information about these configuration settings.
Step 2: Bypass clutter and spam filtering in Microsoft 365
-
Sign in to your Microsoft Outlook administrative portal.
-
Under Apps, click Admin.
-
In the navigation pane, under Admin centers, click Exchange.
-
In the sidebar, click mail flow.
-
In the rules tab, click + to expand the menu, and then click Bypass spam filtering.
-
In the Name field, enter a name such as
Bypass clutter and spam filtering by IP address
. -
In the Apply this rule if menu, select The sender > IP address is any of these ranges or exactly matches.
-
Enter the MA IP address, and then click OK.
-
In the Do the following menu, click Modify the message properties > set a message header.
-
Click Enter text to set the message header, and then enter
X-ArcticWolf
.Tip: This field is case-sensitive.
-
Click OK.
-
After to the value, click Enter text to set the value, and then enter
Arctic Wolf
. -
Click OK.
-
Click add action.
-
In the Do the following menu, select Modify the message properties > Set the spam confidence level (SCL) to > Bypass spam filtering.
-
Click Save.
-
Make sure your settings work correctly. Send a test MA phishing simulation email to yourself or admins:
- In the MA Portal menu, click Administration Dashboard.
- Click the User Information tab.
- Click Send Test Email.
Note: To preview the test email, see Email templates. If your test email is not received, verify the steps above, and then send another test email. If you continue to experience issues with receiving test emails, contact Arctic Wolf for assistance.
See Send a test email for more information about test emails.
Step 3: Configure the advanced delivery policy in Microsoft 365
Microsoft 365 filters out high confidence phishing attempts, even if an allowlist or filtering bypass has been configured. To make sure MA phishing simulation emails are not filtered as high confidence phishing attempts, use the advanced delivery policy in Microsoft 365 Defender. See Configure the delivery of third-party phishing simulations to users and unfiltered messages to SecOps mailboxes for more information about the advanced delivery policy.
-
Sign in to the Microsoft 365 Defender portal to access the Advanced delivery page.
-
Click the Phishing simulation tab. If there are:
- Configured phishing simulations — Click Edit.
- No configured phishing simulations — Click Add.
-
In the Add Third Party Phishing Simulations pane, click Domain.
-
Enter the domains that are specific to the language the simulations will be sent in. Press Enter after each entry:
- Required for all:
arcticwolf.com
- English:
automated-mailsender.com
mail-donotreply.com
humanresources-mailer.com
internal-humanresources.com
helpdesk-itsupport.com
internalcorporate-mailer.com
securityalert-corporate.com
corporate-alert.com
- Deutsch:
mitarbeiter-helpdesk.de
unternehmenssicherheit-alarm.de
itsupport-mitarbeiter.de
admin-hinweis.de
- Required for all:
-
Click Sending IP to expand the field.
-
Enter the MA IP address and any other required third-party IP addresses, and then press Enter.
-
Click Simulation URLS to allow.
-
In the Simulation URLs to allow field, enter the domains below, specific to the language the simulations will be sent, and press the Enter key after each entry:
Note: The Simulation URLs to allow field must include the same domains entered in the Domains field to ensure that the simulations send.
- All languages:
*.arcticwolf.com/*
- English:
automated-mailsender.com/*
mail-donotreply.com/*
humanresources-mailer.com/*
internal-humanresources.com/*
helpdesk-itsupport.com/*
internalcorporate-mailer.com/*
securityalert-corporate.com/*
corporate-alert.com/*
- Deutsch:
mitarbeiter-helpdesk.de/*
unternehmenssicherheit-alarm.de/*
itsupport-mitarbeiter.de/*
admin-hinweis.de/*
- All languages:
-
If you are editing:
- An existing phishing simulation — Click Save.
- A new phishing simulation — Click Add.
-
Click Close.
-
Make sure your settings work correctly. Send a test MA phishing simulation email to yourself or admins:
-
In the MA Portal menu, click Administration Dashboard.
-
Click the User Information tab.
-
In the Search field, enter the name of an MA administrator, and then press Enter.
-
Locate the user in the list, and then click Assign Session.
-
On the Assign Session page, in the Search field, enter
Phishing simulation
. -
In the list of search results, select a phishing simulation to use for testing, and then click Assign.
Tip: Arctic Wolf recommends assigning the phishing simulation titled Friendsgiving Celebration or Commonwealth Games Viewing Parties for this test.
-
Check if the test MA phishing simulation email is in your inbox. If the email is:
- In your inbox — Your settings are correct. Continue with the next procedure.
Tip: You can also verify that the percentage in the Secure Culture Dashboard under Phishing Simulation is at 0%, indicating no false positives.
- Not in your inbox — Submit a ticket in the Arctic Wolf Portal for assistance.
- In your inbox — Your settings are correct. Continue with the next procedure.
-