Add the MA IP address to Microsoft 365 allowlists

Using Microsoft 365®, allowlist the MA program IP address and headers, and any applicable third-party IP addresses that are used during spam filtering. This could be a static IP address or a range of IP addresses that are assigned to you by your third-party provider.

Before you begin

• Complete Step 2: Add MA to email gateway and spam filtering allowlists.

• Get the MA IP address to allowlist. To see the complete list of IP addresses that you must allowlist, go to the Arctic Wolf Unified Portal, and then click Help > Allowlist Requirements. The IP addresses that must be allowlisted are listed under Security Awareness Training.

• If applicable, obtain the static IP address or range of IP addresses from your third-party email gateway provider. For example, Mimecast or Proofpoint.

• Make sure you have the required user permissions to create and modify policies and rules in Microsoft 365 Defender.

  See What do you need to know before you begin? for more information.

Steps

1. Allowlist the MA IP address in Microsoft 365.
2. Bypass clutter and spam filtering in Microsoft 365.
3. Configure the advanced delivery policy in Microsoft 365.

Step 1: Allowlist the MA IP address in Microsoft 365

In Microsoft 365, you can use mail flow rules to allow emails from trusted senders using a message header or a trusted IP address.

1. Sign in to Microsoft 365 Defender.

2. Under Email & Collaboration, click Policies & rules > Threat policies.

3. In the Policies section, click Anti-spam.

4. In the Name column, click Connection filter policy.

5. Click Edit connection filter policy.

6. Under Always allow messages from the following IP addresses or address range field, enter the MA IP address.

7. Select the Turn on safe list checkbox.

8. Click Save.

9. Make sure your settings work correctly. Send a test MA phishing simulation email to yourself or admins:

   1. In the MA Portal menu, click Administration Dashboard.
   2. Click the User Information tab.
   3. Click Send Test Email.

      Note: To preview the test email, see Email templates. If your test email is not received, verify the steps above, and then send another test email. If you continue to experience issues with receiving test emails, contact Arctic Wolf for assistance.

   See Send a test email for more information about test emails.

See Create safe sender lists in EOP for more information about these configuration settings.

Step 2: Bypass clutter and spam filtering in Microsoft 365

1. Sign in to your Microsoft Outlook administrative portal.

2. Under Apps, click Admin.

3. In the navigation pane, under Admin centers, click Exchange.

4. In the sidebar, click mail flow.

5. In the rules tab, click + to expand the menu, and then click Bypass spam filtering.

6. In the Name field, enter a name such as Bypass clutter and spam filtering by IP address .

7. In the Apply this rule if menu, select The sender > IP address is any of these ranges or exactly matches.

8. Enter the MA IP address, and then click OK.

9. In the Do the following menu, click Modify the message properties > set a message header.

10. Click Enter text to set the message header, and then enter X-ArcticWolf.

    Tip: This field is case-sensitive.

11. Click OK.

12. After to the value, click Enter text to set the value, and then enter Arctic Wolf.

13. Click OK.

14. Click add action.

15. In the Do the following menu, select Modify the message properties > Set the spam confidence level (SCL) to > Bypass spam filtering.

16. Click Save.

17. Make sure your settings work correctly. Send a test MA phishing simulation email to yourself or admins:

    1. In the MA Portal menu, click Administration Dashboard.
    2. Click the User Information tab.
    3. Click Send Test Email.

       Note: To preview the test email, see Email templates. If your test email is not received, verify the steps above, and then send another test email. If you continue to experience issues with receiving test emails, contact Arctic Wolf for assistance.

    See Send a test email for more information about test emails.

Step 3: Configure the advanced delivery policy in Microsoft 365

Microsoft 365 filters out high confidence phishing attempts, even if an allowlist or filtering bypass has been configured. To make sure MA phishing simulation emails are not filtered as high confidence phishing attempts, use the advanced delivery policy in Microsoft 365 Defender. See Configure the delivery of third-party phishing simulations to users and unfiltered messages to SecOps mailboxes for more information about the advanced delivery policy.

1. Sign in to the Microsoft 365 Defender portal to access the Advanced delivery page.

2. Click the Phishing simulation tab. If there are:

   • Configured phishing simulations — Click Edit.
   • No configured phishing simulations — Click Add.

3. In the Add Third Party Phishing Simulations pane, click Domain.

4. Enter the domains that are specific to the language the simulations will be sent in. Press Enter after each entry:

   • Required for all:
     • arcticwolf.com
   • English:
     • automated-mailsender.com
     • mail-donotreply.com
     • humanresources-mailer.com
     • internal-humanresources.com
     • helpdesk-itsupport.com
     • internalcorporate-mailer.com
     • securityalert-corporate.com
     • corporate-alert.com
   • Deutsch:
     • mitarbeiter-helpdesk.de
     • unternehmenssicherheit-alarm.de
     • itsupport-mitarbeiter.de
     • admin-hinweis.de

5. Click Sending IP to expand the field.

6. Enter the MA IP address and any other required third-party IP addresses, and then press Enter.

7. Click Simulation URLS to allow.

8. In the Simulation URLs to allow field, enter the domains below, specific to the language the simulations will be sent, and press the Enter key after each entry:

   Note: The Simulation URLs to allow field must include the same domains entered in the Domains field to ensure that the simulations send.

   • All languages:
     • *.arcticwolf.com/*
   • English:
     • automated-mailsender.com/*
     • mail-donotreply.com/*
     • humanresources-mailer.com/*
     • internal-humanresources.com/*
     • helpdesk-itsupport.com/*
     • internalcorporate-mailer.com/*
     • securityalert-corporate.com/*
     • corporate-alert.com/*
   • Deutsch:
     • mitarbeiter-helpdesk.de/*
     • unternehmenssicherheit-alarm.de/*
     • itsupport-mitarbeiter.de/*
     • admin-hinweis.de/*

9. If you are editing:

   • An existing phishing simulation — Click Save.
   • A new phishing simulation — Click Add.

10. Click Close.

11. Make sure your settings work correctly. Send a test MA phishing simulation email to yourself or admins:

    1. In the MA Portal menu, click Administration Dashboard.

    2. Click the User Information tab.

    3. In the Search field, enter the name of an MA administrator, and then press Enter.

    4. Locate the user in the list, and then click Assign Session.

    5. On the Assign Session page, in the Search field, enter Phishing simulation.

    6. In the list of search results, select a phishing simulation to use for testing, and then click Assign.

       Tip: Arctic Wolf recommends assigning the phishing simulation titled Friendsgiving Celebration or Commonwealth Games Viewing Parties for this test.

    7. Check if the test MA phishing simulation email is in your inbox. If the email is:

       • In your inbox — Your settings are correct. Continue with the next procedure.

         Tip: You can also verify that the percentage in the Secure Culture Dashboard under Phishing Simulation is at 0%, indicating no false positives.

       • Not in your inbox — Submit a ticket in the Arctic Wolf Portal for assistance.

Next steps

• Complete Step 4: Configure browsers to autoplay MA sessions.