Managed Security Awareness Initial Setup - Step 3

Updated Jan 19, 2024

Add the MA IP address to Microsoft 365 allowlists

You can use Microsoft 365® to allowlist the MA program IP address and headers, and any applicable third-party IP addresses that are used during spam filtering. For example, a static IP address or a range of IP addresses that are assigned to you by your third-party provider.

Requirements

Before you begin

Steps

Note: If you use on-premise Microsoft Exchange, or encounter issues with Microsoft 365 allowlist configuration, configure Microsoft Exchange to integrate with MA. See Add the MA IP address to Microsoft Exchange allowlists for more information.

  1. Allowlist the MA IP address in Microsoft 365.
  2. Bypass clutter and spam filtering in Microsoft 365.
  3. Configure the advanced delivery policy in Microsoft 365.

Step 1: Allowlist the MA IP address in Microsoft 365

In Microsoft 365, you can use mail flow rules to allow emails from trusted senders using a message header or a trusted IP address.

  1. Sign in to the Microsoft 365 Defender portal.

  2. In the Email & Collaboration section, click Policies & rules > Threat policies.

  3. In the Policies section, click Anti-spam.

  4. In the Name column, click Connection filter policy.

  5. Click Edit connection filter policy.

  6. In the Always allow messages from the following IP addresses or address range field, enter the MA IP address.

  7. Select the Turn on safe list checkbox.

  8. Click Save.

  9. Make sure your settings work correctly. Send a test MA phishing simulation email to yourself or admins:

    1. In the MA Portal menu, click Administration Dashboard.
    2. Click the User Information tab.
    3. Click Send Test Email.

      Note: To preview the test email, see Email templates. If your test email is not received, verify the steps above, and then send another test email. If you continue to experience issues with receiving test emails, contact your Concierge Security® Team (CST) at security@arcticwolf.com for assistance.

    See Send a test email for more information.

See Create safe sender lists in EOP for more information.

Step 2: Bypass clutter and spam filtering in Microsoft 365

  1. Sign in to your Exchange admin center.

  2. Click Mail flow > Rules.

  3. Select Add a rule + > Create a new rule.

    The Rule Creation wizard opens.

  4. In the Name field, enter a name. For example, Bypass clutter and spam filtering by IP address.

  5. In the Apply this rule if menu, select The sender and IP address is any of these ranges or exactly matches.

    The specify IP address ranges window opens.

  6. Enter the MA IP address, and then click Add.

  7. Click Save.

    You are redirected to the Rule Creation wizard.

  8. In the Do the following menu, select Modify the message properties and set a message header.

  9. Click Enter text to set the message header, and then enter X-ArcticWolf.

    Tip: This field is case-sensitive.

  10. Click OK.

  11. Following to the value, click Enter text to set the value, and then enter Arctic Wolf.

  12. Click OK.

  13. In the Do the following menu section, click +.

  14. For the And setting, select Modify the message properties and Set the spam confidence level (SCL).

    The specify SCL window opens.

  15. Select Bypass spam filtering, and then click Save.

    You are returned to the Rule Creation wizard.

  16. Click Next.

  17. In Set rule setting, click Next.

  18. In Review and finish, click Finish.

  19. Make sure your settings work correctly. Send a test MA phishing simulation email to yourself or admins:

    Note: If you are using Microsoft Defender for Office 365 for your mail environment, you may experience false clicks, to prevent this, complete the steps in False-positive phishing simulation clicks or alerts in Microsoft Defender Office 365 to link processing rules in Defender for Office 365.

    1. In the MA Portal menu, click Administration Dashboard.
    2. Click the User Information tab.
    3. Click Send Test Email.

      Note: To preview the test email, see Email templates. If your test email is not received, verify the steps above, and then send another test email. If you continue to experience issues with receiving test emails, contact your CST at security@arcticwolf.com for assistance.

Step 3: Configure the advanced delivery policy in Microsoft 365

Microsoft 365 filters out high confidence phishing attempts, even if an allowlist or filtering bypass has been configured. To make sure MA phishing simulation emails are not filtered as high confidence phishing attempts, use the advanced delivery policy in Microsoft 365 Defender. See Configure the delivery of third-party phishing simulations to users and unfiltered messages to SecOps mailboxes for more information.

  1. Sign in to the Microsoft 365 Defender portal.

  2. Open the Advanced delivery page.

  3. Click the Phishing simulation tab. If there are:

    • Configured phishing simulations — Click Edit.
    • No configured phishing simulations — Click Add.
  4. In the Add Third Party Phishing Simulations menu, click Domain.

  5. In the Domain field, enter arcticwolf.com, and then press Enter.

  6. In the Domain field, based on the language that you want the phishing simulations to be sent in, enter one of these lists of domains, and press Enter after each entry:

    • English:
      • automated-mailsender.com
      • mail-donotreply.com
      • humanresources-mailer.com
      • internal-humanresources.com
      • helpdesk-itsupport.com
      • internalcorporate-mailer.com
      • securityalert-corporate.com
      • corporate-alert.com
    • Deutsch:
      • mitarbeiter-helpdesk.de
      • unternehmenssicherheit-alarm.de
      • itsupport-mitarbeiter.de
      • admin-hinweis.de
  7. Click Sending IP to expand the field.

  8. Enter the MA IP address and any other required third-party IP addresses, and then press Enter.

  9. Click Simulation URLS to allow.

  10. In the Simulation URLs to allow field, complete these steps:

    1. Enter *.arcticwolf.com/*, and then press Enter.

    2. Based on the language that you want the phishing simulations to be sent in, enter one or more of these domain lists, and press Enter after each entry:

      Note: The Simulation URLs to allow field must include the same domains entered in the Domains field to make sure that the simulations send.

      • English:
        • automated-mailsender.com/*
        • mail-donotreply.com/*
        • humanresources-mailer.com/*
        • internal-humanresources.com/*
        • helpdesk-itsupport.com/*
        • internalcorporate-mailer.com/*
        • securityalert-corporate.com/*
        • corporate-alert.com/*
      • Deutsch:
        • mitarbeiter-helpdesk.de/*
        • unternehmenssicherheit-alarm.de/*
        • itsupport-mitarbeiter.de/*
        • admin-hinweis.de/*
  11. If you are editing:

    • An existing phishing simulation — Click Save.
    • A new phishing simulation — Click Add.
  12. Click Close.

  13. Make sure your settings work correctly. Send a test MA phishing simulation email to yourself or admins:

  14. In the MA Portal menu, click Administration Dashboard.

  15. Click the User Information tab.

  16. In the Search field, enter the name of an MA administrator, and then press Enter.

  17. Find the user in the list, and then click Assign Session.

  18. On the Assign Session page, in the Search field, enter Phishing simulation.

  19. In the list of search results, select a phishing simulation to use for testing, and then click Assign.

    Tip: For this test, Arctic Wolf recommends assigning the Customer Complaint or Commonwealth Games Viewing Parties phishing simulation.

  20. Make sure the test MA phishing simulation email is in your inbox. If the email is:

    • In your inbox — Your settings are correct. Continue with the next procedure.

      Tip: In the Phishing Simulation section, if the Secure Culture Dashboard percentage is 0%, you can also use this to verify that there are no false positives.

    • Not in your inbox — Create a ticket in the Arctic Wolf Unified Portal for assistance.

Next steps