Configure the delivery of third-party phishing simulations to users and unfiltered messages to SecOps mailboxes

To keep your organization secure by default, Exchange Online Protection (EOP) does not allow safe lists or filtering bypass for messages that are identified as malware or high confidence phishing. But there are specific scenarios that require the delivery of unfiltered messages. For example:

  • Third-party phishing simulations: Simulated attacks can help you identify vulnerable users before a real attack impacts your organization.
  • Security operations (SecOps) mailboxes: Dedicated mailboxes that are used by security teams to collect and analyze unfiltered messages (both good and bad).

You use the advanced delivery policy in Microsoft 365 to prevent the messages in these two scenarios from being filtered. The policy ensures that matching messages bypass filtering, with one exception that you should keep in mind when you plan a simulation: you can't bypass malware filtering or zero-hour auto purge (ZAP) for malware, even with the advanced delivery policy.

Messages that are identified by the advanced delivery policy aren't security threats, so instead of being filtered the messages are marked with system overrides. Admin experiences show these messages as delivered due to either a Phishing simulation system override or a SecOps mailbox system override, and admins can filter on and analyze these system overrides in those experiences.

What do you need to know before you begin?

  • You open the Microsoft 365 Defender portal at https://security.microsoft.com. To go directly to the Advanced delivery page, open https://security.microsoft.com/advanceddelivery.

  • To connect to Security & Compliance Center PowerShell, see Connect to Security & Compliance Center PowerShell.

  • You need to be assigned permissions before you can do the procedures in this article:

    • To create, modify, or remove configured settings in the advanced delivery policy, you need to be a member of the Security Administrator role group in the Microsoft 365 Defender portal and a member of the Organization Management role group in Exchange Online.
    • For read-only access to the advanced delivery policy, you need to be a member of the Global Reader or Security Reader role groups.

    For more information, see Permissions in the Microsoft 365 Defender portal and Permissions in Exchange Online.

    Note

    Adding users to the corresponding Azure Active Directory role gives users the required permissions in the Microsoft 365 Defender portal and permissions for other features in Microsoft 365. For more information, see About admin roles.

Use the Microsoft 365 Defender portal to configure SecOps mailboxes in the advanced delivery policy

  1. In the Microsoft 365 Defender portal, go to Email & Collaboration > Policies & Rules > Threat policies > Advanced delivery in the Rules section.

  2. On the Advanced delivery page, verify that the SecOps mailbox tab is selected, and then do one of the following steps:

    • Click Edit.
    • If there are no configured SecOps mailboxes, click Add.
  3. On the Edit SecOps mailboxes flyout that opens, enter an existing Exchange Online mailbox that you want to designate as SecOps mailbox by doing one of the following steps:

    • Click in the box, let the list of mailboxes resolve, and then select the mailbox.

    • Click in the box, start typing an identifier for the mailbox (name, display name, alias, email address, account name, etc.), and select the mailbox (display name) from the results.

      Repeat this step as many times as necessary. Distribution groups are not allowed.

      To remove an existing value, click Remove next to the value.

  4. When you're finished, click Save.

The SecOps mailbox entries that you configured are displayed on the SecOps mailbox tab. To make changes, click Edit on the tab.

Use the Microsoft 365 Defender portal to configure third-party phishing simulations in the advanced delivery policy

  1. In the Microsoft 365 Defender portal, go to Email & Collaboration > Policies & Rules > Threat policies > Advanced delivery in the Rules section.

  2. On the Advanced delivery page, select the Phishing simulation tab, and then do one of the following steps:

    • Click Edit.
    • If there are no configured phishing simulations, click Add.
  3. On the Edit third-party phishing simulation flyout that opens, configure the following settings:

    • Sending domain: Expand this setting and enter at least one email address domain (for example, contoso.com) by clicking in the box, entering a value, and then pressing Enter or selecting the value that's displayed below the box. Repeat this step as many times as necessary. You can add up to 10 entries.

      Note

      Use the domain from the 5321.MailFrom address (also known as the MAIL FROM address, P1 sender, or envelope sender) that's used in the SMTP transmission of the message.

    • Sending IP: Expand this setting and enter at least one valid IPv4 address by clicking in the box, entering a value, and then pressing Enter or selecting the value that's displayed below the box. Repeat this step as many times as necessary. You can add up to 10 entries. Valid values are:

      • Single IP: For example, 192.168.1.1.
      • IP range: For example, 192.168.0.1-192.168.0.254.
      • CIDR IP: For example, 192.168.0.1/25.
    • Simulation URLs to allow: Expand this setting and optionally enter specific URLs that are part of your phishing simulation campaign that should not be blocked or detonated by clicking in the box, entering a value, and then pressing Enter or selecting the value that's displayed below the box. You can add up to 10 entries. For the URL syntax format, see URL syntax for the Tenant Allow/Block List.

    To remove an existing value, click Remove next to the value.

    Note

    You must specify at least one Sending domain and at least one Sending IP to configure a third-party phishing simulation in Advanced Delivery. You may optionally include Simulation URLs to allow to ensure URLs present in simulation messages are not blocked. You may specify up to 10 entries for each field. A message must match at least one Sending domain and at least one Sending IP, but no pairing between specific domains and IPs is maintained: any listed domain arriving from any listed IP matches, so keep both lists as narrow as the simulation vendor allows.

  4. When you're finished, do one of the following steps:

    • First time: Click Add, and then click Close.
    • Edit existing: Click Save and then click Close.

The third-party phishing simulation entries that you configured are displayed on the Phishing simulation tab. To make changes, click Edit on the tab.

Additional scenarios that require filtering bypass

In addition to the two scenarios that the advanced delivery policy can help you with, there are other scenarios that might require you to bypass filtering:

  • Third-party filters: If your domain's MX record doesn't point to Office 365 (messages are routed somewhere else first), secure by default is not available. If you'd like to add protection, you'll need to enable Enhanced Filtering for Connectors (also known as skip listing). For more information, see Manage mail flow using a third-party cloud service with Exchange Online. If you don't want Enhanced Filtering for Connectors, use mail flow rules (also known as transport rules) to bypass Microsoft filtering for messages that have already been evaluated by third-party filtering. For more information, see Use mail flow rules to set the SCL in messages.

  • False positives under review: You might want to temporarily allow known good messages that are incorrectly being marked as bad (false positives) while Microsoft analyzes them after you report them through admin submissions. As with all overrides, we highly recommend that these allowances are temporary.
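The third-party filter scenario above, worked through as an added example (this script is not part of the original article). It first checks where the domain's MX record actually points, then creates the fallback mail flow rule that sets SCL to -1, scoped to the upstream filter's IP addresses so that mail sent directly to Exchange Online doesn't inherit the bypass. It assumes an Exchange Online PowerShell session, a Windows host for Resolve-DnsName, and placeholder values for the domain and the filter's IP addresses; Enhanced Filtering for Connectors remains the preferred option where you can use it.

```powershell
# Added example, not from the original article.
# Assumes: Connect-ExchangeOnline has been run; Resolve-DnsName is available
# (Windows); $Domain and $ThirdPartyFilterIps are placeholders for your
# own domain and the outbound IPs of the third-party filter in front of EOP.
$Domain              = 'contoso.com'
$ThirdPartyFilterIps = @('203.0.113.10', '203.0.113.11')   # TEST-NET-3 placeholders

# 1. Where does the MX record point? If it points at Microsoft 365,
#    secure by default applies and no SCL bypass should be created.
$mx = Resolve-DnsName -Name $Domain -Type MX -ErrorAction Stop |
      Where-Object { $_.QueryType -eq 'MX' } |
      Sort-Object Preference
$pointsToMicrosoft365 = $mx.NameExchange -match '\.mail\.protection\.outlook\.com\.?$'

if ($pointsToMicrosoft365) {
    Write-Host "MX for $Domain points to Microsoft 365; leave filtering in place."
    return
}

Write-Host ("MX for {0} points to: {1}" -f $Domain, ($mx.NameExchange -join ', '))

# 2. Create the bypass rule only if it doesn't exist yet, and only for
#    mail that arrives from the upstream filter's IPs. A rule without the
#    sender IP condition would let any sender skip spam filtering.
$ruleName = "Bypass spam filtering for $Domain third-party filter"
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName `
        -SenderIpRanges $ThirdPartyFilterIps `
        -SetSCL -1 `
        -Mode Enforce `
        -Comments 'Mail already filtered upstream. Scoped to the filter IPs only; review when the filter changes IPs.'
}

# 3. Verify the rule is enabled and scoped as intended.
Get-TransportRule -Identity $ruleName | Format-List Name, State, Mode, SenderIpRanges, SetSCL
```

Run the script again after the upstream vendor changes its IP ranges: it leaves an existing rule untouched, so update the rule's SenderIpRanges with Set-TransportRule rather than relying on a re-run.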

Security & Compliance Center PowerShell procedures for SecOps mailboxes in the advanced delivery policy

In Security & Compliance Center PowerShell, the basic elements of SecOps mailboxes in the advanced delivery policy are:

  • The SecOps override policy: Controlled by the *-SecOpsOverridePolicy cmdlets.
  • The SecOps override rule: Controlled by the *-SecOpsOverrideRule cmdlets.

This behavior has the following results:

  • You create the policy first, then you create the rule that identifies the policy that the rule applies to.
  • When you remove a policy from PowerShell, the corresponding rule is also removed.
  • When you remove a rule from PowerShell, the corresponding policy is not removed. You need to remove the corresponding policy manually.

Use PowerShell to configure SecOps mailboxes

Configuring a SecOps mailbox in the advanced delivery policy in PowerShell is a two-step process:

  1. Create the SecOps override policy.
  2. Create the SecOps override rule that specifies the policy that the rule applies to.

Step 1: Use PowerShell to create the SecOps override policy

To create the SecOps override policy, use the following syntax:

New-SecOpsOverridePolicy -Name SecOpsOverridePolicy -SentTo <EmailAddress1>,<EmailAddress2>,...<EmailAddressN>

Note

Regardless of the Name value you specify, the policy name will be SecOpsOverridePolicy, so you might as well use that value.

This example creates the SecOps mailbox policy.

New-SecOpsOverridePolicy -Name SecOpsOverridePolicy -SentTo secops@contoso.com

For detailed syntax and parameter information, see New-SecOpsOverridePolicy.

Step 2: Use PowerShell to create the SecOps override rule

This example creates the SecOps mailbox rule with the specified settings.

New-SecOpsOverrideRule -Name SecOpsOverrideRule -Policy SecOpsOverridePolicy

Note

Regardless of the Name value you specify, the rule name will be SecOpsOverrideRule<GUID> where <GUID> is a unique GUID value (for example, 6fed4b63-3563-495d-a481-b24a311f8329).

For detailed syntax and parameter information, see New-SecOpsOverrideRule.
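The two steps above, combined into one added example that brings the SecOps mailbox configuration to a declared state (this script is not part of the original article). Before touching the policy it checks that every address resolves to a mailbox rather than a distribution group, which the advanced delivery policy does not accept; it then creates the policy and rule if they don't exist, or adds and removes addresses with Set-SecOpsOverridePolicy so the policy matches the list. It assumes Security & Compliance PowerShell is connected, that Exchange Online PowerShell is also connected for Get-Recipient, that the policy object exposes a SentTo property matching the parameter of the same name, and placeholder addresses.

```powershell
# Added example, not from the original article.
# Assumes: Connect-IPPSSession (Security & Compliance PowerShell) and
# Connect-ExchangeOnline (for Get-Recipient) have been run. Addresses are
# placeholders. Assumes the policy object has a SentTo property.
$DesiredSecOpsMailboxes = @('secops@contoso.com', 'secops2@contoso.com')

# 1. Validate: each entry must be a single mailbox. Distribution groups
#    are not allowed as SecOps mailboxes.
$validated = foreach ($addr in $DesiredSecOpsMailboxes) {
    $rcpt = Get-Recipient -Identity $addr -ErrorAction SilentlyContinue
    if (-not $rcpt) {
        Write-Warning "Skipping $addr : no recipient found"
        continue
    }
    if ($rcpt.RecipientTypeDetails -notin 'UserMailbox', 'SharedMailbox') {
        Write-Warning "Skipping $addr : $($rcpt.RecipientTypeDetails) is not a mailbox"
        continue
    }
    $rcpt.PrimarySmtpAddress.ToString()
}
$validated = @($validated)
if ($validated.Count -eq 0) { throw 'No valid SecOps mailboxes; nothing to configure.' }

# 2. Create the policy and rule on first run. The policy is always named
#    SecOpsOverridePolicy regardless of the -Name value.
$policy = Get-SecOpsOverridePolicy -ErrorAction SilentlyContinue
if (-not $policy) {
    New-SecOpsOverridePolicy -Name SecOpsOverridePolicy -SentTo $validated | Out-Null
    New-SecOpsOverrideRule  -Name SecOpsOverrideRule -Policy SecOpsOverridePolicy | Out-Null
}
else {
    # 3. Reconcile an existing policy: add what's missing, remove what's
    #    no longer wanted. Comparisons are case-insensitive by default.
    $current  = @($policy.SentTo)
    $toAdd    = @($validated | Where-Object { $_ -notin $current })
    $toRemove = @($current   | Where-Object { $_ -notin $validated })
    if ($toAdd.Count    -gt 0) { Set-SecOpsOverridePolicy -Identity SecOpsOverridePolicy -AddSentTo    $toAdd }
    if ($toRemove.Count -gt 0) { Set-SecOpsOverridePolicy -Identity SecOpsOverridePolicy -RemoveSentTo $toRemove }
}

# 4. Verify: one policy with the expected addresses, and the rule(s) with their Mode.
Get-SecOpsOverridePolicy | Format-List Name, SentTo
Get-SecOpsOverrideRule   | Format-Table Name, Mode
```

Because Set-SecOpsOverridePolicy also updates the addresses in the associated rule, the reconcile branch never needs to touch the rule directly.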

Use PowerShell to view the SecOps override policy

This example returns detailed information about the one and only SecOps mailbox policy.

Get-SecOpsOverridePolicy

For detailed syntax and parameter information, see Get-SecOpsOverridePolicy.

Use PowerShell to view SecOps override rules

This example returns detailed information about SecOps override rules.

Get-SecOpsOverrideRule

Although the previous command should return only one rule, any rules that are pending deletion might also be included in the results.

This example identifies the valid rule (one) and any invalid rules.

Get-SecOpsOverrideRule | Format-Table Name,Mode

After you identify the invalid rules, you can remove them by using the Remove-SecOpsOverrideRule cmdlet as described later in this article.

For detailed syntax and parameter information, see Get-SecOpsOverrideRule.

Use PowerShell to modify the SecOps override policy

To modify the SecOps override policy, use the following syntax:

Set-SecOpsOverridePolicy -Identity SecOpsOverridePolicy [-AddSentTo <EmailAddress1>,<EmailAddress2>,...<EmailAddressN>] [-RemoveSentTo <EmailAddress1>,<EmailAddress2>,...<EmailAddressN>]

This example adds secops2@contoso.com to the SecOps override policy.

Set-SecOpsOverridePolicy -Identity SecOpsOverridePolicy -AddSentTo secops2@contoso.com

Note

If an associated, valid SecOps override rule exists, the email addresses in the rule will also be updated.

For detailed syntax and parameter information, see Set-SecOpsOverridePolicy.

Use PowerShell to modify a SecOps override rule

The Set-SecOpsOverrideRule cmdlet does not modify the email addresses in the SecOps override rule. To modify the email addresses in the SecOps override rule, use the Set-SecOpsOverridePolicy cmdlet.

For detailed syntax and parameter information, see Set-SecOpsOverrideRule.

Use PowerShell to remove the SecOps override policy

This example removes the SecOps Mailbox policy and the corresponding rule.

Remove-SecOpsOverridePolicy -Identity SecOpsOverridePolicy

For detailed syntax and parameter information, see Remove-SecOpsOverridePolicy.

Use PowerShell to remove SecOps override rules

To remove a SecOps override rule, use the following syntax:

Remove-SecOpsOverrideRule -Identity <RuleIdentity>

This example removes the specified SecOps override rule.

Remove-SecOpsOverrideRule -Identity SecOpsOverrideRule6fed4b63-3563-495d-a481-b24a311f8329

For detailed syntax and parameter information, see Remove-SecOpsOverrideRule.

Security & Compliance Center PowerShell procedures for third-party phishing simulations in the advanced delivery policy

In Security & Compliance Center PowerShell, the basic elements of third-party phishing simulations in the advanced delivery policy are:

  • The phishing simulation override policy: Controlled by the *-PhishSimOverridePolicy cmdlets.
  • The phishing simulation override rule: Controlled by the *-PhishSimOverrideRule cmdlets.
  • The allowed (unblocked) phishing simulation URLs: Controlled by the *-TenantAllowBlockListItems cmdlets.

This behavior has the following results:

  • You create the policy first, then you create the rule that identifies the policy that the rule applies to.
  • You modify the settings in the policy and the rule separately.
  • When you remove a policy from PowerShell, the corresponding rule is also removed.
  • When you remove a rule from PowerShell, the corresponding policy is not removed. You need to remove the corresponding policy manually.

Use PowerShell to configure third-party phishing simulations

Configuring a third-party phishing simulation in PowerShell is a multi-step process:

  1. Create the phishing simulation override policy.
  2. Create the phishing simulation override rule that specifies:
    • The policy that the rule applies to.
    • The source IP address of the phishing simulation messages.
  3. Optionally, identify the phishing simulation URLs that should be allowed (that is, not blocked or scanned).

Step 1: Use PowerShell to create the phishing simulation override policy

This example creates the phishing simulation override policy.

New-PhishSimOverridePolicy -Name PhishSimOverridePolicy

Note: Regardless of the Name value you specify, the policy name will be PhishSimOverridePolicy, so you might as well use that value.

For detailed syntax and parameter information, see New-PhishSimOverridePolicy.

Step 2: Use PowerShell to create the phishing simulation override rule

Use the following syntax:

New-PhishSimOverrideRule -Name PhishSimOverrideRule -Policy PhishSimOverridePolicy -SenderDomainIs <Domain1>,<Domain2>,...<DomainN> -SenderIpRanges <IPAddressEntry1>,<IPAddressEntry2>,...<IPAddressEntryN>

Regardless of the Name value you specify, the rule name will be PhishSimOverrideRule<GUID> where <GUID> is a unique GUID value (for example, a0eae53e-d755-4a42-9320-b9c6b55c5011).

A valid IP address entry is one of the following values:

  • Single IP: For example, 192.168.1.1.
  • IP range: For example, 192.168.0.1-192.168.0.254.
  • CIDR IP: For example, 192.168.0.1/25.

This example creates the phishing simulation override rule with the specified settings.

New-PhishSimOverrideRule -Name PhishSimOverrideRule -Policy PhishSimOverridePolicy -SenderDomainIs fabrikam.com,wingtiptoys.com -SenderIpRanges 192.168.1.55

For detailed syntax and parameter information, see New-PhishSimOverrideRule.

Step 3: (Optional) Use PowerShell to identify the phishing simulation URLs to allow

Use the following syntax:

New-TenantAllowBlockListItems -Allow -ListType Url -ListSubType AdvancedDelivery -Entries "<URL1>","<URL2>",..."<URLN>" <[-NoExpiration] | [-ExpirationDate <DateTime>]>

For details about the URL syntax, see URL syntax for the Tenant Allow/Block List.

This example adds a URL allow entry for the specified third-party phishing simulation URL with no expiration.

New-TenantAllowBlockListItems -Allow -ListType Url -ListSubType AdvancedDelivery -Entries *.fabrikam.com -NoExpiration

For detailed syntax and parameter information, see New-TenantAllowBlockListItems.
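The three steps above, as one added example that declares a simulation vendor's sending domains, sending IPs and URLs and reconciles the tenant to match (this script is not part of the original article). It enforces the 10-entries-per-field limit, creates the policy and rule on first run, uses the Add/Remove parameters of Set-PhishSimOverrideRule on later runs, and adds URL allow entries with an expiration date rather than -NoExpiration, since the article recommends that overrides be temporary. It assumes Security & Compliance PowerShell is connected, that the rule object exposes SenderDomainIs and SenderIpRanges properties and the Tenant Allow/Block List entry exposes a Value property, that the valid rule has Mode Enforce, and placeholder vendor values (use the vendor's 5321.MailFrom domains and connecting IPs).

```powershell
# Added example, not from the original article.
# Assumes: Connect-IPPSSession has been run. Vendor values are placeholders.
# Assumed property names: rule.SenderDomainIs, rule.SenderIpRanges,
# allow-list entry.Value; assumed valid rule Mode: 'Enforce'.
$Desired = @{
    Domains   = @('fabrikam.com', 'wingtiptoys.com')   # 5321.MailFrom (envelope) domains
    Ips       = @('192.168.1.55', '192.168.0.1/25')    # single IP, range or CIDR
    Urls      = @('*.fabrikam.com')                    # Tenant Allow/Block List URL syntax
    UrlExpiry = (Get-Date).AddDays(30)                 # keep the URL override temporary
}

# The portal and PowerShell both cap each field at 10 entries.
foreach ($field in 'Domains', 'Ips', 'Urls') {
    if ($Desired[$field].Count -gt 10) { throw "$field has $($Desired[$field].Count) entries; the limit is 10." }
}

# 1. Policy: created once; always named PhishSimOverridePolicy.
if (-not (Get-PhishSimOverridePolicy -ErrorAction SilentlyContinue)) {
    New-PhishSimOverridePolicy -Name PhishSimOverridePolicy | Out-Null
}

# 2. Rule: create with the full sets, or reconcile the existing valid rule.
$rule = Get-PhishSimOverrideRule -ErrorAction SilentlyContinue |
        Where-Object Mode -eq 'Enforce' | Select-Object -First 1
if (-not $rule) {
    New-PhishSimOverrideRule -Name PhishSimOverrideRule -Policy PhishSimOverridePolicy `
        -SenderDomainIs $Desired.Domains -SenderIpRanges $Desired.Ips | Out-Null
}
else {
    $curDom = @($rule.SenderDomainIs)
    $curIp  = @($rule.SenderIpRanges)
    $params = @{ Identity = $rule.Name }
    $addDom = @($Desired.Domains | Where-Object { $_ -notin $curDom })
    $remDom = @($curDom          | Where-Object { $_ -notin $Desired.Domains })
    $addIp  = @($Desired.Ips     | Where-Object { $_ -notin $curIp })
    $remIp  = @($curIp           | Where-Object { $_ -notin $Desired.Ips })
    if ($addDom.Count -gt 0) { $params.AddSenderDomainIs    = $addDom }
    if ($remDom.Count -gt 0) { $params.RemoveSenderDomainIs = $remDom }
    if ($addIp.Count  -gt 0) { $params.AddSenderIpRanges    = $addIp }
    if ($remIp.Count  -gt 0) { $params.RemoveSenderIpRanges = $remIp }
    # Only call Set-* when there is something besides Identity to change.
    if ($params.Count -gt 1) { Set-PhishSimOverrideRule @params }
}

# 3. URLs: add any missing allow entries, always with an expiration date.
$existingUrls = @(Get-TenantAllowBlockListItems -ListType Url -ListSubType AdvancedDelivery |
                  Select-Object -ExpandProperty Value)
$newUrls = @($Desired.Urls | Where-Object { $_ -notin $existingUrls })
if ($newUrls.Count -gt 0) {
    New-TenantAllowBlockListItems -Allow -ListType Url -ListSubType AdvancedDelivery `
        -Entries $newUrls -ExpirationDate $Desired.UrlExpiry | Out-Null
}

# 4. Verify what is now in effect.
Get-PhishSimOverrideRule | Format-List Name, Mode, SenderDomainIs, SenderIpRanges
Get-TenantAllowBlockListItems -ListType Url -ListSubType AdvancedDelivery | Format-Table Value, ExpirationDate
```

Remember the caveat from the start of the article: none of this bypasses malware filtering or ZAP for malware, so a simulation that carries a real malicious payload will still be caught.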

Use PowerShell to view the phishing simulation override policy

This example returns detailed information about the one and only phishing simulation override policy.

Get-PhishSimOverridePolicy

For detailed syntax and parameter information, see Get-PhishSimOverridePolicy.

Use PowerShell to view phishing simulation override rules

This example returns detailed information about phishing simulation override rules.

Get-PhishSimOverrideRule

Although the previous command should return only one rule, any rules that are pending deletion might also be included in the results.

This example identifies the valid rule (one) and any invalid rules.

Get-PhishSimOverrideRule | Format-Table Name,Mode

After you identify the invalid rules, you can remove them by using the Remove-PhishSimOverrideRule cmdlet as described later in this article.

For detailed syntax and parameter information, see Get-PhishSimOverrideRule.
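The cleanup that the view procedures above (for both SecOps override rules and phishing simulation override rules) leave to the reader, as one added example that is not part of the original article. It lists the rules for either scenario, refuses to act unless exactly one valid rule is present, and removes the rest, with -WhatIf supported so you can see what would be deleted first. It assumes Security & Compliance PowerShell is connected and that the single valid rule is the one whose Mode is Enforce; check the Name,Mode output in your own tenant before running it without -WhatIf.

```powershell
# Added example, not from the original article.
# Assumes: Connect-IPPSSession has been run; the valid rule has
# Mode 'Enforce' (assumption; override with -ValidMode if your tenant differs).
function Remove-StaleOverrideRules {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('SecOps', 'PhishSim')]
        [string]$Scenario,

        [string]$ValidMode = 'Enforce'
    )

    $rules = @(switch ($Scenario) {
        'SecOps'   { Get-SecOpsOverrideRule }
        'PhishSim' { Get-PhishSimOverrideRule }
    })

    # Safety check: there should be exactly one valid rule. If not, show
    # everything and stop rather than guess which rule to keep.
    $valid = @($rules | Where-Object Mode -eq $ValidMode)
    if ($valid.Count -ne 1) {
        Write-Warning ("Expected exactly one {0} rule with Mode '{1}', found {2}; removing nothing." -f $Scenario, $ValidMode, $valid.Count)
        $rules | Format-Table Name, Mode
        return
    }

    # Everything else is a leftover (for example, a rule pending deletion).
    foreach ($rule in $rules | Where-Object Mode -ne $ValidMode) {
        if ($PSCmdlet.ShouldProcess($rule.Name, "Remove stale $Scenario override rule")) {
            switch ($Scenario) {
                'SecOps'   { Remove-SecOpsOverrideRule   -Identity $rule.Name -Confirm:$false }
                'PhishSim' { Remove-PhishSimOverrideRule -Identity $rule.Name -Confirm:$false }
            }
        }
    }
}

# Dry run both scenarios first; drop -WhatIf once the output looks right.
Remove-StaleOverrideRules -Scenario SecOps   -WhatIf
Remove-StaleOverrideRules -Scenario PhishSim -WhatIf
```

Removing a rule does not remove its policy, so the policy and the one valid rule remain in place after the cleanup.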

Use PowerShell to view the allowed phishing simulation URL entries

To view the allowed phishing simulation URLs, run the following command:

Get-TenantAllowBlockListItems -ListType Url -ListSubType AdvancedDelivery

For detailed syntax and parameter information, see Get-TenantAllowBlockListItems.

Use PowerShell to modify the phishing simulation override policy

To modify the phishing simulation override policy, use the following syntax:

Set-PhishSimOverridePolicy -Identity PhishSimOverridePolicy [-Comment "<DescriptiveText>"] [-Enabled <$true | $false>]

This example disables the phishing simulation override policy.

Set-PhishSimOverridePolicy -Identity PhishSimOverridePolicy -Enabled $false

For detailed syntax and parameter information, see Set-PhishSimOverridePolicy.

Use PowerShell to modify phishing simulation override rules

To modify the phishing simulation override rule, use the following syntax:

Set-PhishSimOverrideRule -Identity PhishSimOverrideRulea0eae53e-d755-4a42-9320-b9c6b55c5011 [-Comment "<DescriptiveText>"] [-AddSenderDomainIs <DomainEntry1>,<DomainEntry2>,...<DomainEntryN>] [-RemoveSenderDomainIs <DomainEntry1>,<DomainEntry2>,...<DomainEntryN>] [-AddSenderIpRanges <IPAddressEntry1>,<IPAddressEntry2>,...<IPAddressEntryN>] [-RemoveSenderIpRanges <IPAddressEntry1>,<IPAddressEntry2>,...<IPAddressEntryN>]

This example modifies the specified phishing simulation override rule with the following settings:

  • Add the domain entry blueyonderairlines.com.
  • Remove the IP address entry 192.168.1.55.

Note that these Add and Remove parameters don't affect the other existing entries in the rule.

Set-PhishSimOverrideRule -Identity PhishSimOverrideRulea0eae53e-d755-4a42-9320-b9c6b55c5011 -AddSenderDomainIs blueyonderairlines.com -RemoveSenderIpRanges 192.168.1.55

For detailed syntax and parameter information, see Set-PhishSimOverrideRule.

Use PowerShell to modify the allowed phishing simulation URL entries

You can't modify the URL values directly. You can remove existing URL entries and add new URL entries as described in this article.

To modify other properties of an allowed phishing simulation URL entry (for example, the expiration date or comments), use the following syntax:

Set-TenantAllowBlockListItems <-Entries "<URL1>","<URL2>",..."<URLN>" | -Ids <Identity>> -ListType URL -ListSubType AdvancedDelivery <[-NoExpiration] | [-ExpirationDate <DateTime>]> [-Notes <String>]

You identify the entry to modify by its URL values (the Entries parameter) or the Identity value from the output of the Get-TenantAllowBlockListItems cmdlet (the Ids parameter).

This example modifies the expiration date of the specified entry.

Set-TenantAllowBlockListItems -ListType Url -ListSubType AdvancedDelivery -Entries "*.fabrikam.com" -ExpirationDate 9/11/2021

For detailed syntax and parameter information, see Set-TenantAllowBlockListItems.

Use PowerShell to remove a phishing simulation override policy

This example removes the phishing simulation override policy and the corresponding rule.

Remove-PhishSimOverridePolicy -Identity PhishSimOverridePolicy

For detailed syntax and parameter information, see Remove-PhishSimOverridePolicy.

Use PowerShell to remove phishing simulation override rules

To remove a phishing simulation override rule, use the following syntax:

Remove-PhishSimOverrideRule -Identity <RuleIdentity>

This example removes the specified phishing simulation override rule.

Remove-PhishSimOverrideRule -Identity PhishSimOverrideRulea0eae53e-d755-4a42-9320-b9c6b55c5011

For detailed syntax and parameter information, see Remove-PhishSimOverrideRule.

Use PowerShell to remove the allowed phishing simulation URL entries

To remove an existing phishing simulation URL entry, use the following syntax:

Remove-TenantAllowBlockListItems <-Entries "<URL1>","<URL2>",..."<URLN>" | -Ids <Identity>> -ListType URL -ListSubType AdvancedDelivery

You identify the entry to remove by its URL values (the Entries parameter) or the Identity value from the output of the Get-TenantAllowBlockListItems cmdlet (the Ids parameter).

This example removes the specified entry.

Remove-TenantAllowBlockListItems -ListType Url -ListSubType AdvancedDelivery -Entries "*.fabrikam.com"

For detailed syntax and parameter information, see Remove-TenantAllowBlockListItems.