IP/Domain Whitelist in Microsoft 365

Note: Please contact Sophos Professional Services if you require direct assistance with your specific environment.

To ensure Phish Threat emails are delivered and Phish Threat campaigns complete successfully, follow these steps to make the necessary changes in Microsoft's Advanced delivery settings.

In Microsoft 365 admin center, go to ‘Security’

Then, under ‘Policies and Rules’, go to ‘Threat Policies’

Click on ‘Advanced delivery’ and then ‘Phishing simulation’

Under Phishing simulation, make the following additions:

Added notes (31-Aug-2022):
Based on the latest tests, we have seen that in some cases, depending on the mail flow configuration, Microsoft still blocks some of the phish simulation emails. To mitigate this, the Sophos IP ranges for the respective regions must be added under Advanced Delivery in the M365 admin centre (screenshot above).
The link below has the list of Sophos IP ranges for the different regions. Add only the ranges specific to your region.

Removed KB
[edited by: emmosophos at 12:22 AM (GMT -8) on 28 Jan 2023]
  • How did you go about adding all of the domains for whitelisting? You can only add up to 20 domains and you must have at least one. Do all of the domains need to be on the list as well as the IPs?

    cloud.sophos.com/.../domains

    docs.microsoft.com/.../configure-advanced-delivery

  • You don't need to add all the domains. MSFT limits it to 20 domains. In my discussions with Microsoft they recommend using the DKIM domain, which is the amazonses.com domain, along with the IPs listed; together with the URLs this should provide adequate coverage. I will say nothing is for certain with M365, as there have been cases where we see some blocked and some not.

  • I have completed what is suggested here, however, Defender for Safe Links is still blocking the URL for awstrack.me. Has anyone else had this issue and found a fix? I have also logged a support case with Microsoft.

  • The attached script should help in setting your M365 exclusions for Phish Threat IPs / domains.

    PhishThreat_M365_Exclusions.zip

  • Did you get this fixed? I cannot get Safe Links to stop blocking the URLs.

  • Just to be fair: we had a meeting today with Sophos and followed all the steps.

    They told us that the settings described above do not work and are not needed.

    We used the script from "Aaron Jacobs", who they said is a Sophos employee, to configure our tenant.

    OWA still blocks the Safe Links, and neither we nor they had any idea why.

    For now we are still on hold and waiting until Monday to see if some Exchange Online magic will happen :)

  • Hi Michael,

    Yep, I am a Sophos employee, but I should clarify this is not a Sophos script. I was an MSP/partner before joining Sophos, and we made this script up after a lot of issues getting Phish Threat going around Safe Links and what I will call "well configured" M365/Defender/Exchange Online Protection policies. As far as I am aware, the script is still being used successfully today by my old MSP.

    I assume you looked over the script and modified it to suit, but you will note it's making some transport rules, it has an array of domains to be excluded for Safe Links, and it creates a Safe Links Policy.

    It also adds some AntiPhish domain exclusions, and some AntiPhish email address policies.

    Finally, it adds the domains in the Hosted Content Filter Policy.

    I troubleshot this for a long time, and it was not until we did all of these things that Microsoft would actually leave the emails alone, based on how we had configured M365. In case it helps, they were largely based around the recommendations from https://www.itpromentor.com/

    I'd suggest looking over the script, making sure the IP addresses in there and domains match whatever PhishThreat is telling you to exclude today, look for errors when you ran the script, and double check that what the script is setting, actually did get applied (and doesn't conflict with anything else you already have configured).

    Let me know how you get on and I can check in to see if this script is still working as planned for my old MSP.

    All the best,
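
As an added example (not the script from the thread, nor Sophos' or Microsoft's own code), the five kinds of change that post lists, done with ExchangeOnlineManagement cmdlets. The IP range (TEST-NET-2), the accepted domain `tenant.example` and the sender address are placeholders; take the real IP ranges and domains from the current Phish Threat exclusion list for your region.

```powershell
# Added example (not the script from the thread): the same five kinds of change it describes,
# done with ExchangeOnlineManagement cmdlets. Placeholders: the IP range (TEST-NET-2),
# 'tenant.example' as your accepted domain, and the sender address.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$senderIpRanges  = @('198.51.100.0/24')             # placeholder; use your region's Sophos ranges
$domains         = @('amazonses.com', 'awstrack.me') # sending/tracking domains named in the thread
$doNotRewrite    = @('*.awstrack.me/*')              # Safe Links wildcard entries for simulation links
$recipientDomain = 'tenant.example'                  # placeholder accepted domain

# 1. Transport rule: mail from the simulation IP ranges bypasses spam filtering (SCL -1).
New-TransportRule -Name 'Phish Threat - bypass spam filtering' -Priority 0 `
    -SenderIpRanges $senderIpRanges -SetSCL -1 -Comments 'Phish Threat exclusion (example)'

# 2. Safe Links policy and rule: do not rewrite (and so do not block) simulation URLs.
New-SafeLinksPolicy -Name 'Phish Threat Safe Links' -EnableSafeLinksForEmail $true `
    -DoNotRewriteUrls $doNotRewrite
New-SafeLinksRule -Name 'Phish Threat Safe Links' -SafeLinksPolicy 'Phish Threat Safe Links' `
    -RecipientDomainIs $recipientDomain -Priority 0

# 3. Anti-phish: exclude the simulation domains and sender from impersonation protection.
Set-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' `
    -ExcludedDomains $domains -ExcludedSenders @('sender@tenant.example')   # placeholder sender

# 4. Hosted content filter (anti-spam): allow the simulation sender domains.
Set-HostedContentFilterPolicy -Identity Default -AllowedSenderDomains @{Add = $domains}

# 5. Verify what actually got applied, as the post advises, before trusting it.
Get-TransportRule 'Phish Threat - bypass spam filtering' | Format-List SenderIpRanges, SetSCL, State
Get-SafeLinksPolicy 'Phish Threat Safe Links' | Format-List DoNotRewriteUrls
(Get-HostedContentFilterPolicy Default).AllowedSenderDomains
```

Run each section once; rerunning the New-* cmdlets fails on the existing names, which is a useful sign that an earlier run did apply.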

  • Sorry for not replying to you sooner - yes, we eventually got this working. In the Microsoft Security Centre > Email & Collaboration > Policies & Rules > Threat Policies > Advanced Delivery > Phishing Simulation, we had to enter the "Simulation URLs to allow" in the following format:

    www.linkedn.co/*
    www.shipping-updates.com/*

    It does not work without the /* at the end, which was the suggestion from our Microsoft Support case. It does mean that we need to go in and check/add the URL each time, depending on the campaign, as we can only add up to 20 simulation URLs.
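
The Advanced delivery additions from the steps at the top of the page, and the `/*` URL format from the reply above, as an added PowerShell example (not Sophos' or Microsoft's own script). The IP range (TEST-NET-2) is a placeholder; the domains and URLs are the ones named in this thread, and the 20-entry limits and the trailing `/*` check are enforced before anything is written.

```powershell
# Added example (not Sophos' or Microsoft's own script): configure the Advanced delivery
# "Phishing simulation" entries from PowerShell instead of the portal. Assumes the
# ExchangeOnlineManagement module and a role that can edit threat policies.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline     # Exchange Online cmdlets (tenant allow/block list)
Connect-IPPSSession        # Security & Compliance cmdlets (phish simulation override)

# Placeholder sender IP range (TEST-NET-2); replace with your region's Sophos ranges.
$senderIpRanges = @('198.51.100.0/24')
# Domains: the portal allows at most 20, so list only those used by your campaigns.
$domains = @('amazonses.com', 'awstrack.me')
# Simulation URLs: the trailing /* wildcard is what made them work in the thread above.
$simUrls = @('www.linkedn.co/*', 'www.shipping-updates.com/*')

# Fail early on the limits and the format problem reported in the thread.
if ($domains.Count -gt 20) { throw 'Advanced delivery accepts at most 20 domains.' }
if ($simUrls.Count -gt 20) { throw 'Advanced delivery accepts at most 20 simulation URLs.' }
foreach ($u in $simUrls) {
    if ($u -notmatch '/\*$') { throw "Simulation URL '$u' must end in /* to be honoured." }
}

# One override policy per tenant; create it only if it does not exist yet.
if (-not (Get-PhishSimOverridePolicy -ErrorAction SilentlyContinue)) {
    New-PhishSimOverridePolicy -Name PhishSimOverridePolicy | Out-Null
}
# The rule carries the IP ranges (mandatory) and the sender domains.
if (Get-PhishSimOverrideRule -ErrorAction SilentlyContinue) {
    Write-Warning 'A phish simulation override rule already exists; review it instead of creating another.'
} else {
    New-PhishSimOverrideRule -Name PhishSimOverrideRule -Policy PhishSimOverridePolicy `
        -SenderIpRanges $senderIpRanges -Domains $domains | Out-Null
}

# Simulation URLs live in the tenant allow list under the AdvancedDelivery sub-type.
New-TenantAllowBlockListItems -ListType Url -ListSubType AdvancedDelivery `
    -Entries $simUrls -NoExpiration | Out-Null

# Verify what was applied; the thread notes Microsoft still blocks some mail otherwise.
Get-PhishSimOverrideRule | Format-List Domains, SenderIpRanges
Get-TenantAllowBlockListItems -ListType Url -ListSubType AdvancedDelivery | Format-List
```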

  • Hi Michael,

    I think I have the same issues as you. Did you find a fix together with Sophos yet?

    I tried everything in Office365, from normal transport rules with the spam filtering set to -1 to a whole new phishing campaign policy, but even the test e-mails are still marked as spam. I entered every IP address for my region that they marked on their website as well (besides the two 54er ones which are marked in the Phish Threat campaign in Sophos Central), but so far I have been unable to fix that.