How to whitelist in Microsoft Defender Advanced Delivery Policy

This article explains how to set up third-party phishing simulations used for training in the advanced delivery policy.

For more information about the advanced delivery policy, see the Microsoft article "Configure the delivery of third-party phishing simulations to users and unfiltered messages to SecOps mailboxes".

Microsoft 365 Defender portal

  1. In the Microsoft 365 Defender portal (security.microsoft.com) navigate to Email & Collaboration > Policies & Rules > Threat policies > Advanced delivery.
  2. On the Advanced delivery page, select the Phishing simulation tab, then do one of the following:
    • Click Edit.
    • If there are no configured phishing simulations, click Add.
  3. On the Edit third-party phishing simulation flyout that opens, configure the following setting:
    • Sending Domain: Expand this setting and enter any domains you plan to test with, then press Enter or select the value that is displayed below the box.
      • Note: You may add up to 20 entries. To change a domain on a template, go to Manage Templates, use the multi-select boxes to choose the template(s), and then click "Change Domain".
    • Sending IP: Expand this setting and enter 64.191.166.196 (US) or 64.238.34.10 (EU), then press Enter or select the value that is displayed below the box.
    • Simulation URLs to allow: If you are using the URL Redirect feature, you will want to add the domains here, for example yourredirect.com.
  4. When you're finished, do one of the following steps:

    • First time: Click Add, and then click Close.
    • Edit existing: Click Save and then click Close.

The third-party phishing simulation entries that you configured are displayed on the Phishing simulation tab. To make changes, click Edit on the tab.

Troubleshooting

If, after configuring the safelisting rules in Microsoft Defender as shown in this article, the emails are still being delivered to junk or spam, you may need to safelist by email header, as shown in this article. If you use a third-party firewall, such as Proofpoint or Mimecast, the IP address from which the phishing emails come may be rewritten, causing the phishing emails to appear to originate from a different IP address than the one you safelisted.
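
To check whether the sending IP was rewritten before the message reached Microsoft 365, compare the connecting IP that Exchange Online Protection recorded (the CIP field of the X-Forefront-Antispam-Report header) with the IPs you safelisted. The following is an added example, not part of the original article or any vendor tooling; the function names are hypothetical and the sample headers are constructed (203.0.113.25 is a documentation address standing in for a gateway).

```python
import ipaddress
from email import message_from_string

# Sending IPs listed in this article (US and EU).
ALLOWLISTED_IPS = ("64.191.166.196", "64.238.34.10")

# Constructed sample headers, not captured from real mail.
SAMPLE_DIRECT = (
    "From: it-support@example.com\n"
    "Subject: Password expiry notice\n"
    "X-Forefront-Antispam-Report: CIP:64.191.166.196;CTRY:US;SCL:-1;\n"
    " H:mail.example.com;\n"
    "\n"
    "body\n"
)
SAMPLE_VIA_GATEWAY = SAMPLE_DIRECT.replace("64.191.166.196", "203.0.113.25")
SAMPLE_NO_HEADER = "From: it-support@example.com\nSubject: test\n\nbody\n"


def connecting_ip(raw_message):
    """Return the CIP value from X-Forefront-Antispam-Report, or None."""
    report = message_from_string(raw_message).get("X-Forefront-Antispam-Report", "")
    # The header is a folded, semicolon-separated list of KEY:VALUE fields.
    for field in report.replace("\r", "").replace("\n", "").split(";"):
        key, _, value = field.strip().partition(":")
        if key.upper() == "CIP":
            try:
                return ipaddress.ip_address(value.strip())
            except ValueError:
                return None  # malformed value; treat as unknown
    return None


def diagnose(raw_message, allowlisted=ALLOWLISTED_IPS):
    """Classify a message as 'match', 'rewritten' or 'unknown'."""
    cip = connecting_ip(raw_message)
    if cip is None:
        return ("unknown", None)
    allowed = {ipaddress.ip_address(ip) for ip in allowlisted}
    return ("match" if cip in allowed else "rewritten", str(cip))


if __name__ == "__main__":
    for name, raw in [("direct", SAMPLE_DIRECT), ("gateway", SAMPLE_VIA_GATEWAY),
                      ("no header", SAMPLE_NO_HEADER)]:
        print(name, diagnose(raw))
```

A "rewritten" result means the Sending IP entry cannot match for that message, which is the situation where safelisting by email header is needed.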