7,920 questions
The Sec Dept can create a policy in Defender to exclude phishing awareness programs:
https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-advanced-delivery?view=o365-worldwide
Automatic check of links in emails
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(99.2, 28.999999999999996%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Репин Дмитрий Геннадьевич
1
Reputation point
Hello everyone.
Found some issue related to Exchange O365.
Upon receipt of the letter, the links in the letter are checked by something from the O365 cloud (the ip-addresses of those who have passed through them from the MSFT range)
If you do not open the letter, or even close any email clients, "something" will still check the link in the incoming letter.
Is this "something" perhaps a defender? Tell me where you can see and check?
The problem is that the company uses a phishing awareness system. And from time to time, the information security department sends letters with links by clicking on which information security officers will understand that the user did not recognize the phishing letter and still clicked on the link.
But since "something" follows the links first (I repeat, even with a closed letter and even an email client), it is impossible to carry out such work at the moment, because the following links will be about 100% :)
Exchange Exchange Server Management
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 67%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
Joyce Shen - MSFT 16,701 Reputation points2021-11-12T05:51:43.41+00:00 Have you tried creating the policy below like Andy suggested? Any progress about this issue?
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Sign in to comment
3 answers
Sort by: Most helpful
-
Andy David - MVP 157.4K Reputation points MVP Volunteer Moderator2021-11-11T12:17:23.72+00:00 -
Benard Mwanza 1,006 Reputation points2021-11-12T09:30:57.457+00:00 Can you mention the phishing system that your org is using?
If its defender for office365 anti-phishing policies, you can exclude the sec department from the policies, just edit the policies if you have more than one, as mentioned by @Andy David - MVP
Microsoft defender for office365 uses safe links policies to scan links shared in emails messages or documents, if you have one set then exclude the sec department.
Office 365 comes with Default connection filtering policy, that checks IP that are allowed or disallowed to connect to your exchange online. This policy has a Microsoft
safe lista dynamic allow list (IP Ranges )managed by Microsoft themselves, if that feature is enabled, then IPs that Microsoft regards as unsafe can same thing.You can take a look on all security reports centric to emails or other workloads, you need first to login to your tenant.
https://security.microsoft.com/securityreports -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 37%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKM%3C/text%3E%3C/svg%3E)
Kato Mihai 1 Reputation point2022-10-19T10:15:06.947+00:00 Bypassing Safe Link and Safe Attachments in Office 365
This worked for us! We had the same issue while testing our phishing campaigns from a 3rd party external sender.- Go to Exchange Online -> Mail flow > Rules.
- Create a new rule from scratch, Add and then select Create a new rule.
- In the New rule dialog box, name the rule, and then select the conditions and actions for this rule:
- In Apply this rule if…, select the condition you want from the list of available conditions.
- Some conditions require you to specify values. For example, if you select The sender is… condition, you must specify a sender address. If you are adding a word or phrase, note that trailing spaces are not allowed.
- If the condition you want is not listed, or if you need to add exceptions, select More options. Additional conditions and exceptions will be listed.
- If you do not want to specify a condition and want this rule to apply to every message in your organization, select [Apply to all messages] condition.
- In Do the following…,
- Select Modify the message properties, then choose Set the message header to this value (If the condition is not listed, select More options. Additional conditions will be listed.)
- In the first enter text field enter X-MS-Exchange-Organization-SkipSafeLinksProcessing
- In the second enter text field enter 1
This article tells you how to bypass those automatic checks by setting headers in your Exchange Online mail flow rule
https://www.pei.com/bypass-safe-link-attachments-office-365/best regards,
Mihai