Tip
Did you know you can try the features in Microsoft Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms on Try Microsoft Defender for Office 365.
To keep your organization secure by default, Exchange Online Protection (EOP) doesn't allow safe lists or filtering bypass for messages that are identified as malware or high confidence phishing. But, there are specific scenarios that require the delivery of unfiltered messages. For example, the two scenarios this article covers: third-party phishing simulations and SecOps mailboxes.
Use the advanced delivery policy in EOP to prevent inbound messages in these specific scenarios from being filtered¹. The advanced delivery policy ensures that messages in these scenarios achieve the following results:
Messages that are identified by the advanced delivery policy aren't security threats, so the messages are marked with system overrides. Admin experiences show these messages as Phishing simulation or SecOps mailbox system overrides. Admins can use these values to filter and analyze messages in the following experiences:
You open the Microsoft Defender portal at https://security.microsoft.com. To go directly to the Advanced delivery page, use https://security.microsoft.com/advanceddelivery.
To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell.
You need to be assigned permissions before you can do the procedures in this article. You have the following options:
Microsoft Defender XDR Unified role based access control (RBAC) (If Email & collaboration > Defender for Office 365 permissions is Active. Affects the Defender portal only, not PowerShell): Authorization and settings/Security settings/Core Security settings (manage) or Authorization and settings/Security settings/Core Security settings (read).
Email & collaboration permissions in the Microsoft Defender portal and Exchange Online permissions:
Microsoft Entra permissions: Membership in the Global Administrator*, Security Administrator, Global Reader, or Security Reader roles gives users the required permissions and permissions for other features in Microsoft 365.
Important
* Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
In the Microsoft Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Advanced delivery in the Rules section. Or, to go directly to the Advanced delivery page, use https://security.microsoft.com/advanceddelivery.
On the Advanced delivery page, verify that the SecOps mailbox tab is selected.
On the SecOps mailbox tab, select the Add button in the No SecOps mailboxes configured area of the page.
If there are already existing entries on the SecOps mailbox tab, select Edit (the Add button isn't available).
In the Add SecOps mailboxes flyout that opens, enter an existing Exchange Online mailbox that you want to designate as SecOps mailbox by doing either of the following steps:
Click in the box, let the list of mailboxes resolve, and then select the mailbox.
Click in the box, start typing an identifier for the mailbox (name, display name, alias, email address, account name, etc.), and select the mailbox (display name) from the results.
Repeat this step as many times as necessary. Distribution groups aren't allowed.
To remove an existing value, select remove next to the value.
When you're finished in the Add SecOps mailboxes flyout, select Add.
Review the information in the Changes to SecOps mailbox override saved flyout, and then select Close.
Back on the SecOps mailbox tab, the SecOps mailbox entries that you configured are now listed.
In the Microsoft Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Advanced delivery in the Rules section. Or, to go directly to the Advanced delivery page, use https://security.microsoft.com/advanceddelivery.
On the Advanced delivery page, verify that the SecOps mailbox tab is selected.
On the SecOps mailbox tab, select Edit.
In Edit SecOps mailboxes flyout that opens, add or remove mailboxes as described in Step 3 in the Use the Microsoft Defender portal to configure SecOps mailboxes in the advanced delivery policy section.
To remove all mailboxes, select remove next to each value until there are no more mailboxes selected.
When you're finished in the Edit SecOps mailboxes flyout, select Save.
Review the information in the Changes to SecOps mailbox override saved flyout, and then select Close.
Back on the SecOps mailbox tab, the SecOps mailbox entries that you configured are displayed. If you removed all entries, the list is empty.
To configure a third-party phishing simulation, you need to provide the following information:
Domain: The domain from the 5321.MailFrom address (also known as the MAIL FROM address, P1 sender, or envelope sender) that's used in the SMTP transmission of the message, or a DKIM domain as specified by the phishing simulation vendor.
There must be a match on at least one Domain and one Sending IP, but no association between values is maintained.
If your MX record doesn't point to Microsoft 365, the IP address in the Authentication-results header must match the IP address in the advanced delivery policy. If the IP addresses don't match, you might need to configure Enhanced Filtering for Connectors so the correct IP address is detected.
Note
Enhanced Filtering for Connectors doesn't work for third-party phishing simulations in email routing scenarios that involve mail coming to Exchange Online twice (for example, internet email routed to Microsoft 365, then to an on-premises environment or third-party security service, and then back to Microsoft 365). EOP can't identify the true IP address of the message source. Don't try to work around this limitation by adding the IP addresses of the on-premises or third-party sending infrastructure to the third-party phishing simulation. Doing so effectively bypasses spam filtering for any internet sender who impersonates the domain that's specified in the third-party phishing simulation. Routing scenarios where the MX record points to a third-party service and then mail is routed to Exchange Online are supported if Enhanced Filtering for Connectors is configured.
Currently, the advanced delivery policy for third-party phishing simulations doesn't support simulations within the same organization (DIR:INT), especially when email is routed through an Exchange Server gateway before Microsoft 365 in Hybrid mail flow. To work around this issue, you have the following options:
If you're using the Built-in protection preset security policy or your custom Safe Links policies have the setting Do not rewrite URLs, do checks via SafeLinks API only enabled, time of click protection doesn't treat phishing simulation links in email as threats in Outlook on the web, Outlook for iOS and Android, Outlook for Windows v16.0.15317.10000 or later, and Outlook for Mac v16.74 (23061100) or later. If you're using older versions of Outlook, consider disabling the Do not rewrite URLs, do checks via SafeLinks API only setting in custom Safe Links policies.
Adding phishing simulation URLs to the Do not rewrite the following URLs in email section in Safe Links policies might result in unwanted alerts for URL clicks. Phishing simulation URLs in email messages are automatically allowed both during mail flow and at time of click.
Currently, the advanced delivery policy for SecOps mailboxes doesn't support intra-organizational messages (DIR:INT), and these messages will be quarantined. As a workaround, you can use a separate anti-spam policy for SecOps mailboxes that doesn't quarantine intra-organizational messages. We don't recommend disabling intra-org protection for all mailboxes.
In the Microsoft Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Advanced delivery in the Rules section. Or, to go directly to the Advanced delivery page, use https://security.microsoft.com/advanceddelivery.
On the Advanced delivery page, select the Phishing simulation tab.
On the Phishing simulation tab, select the Add button in the No third party phishing simulations configured area of the page.
If there are already existing entries on the Phishing simulation tab, select Edit (the Add button isn't available).
In the Add third party phishing simulations flyout that opens, configure the following settings:
Domain: Expand this setting and enter at least one email address domain by clicking in the box, entering a value (for example, contoso.com), and then pressing the ENTER key or selecting the value that's displayed below the box. Repeat this step as many times as necessary. You can add up to 50 entries. Use one of the following values:
The domain in the 5321.MailFrom address (also known as the MAIL FROM address, P1 sender, or envelope sender) that's used in the SMTP transmission of the message.
The DKIM domain as specified by the phishing simulation vendor.
Sending IP: Expand this setting and enter at least one valid IPv4 address by clicking in the box, entering a value, and then pressing the ENTER key or selecting the value that's displayed below the box. Repeat this step as many times as necessary. You can add up to 10 entries. Valid values are:
Simulation URLs to allow: This setting isn't required for links in email phishing simulations. Use this setting to optionally identify links in non-email phishing simulations (links in Teams messages or in Office documents) that shouldn't be treated as real threats at time of click.
Add URL entries by expanding this setting, clicking in the box, entering a value, and then pressing the ENTER key or selecting the value that's displayed below the box. You can add up to 30 entries. For the URL syntax, see URL syntax for the Tenant Allow/Block List.
To remove an existing domain, IP, or URL value, select remove next to the value.
Consider the following example:
Authentication-Results: spf=pass (sender IP is 172.17.17.7)
smtp.mailfrom=contoso.com; dkim=pass (signature was verified)
header.d=contoso-simulation.com; dmarc=pass action=none header.from=contoso-simulation.com;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=contoso-simulation.com;
s=selector1;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=UErATeHehIIPIXPeUAfZWiKo0w2cSsOhb9XM9ulqTX0=;
In this example:
The sender IP address is 172.17.17.7.
The domain in the MAIL FROM address (smtp.mailfrom) is contoso.com.
The DKIM domain (header.d) is contoso-simulation.com.
From the example, you can use one of the following combinations to configure a third-party phishing simulation:
Domain: contoso.com
Sending IP: 172.17.17.7
Domain: contoso-simulation.com
Sending IP: 172.17.17.7
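The values that go into the Domain and Sending IP fields come straight out of the Authentication-Results header of a test message from the simulation vendor. The following PowerShell is an added example, not code from the Microsoft article: it unfolds the header, extracts the sender IP, the smtp.mailfrom domain and the header.d DKIM domain, and lists the Domain/Sending IP combinations that would satisfy the policy. The function name Get-PhishSimCandidateValues is ours, and the header text is the article's sample embedded as a constructed input.

```powershell
# Added example (not from the Microsoft article): derive advanced delivery policy values
# from a vendor test message's Authentication-Results header.
# The header below is the article's sample, embedded here as a constructed input.
$sampleAuthResults = @'
Authentication-Results: spf=pass (sender IP is 172.17.17.7)
 smtp.mailfrom=contoso.com; dkim=pass (signature was verified)
 header.d=contoso-simulation.com; dmarc=pass action=none header.from=contoso-simulation.com;
'@

function Get-PhishSimCandidateValues {
    param([Parameter(Mandatory)][string]$AuthenticationResults)

    # Unfold the header: continuation lines begin with whitespace, so join them into one line.
    $folded = ($AuthenticationResults -split "`r?`n" | ForEach-Object { $_.Trim() }) -join ' '

    # The IP that EOP saw is what the policy's Sending IP must match.
    $ip = if ($folded -match 'sender IP is (\d{1,3}(?:\.\d{1,3}){3})') { $Matches[1] } else { $null }
    # Either the MAIL FROM (5321.MailFrom) domain or the DKIM header.d domain is acceptable.
    $mailFrom   = if ($folded -match 'smtp\.mailfrom=([^;\s]+)') { $Matches[1] } else { $null }
    $dkimDomain = if ($folded -match 'header\.d=([^;\s]+)')      { $Matches[1] } else { $null }

    # smtp.mailfrom can be a full address; the policy wants only the domain part.
    if ($mailFrom -and $mailFrom.Contains('@')) { $mailFrom = $mailFrom.Split('@')[-1] }

    if (-not $ip) {
        # No sender IP usually means the MX does not point to Microsoft 365 and the
        # true source IP was not surfaced (see Enhanced Filtering for Connectors).
        throw 'No sender IP found in Authentication-Results; cannot derive a Sending IP value.'
    }

    # Each domain pairs with the sending IP; any one combination satisfies the policy.
    foreach ($domain in @($mailFrom, $dkimDomain) | Where-Object { $_ }) {
        [pscustomobject]@{ Domain = $domain.ToLower(); SendingIP = $ip }
    }
}

Get-PhishSimCandidateValues -AuthenticationResults $sampleAuthResults | Format-Table -AutoSize
```

Run against the sample it prints the two combinations listed above (contoso.com/172.17.17.7 and contoso-simulation.com/172.17.17.7). Because the policy keeps no association between Domain and Sending IP values, adding both domains is equivalent to adding either one; what matters is that the IP is the one EOP actually recorded.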
When you're finished in the Add third party phishing simulations flyout, select Add.
Review the information in the Changes to phishing simulation override saved flyout, and then select Close.
Back on the Phishing simulation tab, the third-party phishing simulation entries that you configured are now listed.
In the Microsoft Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Advanced delivery in the Rules section. Or, to go directly to the Advanced delivery page, use https://security.microsoft.com/advanceddelivery.
On the Advanced delivery page, select the Phishing simulation tab.
On the Phishing simulation tab, select Edit.
In the Edit third-party phishing simulation flyout that opens, add or remove entries for Domain, Sending IP, and Simulation URLs as described in Step 3 in the Use the Microsoft Defender portal to configure third-party phishing simulations in the advanced delivery policy section.
To remove all entries, select remove next to each value until there are no more domains, IPs, or URLs selected.
When you're finished in the Edit third-party phishing simulation flyout, select Save.
Review the information in the Changes to phishing simulation override saved flyout, and then select Close.
Back on the Phishing simulation tab, the third-party phishing simulation entries that you configured are displayed. If you removed all entries, the list is empty.
In addition to the two scenarios that the advanced delivery policy can help you with, there are other scenarios where you might need to bypass filtering for messages:
Third-party filters: If your domain's MX record doesn't point to Office 365 (messages are routed somewhere else first), secure by default isn't available. If you'd like to add protection, you need to enable Enhanced Filtering for Connectors (also known as skip listing). For more information, see Manage mail flow using a third-party cloud service with Exchange Online. If you don't want Enhanced Filtering for Connectors, use mail flow rules (also known as transport rules) to bypass Microsoft filtering for messages that have already been evaluated by third-party filtering. For more information, see Use mail flow rules to set the SCL in messages.
False positives under review: You might want to temporarily allow good messages that are incorrectly identified as bad (false positives) that you reported via admin submissions, but the messages are still being analyzed by Microsoft. As with all overrides, we highly recommended that these allowances are temporary.
In PowerShell, the basic elements of SecOps mailboxes in the advanced delivery policy are:
This behavior has the following results:
Configuring a SecOps mailbox in the advanced delivery policy in PowerShell is a two-step process:
In Exchange Online PowerShell, use the following syntax:
New-SecOpsOverridePolicy -Name SecOpsOverridePolicy -SentTo <EmailAddress1>,<EmailAddress2>,...<EmailAddressN>
Regardless of the Name value you specify, the policy name is SecOpsOverridePolicy, so you might as well use that value.
This example creates the SecOps mailbox policy.
New-SecOpsOverridePolicy -Name SecOpsOverridePolicy -SentTo secops@contoso.com
For detailed syntax and parameter information, see New-SecOpsOverridePolicy.
In Exchange Online PowerShell, run the following command:
New-ExoSecOpsOverrideRule -Name SecOpsOverrideRule -Policy SecOpsOverridePolicy
Regardless of the Name value you specify, the rule name will be _Exe:SecOpsOverrid:<GUID\> [sic] where <GUID> is a unique GUID value (for example, 312c23cf-0377-4162-b93d-6548a9977efb).
For detailed syntax and parameter information, see New-ExoSecOpsOverrideRule.
In Exchange Online PowerShell, this example returns detailed information about the one and only SecOps mailbox policy.
Get-SecOpsOverridePolicy
For detailed syntax and parameter information, see Get-SecOpsOverridePolicy.
In Exchange Online PowerShell, this example returns detailed information about SecOps override rules.
Get-ExoSecOpsOverrideRule
Although the previous command should return only one rule, a rule that's pending deletion might also be included in the results.
This example identifies the valid rule (one) and any invalid rules.
Get-ExoSecOpsOverrideRule | Format-Table Name,Mode
After you identify the invalid rules, you can remove them by using the Remove-ExoSecOpsOverrideRule cmdlet as described later in this article.
For detailed syntax and parameter information, see Get-ExoSecOpsOverrideRule.
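The following PowerShell ties the two configuration steps and the verification step together. It is an added example, not code from the Microsoft article: it creates the single SecOps override policy only if one does not already exist (adding any missing addresses otherwise), creates the binding rule only if none exists, and then lists every rule with its Mode so a rule that is pending deletion stands out. The mailbox addresses are constructed placeholders, an existing Exchange Online PowerShell session is assumed, and it also assumes the policy object exposes its addresses as a SentTo property and that the one valid rule reports Mode "Enforce".

```powershell
# Added example (not from the Microsoft article): SecOps mailbox override end to end.
# Assumes Connect-ExchangeOnline has already been run.
$secOpsMailboxes = @('secops@contoso.com', 'secops2@contoso.com')   # constructed placeholders

# Step 1: the policy. There is only one, and its name is always SecOpsOverridePolicy,
# so create it once and otherwise add only the addresses that are missing.
# Assumption: the policy object exposes the configured addresses as .SentTo.
$policy = Get-SecOpsOverridePolicy -ErrorAction SilentlyContinue
if (-not $policy) {
    $policy = New-SecOpsOverridePolicy -Name SecOpsOverridePolicy -SentTo $secOpsMailboxes
} else {
    $missing = @($secOpsMailboxes | Where-Object { $policy.SentTo -notcontains $_ })
    if ($missing.Count -gt 0) {
        # Updating the policy also updates the addresses in the associated valid rule.
        Set-SecOpsOverridePolicy -Identity SecOpsOverridePolicy -AddSentTo $missing
    }
}

# Step 2: the rule that puts the policy into effect. One rule is enough; don't add a second.
$rules = @(Get-ExoSecOpsOverrideRule)
if ($rules.Count -eq 0) {
    New-ExoSecOpsOverrideRule -Name SecOpsOverrideRule -Policy SecOpsOverridePolicy | Out-Null
    $rules = @(Get-ExoSecOpsOverrideRule)
}

# Verification: show every rule with its Mode. Assumption: the valid rule reports
# Mode 'Enforce'; anything else is treated as stale (for example, pending deletion).
$rules | Format-Table Name, Mode -AutoSize
$stale = @($rules | Where-Object { $_.Mode -ne 'Enforce' })
foreach ($r in $stale) {
    Write-Warning ("Stale SecOps override rule: {0} (Mode={1}). " -f $r.Name, $r.Mode +
                   "Remove it with: Remove-ExoSecOpsOverrideRule -Identity '$($r.Name)'")
}
if ($stale.Count -eq 0 -and $rules.Count -gt 1) {
    Write-Warning "More than one SecOps override rule is active; only one should exist."
}
```

The script deliberately never calls Remove-ExoSecOpsOverrideRule itself; it reports the stale rule names so an administrator can remove them after confirming which one is the live rule.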
In Exchange Online PowerShell, use the following syntax:
Set-SecOpsOverridePolicy -Identity SecOpsOverridePolicy [-AddSentTo <EmailAddress1>,<EmailAddress2>,...<EmailAddressN>] [-RemoveSentTo <EmailAddress1>,<EmailAddress2>,...<EmailAddressN>]
This example adds secops2@contoso.com
to the SecOps override policy.
Set-SecOpsOverridePolicy -Identity SecOpsOverridePolicy -AddSentTo secops2@contoso.com
Note
If an associated, valid SecOps override rule exists, the email addresses in the rule are also updated.
For detailed syntax and parameter information, see Set-SecOpsOverridePolicy.
The Set-ExoSecOpsOverrideRule cmdlet doesn't modify the email addresses in the SecOps override rule. To modify the email addresses in the SecOps override rule, use the Set-SecOpsOverridePolicy cmdlet.
For detailed syntax and parameter information, see Set-ExoSecOpsOverrideRule.
In Exchange Online PowerShell, this example removes the SecOps Mailbox policy and the corresponding rule.
Remove-SecOpsOverridePolicy -Identity SecOpsOverridePolicy
For detailed syntax and parameter information, see Remove-SecOpsOverridePolicy.
In Exchange Online PowerShell, use the following commands:
Remove any SecOps override rules:
Get-ExoSecOpsOverrideRule | Remove-ExoSecOpsOverrideRule
Remove the specified SecOps override rule:
Remove-ExoSecOpsOverrideRule -Identity "_Exe:SecOpsOverrid:312c23cf-0377-4162-b93d-6548a9977efb"
For detailed syntax and parameter information, see Remove-ExoSecOpsOverrideRule.
In PowerShell, the basic elements of third-party phishing simulations in the advanced delivery policy are:
Note
As previously described, identifying URLs isn't required for links in email-based phishing simulations. You can optionally identify links in non-email phishing simulations (links in Teams messages or in Office documents) that shouldn't be treated as real threats at time of click.
This behavior has the following results:
Configuring a third-party phishing simulation in PowerShell is a multi-step process:
In Exchange Online PowerShell, this example creates the phishing simulation override policy.
New-PhishSimOverridePolicy -Name PhishSimOverridePolicy
Regardless of the Name value you specify, the policy name is PhishSimOverridePolicy, so you might as well use that value.
For detailed syntax and parameter information, see New-PhishSimOverridePolicy.
In Exchange Online PowerShell, use the following syntax:
New-ExoPhishSimOverrideRule -Name <ArbitraryTextValue> -Policy PhishSimOverridePolicy -Domains <Domain1>,<Domain2>,...<Domain10> -SenderIpRanges <IPAddressEntry1>,<IPAddressEntry2>,...<IPAddressEntry10>
Regardless of the Name value you specify, the rule name will be _Exe:PhishSimOverr:<GUID\> [sic] where <GUID> is a unique GUID value (for example, 6fed4b63-3563-495d-a481-b24a311f8329).
A valid IP address entry is one of the following values:
This example creates the phishing simulation override rule with the specified settings.
New-ExoPhishSimOverrideRule -Policy PhishSimOverridePolicy -Domains fabrikam.com,wingtiptoys.com -SenderIpRanges 192.168.1.55
For detailed syntax and parameter information, see New-ExoPhishSimOverrideRule.
In Exchange Online PowerShell, use the following syntax:
New-TenantAllowBlockListItems -Allow -ListType Url -ListSubType AdvancedDelivery -Entries "<URL1>","<URL2>",..."<URL10>" <[-NoExpiration] | [-ExpirationDate <DateTime>]>
For details about the URL syntax, see URL syntax for the Tenant Allow/Block List
This example adds a URL allow entry for the specified third-party phishing simulation URL with no expiration.
New-TenantAllowBlockListItems -Allow -ListType Url -ListSubType AdvancedDelivery -Entries *.fabrikam.com -NoExpiration
For detailed syntax and parameter information, see New-TenantAllowBlockListItems.
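The following PowerShell carries the three steps above through in one pass. It is an added example, not code from the Microsoft article: it validates the vendor-supplied domains and IPv4 entries before touching the tenant (a typo in an IP range widens the filtering bypass to the wrong sender), creates the policy and rule only if they are absent, adds missing domains and IPs to an existing rule instead of recreating it, gives the URL allow entries an expiration, and then reads back what is in effect. The domains, IP entries and URL are constructed placeholders; an existing Exchange Online PowerShell session is assumed, as are the SenderDomainIs and SenderIpRanges properties on the rule object and the Value and ExpirationDate properties on allow entries.

```powershell
# Added example (not from the Microsoft article): third-party phishing simulation override,
# validated and idempotent. Assumes Connect-ExchangeOnline has already been run.
$vendorDomains = @('fabrikam.com', 'wingtiptoys.com')        # constructed placeholders
$vendorIPs     = @('192.168.1.55', '192.168.1.0/24')          # constructed: single IPv4 and CIDR
$vendorUrls    = @('*.fabrikam.com')                          # only needed for Teams/Office links
$urlExpiry     = (Get-Date).AddDays(90)                       # simulations are time-boxed

# Validate before changing anything: the policy accepts IPv4 only.
foreach ($entry in $vendorIPs) {
    $ipPart = $entry.Split('/')[0]
    $parsed = [System.Net.IPAddress]::None
    if (-not [System.Net.IPAddress]::TryParse($ipPart, [ref]$parsed) -or
        $parsed.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "Not a valid IPv4 entry: $entry"
    }
}
foreach ($d in $vendorDomains) {
    if ($d -notmatch '^[a-z0-9.-]+\.[a-z]{2,}$') { throw "Not a valid domain: $d" }
}

# Step 1: the policy (fixed name PhishSimOverridePolicy; create it once).
if (-not (Get-PhishSimOverridePolicy -ErrorAction SilentlyContinue)) {
    New-PhishSimOverridePolicy -Name PhishSimOverridePolicy | Out-Null
}

# Step 2: the rule holding the Domain and Sending IP values.
$rule = Get-ExoPhishSimOverrideRule -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $rule) {
    New-ExoPhishSimOverrideRule -Policy PhishSimOverridePolicy `
        -Domains $vendorDomains -SenderIpRanges $vendorIPs | Out-Null
} else {
    # Assumption: the rule exposes current values as .SenderDomainIs and .SenderIpRanges.
    $newDomains = @($vendorDomains | Where-Object { $rule.SenderDomainIs -notcontains $_ })
    $newIPs     = @($vendorIPs     | Where-Object { $rule.SenderIpRanges -notcontains $_ })
    if ($newDomains.Count -gt 0) {
        Set-ExoPhishSimOverrideRule -Identity $rule.Name -AddSenderDomainIs $newDomains
    }
    if ($newIPs.Count -gt 0) {
        Set-ExoPhishSimOverrideRule -Identity $rule.Name -AddSenderIpRanges $newIPs
    }
}

# Step 3 (optional): URL allow entries for non-email simulation links, with an expiration
# rather than -NoExpiration, so the allow disappears when the campaign ends.
if ($vendorUrls.Count -gt 0) {
    New-TenantAllowBlockListItems -Allow -ListType Url -ListSubType AdvancedDelivery `
        -Entries $vendorUrls -ExpirationDate $urlExpiry | Out-Null
}

# Read back what is now in effect. Assumption: property names as shown.
Get-PhishSimOverridePolicy | Format-List Name, Enabled
Get-ExoPhishSimOverrideRule | Format-Table Name, Mode, SenderDomainIs, SenderIpRanges -AutoSize
Get-TenantAllowBlockListItems -ListType Url -ListSubType AdvancedDelivery |
    Format-Table Value, ExpirationDate -AutoSize
```

The read-back at the end is the part worth keeping in a runbook: Domain and Sending IP values are stored with no association between them, so a quick listing is the only way to confirm that a stale IP from a previous vendor is not still paired, in effect, with every domain in the rule.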
In Exchange Online PowerShell, this example returns detailed information about the one and only phishing simulation override policy.
Get-PhishSimOverridePolicy
For detailed syntax and parameter information, see Get-PhishSimOverridePolicy.
In Exchange Online PowerShell, this example returns detailed information about phishing simulation override rules.
Get-ExoPhishSimOverrideRule
Although the previous command should return only one rule, any rules that are pending deletion might also be included in the results.
This example identifies the valid rule (one) and any invalid rules.
Get-ExoPhishSimOverrideRule | Format-Table Name,Mode
After you identify the invalid rules, you can remove them by using the Remove-ExoPhishSimOverrideRule cmdlet as described later in this article.
For detailed syntax and parameter information, see Get-ExoPhishSimOverrideRule.
In Exchange Online PowerShell, run the following command:
Get-TenantAllowBlockListItems -ListType Url -ListSubType AdvancedDelivery
For detailed syntax and parameter information, see Get-TenantAllowBlockListItems.
In Exchange Online PowerShell, use the following syntax:
Set-PhishSimOverridePolicy -Identity PhishSimOverridePolicy [-Comment "<DescriptiveText>"] [-Enabled <$true | $false>]
This example disables the phishing simulation override policy.
Set-PhishSimOverridePolicy -Identity PhishSimOverridePolicy -Enabled $false
For detailed syntax and parameter information, see Set-PhishSimOverridePolicy.
In Exchange Online PowerShell, use the following syntax:
Get-ExoPhishSimOverrideRule | Set-ExoPhishSimOverrideRule [-Comment "<DescriptiveText>"] [-AddSenderDomainIs <DomainEntry1>,<DomainEntry2>,...<DomainEntryN>] [-RemoveSenderDomainIs <DomainEntry1>,<DomainEntry2>,...<DomainEntryN>] [-AddSenderIpRanges <IPAddressEntry1>,<IPAddressEntry2>,...<IPAddressEntryN>] [-RemoveSenderIpRanges <IPAddressEntry1>,<IPAddressEntry2>,...<IPAddressEntryN>]
or
Set-ExoPhishSimOverrideRule -Identity <PhishSimOverrideRuleIdentity> [-Comment "<DescriptiveText>"] [-AddSenderDomainIs <DomainEntry1>,<DomainEntry2>,...<DomainEntryN>] [-RemoveSenderDomainIs <DomainEntry1>,<DomainEntry2>,...<DomainEntryN>] [-AddSenderIpRanges <IPAddressEntry1>,<IPAddressEntry2>,...<IPAddressEntryN>] [-RemoveSenderIpRanges <IPAddressEntry1>,<IPAddressEntry2>,...<IPAddressEntryN>]
Use the Get-ExoPhishSimOverrideRule cmdlet to find the <PhishSimOverrideRuleIdentity> values. The name of the rule uses the following syntax: _Exe:PhishSimOverr:<GUID\> [sic] where <GUID> is a unique GUID value (for example, 6fed4b63-3563-495d-a481-b24a311f8329).
This example modifies the (presumably only) phishing simulation override rule with the following settings:
Adds the domain blueyonderairlines.com.
Removes the IP address 192.168.1.55.
These changes don't affect other existing entries in the rule.
Get-ExoPhishSimOverrideRule | Set-ExoPhishSimOverrideRule -AddSenderDomainIs blueyonderairlines.com -RemoveSenderIpRanges 192.168.1.55
For detailed syntax and parameter information, see Set-ExoPhishSimOverrideRule.
You can't modify the URL values directly. You can remove existing URL entries and add new URL entries as described in this article.
In Exchange Online PowerShell, to modify other properties of an allowed phishing simulation URL entry (for example, the expiration date or comments), use the following syntax:
Set-TenantAllowBlockListItems <-Entries "<URL1>","<URL2>",..."<URLN>" | -Ids <Identity> -ListType URL -ListSubType AdvancedDelivery <[-NoExpiration] | [-ExpirationDate <DateTime>]> [-Notes <String>]
You identify the entry to modify by its URL values (the Entries parameter) or the Identity value from the output of the Get-TenantAllowBlockListItems cmdlet (the Ids parameter).
This example modifies the expiration date of the specified entry.
Set-TenantAllowBlockListItems -ListType Url -ListSubType AdvancedDelivery -Entries "*.fabrikam.com" -ExpirationDate 9/11/2021
For detailed syntax and parameter information, see Set-TenantAllowBlockListItems.
In Exchange Online PowerShell, this example removes the phishing simulation override policy and the corresponding rule.
Remove-PhishSimOverridePolicy -Identity PhishSimOverridePolicy
For detailed syntax and parameter information, see Remove-PhishSimOverridePolicy.
In Exchange Online PowerShell, use the following commands:
Remove any phishing simulation override rules:
Get-ExoPhishSimOverrideRule | Remove-ExoPhishSimOverrideRule
Remove the specified phishing simulation override rule:
Remove-ExoPhishSimOverrideRule -Identity "_Exe:PhishSimOverr:6fed4b63-3563-495d-a481-b24a311f8329"
For detailed syntax and parameter information, see Remove-ExoPhishSimOverrideRule.
In Exchange Online PowerShell, use the following syntax:
Remove-TenantAllowBlockListItems <-Entries "<URL1>","<URL2>",..."<URLN>" | -Ids <Identity> -ListType URL -ListSubType AdvancedDelivery
You identify the entry to remove by its URL values (the Entries parameter) or the Identity value from the output of the Get-TenantAllowBlockListItems cmdlet (the Ids parameter).
This example removes the specified entry.
Remove-TenantAllowBlockListItems -ListType Url -ListSubType AdvancedDelivery -Entries "*.fabrikam.com"
For detailed syntax and parameter information, see Remove-TenantAllowBlockListItems.