Configure the advanced delivery policy for third-party phishing simulations and email delivery to SecOps mailboxes

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

• Exchange Online Protection
• Microsoft Defender for Office 365 plan 1 and plan 2
• Microsoft 365 Defender

To keep your organization secure by default, Exchange Online Protection (EOP) doesn't allow safe lists or filtering bypass for messages that are identified as malware or high confidence phishing. But, there are specific scenarios that require the delivery of unfiltered messages. For example:

• Third-party phishing simulations: Simulated attacks can help you identify vulnerable users before a real attack impacts your organization.
• Security operations (SecOps) mailboxes: Dedicated mailboxes that are used by security teams to collect and analyze unfiltered messages (both good and bad).

You use the advanced delivery policy in Microsoft 365 to prevent inbound messages in these specific scenarios from being filtered¹. The advanced delivery policy ensures that messages in these scenarios achieve the following results:

• Filters in EOP and Defender for Office 365 take no action on these messages.¹
• Zero-hour Purge (ZAP) for spam and phishing take no action on these messages².
• Default system alerts aren't triggered for these scenarios.
• AIR and clustering in Defender for Office 365 ignores these messages.
• Specifically for third-party phishing simulations:
  • Admin submissions generates an automatic response saying that the message is part of a phishing simulation campaign and isn't a real threat. Alerts and AIR aren't triggered. The admin submissions experience shows these messages as a simulated threat.
  • When a user reports a phishing simulation message using the built-in Report button in Outlook on the web or the Microsoft Report Message or Report Phishing add-ins, the system doesn't generate an alert, investigation, or incident. The links or files aren't detonated, but the message appears on the User reported tab of the Submissions page.
  • Safe Links in Defender for Office 365 doesn't block or detonate the specified URLs in these messages at time of click. URLs are still wrapped, but they aren't blocked.
  • Safe Attachments in Defender for Office 365 doesn't detonate attachments in these messages.

¹ You can't bypass malware filtering.

² You can bypass ZAP for malware by creating an anti-malware policy for the SecOps mailbox where ZAP for malware is turned off. For instructions, see Configure anti-malware policies in EOP.

Messages that are identified by the advanced delivery policy aren't security threats, so the messages are marked with system overrides. Admin experiences show these messages as Phishing simulation or SecOps mailbox system overrides. Admins can filter and analyze on these system overrides in the following experiences:

• Threat Explorer/Real-time detections in Defender for Office 365 plan 2: Admin can filter on System override source and select either Phishing simulation or SecOps Mailbox.
• The Email entity Page in Threat Explorer/Real-time detections: Admin can view a message that was allowed by organization policy by either SecOps mailbox or Phishing simulation under Tenant override in the Override(s) section.
• The Threat protection status report: Admin can filter by view data by System override in the drop down menu and select to see messages allowed due to a phishing simulation system override. To see messages allowed by the SecOps mailbox override, you can select chart breakdown by delivery location in the chart breakdown by reason dropdown list.
• Advanced hunting in Microsoft Defender for Endpoint: Phishing simulation and SecOps mailbox system overrides are options within OrgLevelPolicy in EmailEvents.
• Campaign Views: Admin can filter on System override source and select either Phishing simulation or SecOps Mailbox.

What do you need to know before you begin?

• You open the Microsoft 365 Defender portal at https://security.microsoft.com. To go directly to the Advanced delivery page, open https://security.microsoft.com/advanceddelivery.

• To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell.

• You need to be assigned permissions before you can do the procedures in this article. You have the following options:

  • Microsoft 365 Defender role based access control (RBAC): configuration/security (manage) or configuration/security (read). Currently, this option requires membership in the Microsoft 365 Defender Preview program.
  • Email & collaboration RBAC in the Microsoft 365 Defender portal and Exchange Online RBAC:
    • Create, modify, or remove configured settings in the advanced delivery policy: Membership in the Security Administrator role groups in Email & collaboration RBAC and membership in the Organization Management role group in Exchange Online RBAC.
    • Read-only access to the advanced delivery policy: Membership in the Global Reader or Security Reader role groups in Email & collaboration RBAC.
      • View-Only Organization Management in Exchange Online RBAC.
  • Azure AD RBAC: Membership in the Global Administrator, Security Administrator, Global Reader, or Security Reader roles gives users the required permissions and permissions for other features in Microsoft 365.

Use the Microsoft 365 Defender portal to configure SecOps mailboxes in the advanced delivery policy

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Advanced delivery in the Rules section. Or, to go directly to the Advanced delivery page, use https://security.microsoft.com/advanceddelivery.

   On the Advanced delivery page, verify that the SecOps mailbox tab is selected.

2. On the SecOps mailbox tab, select the Add button in the No SecOps mailboxes configured area of the page.

   If there are already existing entries on the SecOps mailbox tab, select Edit (the Add button isn't available).

3. In the Add SecOps mailboxes flyout that opens, enter an existing Exchange Online mailbox that you want to designate as SecOps mailbox by doing either of the following steps:

   • Click in the box, let the list of mailboxes resolve, and then select the mailbox.

   • Click in the box start typing an identifier for the mailbox (name, display name, alias, email address, account name, etc.), and select the mailbox (display name) from the results.

     Repeat this step as many times as necessary. Distribution groups aren't allowed.

     To remove an existing value, select remove next to the value.

4. When you're finished in the Add SecOps mailboxes flyout, select Add..

5. Review the information in the Changes to SecOps mailbox override saved flyout, and then select Close.

Back on the SecOps mailbox tab, the SecOps mailbox entries that you configured are now listed:

• The Display name column contains display name of the mailboxes.
• The Email column contains the email address for each entry.
• To change the list of entries from normal to compact spacing, select Change list spacing to compact or normal, and then select Compact list.

Use the Microsoft 365 Defender portal to modify or remove SecOps mailboxes in the advanced delivery policy

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Advanced delivery in the Rules section. Or, to go directly to the Advanced delivery page, use https://security.microsoft.com/advanceddelivery.

   On the Advanced delivery page, verify that the SecOps mailbox tab is selected.

2. On the SecOps mailbox tab, select Edit.

3. In Edit SecOps mailboxes flyout that opens, add or remove mailboxes as described in Step 3 in the Use the Microsoft 365 Defender portal to configure SecOps mailboxes in the advanced delivery policy section.

   To remove all mailboxes, select remove next to each value until there are no more mailboxes selected.

4. When you're finished in the Edit SecOps mailboxes flyout, select Save.

5. Review the information in the Changes to SecOps mailbox override saved flyout, and then select Close.

Back on the SecOps mailbox tab, the SecOps mailbox entries that you configured are displayed. If you removed all entries, the list is empty.

Use the Microsoft 365 Defender portal to configure third-party phishing simulations in the advanced delivery policy

Note

To configure a third-party phishing simulation, you need to provide the following information:

• At least one Domain.
• At least one Sending IP.
• For non-email phishing simulations (for example, Microsoft Teams messages, Word documents, or Excel spreadsheets), you can optionally identify the Simulation URLs to allow that shouldn't be treated as real threats at time of click: the URLs aren't blocked or detonated, and no URL click alerts or resulting incidents are generated. The URLs are wrapped at time of click, but they aren't blocked.

There must be a match on at least one Domain and one Sending IP, but no association between values is maintained.

If your MX record doesn't point to Microsoft 365, the IP address in the Authentication-results header must match the IP address in the advanced delivery policy. If the IP addresses don't match, you might need to configure Enhanced Filtering for Connectors so the correct IP address is detected.

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Advanced delivery in the Rules section. Or, to go directly to the Advanced delivery page, use https://security.microsoft.com/advanceddelivery.

   On the Advanced delivery page, select the Phishing simulation tab.

2. On the Phishing simulation tab, select the Add button in the No third party phishing simulations configured area of the page.

   If there are already existing entries on the Phishing simulation tab, select Edit (the Add button isn't available).

3. In the Add third party phishing simulations flyout that opens, configure the following settings:

   • Domain: Expand this setting and enter at least one email address domain by clicking in the box, entering a value (for example, contoso.com), and then pressing the ENTER key or selecting the value that's displayed below the box. Repeat this step as many times as necessary. You can add up to 20 entries.

     Note

     Use the domain in the 5321.MailFrom address (also known as the MAIL FROM address, P1 sender, or envelope sender) that's used in the SMTP transmission of the message or a DKIM domain as specified by the phishing simulation vendor.

   • Sending IP: Expand this setting and enter at least one valid IPv4 address by clicking in the box, entering a value, and then pressing the ENTER key or selecting the value that's displayed below the box. Repeat this step as many times as necessary. You can add up to 10 entries. Valid values are:

     • Single IP: For example, 192.168.1.1.
     • IP range: For example, 192.168.0.1-192.168.0.254.
     • CIDR IP: For example, 192.168.0.1/25.

   • Simulation URLs to allow: This setting isn't required for links in email phishing simulations. Use this setting to optionally identify links in non-email phishing simulations (links in Teams messages or in Office documents) that shouldn't be treated as real threats at time of click.

     Add URL entries by expanding this setting, clicking in the box, entering a value, and then pressing the ENTER key or selecting the value that's displayed below the box. You can add up to 30 entries. For the URL syntax, see URL syntax for the Tenant Allow/Block List.

   To remove an existing domain, IP, or URL value, select remove next to the value.

4. When you're finished in the Add third party phishing simulations flyout, select Add.

5. Review the information in the Changes to phishing simulation override saved flyout, and then select Close.

Back on the Phishing simulation tab, the third-party phishing simulation entries that you configured are now listed:

• The Value column contains the domain, IP address or URL entry.
• The Type column contains the value Sending IP, Domain, or Allowed simulation URL for each entry.
• The Date column shows when the entry was created.
• To change the list of entries from normal to compact spacing, select Change list spacing to compact or normal, and then select Compact list.

Use the Microsoft 365 Defender portal to modify or remove third-party phishing simulations in the advanced delivery policy

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Advanced delivery in the Rules section. Or, to go directly to the Advanced delivery page, use https://security.microsoft.com/advanceddelivery.

   On the Advanced delivery page, select the Phishing simulation tab.

2. On the Phishing simulation tab, select Edit.

3. In the Edit third-party phishing simulation flyout that opens, add or remove entries for Domain, Sending IP, and Simulation URLs as described in Step 3 in the Use the Microsoft 365 Defender portal to configure SecOps mailboxes in the advanced delivery policy section.

   To remove all entries, select remove next to each value until there are no more domains, IPs, or URLs selected.

4. When you're finished in the Edit third-party phishing simulation flyout, select Save.

5. Review the information in the Changes to phishing simulation override saved flyout, and then select Close.

Back on the Phishing simulation tab, the third-party phishing simulation entries that you configured are displayed. If you removed all entries, the list is empty.

Additional scenarios that require filtering bypass

In addition to the two scenarios that the advanced delivery policy can help you with, there are other scenarios where you might need to bypass filtering for messages:

• Third-party filters: If your domain's MX record doesn't point to Office 365 (messages are routed somewhere else first), secure by default isn't available. If you'd like to add protection, you need to enable Enhanced Filtering for Connectors (also known as skip listing). For more information, see Manage mail flow using a third-party cloud service with Exchange Online. If you don't want Enhanced Filtering for Connectors, use mail flow rules (also known as transport rules) to bypass Microsoft filtering for messages that have already been evaluated by third-party filtering. For more information, see Use mail flow rules to set the SCL in messages.

• False positives under review: You might want to temporarily allow good messages that are incorrectly identified as bad (false positives) that you reported via admin submissions, but the messages are still being analyzed by Microsoft. As with all overrides, we highly recommended that these allowances are temporary.

PowerShell procedures for SecOps mailboxes in the advanced delivery policy

In PowerShell, the basic elements of SecOps mailboxes in the advanced delivery policy are:

• The SecOps override policy: Controlled by the *-SecOpsOverridePolicy cmdlets.
• The SecOps override rule: Controlled by the *-SecOpsOverrideRule cmdlets.

This behavior has the following results:

• You create the policy first, then you create the rule that identifies the policy that the rule applies to.
• When you remove a policy from PowerShell, the corresponding rule is also removed.
• When you remove a rule from PowerShell, the corresponding policy isn't removed. You need to remove the corresponding policy manually.

Use PowerShell to configure SecOps mailboxes

Configuring a SecOps mailbox in the advanced delivery policy in PowerShell is a two-step process:

1. Create the SecOps override policy.
2. Create the SecOps override rule that specifies the policy that the rule applies to.

Step 1: Use PowerShell to create the SecOps override policy

In Exchange Online PowerShell, use the following syntax:

New-SecOpsOverridePolicy -Name SecOpsOverridePolicy -SentTo <EmailAddress1>,<EmailAddress2>,...<EmailAddressN>

Regardless of the Name value you specify, the policy name is SecOpsOverridePolicy, so you might as well use that value.

This example creates the SecOps mailbox policy.

New-SecOpsOverridePolicy -Name SecOpsOverridePolicy -SentTo secops@contoso.com

For detailed syntax and parameter information, see New-SecOpsOverridePolicy.

Step 2: Use PowerShell to create the SecOps override rule

In Exchange Online PowerShell, run the following command:

New-SecOpsOverrideRule -Name SecOpsOverrideRule -Policy SecOpsOverridePolicy

Regardless of the Name value you specify, the rule name is SecOpsOverrideRule<GUID> where <GUID> is a unique GUID value (for example, 6fed4b63-3563-495d-a481-b24a311f8329).

For detailed syntax and parameter information, see New-SecOpsOverrideRule.

Use PowerShell to view the SecOps override policy

In Exchange Online PowerShell, this example returns detailed information about the one and only SecOps mailbox policy.

Get-SecOpsOverridePolicy

For detailed syntax and parameter information, see Get-SecOpsOverridePolicy.

Use PowerShell to view SecOps override rules

In Exchange Online PowerShell, this example returns detailed information about SecOps override rules.

Get-SecOpsOverrideRule

Although the previous command should return only one rule, any rules that are pending deletion might also be included in the results.

This example identifies the valid rule (one) and any invalid rules.

Get-SecOpsOverrideRule | Format-Table Name,Mode

After you identify the invalid rules, you can remove them by using the Remove-SecOpsOverrideRule cmdlet as described later in this article.

For detailed syntax and parameter information, see Get-SecOpsOverrideRule.

Use PowerShell to modify the SecOps override policy

In Exchange Online PowerShell, use the following syntax:

Set-SecOpsOverridePolicy -Identity SecOpsOverridePolicy [-AddSentTo <EmailAddress1>,<EmailAddress2>,...<EmailAddressN>] [-RemoveSentTo <EmailAddress1>,<EmailAddress2>,...<EmailAddressN>]

This example adds secops2@contoso.com to the SecOps override policy.

Set-SecOpsOverridePolicy -Identity SecOpsOverridePolicy -AddSentTo secops2@contoso.com

Note

If an associated, valid SecOps override rule exists, the email addresses in the rule is also updated.

For detailed syntax and parameter information, see Set-SecOpsOverridePolicy.

Use PowerShell to modify a SecOps override rule

The Set-SecOpsOverrideRule cmdlet doesn't modify the email addresses in the SecOps override rule. To modify the email addresses in the SecOps override rule, use the Set-SecOpsOverridePolicy cmdlet.

For detailed syntax and parameter information, see Set-SecOpsOverrideRule.

Use PowerShell to remove the SecOps override policy

In Exchange Online PowerShell, this example removes the SecOps Mailbox policy and the corresponding rule.

Remove-SecOpsOverridePolicy -Identity SecOpsOverridePolicy

For detailed syntax and parameter information, see Remove-SecOpsOverridePolicy.

Use PowerShell to remove SecOps override rules

In Exchange Online PowerShell, use the following syntax:

Remove-SecOpsOverrideRule -Identity <RuleIdentity>

This example removes the specified SecOps override rule.

Remove-SecOpsOverrideRule -Identity SecOpsOverrideRule6fed4b63-3563-495d-a481-b24a311f8329

For detailed syntax and parameter information, see Remove-SecOpsOverrideRule.

PowerShell procedures for third-party phishing simulations in the advanced delivery policy

In PowerShell, the basic elements of third-party phishing simulations in the advanced delivery policy are:

• The phishing simulation override policy: Controlled by the *-PhishSimOverridePolicy cmdlets.
• The phishing simulation override rule: Controlled by the *-PhishSimOverrideRule cmdlets.
• The allowed (unblocked) phishing simulation URLs: Controlled by the *-TenantAllowBlockListItems cmdlets.

Note

As previously described, identifying URLs isn't required for links in email-based phishing simulations. You can optionally identify links in non-email phishing simulations (links in Teams messages or in Office documents) that shouldn't be treated as real threats at time of click.

This behavior has the following results:

• You create the policy first, then you create the rule that identifies the policy that the rule applies to.
• You modify the settings in the policy and the rule separately.
• When you remove a policy from PowerShell, the corresponding rule is also removed.
• When you remove a rule from PowerShell, the corresponding policy isn't removed. You need to remove the corresponding policy manually.

Use PowerShell to configure third-party phishing simulations

Configuring a third-party phishing simulation in PowerShell is a multi-step process:

1. Create the phishing simulation override policy.
2. Create the phishing simulation override rule that specifies:
   • The policy that the rule applies to.
   • The source IP address of the phishing simulation messages.
3. Optionally, identity the phishing simulation URLs in non-email phishing simulations (links in Teams messages or in Office documents) that shouldn't be treated as real threats at time of click.

Step 1: Use PowerShell to create the phishing simulation override policy

In Security & Compliance PowerShell, this example creates the phishing simulation override policy.

New-PhishSimOverridePolicy -Name PhishSimOverridePolicy

Regardless of the Name value you specify, the policy name is PhishSimOverridePolicy, so you might as well use that value.

For detailed syntax and parameter information, see New-PhishSimOverridePolicy.

Step 2: Use PowerShell to create the phishing simulation override rule

In Security & Compliance PowerShell, use the following syntax:

New-PhishSimOverrideRule -Name PhishSimOverrideRule -Policy PhishSimOverridePolicy -Domains <Domain1>,<Domain2>,...<Domain10> -SenderIpRanges <IPAddressEntry1>,<IPAddressEntry2>,...<IPAddressEntry10>

Regardless of the Name value you specify, the rule name is PhishSimOverrideRule<GUID> where <GUID> is a unique GUID value (for example, a0eae53e-d755-4a42-9320-b9c6b55c5011).

A valid IP address entry is one of the following values:

• Single IP: For example, 192.168.1.1.
• IP range: For example, 192.168.0.1-192.168.0.254.
• CIDR IP: For example, 192.168.0.1/25.

This example creates the phishing simulation override rule with the specified settings.

New-PhishSimOverrideRule -Name PhishSimOverrideRule -Policy PhishSimOverridePolicy -Domains fabrikam.com,wingtiptoys.com -SenderIpRanges 192.168.1.55

For detailed syntax and parameter information, see New-PhishSimOverrideRule.

Step 3: (Optional) Use PowerShell to identify the phishing simulation URLs to allow

In Exchange Online PowerShell, use the following syntax:

New-TenantAllowBlockListItems -Allow -ListType Url -ListSubType AdvancedDelivery -Entries "<URL1>","<URL2>",..."<URL10>" <[-NoExpiration] | [-ExpirationDate <DateTime>]>

For details about the URL syntax, see URL syntax for the Tenant Allow/Block List

This example adds a URL allow entry for the specified third-party phishing simulation URL with no expiration.

New-TenantAllowBlockListItems -Allow -ListType Url -ListSubType AdvancedDelivery -Entries *.fabrikam.com -NoExpiration

For detailed syntax and parameter information, see New-TenantAllowBlockListItems.

Use PowerShell to view the phishing simulation override policy

In Security & Compliance PowerShell, this example returns detailed information about the one and only phishing simulation override policy.

Get-PhishSimOverridePolicy

For detailed syntax and parameter information, see Get-PhishSimOverridePolicy.

Use PowerShell to view phishing simulation override rules

In Security & Compliance PowerShell, this example returns detailed information about phishing simulation override rules.

Get-PhishSimOverrideRule

Although the previous command should return only one rule, any rules that are pending deletion might also be included in the results.

This example identifies the valid rule (one) and any invalid rules.

Get-PhishSimOverrideRule | Format-Table Name,Mode

After you identify the invalid rules, you can remove them by using the Remove-PhishSimOverrideRule cmdlet as described later in this article.

For detailed syntax and parameter information, see Get-PhishSimOverrideRule.

Use PowerShell to view the allowed phishing simulation URL entries

In Exchange Online PowerShell, run the following command:

Get-TenantAllowBlockListItems -ListType Url -ListSubType AdvancedDelivery

For detailed syntax and parameter information, see Get-TenantAllowBlockListItems.

Use PowerShell to modify the phishing simulation override policy

In Security & Compliance PowerShell, use the following syntax:

Set-PhishSimOverridePolicy -Identity PhishSimOverridePolicy [-Comment "<DescriptiveText>"] [-Enabled <$true | $false>]

This example disables the phishing simulation override policy.

Set-PhishSimOverridePolicy -Identity PhishSimOverridePolicy -Enabled $false

For detailed syntax and parameter information, see Set-PhishSimOverridePolicy.

Use PowerShell to modify phishing simulation override rules

In Security & Compliance PowerShell, use the following syntax:

Set-PhishSimOverrideRule -Identity PhishSimOverrideRulea0eae53e-d755-4a42-9320-b9c6b55c5011 [-Comment "<DescriptiveText>"] [-AddSenderDomainIs <DomainEntry1>,<DomainEntry2>,...<DomainEntryN>] [-RemoveSenderDomainIs <DomainEntry1>,<DomainEntry2>,...<DomainEntryN>] [-AddSenderIpRanges <IPAddressEntry1>,<IPAddressEntry2>,...<IPAddressEntryN>] [-RemoveSenderIpRanges <IPAddressEntry1>,<IPAddressEntry2>,...<IPAddressEntryN>]

This example modifies the specified phishing simulation override rule with the following settings:

• Add the domain entry blueyonderairlines.com.
• Remove the IP address entry 192.168.1.55.

These changes don't affect existing entries.

Set-PhishSimOverrideRule -Identity PhishSimOverrideRulea0eae53e-d755-4a42-9320-b9c6b55c5011 -AddSenderDomainIs blueyonderairlines.com -RemoveSenderIpRanges 192.168.1.55

For detailed syntax and parameter information, see Set-PhishSimOverrideRule.

Use PowerShell to modify the allowed phishing simulation URL entries

You can't modify the URL values directly. You can remove existing URL entries and add new URL entries as described in this article.

In Exchange Online PowerShell, to modify other properties of an allowed phishing simulation URL entry (for example, the expiration date or comments), use the following syntax:

Set-TenantAllowBlockListItems <-Entries "<URL1>","<URL2>",..."<URLN>" | -Ids <Identity>> -ListType URL -ListSubType AdvancedDelivery <[-NoExpiration] | [-ExpirationDate <DateTime>]> [-Notes <String>]

You identify the entry to modify by its URL values (the Entries parameter) or the Identity value from the output of the Get-TenantAllowBlockListItems cmdlet (the Ids parameter).

This example modified the expiration date of the specified entry.

Set-TenantAllowBlockListItems -ListType Url -ListSubType AdvancedDelivery -Entries "*.fabrikam.com" -ExpirationDate 9/11/2021

For detailed syntax and parameter information, see Set-TenantAllowBlockListItems.

Use PowerShell to remove a phishing simulation override policy

In Security & Compliance PowerShell, this example removes the phishing simulation override policy and the corresponding rule.

Remove-PhishSimOverridePolicy -Identity PhishSimOverridePolicy

For detailed syntax and parameter information, see Remove-PhishSimOverridePolicy.

Use PowerShell to remove phishing simulation override rules

In Security & Compliance PowerShell, use the following syntax:

Remove-PhishSimOverrideRule -Identity <RuleIdentity>

This example removes the specified phishing simulation override rule.

Remove-PhishSimOverrideRule -Identity PhishSimOverrideRulea0eae53e-d755-4a42-9320-b9c6b55c5011

For detailed syntax and parameter information, see Remove-PhishSimOverrideRule.

Use PowerShell to remove the allowed phishing simulation URL entries

In Exchange Online PowerShell, use the following syntax:

Remove-TenantAllowBlockListItems <-Entries "<URL1>","<URL2>",..."<URLN>" | -Ids <Identity>> -ListType URL -ListSubType AdvancedDelivery

You identify the entry to modify by its URL values (the Entries parameter) or the Identity value from the output of the Get-TenantAllowBlockListItems cmdlet (the Ids parameter).

This example modified the expiration date of the specified entry.

Remove-TenantAllowBlockListItems -ListType Url -ListSubType AdvancedDelivery -Entries "*.fabrikam.com" -ExpirationDate 9/11/2021

For detailed syntax and parameter information, see Remove-TenantAllowBlockListItems.