Rediģēt

Kopīgot, izmantojot


Configure the advanced delivery policy for third-party phishing simulations and email delivery to SecOps mailboxes

Tip

Did you know you can try the features in Microsoft Defender XDR for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms on Try Microsoft Defender for Office 365.

To keep your organization secure by default, Exchange Online Protection (EOP) doesn't allow safe lists or filtering bypass for messages that are identified as malware or high confidence phishing. But, there are specific scenarios that require the delivery of unfiltered messages. For example:

  • Third-party phishing simulations: Simulated attacks can help you identify and train vulnerable users before a real attack impacts your organization.
  • Security operations (SecOps) mailboxes: Dedicated mailboxes that are used by security teams to collect and analyze unfiltered messages (both good and bad).

Use the advanced delivery policy in EOP to prevent inbound messages in these specific scenarios from being filtered¹. The advanced delivery policy ensures that messages in these scenarios achieve the following results:

Messages that are identified by the advanced delivery policy aren't security threats, so the messages are marked with system overrides. Admin experiences show these messages as Phishing simulation or SecOps mailbox system overrides. Admins can use these values to filter and analyze messages in the following experiences:

  • Threat Explorer (Explorer) or Real-time detections in Defender for Office 365: Admins can filter on System override source and select Phishing simulation or SecOps Mailbox.
  • The Email entity page: Admins can view a message that was allowed by organization policy by SecOps mailbox or Phishing simulation under Tenant override in the Override(s) section.
  • The Threat protection status report: Admin can filter by view data by System override in the drop down menu and select to see messages allowed due to a phishing simulation system override. To see messages allowed by the SecOps mailbox override, you can select chart breakdown by delivery location in the chart breakdown by reason dropdown list.
  • Advanced hunting in Microsoft Defender for Endpoint: Phishing simulation and SecOps mailbox system overrides are options within OrgLevelPolicy in EmailEvents.
  • Campaign Views: Admin can filter on System override source and select either Phishing simulation or SecOps Mailbox.

What do you need to know before you begin?

  • You open the Microsoft Defender portal at https://security.microsoft.com. To go directly to the Advanced delivery page, use https://security.microsoft.com/advanceddelivery.

  • To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell.

  • You need to be assigned permissions before you can do the procedures in this article. You have the following options:

    • Microsoft Defender XDR Unified role based access control (RBAC) (If Email & collaboration > Defender for Office 365 permissions is Active. Affects the Defender portal only, not PowerShell): Authorization and settings/Security settings/Core Security settings (manage) or Authorization and settings/Security settings/Core Security settings (read).

    • Email & collaboration permissions in the Microsoft Defender portal and Exchange Online permissions:

      • Create, modify, or remove configured settings in the advanced delivery policy: Membership in the Security Administrator role groups in Email & collaboration RBAC and membership in the Organization Management role group in Exchange Online RBAC.
      • Read-only access to the advanced delivery policy: Membership in the Global Reader or Security Reader role groups in Email & collaboration RBAC.
        • View-Only Organization Management in Exchange Online RBAC.
    • Microsoft Entra permissions: Membership in the Global Administrator*, Security Administrator, Global Reader, or Security Reader roles gives users the required permissions and permissions for other features in Microsoft 365.

      Important

      * Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.

Use the Microsoft Defender portal to configure SecOps mailboxes in the advanced delivery policy

  1. In the Microsoft Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Advanced delivery in the Rules section. Or, to go directly to the Advanced delivery page, use https://security.microsoft.com/advanceddelivery.

    On the Advanced delivery page, verify that the SecOps mailbox tab is selected.

  2. On the SecOps mailbox tab, select the Add button in the No SecOps mailboxes configured area of the page.

    If there are already existing entries on the SecOps mailbox tab, select Edit (the Add button isn't available).

  3. In the Add SecOps mailboxes flyout that opens, enter an existing Exchange Online mailbox that you want to designate as SecOps mailbox by doing either of the following steps:

    • Click in the box, let the list of mailboxes resolve, and then select the mailbox.

    • Click in the box start typing an identifier for the mailbox (name, display name, alias, email address, account name, etc.), and select the mailbox (display name) from the results.

      Repeat this step as many times as necessary. Distribution groups aren't allowed.

      To remove an existing value, select remove next to the value.

  4. When you're finished in the Add SecOps mailboxes flyout, select Add..

  5. Review the information in the Changes to SecOps mailbox override saved flyout, and then select Close.

Back on the SecOps mailbox tab, the SecOps mailbox entries that you configured are now listed:

  • The Display name column contains display name of the mailboxes.
  • The Email column contains the email address for each entry.
  • To change the list of entries from normal to compact spacing, select Change list spacing to compact or normal, and then select Compact list.

Use the Microsoft Defender portal to modify or remove SecOps mailboxes in the advanced delivery policy

  1. In the Microsoft Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Advanced delivery in the Rules section. Or, to go directly to the Advanced delivery page, use https://security.microsoft.com/advanceddelivery.

    On the Advanced delivery page, verify that the SecOps mailbox tab is selected.

  2. On the SecOps mailbox tab, select Edit.

  3. In Edit SecOps mailboxes flyout that opens, add or remove mailboxes as described in Step 3 in the Use the Microsoft Defender portal to configure SecOps mailboxes in the advanced delivery policy section.

    To remove all mailboxes, select remove next to each value until there are no more mailboxes selected.

  4. When you're finished in the Edit SecOps mailboxes flyout, select Save.

  5. Review the information in the Changes to SecOps mailbox override saved flyout, and then select Close.

Back on the SecOps mailbox tab, the SecOps mailbox entries that you configured are displayed. If you removed all entries, the list is empty.

Use the Microsoft Defender portal to configure third-party phishing simulations in the advanced delivery policy

To configure a third-party phishing simulation, you need to provide the following information:

  • At least one Domain: The domain from the MAIL FROM address (also known as the 5321.MailFrom address, P1 sender, or envelope sender) that's used in the SMTP transmission of the message or a DKIM domain as specified by the phishing simulation vendor.
  • At least one Sending IP.
  • For non-email phishing simulations (for example, Microsoft Teams messages, Word documents, or Excel spreadsheets), you can optionally identify the Simulation URLs to allow that shouldn't be treated as real threats at time of click: the URLs aren't blocked or detonated, and no URL click alerts or resulting incidents are generated. The URLs are wrapped at time of click, but they aren't blocked.

There must be a match on at least one Domain and one Sending IP, but no association between values is maintained.

If your MX record doesn't point to Microsoft 365, the IP address in the Authentication-results header must match the IP address in the advanced delivery policy. If the IP addresses don't match, you might need to configure Enhanced Filtering for Connectors so the correct IP address is detected.

Note

Enhanced Filtering for Connectors doesn't work for third-party phishing simulations in email routing scenarios that involve mail coming to Exchange online twice (for example, internet email routed to Microsoft 365, then to an on-premises environment or third-party security service, and then back to Microsoft 365). EOP can't identify the true IP address of the message source. Don't try to work around this limitation by adding the IP addresses of the on-premises or third-party sending infrastructure to the third-party phishing simulation. Doing so effectively bypasses spam filtering for any internet sender who impersonates the domain that's specified in the third-party phishing simulation. Routing scenarios where the MX record points to a third party service and then mail is routed to Exchange Online are supported if Enhanced Filtering for Connectors is configured.

Currently, the advanced delivery policy for third-party phishing simulations doesn't support simulations within the same organization (DIR:INT), especially when email is routed through an Exchange Server gateway before Microsoft 365 in Hybrid mail flow. To work around this issue, you have the following options:

  • Create a dedicated send connector that doesn't authenticate the phishing simulation messages as internal.
  • Configure the phishing simulation to bypass the Exchange Server infrastructure and route mail directly to your Microsoft 365 MX record (for example, contoso-com.mail.protection.outlook.com).
  • Although you can set intra-organization message scanning to None in anti-spam policies we don't recommend this option because it affects other email messages.

If you're using the Built-in protection preset security policy or your custom Safe Links policies have the setting Do not rewrite URLs, do checks via SafeLinks API only enabled, time of click protection doesn't treat phishing simulation links in email as threats in Outlook on the web, Outlook for iOS and Android, Outlook for Windows v16.0.15317.10000 or later, and Outlook for Mac v16.74 (23061100) or later. If you're using older versions of Outlook, consider disabling the Do not rewrite URLs, do checks via SafeLinks API only setting in custom Safe Links policies.

Adding phishing simulation URLs to the Do not rewrite the following URLs in email section in Safe Links policies might result in unwanted alerts for URL clicks. Phishing simulation URLs in email messages are automatically allowed both during mail flow and at time of click.

Currently, the advanced delivery policy for SecOps mailboxes doesn't support intra-organizational messages (DIR:INT), and these messages will be quarantined. As a workaround, you can use an separate anti-spam policy for SecOps mailboxes that doesn't quarantine intra-organizational messages. We don't recommend disabling intra-org protection for all mailboxes.

  1. In the Microsoft Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Advanced delivery in the Rules section. Or, to go directly to the Advanced delivery page, use https://security.microsoft.com/advanceddelivery.

    On the Advanced delivery page, select the Phishing simulation tab.

  2. On the Phishing simulation tab, select the Add button in the No third party phishing simulations configured area of the page.

    If there are already existing entries on the Phishing simulation tab, select Edit (the Add button isn't available).

  3. In the Add third party phishing simulations flyout that opens, configure the following settings:

    • Domain: Expand this setting and enter at least one email address domain by clicking in the box, entering a value (for example, contoso.com), and then pressing the ENTER key or selecting the value that's displayed below the box. Repeat this step as many times as necessary. You can add up to 50 entries. Use one of the following values:

      • The domain in the 5321.MailFrom address (also known as the MAIL FROM address, P1 sender, or envelope sender) that's used in the SMTP transmission of the message.
      • The DKIM domain as specified by the phishing simulation vendor.
    • Sending IP: Expand this setting and enter at least one valid IPv4 address by clicking in the box, entering a value, and then pressing the ENTER key or selecting the value that's displayed below the box. Repeat this step as many times as necessary. You can add up to 10 entries. Valid values are:

      • Single IP: For example, 192.168.1.1.
      • IP range: For example, 192.168.0.1-192.168.0.254.
      • CIDR IP: For example, 192.168.0.1/25.
    • Simulation URLs to allow: This setting isn't required for links in email phishing simulations. Use this setting to optionally identify links in non-email phishing simulations (links in Teams messages or in Office documents) that shouldn't be treated as real threats at time of click.

      Add URL entries by expanding this setting, clicking in the box, entering a value, and then pressing the ENTER key or selecting the value that's displayed below the box. You can add up to 30 entries. For the URL syntax, see URL syntax for the Tenant Allow/Block List.

    To remove an existing domain, IP, or URL value, select remove next to the value.

    Consider the following example:

    Authentication-Results: spf=pass (sender IP is 172.17.17.7)
    smtp.mailfrom=contoso.com; dkim=pass (signature was verified)
    header.d=contoso-simulation.com; dmarc=pass action=none header.from=contoso-simulation.com;
    
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=contoso-simulation.com;
    s=selector1;
    h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
    bh=UErATeHehIIPIXPeUAfZWiKo0w2cSsOhb9XM9ulqTX0=;
    
    • The connecting IP address is 172.17.17.7.
    • The domain in the MAIL FROM address (smtp.mailfrom) is contoso.com.
    • The DKIM domain (header.d) is contoso-simulation.com.

    From the example, you can use one of the following combinations to configure a third-party phishing simulation:

    Domain: contoso.com
    Sending IP: 172.17.17.7

    Domain: contoso-simulation.com
    Sending IP: 172.17.17.7

  4. When you're finished in the Add third party phishing simulations flyout, select Add.

  5. Review the information in the Changes to phishing simulation override saved flyout, and then select Close.

Back on the Phishing simulation tab, the third-party phishing simulation entries that you configured are now listed:

  • The Value column contains the domain, IP address or URL entry.
  • The Type column contains the value Sending IP, Domain, or Allowed simulation URL for each entry.
  • The Date column shows when the entry was created.
  • To change the list of entries from normal to compact spacing, select Change list spacing to compact or normal, and then select Compact list.

Use the Microsoft Defender portal to modify or remove third-party phishing simulations in the advanced delivery policy

  1. In the Microsoft Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Advanced delivery in the Rules section. Or, to go directly to the Advanced delivery page, use https://security.microsoft.com/advanceddelivery.

    On the Advanced delivery page, select the Phishing simulation tab.

  2. On the Phishing simulation tab, select Edit.

  3. In the Edit third-party phishing simulation flyout that opens, add or remove entries for Domain, Sending IP, and Simulation URLs as described in Step 3 in the Use the Microsoft Defender portal to configure SecOps mailboxes in the advanced delivery policy section.

    To remove all entries, select remove next to each value until there are no more domains, IPs, or URLs selected.

  4. When you're finished in the Edit third-party phishing simulation flyout, select Save.

  5. Review the information in the Changes to phishing simulation override saved flyout, and then select Close.

Back on the Phishing simulation tab, the third-party phishing simulation entries that you configured are displayed. If you removed all entries, the list is empty.

Additional scenarios that require filtering bypass

In addition to the two scenarios that the advanced delivery policy can help you with, there are other scenarios where you might need to bypass filtering for messages:

  • Third-party filters: If your domain's MX record doesn't point to Office 365 (messages are routed somewhere else first), secure by default isn't available. If you'd like to add protection, you need to enable Enhanced Filtering for Connectors (also known as skip listing). For more information, see Manage mail flow using a third-party cloud service with Exchange Online. If you don't want Enhanced Filtering for Connectors, use mail flow rules (also known as transport rules) to bypass Microsoft filtering for messages that have already been evaluated by third-party filtering. For more information, see Use mail flow rules to set the SCL in messages.

  • False positives under review: You might want to temporarily allow good messages that are incorrectly identified as bad (false positives) that you reported via admin submissions, but the messages are still being analyzed by Microsoft. As with all overrides, we highly recommended that these allowances are temporary.

PowerShell procedures for SecOps mailboxes in the advanced delivery policy

In PowerShell, the basic elements of SecOps mailboxes in the advanced delivery policy are:

  • The SecOps override policy: Controlled by the *-SecOpsOverridePolicy cmdlets.
  • The SecOps override rule: Controlled by the *-ExoSecOpsOverrideRule cmdlets.

This behavior has the following results:

  • You create the policy first, then you create the rule that identifies the policy that the rule applies to.
  • When you remove a policy from PowerShell, the corresponding rule is also removed.
  • When you remove a rule from PowerShell, the corresponding policy isn't removed. You need to remove the corresponding policy manually.

Use PowerShell to configure SecOps mailboxes

Configuring a SecOps mailbox in the advanced delivery policy in PowerShell is a two-step process:

  1. Create the SecOps override policy.
  2. Create the SecOps override rule that specifies the policy that the rule applies to.

Step 1: Use PowerShell to create the SecOps override policy

In Exchange Online PowerShell, use the following syntax:

New-SecOpsOverridePolicy -Name SecOpsOverridePolicy -SentTo <EmailAddress1>,<EmailAddress2>,...<EmailAddressN>

Regardless of the Name value you specify, the policy name is SecOpsOverridePolicy, so you might as well use that value.

This example creates the SecOps mailbox policy.

New-SecOpsOverridePolicy -Name SecOpsOverridePolicy -SentTo secops@contoso.com

For detailed syntax and parameter information, see New-SecOpsOverridePolicy.

Step 2: Use PowerShell to create the SecOps override rule

In Exchange Online PowerShell, run the following command:

New-ExoSecOpsOverrideRule -Name SecOpsOverrideRule -Policy SecOpsOverridePolicy

Regardless of the Name value you specify, the rule name will be _Exe:SecOpsOverrid:<GUID\> [sic] where <GUID> is a unique GUID value (for example, 312c23cf-0377-4162-b93d-6548a9977efb9).

For detailed syntax and parameter information, see New-ExoSecOpsOverrideRule.

Use PowerShell to view the SecOps override policy

In Exchange Online PowerShell, this example returns detailed information about the one and only SecOps mailbox policy.

Get-SecOpsOverridePolicy

For detailed syntax and parameter information, see Get-SecOpsOverridePolicy.

Use PowerShell to view SecOps override rules

In Exchange Online PowerShell, this example returns detailed information about SecOps override rules.

Get-ExoSecOpsOverrideRule

Although the previous command should return only one rule, a rule that's pending deletion might also be included in the results.

This example identifies the valid rule (one) and any invalid rules.

Get-ExoSecOpsOverrideRule | Format-Table Name,Mode

After you identify the invalid rules, you can remove them by using the Remove-ExoSecOpsOverrideRule cmdlet as described later in this article.

For detailed syntax and parameter information, see Get-ExoSecOpsOverrideRule.

Use PowerShell to modify the SecOps override policy

In Exchange Online PowerShell, use the following syntax:

Set-SecOpsOverridePolicy -Identity SecOpsOverridePolicy [-AddSentTo <EmailAddress1>,<EmailAddress2>,...<EmailAddressN>] [-RemoveSentTo <EmailAddress1>,<EmailAddress2>,...<EmailAddressN>]

This example adds secops2@contoso.com to the SecOps override policy.

Set-SecOpsOverridePolicy -Identity SecOpsOverridePolicy -AddSentTo secops2@contoso.com

Note

If an associated, valid SecOps override rule exists, the email addresses in the rule is also updated.

For detailed syntax and parameter information, see Set-SecOpsOverridePolicy.

Use PowerShell to modify a SecOps override rule

The Set-ExoSecOpsOverrideRule cmdlet doesn't modify the email addresses in the SecOps override rule. To modify the email addresses in the SecOps override rule, use the Set-SecOpsOverridePolicy cmdlet.

For detailed syntax and parameter information, see Set-ExoSecOpsOverrideRule.

Use PowerShell to remove the SecOps override policy

In Exchange Online PowerShell, this example removes the SecOps Mailbox policy and the corresponding rule.

Remove-SecOpsOverridePolicy -Identity SecOpsOverridePolicy

For detailed syntax and parameter information, see Remove-SecOpsOverridePolicy.

Use PowerShell to remove SecOps override rules

In Exchange Online PowerShell, use the following commands:

  • Remove any SecOps override rules:

    Get-ExoSecOpsOverrideRule | Remove-ExoSecOpsOverrideRule
    
  • Remove the specified SecOps override rule:

    Remove-ExoSecOpsOverrideRule -Identity "_Exe:SecOpsOverrid:312c23cf-0377-4162-b93d-6548a9977efb"
    

For detailed syntax and parameter information, see Remove-ExoSecOpsOverrideRule.

PowerShell procedures for third-party phishing simulations in the advanced delivery policy

In PowerShell, the basic elements of third-party phishing simulations in the advanced delivery policy are:

  • The phishing simulation override policy: Controlled by the *-PhishSimOverridePolicy cmdlets.
  • The phishing simulation override rule: Controlled by the *-ExoPhishSimOverrideRule cmdlets.
  • The allowed (unblocked) phishing simulation URLs: Controlled by the *-TenantAllowBlockListItems cmdlets.

Note

As previously described, identifying URLs isn't required for links in email-based phishing simulations. You can optionally identify links in non-email phishing simulations (links in Teams messages or in Office documents) that shouldn't be treated as real threats at time of click.

This behavior has the following results:

  • You create the policy first, then you create the rule that identifies the policy that the rule applies to.
  • You modify the settings in the policy and the rule separately.
  • When you remove a policy from PowerShell, the corresponding rule is also removed.
  • When you remove a rule from PowerShell, the corresponding policy isn't removed. You need to remove the corresponding policy manually.

Use PowerShell to configure third-party phishing simulations

Configuring a third-party phishing simulation in PowerShell is a multi-step process:

  1. Create the phishing simulation override policy.
  2. Create the phishing simulation override rule that specifies:
    • The policy that the rule applies to.
    • The source IP address of the phishing simulation messages.
  3. Optionally, identity the phishing simulation URLs in non-email phishing simulations (links in Teams messages or in Office documents) that shouldn't be treated as real threats at time of click.

Step 1: Use PowerShell to create the phishing simulation override policy

In Exchange Online PowerShell, this example creates the phishing simulation override policy.

New-PhishSimOverridePolicy -Name PhishSimOverridePolicy

Regardless of the Name value you specify, the policy name is PhishSimOverridePolicy, so you might as well use that value.

For detailed syntax and parameter information, see New-PhishSimOverridePolicy.

Step 2: Use PowerShell to create the phishing simulation override rule

In Exchange Online PowerShell, use the following syntax:

New-ExoPhishSimOverrideRule -Name <ArbitraryTextValue> -Policy PhishSimOverridePolicy -Domains <Domain1>,<Domain2>,...<Domain10> -SenderIpRanges <IPAddressEntry1>,<IPAddressEntry2>,...<IPAddressEntry10>

Regardless of the Name value you specify, the rule name will be _Exe:PhishSimOverr:<GUID\> [sic] where <GUID> is a unique GUID value (for example, 6fed4b63-3563-495d-a481-b24a311f8329).

A valid IP address entry is one of the following values:

  • Single IP: For example, 192.168.1.1.
  • IP range: For example, 192.168.0.1-192.168.0.254.
  • CIDR IP: For example, 192.168.0.1/25.

This example creates the phishing simulation override rule with the specified settings.

New-ExoPhishSimOverrideRule -Policy PhishSimOverridePolicy -Domains fabrikam.com,wingtiptoys.com -SenderIpRanges 192.168.1.55

For detailed syntax and parameter information, see New-ExoPhishSimOverrideRule.

Step 3: (Optional) Use PowerShell to identify the phishing simulation URLs to allow

In Exchange Online PowerShell, use the following syntax:

New-TenantAllowBlockListItems -Allow -ListType Url -ListSubType AdvancedDelivery -Entries "<URL1>","<URL2>",..."<URL10>" <[-NoExpiration] | [-ExpirationDate <DateTime>]>

For details about the URL syntax, see URL syntax for the Tenant Allow/Block List

This example adds a URL allow entry for the specified third-party phishing simulation URL with no expiration.

New-TenantAllowBlockListItems -Allow -ListType Url -ListSubType AdvancedDelivery -Entries *.fabrikam.com -NoExpiration

For detailed syntax and parameter information, see New-TenantAllowBlockListItems.

Use PowerShell to view the phishing simulation override policy

In Exchange Online PowerShell, this example returns detailed information about the one and only phishing simulation override policy.

Get-PhishSimOverridePolicy

For detailed syntax and parameter information, see Get-PhishSimOverridePolicy.

Use PowerShell to view phishing simulation override rules

In Exchange Online PowerShell), this example returns detailed information about phishing simulation override rules.

Get-ExoPhishSimOverrideRule

Although the previous command should return only one rule, any rules that are pending deletion might also be included in the results.

This example identifies the valid rule (one) and any invalid rules.

Get-ExoPhishSimOverrideRule | Format-Table Name,Mode

After you identify the invalid rules, you can remove them by using the Remove-ExoPhishSimOverrideRule cmdlet as described later in this article.

For detailed syntax and parameter information, see Get-ExoPhishSimOverrideRule.

Use PowerShell to view the allowed phishing simulation URL entries

In Exchange Online PowerShell, run the following command:

Get-TenantAllowBlockListItems -ListType Url -ListSubType AdvancedDelivery

For detailed syntax and parameter information, see Get-TenantAllowBlockListItems.

Use PowerShell to modify the phishing simulation override policy

In Exchange Online PowerShell, use the following syntax:

Set-PhishSimOverridePolicy -Identity PhishSimOverridePolicy [-Comment "<DescriptiveText>"] [-Enabled <$true | $false>]

This example disables the phishing simulation override policy.

Set-PhishSimOverridePolicy -Identity PhishSimOverridePolicy -Enabled $false

For detailed syntax and parameter information, see Set-PhishSimOverridePolicy.

Use PowerShell to modify phishing simulation override rules

In Exchange Online PowerShell, use the following syntax:

Get-ExoPhishSimOverrideRule| Set-ExoPhishSimOverrideRule [-Comment "<DescriptiveText>"] [-AddSenderDomainIs <DomainEntry1>,<DomainEntry2>,...<DomainEntryN>] [-RemoveSenderDomainIs <DomainEntry1>,<DomainEntry2>,...<DomainEntryN>] [-AddSenderIpRanges <IPAddressEntry1>,<IPAddressEntry2>,...<IPAddressEntryN>] [-RemoveSenderIpRanges <IPAddressEntry1>,<IPAddressEntry2>,...<IPAddressEntryN>]

or

Set-ExoPhishSimOverrideRule -Identity <PhishSimOverrideRuleIdentity> [-Comment "<DescriptiveText>"] [-AddSenderDomainIs <DomainEntry1>,<DomainEntry2>,...<DomainEntryN>] [-RemoveSenderDomainIs <DomainEntry1>,<DomainEntry2>,...<DomainEntryN>] [-AddSenderIpRanges <IPAddressEntry1>,<IPAddressEntry2>,...<IPAddressEntryN>] [-RemoveSenderIpRanges <IPAddressEntry1>,<IPAddressEntry2>,...<IPAddressEntryN>]

Use the Get-ExoPhishSimOverrideRule cmdlet to find the <PhishSimOverrideRuleIdentity> values. The name of the rule uses the following syntax: _Exe:PhishSimOverr:<GUID\> [sic] where <GUID> is a unique GUID value (for example, 6fed4b63-3563-495d-a481-b24a311f8329).

This example modifies the (presumably only) phishing simulation override rule with the following settings:

  • Add the domain entry blueyonderairlines.com.
  • Remove the IP address entry 192.168.1.55.

These changes don't affect existing entries in the rule.

Get-ExoPhishSimOverrideRule| Set-ExoPhishSimOverrideRule| Set-ExoPhishSimOverrideRule -AddSenderDomainIs blueyonderairlines.com -RemoveSenderIpRanges 192.168.1.55

For detailed syntax and parameter information, see Set-ExoPhishSimOverrideRule.

Use PowerShell to modify the allowed phishing simulation URL entries

You can't modify the URL values directly. You can remove existing URL entries and add new URL entries as described in this article.

In Exchange Online PowerShell, to modify other properties of an allowed phishing simulation URL entry (for example, the expiration date or comments), use the following syntax:

Set-TenantAllowBlockListItems <-Entries "<URL1>","<URL2>",..."<URLN>" | -Ids <Identity> -ListType URL -ListSubType AdvancedDelivery <[-NoExpiration] | [-ExpirationDate <DateTime>]> [-Notes <String>]

You identify the entry to modify by its URL values (the Entries parameter) or the Identity value from the output of the Get-TenantAllowBlockListItems cmdlet (the Ids parameter).

This example modified the expiration date of the specified entry.

Set-TenantAllowBlockListItems -ListType Url -ListSubType AdvancedDelivery -Entries "*.fabrikam.com" -ExpirationDate 9/11/2021

For detailed syntax and parameter information, see Set-TenantAllowBlockListItems.

Use PowerShell to remove a phishing simulation override policy

In Exchange Online PowerShell, this example removes the phishing simulation override policy and the corresponding rule.

Remove-PhishSimOverridePolicy -Identity PhishSimOverridePolicy

For detailed syntax and parameter information, see Remove-PhishSimOverridePolicy.

Use PowerShell to remove phishing simulation override rules

In Exchange Online PowerShell, use the following commands:

  • Remove any phishing simulation override rules:

    Get-ExoPhishSimOverrideRule | Remove-ExoPhishSimOverrideRule
    
  • Remove the specified phishing simulation override rule:

    Remove-ExoSPhishSimOverrideRule -Identity "_Exe:PhishSimOverr:6fed4b63-3563-495d-a481-b24a311f8329"
    

For detailed syntax and parameter information, see Remove-ExoPhishSimOverrideRule.

Use PowerShell to remove the allowed phishing simulation URL entries

In Exchange Online PowerShell, use the following syntax:

Remove-TenantAllowBlockListItems <-Entries "<URL1>","<URL2>",..."<URLN>" | -Ids <Identity> -ListType URL -ListSubType AdvancedDelivery

You identify the entry to modify by its URL values (the Entries parameter) or the Identity value from the output of the Get-TenantAllowBlockListItems cmdlet (the Ids parameter).

This example modified the expiration date of the specified entry.

Remove-TenantAllowBlockListItems -ListType Url -ListSubType AdvancedDelivery -Entries "*.fabrikam.com" -ExpirationDate 9/11/2021

For detailed syntax and parameter information, see Remove-TenantAllowBlockListItems.