Safelisting in Office 365

Article 000005328

DESCRIPTION

Situation: Company uses Office 365 and Proofpoint Security Awareness Training. Phishing emails and notifications are not passing through their mail servers or are being quarantined.

Version: Proofpoint Security Awareness Training

Platform: Office 365

Summary: Depending on your mail flow:

• Safelist the mailer IP addresses
• Create a Transport Rule
• Set up a Connector
• Insert Headers for Microsoft ATP

QUESTION
How do I safelist Proofpoint Security Awareness Training within Office 365?

ANSWER
It depends on your mail flow.

When the mail leaves our platform, where does it first go? Your email administrator should
be able to answer this question if you are unsure. We can query your MX (Mail eXchange)
records to see the first ‘hop’. After that, we have no visibility into your environment, so your
email administrator will be key to getting things safelisted correctly.

If your mail flow looks like this, you can follow the steps in the safelisting best practices as
they are written, using the mailer IP addresses.

If your mail flow has multiple hops, you won’t be able to safelist at the mail transport layer
by IP address, but we provide some solutions down below.

Note: PPS is used as an example here. If your mail flow has multiple hops you will
need to use this approach.

We have two articles that explain this in more depth: Safelisting Considerations and
Safelisting Explained

Follow the steps below to Safelist in Office 365.

Create a Transport Rule


You should create a transport rule that sets the SCL (Spam Confidence Level) of the emails
sent from ThreatSim to -1. This bypasses spam protection.

1. Log in to the Office 365 Admin portal
2. Select the Admin Center icon and then select Exchange from the menu to access
the Exchange Admin Center (EAC)
3. Click mail flow and then rules, then click the + icon to Create a new rule
4. Enter a name for the new rule
5. Choose More options . . . This must be done to continue setting up the rule.
6. Select the appropriate option below - IP Address or Message Header

For IP Address

1. From the drop-down menu, *Apply this rule if …, select The sender…, then
select IP Address is in any of these ranges or exactly matches
2. Enter Proofpoint Security Awareness Training’s IP addresses into the dialog
box. Click the + icon to add multiple IPs.

Note: The IPs for your server can be found in our Safelisting Guide.

3. Click OK
4. From the drop-down menu, *Do the following …, select Modify the message
properties…, then select set the spam confidence level (SCL)
5. Select Bypass spam filtering and click OK. This sets the SCL to -1.
6. All other settings can be left with the default setting. Click Save at the lower right of
the rule.

For Message Header

You would follow the same steps as above, except instead of an IP you would do:

1. From the drop-down menu, *Apply this rule if …, select A message header
matches…
2. If you are using PPS – follow the steps in this guide to inject a header and use that
header information here: Safelisting in Proofpoint Protection Services
3. If you are using another secure mail gateway you could follow a similar approach if
you are able to inject a header.
4. If you cannot inject a header:

Option 1

• ThreatSim has 2 default headers that can be used (but this is not advised)

See ThreatSim - Searchable Message Header in Mail Server for more information.

Option 2

• Leverage the Received header:

US
from mailer1.threatsim.com (mailer1.threatsim.com [107.23.16.222])
from mailer2.threatsim.com (mailer2.threatsim.com [54.173.83.138])

EU
mailer1.eu.threatsim.com(mailer1.eu.threatsim.com [52.17.45.98])
mailer2.eu.threatsim.com(mailer2.eu.threatsim.com [52.16.190.81])

AP
mailer1.ap.threatsim.com (mailer1.ap.threatsim.com [13.55.65.8])
mailer2.ap.threatsim.com (mailer2.ap.threatsim.com [13.55.54.143])

Option 3

• Leverage the SPF header - You would want to create a rule that checks if
X-FEAS-SPF contains threatsim.com and the SPF signature is valid. This would
be the most secure of the three options.

This is an example of what those headers might look like:

X-FEAS-SPF: spf-result=pass, ip=54.173.83.138, helo=mailer1.threatsim.com, mailFrom=info@techsupport-corp.com
X-FEAS-DKIM: Valid

Tip: If you are using option #2 or #3 the best thing to do is to take an email you
received (either in your inbox or Exchange Quarantine) and copy and paste the
headers & values from there. The syntax might be slightly different in each
environment. The header and values are case sensitive and must be exact. For these
reasons copy and paste is encouraged.
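
As an added illustration of Option 3 (not part of the original article and not Proofpoint code), this Python check accepts an X-FEAS-SPF value only when the SPF result is pass, the IP is one of the mailer IPs listed above, and the HELO name is under threatsim.com. It assumes the comma-separated key=value layout of the sample header above; the function names are hypothetical.

```python
import ipaddress

# Mailer IPs listed on this page under "Leverage the Received header".
MAILER_IPS = {
    "107.23.16.222", "54.173.83.138",   # US
    "52.17.45.98", "52.16.190.81",      # EU
    "13.55.65.8", "13.55.54.143",       # AP
}
MAILER_DOMAIN = "threatsim.com"


def parse_feas_spf(value):
    """Split 'k=v, k=v' (the layout of the page's sample header) into a dict."""
    fields = {}
    for part in value.split(","):
        key, sep, val = part.strip().partition("=")
        if sep:
            fields[key.strip().lower()] = val.strip()
    return fields


def is_simulation_mail(feas_spf_value):
    """Return (ok, reason). All three checks must hold, not just a substring hit."""
    f = parse_feas_spf(feas_spf_value)
    if f.get("spf-result", "").lower() != "pass":
        return False, "spf-result is not pass"
    try:
        ip = str(ipaddress.ip_address(f.get("ip", "")))
    except ValueError:
        return False, "ip field missing or malformed"
    if ip not in MAILER_IPS:
        return False, "ip is not a listed mailer"
    helo = f.get("helo", "").lower().rstrip(".")
    # Compare on a label boundary so only the domain itself or a subdomain matches.
    if helo != MAILER_DOMAIN and not helo.endswith("." + MAILER_DOMAIN):
        return False, "helo is outside " + MAILER_DOMAIN
    return True, "ok"


# Constructed sample values; the first is the example header shown on this page.
SAMPLES = [
    "spf-result=pass, ip=54.173.83.138, helo=mailer1.threatsim.com, mailFrom=info@techsupport-corp.com",
    "spf-result=fail, ip=54.173.83.138, helo=mailer1.threatsim.com, mailFrom=info@techsupport-corp.com",
    "spf-result=pass, ip=192.0.2.10, helo=mailer1.threatsim.com, mailFrom=info@techsupport-corp.com",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(is_simulation_mail(s), "<-", s)
```

Run against headers copied from delivered or quarantined messages, this shows which ones a "contains threatsim.com" rule would match without a passing SPF result or a listed mailer IP.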

Setting up a Connector

Please note a connector has always been encouraged. In recent months we have seen
an increase in email deferment at the Office 365 perimeter. If you are not getting messages
or there is a significant delay you will need to install a connector.

1. Log in to the Office 365 Admin portal
2. Select the Admin Center icon and then select Exchange from the menu to access
the Exchange Admin Center (EAC)
3. Click mail flow and then Connectors, then click the + icon to create a new rule
4. Select your Mail Flow Scenario and set the From to Partner
Organization and To to Office 365, then click Next
5. Select the Name of the Connector and write an optional description. You will then
want to make sure the box underneath What do you want to do after connector is
saved? is checked and click Next
6. Choose how Proofpoint Security Awareness Training should be identified. You
will want to Use the sender’s IP address, then click Next
7. Enter our IP addresses into the dialog box. Click the + icon to add multiple IPs.
Click Next when done.
8. Check the box - Reject email messages if they aren't sent over TLS.
Click Next when done.
9. Click Save

Microsoft ATP (Advanced Threat Protection)


ATP provides limited abilities for safelisting or creating exceptions directly for Attachments
or Safe Links. Mail Flow Rules can be set up to insert Headers into the received emails that
allow the system to bypass the ATP functions for those messages. This can be configured
based on the sending IP addresses so that only those emails received from Proofpoint are
subject to this behavior.

Follow the steps in these articles to insert these headers:

For Drive by or Data Entry campaigns - ThreatSim - Bypass Microsoft ATP Link
Processing

For Attachment based campaigns - ThreatSim - Bypass Microsoft ATP Attachment
Processing

This will allow those emails to pass to the end users, without being subjected to the
scanning that is creating false positive results.

Note: After creating or modifying Exchange rules, allow up to 12 hours for the
configuration to propagate.
