Professional Documents
Culture Documents
Safelisting in Office 365
Safelisting in Office 365
Safelisting in Office 365
DESCRIPTION
Company uses Office 365 and Proofpoint Security Awareness Training
Situation Phishing emails and notifications are not passing through their mail servers or are
being quarantined
Proofpoint Security Awareness Training
Version Platform
Office 365
Depending on your mail flow:
QUESTION
How do I safelist Proofpoint Security Awareness Training within Office 365?
ANSWER
It depends on your mail flow.
When the mail leaves our platform where does it first go? Your email administrator should
be able to answer this question if you are unsure. We can query your MX (Mail eXchange)
records to see the first ‘hop’. After that we have no visibility into your environment so your
email administrator will be key to getting things safelisted correctly.
If your mail flow looks like this, you can follow the steps in the safelisting best practices as
they are written, using the mailer IP addresses.
If your mail flow has multiple hops, you won’t be able to safelist at the mail transport layer
by IP address, but we provide some solutions down below.
Article 000005328
Note: PPS is used as an example here. If your mail flow has multiple hops you will
need to use this approach.
For IP Address
1. From the drop-down menu, *Apply this rule if …, select The sender…, then
select IP Address is in any of these ranges or exactly matches
2. Enter Proofpoint Security Awareness Training’s IP addresses into the dialog
box. Click the + icon to add multiple IPs.
Note: The IPs for your server can be found in our Safelisting Guide.
3. Click OK
Article 000005328
4. From the drop-down menu, *Do the following …, select Modify the message
properties…, then select set the spam confidence level (SCL)
5. Select Bypass spam filtering and click OK. This sets the SCL to -1.
6. All other settings can be left with the default setting. Click Save at the lower right of
the rule.
You would follow the same steps as above, except instead of an IP you would do:
1. From the drop-down menu, *Apply this rule if …, select A message header
matches…
2. If you are using PPS – follow the steps in this guide to inject a header and use that
header information here: Safelisting in Proofpoint Protection Services
3. If you are using another secure mail gateway you could follow a similar approach if
you are able to inject a header.
4. If you cannot inject a header:
Option 1
• ThreatSim has 2 default headers that can be used (but this is not advised)
See ThreatSim - Searchable Message Header in Mail Server for more information.
Option 2
US
from mailer1.threatsim.com (mailer1.threatsim.com [107.23.16.222])
from mailer2.threatsim.com (mailer2.threatsim.com [54.173.83.138])
EU
mailer1.eu.threatsim.com(mailer1.eu.threatsim.com [52.17.45.98])
mailer2.eu.threatsim.com(mailer2.eu.threatsim.com [52.16.190.81])
AP
mailer1.ap.threatsim.com (mailer1.ap.threatsim.com [13.55.65.8])
mailer2.ap.threatsim.com (mailer2.ap.threatsim.com [13.55.54.143])
Article 000005328
Option 3
• Leverage the SPF header - You would want to create a rule that checks If X-
FEAS-SPF contains threatsim.com and the SPF signature is valid. This would
be the most secure of the three options.
Setting up a Connector
Article 000005328
Please note a connector has always been encouraged. In recent months we have seen
an increase in email deferment at Office 365 perimeter. If you are not getting message
or there is a significant delay you will need to install a connector.
For Drive by or Date Entry campaigns -- ThreatSim - Bypass Microsoft ATP Link
Processing
This will allow those emails to pass to the end users, without being subjected to the
scanning that is creating false positive results.
Note: After creating or modifying Exchange rules, allow up to 12 hours for the
configuration to propagate.