If you're using Trend Micro Cloud App Security, you should allowlist CanIPhish's simulated phishing emails and training notifications. This article will guide you on how to add CanIPhish's IP addresses and domains to Trend Micro's allowlist.
Table of Contents
- 1. Advanced Spam Protection
- 2. Malware Scanning
- 3. File Blocking
- 4. Web Reputation
- 5. Virtual Analyzer
- Appendix A: Other Trend Micro Email Security Products
- Appendix B: Trend Micro with Microsoft 365
Allowlisting in Trend Micro is broken into 5 section. Each section contains specific steps for allowlisting CanIPhish.
1. Advanced Spam Protection
- Navigate to the Advanced Threat Protection tab > Add.
- Select the policy to create based on the service:
- Exchange
- OneDrive
- SharePoint
- Box
- Dropbox
- On the left, select Advanced Spam Protection.
- Check the Enable Advanced Spam Protection option.
- Select the Approved/Blocked Sender List section.
- Check the box next to the Enable the approved sender list option.
- Enter *@caniphish.com in the text field and click the Add > button.
- Select the Rules configuration section.
- Under the Apply to: drop-down menu, select the Incoming messages option.
- For Detection Level:, select the Medium option.
2. Malware Scanning
- On the left, select Malware Scanning.
- Select the Rules configuration section.
- Under the Apply to: drop-down menu, select the All messages option.
- Under Malware Scanning, select Scan all files and check the box next to Scan message body and Enable IntelliTrap.
- Select the Action configuration section.
- For Action:, select the Trend Micro recommend actions option from the drop-down menu.
- For Notification:, select the Notify option from the drop-down menu.
3. File Blocking
- On the left, select File Blocking and select Enable File Blocking. We recommend keeping File Blocking on because you cannot limit this option to CanIPhish messages. Turning off File Blocking could allow potentially malicious attachments through to your users.
4. Web Reputation
- On the left, select Web Reputation.
- Check the Enable Web Reputation option.
- Select the Rules configuration section.
- Under the Apply to: drop-down menu, select the All messages option.
- For Security Level:, select the Medium option.
- Select the Approved/Blocked URL List section.
- Check the box next to the Enable the approved URL list option.
- Check the box next to the Add internal domains to the approved URL list option.
- Enter the phish link root domains enabled in your KSAT console. For more information, see our How to Manage Phish Link Domains article.
- Then, click the Add > button.
Note: You can click the Import button to import URLs in batches.
5. Virtual Analyzer
- On the left, select Virtual Analyzer.
- Check the Enable Virtual Analyzer option.
- Click the Save button.
Once all steps in each section are completed, your new policy will appear under the Advanced Threat Protection tab.
Appendix A: Other Trend Micro Email Security Products
If you're using one of Trend Micro's many other solutions for email security, you can find additional guidance on allowlisting directly from Trend Micro.
This guidance will need to be used inconjunction with CanIPhish's Allowlisting Quick Reference which outlines the IPs and Domains used for phishing simulations.
-
Hosted Email Security
- Managing the Web Reputation Approved List (external link)
- Allowlisting instructions for Hosted Email Security (external link)
-
Email Security Advanced
- Identical to Hosted Email Security.
-
InterScan Messaging Gateway Virtual Appliance (IMSVA)
- Allowlisting instructions (external link)
Appendix B: Trend Micro with Microsoft 365
Due to the nature of how Microsoft 365 email security works, you will need to implement additional allowlisting within Microsoft 365 to guarantee email delivery. There are two options available:
Option 1. Microsoft 365 Direct Email Injection
This approach bypasses the need for traditional email allowlisting, as email are directly inserted into users inboxes via the Microsoft Graph API. Depending on which Trend Micro products you are using, and how they're configured, this may even bypass the need for you to allowlist within Trend Micro.
Option 2. Microsoft 365 Phishing Simulation Allowlisting
This approach follows standard Microsoft 365 Phishing Simulation allowlisting guidance.
Note: If you experience difficulties with this approach it could be due to how Trend Micro email security is setup. For example, if Trend Micro is configured as an email proxy, where by it receives emails, and then forwards them to Microsoft, it will interfere with this allowlisting approach as the source IP of simulated phishing emails gets overriden (i.e. Microsoft can't see that the email originated from CanIPhish). If this is the case, we recommend proceeding with Option 1.
Comments
0 comments
Please sign in to leave a comment.