Allowlisting - Bypass Safe Link/Attachment Processing of M365 Advanced Threat Protection (ATP)

In order for CanIPhish emails to function correctly, there are two sections that require additional rules to bypass Microsoft's Advanced Threat Protection system.

• Step 1. Bypass ATP Attachments Scanning
• Step 2. Bypass ATP Safe Link Scanning
  • Defender for Office 365 Plan 1 - ATP Link Bypass Rule
  • Defender for Office 365 Plan 2 - ATP Link Rewriting Bypass Rule

Note: As a precaution, we recommend waiting 1 hour after enabling these bypass policies to begin testing.

Step 1. Bypass ATP Attachments Scanning

1. Visit your Microsoft 365 Admin Center and click "Exchange" to open the Exchange Admin Center page.
2. Switch to classic view.
3. Click rules, under mail flow.
4. Create a new mail flow rule by clicking the plus symbol and selecting "Bypass spam filtering".
   
5. Give the rule a name, e.g. "Bypass ATP Attachment Processing"
6. Hit "More Options"
7. Under "*Apply this rule if..." select "The Sender..." > "IP address is in any of these ranges or exactly matches..."
   
   • Enter CanIPhish's IP (This can be found here), and hit "+" 
8. Under "*Do the following..." select "Modify the message properties..." > "set a message header" and enter the following:
   • Set the message header: 
     • "X-MS-Exchange-Organization-SkipSafeAttachmentProcessing"
   • to the value:
     • 1
9. Hit Save and then proceed to Step 2. Bypass ATP Attachments Scanning.

Step 2. Bypass ATP Safe Link Scanning

Note: The next rule to implement is dependant on whether you use Defender for Office 365 (ATP) Plan 1 or Plan 2.

• If you use Plan 1, please ONLY implement the ATP Link Bypass Rule.
• If you use Plan 2, please ONLY implement the ATP Link Rewriting Bypass Rule. 

Do not implement BOTH rules below as they will interfere with each other.

If you do not know which Defender plan you have...

Simply follow the guide for Plan 2. If the Safe Links policy (on step 4) is not available, you have Plan 1.

Plan 1 - ATP Link Bypass Rule

To bypass ATP Link Processing, set up the following mail flow rule:

1. Go to your MS Exchange/Office Admin Center and click Mail Flow > Rules
2. Click the "+" and "Bypass spam filtering..."
3. Give the rule a name, e.g. "Bypass ATP Link Processing"
4. Hit "More Options"
5. Under "*Apply this rule if..." select "The Sender..." > "IP address is in any of these ranges or exactly matches..."
   
   • Enter CanIPhish's IP (This can be found here), and hit "+" 
6. Under "*Do the following..." select "Modify the message properties..." > "set a message header" and enter the following:
   • Set the message header: 
     • "X-MS-Exchange-Organization-SkipSafeLinksProcessing"
   • to the value:
     • 1
7. Hit Save

Plan 2 - ATP Link Rewriting Bypass Rule

1. Visit your Microsoft 365 Admin Center and click "Security" to open the Office 365 Security & Compliance page.
2. Click "Threat Management" > "Policy"
   
3. Click Safe Links 
4. Either edit the existing ATP Link Policy and click "Edit policy" (as shown in the example above) or click the "Create" button to make a new one. 
5. Finally, in the "Do not rewrite the following URLs" section, add domains that CanIPhish use for phishing landing pages. Please see our Allowlisting - Quick Reference article for a full list of our landing page domains.
   Note: Each domain must be added using the format https://[rootdomain]/* so if you are adding the root domain "authwebmail.com", you need to enter https://authwebmail.com/*
   
6. Select Save. And you're all done!