To ensure CanIPhish can effectively simulate phishing campaigns, you will need to allowlist our emails, or alternatively configure Direct Email Injection for Microsoft 365.
Note: If you find that website links are being re-written and lead to a "suspicious website" page after allowlisting, your organisation may need to add additional attachment and URL exemptions. To enable these exemptions please see our support article: Allowlisting - Bypass Safe Link/Attachment Processing of M365 Advanced Threat Protection (ATP)
Table of Contents:
- Part 1: Use the Microsoft 365 Defender portal to configure third-party phishing simulations in the advanced delivery policy
- Part 2: Create an inbound connector to avoid email deferral/delays
- Appendix: PowerShell Allowlisting Script
Part 1: Use the Microsoft 365 Defender portal to configure third-party phishing simulations in the advanced delivery policy
Note: Prefer to use PowerShell? Use our prepared script in the Appendix below.
1. Log in to Microsoft 365 Defender at the following link to go straight to the Phishing Simulation allowlisting form: https://security.microsoft.com/advanceddelivery?viewid=PhishingSimulation
Note: This form can also be accessed by going to https://security.microsoft.com/ and clicking through Email & Collaboration > Policies & Rules > Threat Policies > Advanced Delivery > Phishing Simulation
2. Click Edit, or, if there are no configured phishing simulations, click Add.
3. On the Edit third-party phishing simulation flyout that opens, configure the following settings:
Sending Domain:
alerting-services.com
authwebmail.com
cloud-notification-services.com
securesupportcloud.com
office-365-notifications.com
webnotifications.net
paypaypal.net
cmail31.com
authenticationsecure.com
verificationweb.net
onlineverify.net
portal-login.net
email-forwarder.net
learn.caniphish.com (Optional)
caniphish.com (Optional)
Important Note: If you've white-labeled CanIPhish, replace caniphish.com and learn.caniphish.com with your white-labeled domains (e.g. phish.mybusiness.com and learn.phish.mybusiness.com).
Sending IP:
3.106.21.22
13.237.47.221
Simulation URLs to allow:
authwebmail.com/*
*.authwebmail.com/*
cmail31.com/*
*.cmail31.com/*
securesupportcloud.com/*
*.securesupportcloud.com/*
webnotifications.net/*
*.webnotifications.net/*
alerting-services.com/*
*.alerting-services.com/*
Note: All the above domains and IP addresses are under the sole control of CanIPhish. As such, we can ensure that no unintended emails will originate from these IPs and domains after allowlisting occurs.
4. When you're finished, click Add/Save and then click Close.
Part 2: Create an inbound connector to avoid email deferral/delays
To ensure reliable email delivery and avoid inbound rate-limiting thresholds, create an inbound connector in Microsoft 365 that allows messages from our platform to be trusted and accepted.
5. Open the Exchange Admin Center.
6. In the left-hand menu, expand Mail flow, then select Connectors.
7. Click Add a connector.
8. Configure the connector type as follows, then click Next:
- Connection from: Partner organization
- Connection to: Office 365
9. Enter a name for the connector, such as: CanIPhish Email Connector
Note: You can also add an optional description. Make sure Turn it on is enabled, then click Next.
10. On the "How should Office 365 identify email from your partner organization?" screen, choose:
- By verifying that the IP address of the sending server matches one of the following IP addresses
- Add the following IP addresses:
- 3.106.21.22
- 13.237.47.221
Then click Next.
11. On the security restrictions screen, enable the following setting, then click Next:
- Reject email messages if they aren't sent over TLS
12. Review the configuration, then click Create connector.
Note: Allowlisting may take up to an hour to take effect.
All done! Allowlisting can be tricky... should you have any difficulties, please don't hesitate to contact us.
Troubleshooting: If emails continue to land in spam or quarantine folders, you may have Microsoft Advanced Threat Protection (ATP) enabled, which may require additional allowlisting. Please see our guide to Bypass Safe Link/Attachment Processing of M365 ATP.
If issues still continue, try out our Microsoft 365 Direct Email Injection integration which bypasses the need for allowlisting.
Appendix: PowerShell Allowlisting Script
Want to automate the deployment of CanIPhish allowlisting? Use our prepared PowerShell script below.
Step 1. Ensure Exchange Online V3 For PowerShell Is Installed
Install-Module -Name ExchangeOnlineManagement -Force
Step 2. Connect Exchange Online For PowerShell To Your Microsoft 365 Tenant
Note: Please replace the value YOUR-ADMIN-EMAIL with the M365 administrator email that you wish to sign in with.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline `
-UserPrincipalName YOUR-ADMIN-EMAIL `
-ShowProgress:$false `
-LoadCmdletHelp # optional: loads Get-Help content for EXO cmdlets
Step 3. Create The Phishing Simulation Allowlist Policies And Configurations
Note: If you've white-labelled CanIPhish, make sure to replace the caniphish.com and learn.caniphish.com domains with your white-labelled domains.
# 1. Create the override policy
New-PhishSimOverridePolicy -Name PhishSimOverridePolicy
# 2. Confirm it's there
Get-PhishSimOverridePolicy
# 3. Create the override rule pointing to the allowlisted domains & IPs
New-ExoPhishSimOverrideRule `
-Name PhishSimOverrideRule `
-Policy PhishSimOverridePolicy `
-Domains alerting-services.com,authwebmail.com,cloud-notification-services.com,securesupportcloud.com,office-365-notifications.com,webnotifications.net,paypaypal.net,cmail31.com,authenticationsecure.com,verificationweb.net,onlineverify.net,portal-login.net,email-forwarder.net,caniphish.com,learn.caniphish.com `
-SenderIpRanges 3.106.21.22,13.237.47.221
# 4. Allowlist the phishing website URLs in Defender's tenant allow/block list
New-TenantAllowBlockListItems `
-Allow `
-ListType Url `
-ListSubType AdvancedDelivery `
-Entries authwebmail.com/*,*.authwebmail.com/*,cmail31.com/*,*.cmail31.com/*,securesupportcloud.com/*,*.securesupportcloud.com/*,webnotifications.net/*,*.webnotifications.net/*,alerting-services.com/*,*.alerting-services.com/* `
-NoExpiration
# 5. Create the inbound connector to avoid email deferral/delays
# Equivalent to the Exchange Admin Center wizard:
# - Connection from: Partner organization -> Connection to: Office 365
# - Name: CanIPhish Email Connector (enabled)
# - Identify by sender IP: 3.106.21.22, 13.237.47.221
# - Reject email messages if they aren't sent over TLS
New-InboundConnector `
-Name "CanIPhish Email Connector" `
-ConnectorType Partner `
-SenderDomains * `
-SenderIPAddresses 3.106.21.22,13.237.47.221 `
-RestrictDomainsToIPAddresses $true `
-RequireTls $true `
-Enabled $true `
-Comment "Inbound connector for CanIPhish phishing simulation traffic. Avoids deferral/rate-limiting from a single sender. See https://help.caniphish.com/hc/en-us/articles/15746238429967"
# 6. Verify your rule and connector
Get-ExoPhishSimOverrideRule
Get-InboundConnector -Identity "CanIPhish Email Connector" | Format-List Name,Enabled,ConnectorType,SenderDomains,SenderIPAddresses,RestrictDomainsToIPAddresses,RequireTls
You're all done!
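The script above creates the allowlist objects but only lists them at the end. The following is an added example, not CanIPhish's own script, that checks the created objects against the expected domains, IPs and URLs and reports anything missing or unexpected. An unexpected sender IP or domain in a phishing-simulation override rule or a partner connector would mean that traffic from somewhere other than the simulation platform is being trusted past Defender's filtering, so this is the check a reviewer would want to run after deployment and periodically afterwards. It assumes an active Connect-ExchangeOnline session, that the override rule, connector and allow-list entries expose the Domains, SenderIpRanges, SenderIPAddresses and Value properties, and that the connector name and the expected lists match what you configured (replace the caniphish.com entries with your white-labelled domains if applicable).

```powershell
# Added verification example (assumption: an active Connect-ExchangeOnline session).
# Expected values are taken from the allowlisting steps above.
$ExpectedDomains = @(
    'alerting-services.com', 'authwebmail.com', 'cloud-notification-services.com',
    'securesupportcloud.com', 'office-365-notifications.com', 'webnotifications.net',
    'paypaypal.net', 'cmail31.com', 'authenticationsecure.com', 'verificationweb.net',
    'onlineverify.net', 'portal-login.net', 'email-forwarder.net',
    'caniphish.com', 'learn.caniphish.com'   # replace with white-labelled domains if applicable
)
$ExpectedIPs  = @('3.106.21.22', '13.237.47.221')
$ExpectedUrls = @(
    'authwebmail.com/*', '*.authwebmail.com/*', 'cmail31.com/*', '*.cmail31.com/*',
    'securesupportcloud.com/*', '*.securesupportcloud.com/*', 'webnotifications.net/*',
    '*.webnotifications.net/*', 'alerting-services.com/*', '*.alerting-services.com/*'
)
$ConnectorName = 'CanIPhish Email Connector'   # assumption: the name used in the steps above

# Compare an expected set with what the tenant actually holds. Entries present in the
# tenant but not expected are reported as Unexpected; those are the ones to investigate.
function Compare-AllowlistSet {
    param([string]$Label, [string[]]$Expected, [string[]]$Actual)
    $actual = @($Actual | Where-Object { $_ })   # drop nulls/empties before comparing
    if ($actual.Count -eq 0) {
        $missing = @($Expected); $extra = @()
    } else {
        $diff    = Compare-Object -ReferenceObject $Expected -DifferenceObject $actual
        $missing = @($diff | Where-Object SideIndicator -eq '<=' | Select-Object -ExpandProperty InputObject)
        $extra   = @($diff | Where-Object SideIndicator -eq '=>' | Select-Object -ExpandProperty InputObject)
    }
    [pscustomobject]@{
        Item       = $Label
        Missing    = ($missing -join ', ')
        Unexpected = ($extra -join ', ')
        Ok         = ($missing.Count -eq 0 -and $extra.Count -eq 0)
    }
}

$results = @()

# 1. Phishing simulation override rule: domains and sender IPs
$rule = Get-ExoPhishSimOverrideRule | Select-Object -First 1
if (-not $rule) {
    $results += [pscustomobject]@{ Item = 'Override rule'; Missing = 'rule not found'; Unexpected = ''; Ok = $false }
} else {
    $results += Compare-AllowlistSet 'Override rule domains'    $ExpectedDomains $rule.Domains
    $results += Compare-AllowlistSet 'Override rule sender IPs' $ExpectedIPs     $rule.SenderIpRanges
}

# 2. Advanced delivery URL allow entries in the tenant allow/block list
$urlItems = Get-TenantAllowBlockListItems -ListType Url -ListSubType AdvancedDelivery
$results += Compare-AllowlistSet 'Advanced delivery URLs' $ExpectedUrls @($urlItems | Select-Object -ExpandProperty Value)

# 3. Inbound connector: must exist, be enabled, require TLS, and trust only the expected IPs
$conn = Get-InboundConnector -Identity $ConnectorName -ErrorAction SilentlyContinue
if (-not $conn) {
    $results += [pscustomobject]@{ Item = 'Inbound connector'; Missing = 'connector not found'; Unexpected = ''; Ok = $false }
} else {
    $results += Compare-AllowlistSet 'Connector sender IPs' $ExpectedIPs $conn.SenderIPAddresses
    $settingProblems = @()
    if (-not $conn.Enabled)                      { $settingProblems += 'Enabled=false' }
    if (-not $conn.RequireTls)                   { $settingProblems += 'RequireTls=false' }
    if (-not $conn.RestrictDomainsToIPAddresses) { $settingProblems += 'RestrictDomainsToIPAddresses=false' }
    $results += [pscustomobject]@{
        Item = 'Connector settings'; Missing = ($settingProblems -join ', '); Unexpected = ''
        Ok   = ($settingProblems.Count -eq 0)
    }
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Ok }) {
    Write-Warning 'Allowlist drift detected: review the rows marked Ok=False before running a campaign.'
}
```

Run it straight after Step 3, and again whenever the override rule or connector is edited. A row with a non-empty Unexpected column deserves the most attention: an extra sender IP on the connector, or an extra domain on the override rule, extends the simulation bypass to mail that the platform does not send.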
Comments
Good day sir! I'm unable to sign in to Microsoft 365 Defender and I don't know what's wrong with it. Please help me out.
Hi Ottogary,
Thanks for reaching out. Could I please confirm what subscription you have with Office 365 (e.g. E1, E3, E5 license, etc.)?
Regards,
Sebastian