BeeMicrosoft Office 365 safelisting guide

To prevent Microsoft 365 Defender from blocking phishing and training campaign emails, you must allowlist the BullPhish ID domains, IP addresses, and simulation URLs in Microsoft 365 Defender.

At least one sending domain and one sending IP address must be configured. Also, you must allowlist simulation URLs to ensure they are not blocked when included in the campaign emails.

A maximum of 10 entries can be configured for each item. There must be at least one match between a sending domain and a sending IP.

Allowlist BullPhish ID domains, IP addresses, and simulation URLs in Microsoft 365 Defender

1. In the Microsoft 365 Defender navigation menu, select Email & collaboration > Policies & rules.
   
2. On the Policies & rules page, click Threat policies.
   
3. On the Threat policies page, in the Rules section, click Advanced delivery.
   
4. On the Advanced delivery page, click the Phishing simulation tab and perform one of the following steps:
   • If there are configurations for phishing simulations listed, click Edit. Note: When editing configurations, you can add new configurations and/or delete existing ones.
     
   • If there are no configurations for phishing simulations listed, click Add.
     

5. In the Add/Edit third-party phishing simulations modal, configure sending Domain entries:
   1. Open the Sending_Domains.csv file you downloaded as directed in the Prerequisites.
      
   2. Copy one of the sending domains you would like to use in your campaigns. For example, bp-service-support.com (do not copy the word Verified).
      
      Important: Your CSV file will include any custom-sending domains you have created, the status of which may currently be Not Verified. For example, in the step above, bell.com is a custom domain that has not been verified. A domain must be verified before it can be used in a phishing simulation. However, you can still configure a custom domain currently in the Not Verified status as long as you have completed the steps to verify the domain. It can take up to 48 hours for a custom domain to be verified. For more information, see the article Configuring a custom domain.
   3. In the Add/Edit Third-Party Phishing Simulations modal, click Domain.
      
   4. Past the copied domain and press Enter.
      
   5. For each of the sending domains you would like to use in your campaigns: in the CSV file, copy the sending domain, paste it into the Domain field, press Enter.
      
      If adding all global domains, the Domain field appears like the following:
      
      

NOTE  Later on, if you add a custom sending domain, download a new Sending_Domains.csv file as directed in the Prerequisites. To add the domain to the allowlist, perform steps 1 through 5.

6. In the Add/Edit third-party phishing simulations modal, configure Sending IP entries:
   1. Click Sending IP.
      
   2. Copy the first IP address listed below and paste it into the Sending IP field. Press Enter. Repeat for the second IP address (if applicable).
      • 34.237.252.20 (SMTP Server IP - Address from where we send Phishing & Training emails).
      • 168.245.13.192 (SendGrid IP – Needed for sending notification emails but only if you are using Dark Web ID as well as BullPhish ID).
        
        The Sending IP field appears like the following graphic:
        
        

7. In the Add/Edit third-party phishing simulations modal, configure sending Simulation URLs to allow entries:
   1. Click Simulation URLs to allow.
      
   2. Copy the first URL listed below and paste it into the Simulation URLs to allow field. Press Enter. Repeat for each remaining URL.
      • service-noreply.info/* -phishing
      • bpidtr.com/* -training
      • *.bpidtr.com/* - training
      • *.cloudsurveillance.net/* phishing
        
        The Simulation URLs to allow field appears like the following graphic:
        
        
        Note: To remove an allowlist item, click the X.

8. In the lower-left corner of the Add/Edit Third-Party Phishing Simulations modal, click Add (appears when configuring phishing simulations the first time) or Save (appears when editing phishing simulations).
9. Click Close. The configured phishing simulations are listed on the Phishing simulation tab.
   

Emails sent from domains not in your organization's Safe Senders list in Outlook may display a message that some email content, including images, may be blocked.

To prevent email content from being blocked, you need to add the BullPhish ID sending domains to the Safe Sender list in Outlook for each of your end users.

IMPORTANT  Perform these steps to add BullPhish ID sending domains manually to each user's Safe Senders list in Outlook. You will need to run this script every time you add new users to ensure all users have the BullPhish ID sending domains added to their Safe Senders list.

IMPORTANT  If you want the BullPhish ID sending domains to be added to each user's Safe Senders list in Outlook automatically, refer to the article Microsoft Office 365: Automatically adding safe senders to Microsoft Outlook.

If you do perform the steps to automatically add the BullPhish ID sending domains to each user's Safe Senders list in Outlook, you must come back to this article and complete the following sections:
- Preventing Microsoft Defender from rewriting BullPhish ID campaign links
- Preventing an email non-delivery error

Manually add BullPhish ID sending domains to each user's Safe Senders list in Outlook

1. On your taskbar, click the Windows icon.
   
2. Start typing Powershell. In the Windows Powershell pane, click Run as Administrator.
   
3. Copy the following command. Paste it into PowerShell and press Enter.

Install-Module ExchangeOnlineManagement

If Untrusted repository is displayed, type Y and press Enter.

NOTE  A message is displayed if ExchangeOnlineManagement is already installed.

Execute the following command to import the module:

Import-Module ExchangeOnlineManagement

4. Execute the following command to connect to Exchange Online.

Connect-ExchangeOnline -UserPrincipalName UPN

NOTE  UPN is your account in user-principal name (UPN) format, for example, xxxxx@contoso.com.

5. Copy the following code and paste it into a text file. Replace the example text in the $senders = command line with the sender domains you wish to add to the user's safe senders list. Each domain must be entered in quotes. Each domain must be separated by a comma.

NOTE  The list of sending domains is in the Sending_Domains.csv file you downloaded as directed in the Prerequisites.

$users = Get-EXOMailbox -ResultSize unlimited
$senders = "example@example.com" #add safe senders here, in quotes and comma-separated
foreach($user in $users){
$out = 'Adding Trusted Senders to {0}' -f $user.UserPrincipalName
Write-Output $out
Set-MailboxJunkEmailConfiguration $user.UserPrincipalName -TrustedSendersAndDomains @{Add=$senders}
}
Write-Output "Finished!"

Example

$users = Get-EXOMailbox -ResultSize unlimited
$senders = "bp-service-support.com","bp-securityawareness.com","online-account.info",
"myonlinesecuritysupport.com","service-noreply.info","banking-alerts.info","bullphish.com",
"verifyaccount.help","suspected-fraud.info"
foreach($user in $users){
$out = 'Adding Trusted Senders to {0}' -f $user.UserPrincipalName
Write-Output $out
Set-MailboxJunkEmailConfiguration $user.UserPrincipalName -TrustedSendersAndDomains @{Add=$senders}
}
Write-Output "Finished!"

6. Copy the script from the text file, paste it into PowerShell and press Enter. The Outlook mailboxes to which the domains are being added are listed.
   

7. To verify the domains have been added to each user's safe senders list, copy the following code and paste, execute in PowerShell.

$users = Get-EXOMailbox -ResultSize unlimited
foreach($user in $users){
$out = ‘Getting Trusted Senders from {0}' -f $user.UserPrincipalName
Write-Output $out
Get-MailboxJunkEmailConfiguration $user.UserPrincipalName
}
Write-Output "Finished!"

The TrustedSendersAndDomains field lists the added domains for each user's mailbox.

NOTE  For more information about connecting to Exchange Online PowerShell, see the article Connect to Exchange Online PowerShell.

Remove domains already added from the safe sender list

IMPORTANT  Running the script below will remove domains from each user's Safe Senders list in Outlook. After the domains are removed, any emails sent from these domains may be blocked.

1. Copy the following code and paste it into a text file. Replace the example text in the $senders = command line with the sender domains you wish to remove from the user's safe senders list. Each domain must be entered in quotes. Each domain must be separated by a comma.

$users = Get-EXOMailbox -ResultSize unlimited
$senders = "example@example.com" #add safe senders here,
in quotes and comma-separated
foreach($user in $users){
$out = 'Removing Trusted Senders from {0}' -f $user.UserPrincipalName
Write-Output $out
Set-MailboxJunkEmailConfiguration $user.UserPrincipalName -TrustedSendersAndDomains @{Remove=$senders}
}
Write-Output "Finished!"

Example

$users = Get-EXOMailbox -ResultSize unlimited
$senders = "bp-securityawareness.com"
foreach($user in $users){
$out = 'Removing Trusted Senders from {0}' -f $user.UserPrincipalName
Write-Output $out
Set-MailboxJunkEmailConfiguration $user.UserPrincipalName -TrustedSendersAndDomains @{Remove=$senders}
}
Write-Output "Finished!"

2. Copy the script from the text file.
3. In PowerShell, paste the code and execute.
4. To verify the domains have been removed from each user's safe senders list, copy the following code and paste, execute in PowerShell.

$users = Get-EXOMailbox -ResultSize unlimited
foreach($user in $users){
$out = ‘Getting Trusted Senders from {0}' -f $user.UserPrincipalName
Write-Output $out
Get-MailboxJunkEmailConfiguration $user.UserPrincipalName
}
Write-Output "Finished!"

To ensure the BullPhish ID links included in campaign emails are not rewritten, the sending domains must be allowlisted. You need to create a rule in the Exchange admin center that prevents Microsoft from falsely indicating that a campaign link was clicked. Without such a rule, campaign results will not be accurate.  

1. Log into the Exchange admin center.
2. In the navigation menu, select Mail flow > Rules.
   
   
3. On the Rules page, click Add a rule.
   
   
4. Select Create a new rule.
   
   
5. On the Set rule conditions page, in the Name field, enter a name for the rule. For example, Bypass Safe Links for BullPhish ID.
   
   
6. In the Apply this rule if list, select The sender.
   
   
7. In the list box to the right, select IP address is in any of these ranges or exactly matches.
   
   
8. Copy the first IP address listed below and paste it into the specify IP address ranges field. Click Add. Repeat for the second IP address (if applicable).
   • 34.237.252.20 (SMTP Server IP - Address from where we send Phishing & Training emails).
   • 168.245.13.192 (SendGrid IP – Needed for sending notification emails but only if you are using Dark Web ID as well as BullPhish ID).
     
9. When finished, in the lower-left corner of the modal, click Save.
   
   
10. In the Do the following section:
    1. In the first list, select Modify the message properties.
    2. In the list to the right, select set a message header.
       
    3. In the sentence Set the message header... click the first Enter text.
       
    4. Copy the following text: X-MSExchange-Organization-SkipSafeLinksProcessing
       .
    5. In the message header field, paste the text.
       
    6. In the lower-left corner of the modal, click Save.
    7. In the sentence Set the message header... after to the value, click Enter text.
       
    8. In the message header field, enter 1.
       
    9. In the lower-left corner of the modal, click Save.

    NOTE  Don't make any selections in the Except if section.

11. In the lower-left corner of the Set rule conditions page, click Next.
12. On the Set rule settings page, leave the settings selected by default and click Next.
13. On the Review and finish page, click Finish. It may take a moment for the rule to save.
14. When the message Transport rule created successfully is displayed, at the bottom of the page, click Done.
    
15. In the Rules table, for the rule you just added, click Disabled.
    
16. In the modal, click the toggle to enable the rule.
    
    It may take a moment for the rule status to update to Enabled.
    
17. To close the modal, in the upper-right corner, click the X. In the Rules table, the rule's Status is Enabled.
     

If your organization sends a large volume of campaign emails that may possibly overwhelm the Microsoft Office 365 email servers, you may receive a non-delivery error. To resolve this issue, you can configure a connector from the BullPhish ID server(s) to Microsoft Office 365.

1. Log into the Exchange admin center.
2. Select Mail Flow > Connectors.
   
3. Click Add a connector.
   
4. In the Connection From section, select Partner organization and click Next.
   
5. In the Name field, enter a name for the connector. Description is optional. Leave Turn it on selected. Click Next.
   
6. Select By verifying that the IP address of the sending server matches one of the following IP addresses, which belong to your partner organization.
7. Copy the IP address 34.237.252.20 and paste it into the IP address field. Click the plus button.
   
8. If you are using Dark Web ID as well as BullPhish ID, copy the IP address 168.245.13.192 and paste it into the IP address field. Click the plus button.
   
9. Click Next.
10. On the Security restrictions page, leave Reject email messages if they aren't sent over TLS selected. Click Next.
11. On the Review connector page, click Create connector.
    
12. On the Connector created page, click Done. The connector is listed in the Connectors table.