IMPORTANT NOTICE: Since Microsoft rolled out the “Secure by Default” standard in October 2021, the required method of allowlisting has changed. To correctly allowlist in Exchange and Office 365 environments, please see our article Allowlisting via Microsoft Advanced Delivery.

For the Counterphish emails to function correctly, two areas need additional rules so that the emails bypass all of Microsoft’s Advanced Threat Protection (ATP) system.

These two sections can be divided as follows:

  • Mail flow rules
  • URL rewriting rules

Mail flow rules

NOTE:
As a precaution, we recommend waiting one hour after enabling the mail flow rules, then testing them on a small group of recipients before running any large phishing campaigns.

Advanced Threat Protection (ATP) Attachment Bypass Rule – By IP address

NOTE:

If you are using a cloud-based spam filter, you must create a mail flow rule to bypass ATP link processing by email header. This is because your cloud-based spam filter will change the IP address of the mail we send. To configure an ATP bypass rule when a cloud-based spam filter is in use, please follow this guide.

To bypass ATP Attachment Processing, set up the following mail flow rule:

  1. Log into the Microsoft 365 (formerly Office 365) portal and select “Admin centers” > “Exchange”.
  2. Select “Mail flow” to expand the settings menu, then select “Rules”.
  3. Click “Add a rule”.
  4. Click “Create a new rule”.
  5. Give the rule a name, e.g., “Bypass ATP Attachment Processing – IP Address”.
  6. Under “Apply this rule if” select “The Sender…” > “IP address is in any of these ranges or exactly matches”.
  7. Then enter each of the Counterphish IP addresses, clicking the “Add” button for each. (A complete list of our IP addresses can be found here.) Then hit “Save”.
  8. Under “Do the following” select “Modify the message properties…” > “set a message header”.
  9. Edit the properties of this by selecting the “Enter text” buttons.
    Use the following entries:
    Set the message header to “X-MS-Exchange-Organization-SkipSafeAttachmentProcessing” and set the value to “1”.
  10. Click “Next”.
  11. Leave all settings in “Set rule settings” as their default values and click “Next”.
  12. Review your settings and click “Finish”.

WARNING, PLEASE READ CAREFULLY:

The next rule to implement is dependent on whether you use Defender for Office 365 (ATP) Plan 1 or Plan 2.

Do not implement BOTH rules below as they will interfere with each other.

If you do not know which Defender plan you have…

Simply follow the guide for PLAN 2. If the Safe Links policy (on step 5) is not available, you have PLAN 1.

Plan 1 – Advanced Threat Protection (ATP) Link Bypass Rule – By IP Address

To bypass ATP Link Processing, set up the following mail flow rule:

  1. Log into the Microsoft 365 (formerly Office 365) portal and select “Admin centers” > “Exchange”.
  2. Select “Mail flow” to expand the settings menu, then select “Rules”.
  3. Click “Add a rule”.
  4. Click “Create a new rule”.
  5. Give the rule a name, e.g., “Bypass ATP Link Processing – IP Address”.
  6. Under “Apply this rule if” select “The Sender…” > “IP address is in any of these ranges or exactly matches”.
  7. Then enter each of the Counterphish IP addresses, clicking the “Add” button for each. (A complete list of our IP addresses can be found here.) Then hit “Save”.
  8. Under “Do the following” select “Modify the message properties…” > “set a message header”.
  9. Edit the properties of this by selecting the “Enter text” buttons.
    Use the following entries:
    Set the message header to “X-MS-Exchange-Organization-SkipSafeLinksProcessing” and set the value to “1”.
  10. Click “Next”.
  11. Leave all settings in “Set rule settings” as their default values and click “Next”.
  12. Review your settings and click “Finish”.
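
The two mail flow rules above can also be created and then audited from Exchange Online PowerShell. This is an added example, not code from the vendor; the IP addresses are placeholders from the documentation range, the rule names use a plain hyphen, and `$DefenderPlan1` is a hypothetical switch that keeps the link rule out of Plan 2 tenants.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and an
# Exchange administrator session.
Connect-ExchangeOnline

# Placeholders (RFC 5737 documentation range). Replace with the sending
# IP addresses published by the simulation vendor.
$SimulatorIps  = @('192.0.2.10', '192.0.2.11')
$DefenderPlan1 = $true   # hypothetical switch: set to $false on Plan 2

# Rule name -> header stamped by the rule, as given in the steps above.
$Rules = [ordered]@{
    'Bypass ATP Attachment Processing - IP Address' =
        'X-MS-Exchange-Organization-SkipSafeAttachmentProcessing'
}
if ($DefenderPlan1) {
    $Rules['Bypass ATP Link Processing - IP Address'] =
        'X-MS-Exchange-Organization-SkipSafeLinksProcessing'
}

foreach ($name in $Rules.Keys) {
    # Skip rules that already exist so the script can be re-run safely.
    if (-not (Get-TransportRule -Identity $name -ErrorAction SilentlyContinue)) {
        New-TransportRule -Name $name -SenderIpRanges $SimulatorIps `
            -SetHeaderName $Rules[$name] -SetHeaderValue '1'
    }
}

# Audit: list every rule that stamps a skip header and flag any that is
# not scoped by sender IP or that matches addresses outside the list.
Get-TransportRule |
    Where-Object { $_.SetHeaderName -like 'X-MS-Exchange-Organization-SkipSafe*Processing' } |
    ForEach-Object {
        $rule = $_
        $unexpected = @($rule.SenderIpRanges | Where-Object { "$_" -notin $SimulatorIps })
        [pscustomobject]@{
            Rule          = $rule.Name
            State         = $rule.State
            Header        = $rule.SetHeaderName
            IpScoped      = [bool]$rule.SenderIpRanges
            UnexpectedIps = $unexpected -join ', '
        }
    } | Format-Table -AutoSize
```

Any row with `IpScoped` false or a non-empty `UnexpectedIps` column is a bypass wider than the steps above describe and should be reviewed.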

Plan 2 – URL rewriting rules

  1. Log into the Microsoft 365 (formerly Office 365) portal and select “Admin centers” > “Security”.
  2. Under “Email & collaboration” in the left-hand column click “Policies & rules”.
  3. Click “Threat policies”.
  4. Click “Safe Links”.
  5. Click “Create”.
  6. Enter a name for your Policy, then click “Next”.
  7. Specify the users, groups, or domains you would like to use this policy. Then click “Next”.
  8. For the “Email” section we recommend disabling:
    • Apply Safe Links to email messages sent within the organization.
    • Wait for URL scanning to complete before delivering the message.
  9. Under “Do not rewrite the following URLs in email” click “Manage 0 URLs”.
  10. Click “Add URLs”.
  11. Finally, in the “ADD URLs” section, add the list of root domains from the page in Step 1. Each domain must be added using the format https://[rootdomain]/* so if you are adding the root domain “phishingdomain.com”, you need to enter https://phishingdomain.com/*
  12. Click “Save”.
  13. Click “Done”.
  14. The settings within “Teams”, “Office 365 Apps”, and “Click protection settings” can be left as the default setting.
  15. Click “Next”.
  16. The notification settings can be left as the default setting.
  17. Click “Next”.
  18. Review your ATP Link Policy and click “Submit”.
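
The Plan 2 policy can be built from Exchange Online PowerShell with the “do not rewrite” entries generated and validated rather than typed by hand. This is an added example, not code from the vendor; the policy name and recipient domain are placeholders, and the only root domain used is the sample one from step 11.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and a
# session opened with Connect-ExchangeOnline.
$PolicyName  = 'Phishing simulation - Safe Links'   # hypothetical name
$Recipients  = 'example.com'                        # placeholder domain (step 7)
$RootDomains = @('phishingdomain.com')              # sample domain from step 11

# Build the https://[rootdomain]/* entries. Anything that is not a bare
# host name is rejected, so a stray scheme, path or wildcard in the
# input cannot widen the exclusion beyond the intended domains.
$DoNotRewrite = foreach ($d in $RootDomains) {
    $d = $d.Trim().ToLowerInvariant()
    if ($d -notmatch '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$') {
        throw "Not a bare root domain: '$d'"
    }
    "https://$d/*"
}

# Step 8: both recommended "Email" options disabled.
# Steps 9-11: the generated entries go into the do-not-rewrite list.
New-SafeLinksPolicy -Name $PolicyName `
    -EnableForInternalSenders $false `
    -DeliverMessageAfterScan $false `
    -DoNotRewriteUrls $DoNotRewrite

# Step 7: scope the policy to the intended recipients.
New-SafeLinksRule -Name $PolicyName -SafeLinksPolicy $PolicyName `
    -RecipientDomainIs $Recipients

# Review the result. Settings not passed above keep the cmdlet defaults,
# which should be compared with the portal defaults the steps rely on.
Get-SafeLinksPolicy -Identity $PolicyName |
    Format-List Name, EnableSafeLinksForEmail, EnableForInternalSenders,
        DeliverMessageAfterScan, DoNotRewriteUrls
```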