Forum Discussion
Is there a way to allow URLs that have been detonated and determined as malicious?
You can configure a whitelist of sorts as detailed here: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-a-custom-do-not-rewrite-urls-list-with-atp?view=o365-worldwide
We had one of the leaders in on a proof-of-concept a year ago. I had to safelist everything; sending ranges, sending domains, landing zone domains, the lot. One mark of a good tester is that they will not only have this information to hand but also useful KB articles on what you need to do to EOP and ATP to let the tests through. Do your own diligence too, of course.
Once you are done, don't forget to remove these from your config. Some of the testers don't register / retain all of the domains they use, so an enterprising black hat might pick them up guessing that they will appear in safelists.
Thanks for the advice. I've stumbled across the vendor's guidance documents this afternoon when I was looking for something else, so I have clear instructions so I'm going to wade through that and see if it works.