Fixxser2
Brass Contributor
Feb 16, 2023
Solved

Attack Simulator emails bypass mail flow rules

Is there any documentation for Attack Simulator emails bypassing mail flow rules?

 

We have a mail flow rule that marks and appends a disclaimer to all external emails coming in. When using the Attack Simulator, emails are bypassed.

3 Replies

  • ExMSW4319
    Iron Contributor
    Look in Threat Explorer and you will see that the mails do not even arrive via the conventional delivery pipeline so do not appear there. They are simply written directly from the simulator to each recipient's Inbox. If you want your simulations to display your normal disclaimer for external mail, you will need to include your disclaimer block in the payload.
  • That's by design, the whole idea is to see how the end users react to a bad email, not to test your hygiene configuration.
    • ShaunB93
      Copper Contributor

      You've missed the point here, and with a somewhat arrogant response. 


      If every single inbound email from an external source contains an appended disclaimer and attack simulations do not, this is an immediate tell to the user that this is not a normal email. They'll likely report the email as phishing on this basis alone rather than based on the actual content of the email (the test we actually care about).


      A real-world phishing email would contain the disclaimer (as these have most likely entered the mail environment from the outside), thus phishing simulations should also present in an identical fashion so as to mirror a real-world phishing email.


      Without this disclaimer being appended by a mail flow rule, there is a heavy administrative burden to modify each and every payload template manually with the HTML for the disclaimer. 
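
Added example, not part of the thread and not Microsoft code: a way to stamp the organization's external-mail disclaimer into many simulation payload bodies at once instead of editing each template by hand. It assumes the payload bodies are available as HTML strings; the disclaimer text, the marker comment and the sample payloads are constructed for illustration.

```python
import re

# Constructed marker so a template is never stamped twice
# (an assumption of this example, not a Microsoft convention).
MARKER = "<!-- ext-disclaimer -->"

# Constructed disclaimer; substitute the exact HTML your mail flow rule appends.
DISCLAIMER_HTML = (
    '<div style="border:1px solid #c00;padding:6px;font-family:Arial;font-size:12px">'
    "CAUTION: This email originated from outside the organization."
    "</div>"
)

_BODY_CLOSE = re.compile(r"</body\s*>", re.IGNORECASE)


def add_disclaimer(payload_html: str, disclaimer_html: str = DISCLAIMER_HTML) -> str:
    """Return payload_html with the disclaimer appended at the end of the body."""
    if MARKER in payload_html:
        return payload_html  # already stamped; keep the operation idempotent
    block = MARKER + disclaimer_html
    matches = list(_BODY_CLOSE.finditer(payload_html))
    if matches:
        # Insert before the last </body> so the block renders at the end of the message.
        pos = matches[-1].start()
        return payload_html[:pos] + block + payload_html[pos:]
    # Fragment without a <body> element: append at the end.
    return payload_html + block


def stamp_all(templates: dict) -> dict:
    """Stamp a {name: html} mapping of payload bodies."""
    return {name: add_disclaimer(html) for name, html in templates.items()}


# Constructed sample payload bodies.
SAMPLES = {
    "full_document": "<html><BODY class='x'><p>Your parcel is waiting.</p></BODY></html>",
    "fragment": "<p>Password expires today.</p>",
}

if __name__ == "__main__":
    for name, html in stamp_all(SAMPLES).items():
        print(name, "->", html)
```

Running it a second time over already-stamped bodies changes nothing, so the same script can be re-run whenever new payload templates are added.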
