Forum Discussion

EtienneFiset's avatar
EtienneFiset
Brass Contributor
Jan 12, 2023

How to allow an email domain without using message rule (permanently)

I read every documentation with microsoft, i feel a little bit lost :   https://learn.microsoft.com/fr-ca/microsoft-365/security/office-365-security/create-safe-sender-lists-in-office-365?view=o365...
Microsoft Defender for Office 365
Ben_Harris's avatar
Ben_Harris
Icon for Microsoft rankMicrosoft

Hey EtienneFiset  - you may find my reply to this post helpful for context initially 🙂

 Re: Microsoft Defender for Email & Collaboration - "Whitelist" - Microsoft Community Hub

Allow listing something permanently is bad practice, as you're opening yourself up to attacks from people spoofing that domain, or using it for lateral movement (to you) should it get compromised. - it's something which was widely done years ago but has caused heartache for many people as attackers learned that there was an effortless way to get round filtering, just find the domains likely to be set to bypass that filtering!

If emails are not currently being blocked, great, no action needed. If they are currently being blocked, my response to the previous linked post should help, we need to fix the actual cause of the issue, which is the right way to go about this.

As you're aware - submission is the way to get an allow, but it will only work in instances where our verdicts were wrong, in cases like poor authentication, then thats something which should be fixed rather than ignored.

Hope that helps?

 

Thanks

 

Ben.

EtienneFiset's avatar
EtienneFiset
Brass Contributor
Jan 16, 2023

Thanks Ben, but that is not really accurate with what i wrote.... you say in another words the same thing as me but you forgot to take in consideration the rest of the text. What is the solution to allow a domain email without using message rule or submission ?

 

Regards

  • Ben_Harris's avatar
    Ben_Harris
    Icon for Microsoft rankMicrosoft
    Jan 16, 2023

    EtienneFiset The correct solution is to not do it at all, as this poses a security risk to your organisation and as mentioned in the post I linked with another reply, fixing the root cause is the best way to move forward. - so, we don't have a recommendation apart from to fix the underlying reason for requiring the allow if that makes sense.

     

    If you really wish to achieve this (it will not work for high confidence phish) and are happy to accept the risks of allowing a domain / sender, you should use the steps in the documentation you linked to create a transport rule, being sure to have more than one condition defined (step 2 in the "Use Mail flow Rules" section of the documentation.

    Hope that helps

     

    Ben.

Resources