Bypassing Exchange 2016 Content Filter for Phishing Test


Hi Everyone,

My organization is trying to set up cybersecurity training for our staff which includes a phishing email campaign. I have configured the rules according to the provider's documentation but the test phishing emails are still getting quarantined by the content filter. We have a single Exchange 2016 server and most of the test emails are showing up in our spam mailbox with the following error message:

"Remote Server returned '550 5.2.1 Content Filter agent quarantined this message'"

I have added their IP addresses to the IP Allow List and they show up when I run Get-IPAllowListEntry.

I have set up the three rules listed below as instructed by the training provider:

  1. Bypass Spam Filtering - Sender's IP addresses same as ones listed above in IP Allow List.
    * Set the message header to this value - Set the message header 'X-Forefront-Antispam-Report' to the value 'SFV:SKI'
    * Set the spam confidence level (SCL) to - Bypass spam filtering
    * Priority = 0
    * Enforce checked

  2. Bypass Focused Inbox - Sender's IP addresses same as the ones listed above in IP Allow List.
    * Set the message header to this value - Set the message header 'X-MS-Exchange-Organization-BypassFocusedInbox' to the value 'true'
    * Priority = 1
    * Enforce checked

  3. Bypass Clutter - Sender's IP addresses same as the ones listed above in IP Allow List.
    * Set the message header to this value - Set the message header 'X-MS-Exchange-Organization-BypassClutter' to the value 'true'
    * Priority = 2
    * Enforce checked

Does anyone have any ideas on what I might be missing? Having to manually release all of the test phishing emails for a few hundred users will get pretty tedious. I did read that the IP Allow List might only work on an Edge Transport server. We only have one Exchange server so would this cause a problem with the IP Allow List?

Thanks!
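As an added example (not part of the original post or the training provider's documentation), the Exchange Management Shell commands below first check what the Content Filter agent actually did with the test messages, then recreate the three rules from the post scoped to the provider's sender ranges. The IP range 203.0.113.0/24 and the domain example.test are placeholders, and the block assumes the antispam agents were installed on the Mailbox server with Install-AntiSpamAgents.ps1.

```powershell
# Added example: run in the Exchange Management Shell on the single Exchange 2016 server.
# 203.0.113.0/24 and example.test are placeholders for the simulation provider's
# published sender ranges and sending domain (replace with the vendor's real values).
$providerRanges = @('203.0.113.0/24')
$providerDomain = 'example.test'

# 1. Confirm it is the Content Filter agent that quarantined the test messages, and
#    note the IPAddress column: if inbound mail passes through a gateway or smart host,
#    the connecting IP Exchange sees is that device, not the provider, and a rule
#    conditioned on the sender IP will never match.
Get-AgentLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) |
    Where-Object { $_.Agent -eq 'Content Filter Agent' } |
    Select-Object Timestamp, IPAddress, P1FromAddress, Action, Reason, ReasonData

# 2. Connection filtering (the consumer of the IP Allow List) is an Edge Transport
#    feature. On a Mailbox-only deployment the Content Filter agent honours its own
#    bypass lists, so add the provider's sending domain there (additive syntax keeps
#    any existing entries).
Set-ContentFilterConfig -BypassedSenderDomains @{Add = $providerDomain}

# 3. The three rules from the post, scoped to the provider's IP ranges.
#    -SetSCL -1 is the "Bypass spam filtering" value; -Mode Enforce matches "Enforce checked".
New-TransportRule -Name 'Phish Sim - Bypass Spam Filtering' -SenderIpRanges $providerRanges `
    -SetHeaderName 'X-Forefront-Antispam-Report' -SetHeaderValue 'SFV:SKI' `
    -SetSCL -1 -Priority 0 -Mode Enforce
New-TransportRule -Name 'Phish Sim - Bypass Focused Inbox' -SenderIpRanges $providerRanges `
    -SetHeaderName 'X-MS-Exchange-Organization-BypassFocusedInbox' -SetHeaderValue 'true' `
    -Priority 1 -Mode Enforce
New-TransportRule -Name 'Phish Sim - Bypass Clutter' -SenderIpRanges $providerRanges `
    -SetHeaderName 'X-MS-Exchange-Organization-BypassClutter' -SetHeaderValue 'true' `
    -Priority 2 -Mode Enforce

# 4. Verify the rules are enabled and ordered as intended; after the next test send,
#    repeat step 1 and confirm the agent's Action is no longer a quarantine.
Get-TransportRule | Where-Object { $_.Name -like 'Phish Sim*' } |
    Select-Object Priority, Name, State, Mode, SenderIpRanges
```

Keep the exemption as narrow as the provider's published ranges and domain, and remove it when the campaign ends.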
