Advanced Delivery for third party phishing attack scenario

Occasional Contributor

Hello MSFT Team,

 

Normally every quarterly we perform the third party phishing attack simulator in the Organization to educate the end user's but this time all the phishing testing emails are getting quarantined by marking as high phishing.

After searching on the google found below link to use O365 advanced delivery policy for third party phishing. In the advanced delivery policy we have added:

Domain : added sending domain
Sending IP : added sending IP
Simulation URLs to allow : added simulation URLs as well

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-advanced-deliv...


Followed the above msft blog and added the rule successfully but still the testing phishing emails are getting quarantined and marked as high phish.

 

But one thing has been observed that third party phishing simulator is hosted on amazonses.com and sending domain is different but we have added only the sending domain.

Do I need to add the amazonses.com domain as well in advanced delivery policy.

 

Please can someone shed some light on it as I searching lot of blogs on advanced delivery policy but found nothing.

 

Any help really appreciated.

 

Regards

Anand Sunka

 

5 Replies

Hi @ANAND_SUNKA, please open a support case so that our engineering team can investigate further, look at the configuation of your tenant and provide our recommendation here.

 

Hi Sundeep_Saini,
Thanks for the reply.
I have resolved the issue by looking at 5321.fromadress and whitelisted that address and issue got resolved.

But now we are facing different issue with url's getting blocked by using ATP policies.
I have whitelisted the urls in Advanced delivery as well as in ATP safe links policy.
But still no luck.

Why does the adavanced delivery urls whitelisted is not working.
Any help really appreciated.


Regards
Anand Sunka
I have faced the same issue with 3rd party simulator also it is showing false reports i added the list of domains,Ip and urls and specially the from address in the header it worked. But now it is giving false reporting i guess microsft is mentioning that despite of any configuration they will inspect the mail
You can't bypass malware filtering or ZAP for malware
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-advanced-deliv...
Hi Kazaki82,
Thanks for the update in my scenario I was using third party phishing simulation hosted at amazonses.com and it got 2 From addresses where I was blocking only the single from address.
That's why the issue was happened.
But after whitelisting the second from address my issue was resolved.

Yes as you said we can't bypass malware filtering or ZAP as they implemented secure by default.
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/secure-by-default?view=o...

Anyways thank you.

Regards
Anand Sunka
This very know the third party I think u mean cofense