With the introduction of Defender for Office 365, there are several more processes that play a role in scanning emails.

The Problem:

There is no clear or effective way to whitelist security training providers from link and attachment scanning whether in the web portal, API, or Powershell.

Impact:
One or more of the systems below consistently block, scan links and/or attachments that belong to security training (not actually malicious) from several major providers, and create false positives.

Rules in place:

Sending Server IPs are whitelisted and emails are modified to set message headers such as

1. "X-MS-Exchange-Organization-SkipSafeLinksProcessing" w/ value "1"
2. "X-MS-Exchange-Organization-SkipSafeAttachmentProcessing" w/ value "1"
3. Bypass SPAM = "-1"

There does not appear to be a way to whitelist from:

1. SpamZap - Get trapped as SPAM even with bypass.
2. PhishZap - Gets trapped as Phish regardless of rules.
3. MailboxIntelligenceProtection - Same as Phish.
4. Defender for Office 365 Scanning - The bots are clicking the links and creating false positives
5. Safe Documents - same as above.
6. Report Message Link Detonation - Detonates links regardless of whether it's whitelisted anywhere else.

Is anyone aware of a way to do this currently?
There are between 50-100 different wildcard domains needed to whitelist (if we had to do them individually).

A solution cannot include disabling the above services.