Whitelist and Safelist problems


With the introduction of Defender for Office 365, there are several more processes that play a role in scanning emails.

The Problem:

There is no clear or effective way to whitelist security training providers from link and attachment scanning, whether in the web portal, API, or PowerShell.

Impact:
One or more of the systems below consistently block, scan links and/or attachments that belong to security training (not actually malicious) from several major providers, and create false positives.

Rules in place:

Sending server IPs are whitelisted and emails are modified to set message headers such as:

  1. "X-MS-Exchange-Organization-SkipSafeLinksProcessing" w/ value "1"
  2. "X-MS-Exchange-Organization-SkipSafeAttachmentProcessing" w/ value "1"
  3. Bypass SPAM = "-1"

There does not appear to be a way to whitelist from:

  1. SpamZap - Gets trapped as SPAM even with bypass.
  2. PhishZap - Gets trapped as Phish regardless of rules.
  3. MailboxIntelligenceProtection - Same as Phish.
  4. Defender for Office 365 Scanning - The bots are clicking the links and creating false positives.
  5. Safe Documents - Same as above.
  6. Report Message Link Detonation - Detonates links regardless of whether it's whitelisted anywhere else.

Is anyone aware of a way to do this currently?
There are between 50-100 different wildcard domains needed to whitelist (if we had to do them individually).

A solution cannot include disabling the above services.
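
The "Rules in place" configuration described in the post, written out as Exchange Online mail flow rules. This is an added example, not the poster's own configuration: the rule names and the 192.0.2.0/24 range are placeholders, and it assumes an Exchange Online PowerShell session is already connected.

```powershell
# Assumes Connect-ExchangeOnline has already been run.
# 192.0.2.0/24 is a documentation range standing in for the provider's sending IPs.
$ProviderIps = @('192.0.2.0/24')

# Rule 1: bypass spam filtering (SCL -1) and skip Safe Links for mail from those IPs.
$SkipLinks = @{
    Name           = 'Training provider - SCL -1 and skip Safe Links'   # hypothetical name
    SenderIpRanges = $ProviderIps
    SetSCL         = -1
    SetHeaderName  = 'X-MS-Exchange-Organization-SkipSafeLinksProcessing'
    SetHeaderValue = '1'
    Comments       = 'Scoped to provider sending IPs only'
}
New-TransportRule @SkipLinks

# Rule 2: a rule holds one set-header action, so the second header gets its own rule.
$SkipAttachments = @{
    Name           = 'Training provider - skip Safe Attachments'        # hypothetical name
    SenderIpRanges = $ProviderIps
    SetHeaderName  = 'X-MS-Exchange-Organization-SkipSafeAttachmentProcessing'
    SetHeaderValue = '1'
    Comments       = 'Scoped to provider sending IPs only'
}
New-TransportRule @SkipAttachments

# Review what is actually deployed: state, order, scope and actions of both rules.
Get-TransportRule |
    Where-Object { $_.Name -like 'Training provider*' } |
    Format-List Name, State, Priority, SenderIpRanges, SetSCL, SetHeaderName, SetHeaderValue
```

Because the only condition is the source IP, every message arriving from that range receives the bypass, so keep the range as narrow as the provider's published sending addresses.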

1 Reply
Hi Jonathan, this is a concern we hear from other customers as well. We are aware of the unique challenges with security training and simulation providers, and will be releasing capabilities to address this in the near future, so stay tuned!