cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Is there a way to allow URLs that have been detonated and determined as malicious?

oliverbettsrichards
Copper Contributor

‎Aug 27 2020 03:56 AM - last edited on ‎May 24 2021 02:11 PM by

‎Aug 27 2020 03:56 AM - last edited on ‎May 24 2021 02:11 PM by

Is there a way to allow URLs that have been detonated and determined as malicious?

Hi folks,

 

I'm attempting to run a phishing simulation using a non-Microsoft vendor (i.e. I'm not using the out-of-the-box Threat Simulator) and, during my test campaign, the phishing emails were being delivered to my chosen recipients' junk mail folders.

 

Is there a way to put URLs on an allow list to prevent M365 from junking my phishing simulation emails? Otherwise, I fear my test will only show that M365 will junk the emails rather than help me provide education to customers and strengthen our email security posture.

 

I'd be immensely grateful for any feedback you can provide.

 

I've attached screenshot from Threat Explorer below:

 

Error Message.png

1,404 Views
0 Likes
3 Replies
Reply
3 Replies
best response confirmed by oliverbettsrichards (Copper Contributor)
Vasil Michev

‎Aug 27 2020 10:37 AM

‎Aug 27 2020 10:37 AM

Solution

Re: Is there a way to allow URLs that have been detonated and determined as malicious?

You can configure a whitelist of sorts as detailed here: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-a-custom-do-not-r...

1 Like
Reply
ExMSW4319

‎Aug 28 2020 07:20 AM

‎Aug 28 2020 07:20 AM

Re: Is there a way to allow URLs that have been detonated and determined as malicious?

@oliverbettsrichards 

We had one of the leaders in on a proof-of-concept a year ago. I had to safelist everything; sending ranges, sending domains, landing zone domains, the lot. One mark of a good tester is that they will not only have this information to hand but also useful KB articles on what you need to do to EOP and ATP to let the tests through. Do your own diligence too, of course.  

 

Once you are done, don't forget to remove these from your config. Some of the testers don't register / retain all of the domains they use, so an enterprising black hat might pick them up guessing that they will appear in safelists.

1 Like
Reply
oliverbettsrichards

‎Aug 28 2020 07:30 AM

‎Aug 28 2020 07:30 AM

Re: Is there a way to allow URLs that have been detonated and determined as malicious?

@ExMSW4319 

 

Thanks for the advice. I've stumbled across the vendor's guidance documents this afternoon when I was looking for something else, so I have clear instructions so I'm going to wade through that and see if it works.

0 Likes
Reply
1 best response

Accepted Solutions