SOLVED

Is there a way to allow URLs that have been detonated and determined as malicious?

New Contributor

Hi folks,

 

I'm attempting to run a phishing simulation using a non-Microsoft vendor (i.e. I'm not using the out-of-the-box Threat Simulator) and, during my test campaign, the phishing emails were being delivered to my chosen recipients' junk mail folders.

 

Is there a way to put URLs on an allow list to prevent M365 from junking my phishing simulation emails? Otherwise, I fear my test will only show that M365 will junk the emails rather than help me provide education to customers and strengthen our email security posture.

 

I'd be immensely grateful for any feedback you can provide.

 

I've attached a screenshot from Threat Explorer below:

 

Error Message.png

3 Replies
best response confirmed by oliverbettsrichards (New Contributor)

@oliverbettsrichards 

We had one of the leaders in on a proof-of-concept a year ago. I had to safelist everything: sending ranges, sending domains, landing zone domains, the lot. One mark of a good tester is that they will not only have this information to hand but also useful KB articles on what you need to do to EOP and ATP to let the tests through. Do your own diligence too, of course.

 

Once you are done, don't forget to remove these from your config. Some of the testers don't register / retain all of the domains they use, so an enterprising black hat might pick them up guessing that they will appear in safelists.
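A read-only audit for the cleanup step described in the reply above, added here as an example and not part of the original thread. It assumes an existing Exchange Online PowerShell session (`Connect-ExchangeOnline`); the vendor domains and IP ranges are constructed placeholders to be replaced with the values your simulation vendor supplied.

```powershell
# Placeholder values (constructed): substitute the vendor's real sending
# domains, landing-page domains and sending IP ranges.
$VendorDomains = @('phish-sim.example', 'landing.example')
$VendorIPs     = @('192.0.2.10', '198.51.100.0/24')

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Location, $Policy, $Entry) {
    $findings.Add([pscustomobject]@{
        Location = $Location; Policy = $Policy; Entry = "$Entry" })
}

# 1. EOP connection filter: IP allow list
foreach ($p in Get-HostedConnectionFilterPolicy) {
    foreach ($ip in $p.IPAllowList) {
        if ($VendorIPs -contains "$ip") {
            Add-Finding 'Connection filter IPAllowList' $p.Name $ip }
    }
}

# 2. Anti-spam policies: allowed sender domains
foreach ($p in Get-HostedContentFilterPolicy) {
    foreach ($d in $p.AllowedSenderDomains) {
        if ($VendorDomains -contains "$d") {
            Add-Finding 'Anti-spam AllowedSenderDomains' $p.Name $d }
    }
}

# 3. Safe Links policies: "do not rewrite" URL entries naming a vendor domain
foreach ($p in Get-SafeLinksPolicy) {
    foreach ($u in $p.DoNotRewriteUrls) {
        foreach ($d in $VendorDomains) {
            if ("$u" -like "*$d*") {
                Add-Finding 'Safe Links DoNotRewriteUrls' $p.Name $u }
        }
    }
}

# 4. Mail flow rules that bypass spam filtering (SCL -1) for vendor senders
foreach ($r in Get-TransportRule) {
    if ($r.SetSCL -ne -1) { continue }
    $scoped = @($r.SenderIpRanges) + @($r.SenderDomainIs) |
        Where-Object { $VendorIPs -contains "$_" -or $VendorDomains -contains "$_" }
    foreach ($s in $scoped) { Add-Finding 'Transport rule SCL -1' $r.Name $s }
}

# Anything listed here is a leftover simulation exception to review and remove.
$findings | Sort-Object Location, Policy | Format-Table -AutoSize
```

The script only reports; an empty table after the campaign means none of the listed exceptions remain in these four locations.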

@ExMSW4319 

 

Thanks for the advice. I've stumbled across the vendor's guidance documents this afternoon when I was looking for something else, so I have clear instructions so I'm going to wade through that and see if it works.