Microsoft 365 Advanced Threat Protection (ATP) Bypass Rules

Written By Hive Systems

The below instructions will show you how to allow list ePHISHiency’s phishing simulation emails through Microsoft 365’s Advanced Threat Protection (ATP) filters.

If you are using Advanced Threat Protection (ATP) in your mail environment, you can set up additional mail flow rules that allow our phishing simulations to bypass safe links and attachments processing (Option 1 below). However, if you have a mail filter in front of your mail server, we recommend you use Option 2 to allow list in ATP by email header instead.

Before you begin:

  • In alignment with our commitment to advocating for systems that promote equity, inclusivity, and embrace diversity, Hive Systems uses the term “allow list” instead of “whitelist.” Some companies may still refer to it as the latter, but the cybersecurity concept is the same.

  • You must complete all of these steps to successfully allow list.

Option 1: Direct Bypass

Complete both of the below steps to implement the ATP bypass:

Part A: ATP Link Bypass

  1. From the Exchange admin center, select mail flow from the left-hand menu.

  2. Give the rule a name such as "Bypass ATP Links".

  3. Click More options....

  4. From the Apply this rule if…. drop-down menu, select The senders then select IP address is in any of these ranges or exactly matches.

  5. Enter our IP address. For the most up-to-date IP information, please see, please see this article.

  6. From the Do the following… drop-down menu, select Modify the message properties... and then set a message header.

    • Click the first *Enter text... link and set the message header to:

      • X-MS-Exchange-Organization-SkipSafeLinksProcessing

    • Click the second *Enter text... link and set the value to:

      • 1

  7. Click Save and proceed to Part B. An example of the rule is below:

Part B: ATP Attachment Bypass

  1. From the Exchange admin center, select mail flow from the left-hand menu.

  2. Give the rule a name such as “Bypass ATP Attachments”.

  3. Click more options.

  4. From the Apply this rule if… drop-down, select The senders then select IP address is in any of these ranges or exactly matches.

  5. Enter our IP address. For the most up-to-date IP information, please see, please see this article.

  6. From the Do the following… drop-down, select Modify the message properties... and then set a message header.

    • Click the first *Enter text... link and set the message header to:

      • X-MS-Exchange-Organization-SkipSafeAttachmentProcessing

    • Click the second *Enter text... link and set the value to:

      • 1

  7. Click Save. An example of the rule is below:

Option 2: Header Bypass

Complete both of the below steps to implement the header ATP bypass:

Part A: ATP Link Bypass with Headers

  1. From the Exchange admin center, select mail flow from the left-hand menu.

  2. Give the rule a name such as “Bypass ATP Links by Header”.

  3. Click more options....

  4. From the Apply this rule if… drop-down menu, select A message header... then selects includes any of these words.

  5. On the right side of that rule, you will see *Enter text... and *Enter words...

  6. Click *Enter text... to open the specify header name window. In this window, enter the “Value” field from our header information. For the most up-to-date header information, please see, please see this article.

  7. Click *Enter words … and enter the “Text” field from our header information. For the most up-to-date header information, please see, please see this article. When you’re done, click the + sign.

  8. From the Do the following… drop-down menu, select Modify the message properties... and then set a message header.

    • Click the first *Enter text... link and set the message header to:

      • X-MS-Exchange-Organization-SkipSafeLinksProcessing

    • Click the second *Enter text... link and set the value to:

      • 1

  9. Click Save and proceed to Part B. An example of the rule is below:

Part B: ATP Attachment Bypass with Headers

From the Exchange admin center, select mail flow from the left-hand menu.

  1. Give the rule a name such as “Bypass ATP Attachments by Header”.

  2. Click more options....

  3. From the Apply this rule if… drop-down menu, select A message header... then selects includes any of these words.

  4. On the right side of that rule, you will see *Enter text... and *Enter words...

  5. Click *Enter text... to open the specify header name window. In this window, enter the “Value” field from our header information. For the most up-to-date header information, please see, please see this article.

  6. Click *Enter words … and enter the “Text” field from our header information. For the most up-to-date header information, please see, please see this article. When you’re done, click the + sign.

  7. From the Do the following… drop-down menu, select Modify the message properties... and then set a message header.

    • Click the first *Enter text... link and set the message header to:

      • X-MS-Exchange-Organization-SkipSafeAttachmentProcessing

    • Click the second *Enter text... link and set the value to:

      • 1

  8. Click Save. An example of the rule is below:

Step 3: Let us know you’re ready!

Contact ePHISHiency support (using the button below) and let us know that you’re all setup. We’ll send a test email to you, or a few people if you want, to make sure everything is working, and then we’ll be on our way to reducing your risk from phishing!

 

Having trouble?

More KB Articles

Hive Systems
Previous

Allow Listing by Header in Google Workspace
Next

How to Prevent Microsoft 365 Defender from Rewriting ePHISHiency Links