
Unlocking the Power of X-Header Allow-Listing in Exchange 2013, 2016 & Microsoft 365

Mastering X-Header Allow-Listing in Exchange & Microsoft 365

Allow-listing X-Headers is your golden ticket to ensuring CyberHoot’s simulated phishing emails land right in your users’ inboxes, bypassing mail filters like a charm. While IP address or hostname whitelisting is our usual go-to, allow-listing by headers can be the perfect fit depending on your system setup. Let’s dive into the nitty-gritty of allow-listing our headers like a pro.

Bypassing Clutter and Spam Filtering by Email Header (Exchange 2013, 2016, and M365)

Ready to bypass clutter and spam filtering by email header? Just follow these simple steps:

Step-by-Step Guide

  1. Log into your mail server admin portal and select Exchange under Admin center.
  2. Click on Mail flow, then Rules, and hit Add a rule.
  3. In the new rule window, click on Create a new rule.
  4. Give your rule a catchy name, like “CyberHoot – Bypass Clutter & Spam Filtering by Email Header”.
  5. From the Apply this rule if… drop-down menu, select The message headers… then includes any of these words.
  6. You’ll see *Enter text… and *Enter words…. Click *Enter text… and type in the header name: Become_More_Aware, then click save.
  7. Click *Enter words… and type in CyberHoot, then click the Add button and Save button.
  8. Under Do the following…, make sure the left field is set to Modify the message properties and the right field is set to set the spam confidence level (SCL).
  9. Add a second action under Do the following by clicking the + sign (add action) button.
  10. From the drop-down menu, select Modify the message properties on the left side and set a message header on the right side.
  11. Click the first *Enter text… and type X-MS-Exchange-Organization-BypassClutter, hit save, then click the second *Enter text… and type true, then hit save again.
  12. Review all settings to make sure they’re correct, then click Next.
  13. As a best practice, leave the other options at their default settings, then click Finish.

Bypassing the Junk Folder (M365 mail servers ONLY)

This rule lets only CyberHoot’s simulated phishing emails bypass the Junk folder, ensuring your users receive these emails in their inboxes.

Step-by-Step Guide

  1. Under Admin center for M365 Exchange, click Mail flow, then Rules, and hit Add a rule.
  2. In the new rule window, click on Create a new rule.
  3. Give your rule a name, like “CyberHoot – Skip Junk Filtering”.
  4. From the Apply this rule if… drop-down menu, select The message headers… then includes any of these words.
  5. You’ll see *Enter text… and *Enter words…. Click *Enter text… and type in the header name: Become_More_Aware, then click save.
  6. Click *Enter words… and type in CyberHoot, then click the Add button and Save button.
  7. Under Do the following…, make sure the left field is set to Modify the message properties and the right field is set to set the spam confidence level (SCL).
  8. Add a second action under Do the following by clicking the + sign (add action) button.
  9. From the drop-down menu, select Modify the message properties on the left side and set a message header on the right side.
  10. Click the first *Enter text… and type X-Forefront-Antispam-Report (this value is case sensitive), hit save, then click the second *Enter text… and enter “SFV:SKI;CAT:NONE;” (this value is case sensitive), then hit save.
  11. Click Next. On the Set rule settings page, click Next again, leaving the other values at their default settings.
  12. Set the priority to directly follow the rule you created in the previous section.
  13. Review all settings to make sure they’re correct, then click Save.

Setting Advanced Delivery on Microsoft Defender for Phishing Simulation

This configures the IP addresses and sender domains used by CyberHoot for your phishing simulation emails, ensuring these messages are delivered unfiltered.

Step-by-Step Guide

  1. Log into Microsoft Defender.
  2. On the left side, click on Email & Collaboration, then Policies & Rules.
  3. Click on Threat policies, then Advanced delivery.
  4. Under Advanced delivery, click on Phishing Simulations.
  5. Click on Add (unless you’ve already configured phishing simulations, then click on Edit).
  6. Add the Domains and IP addresses listed in the document, then click Save.

Once you’ve completed this setup, give the new rules some time to take effect. Then, set up a test phishing campaign for yourself or a small group to test your new allow-listing rules.
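One way to check the test message once it arrives, as an added example that is not CyberHoot's own code: save the delivered message with its full headers and confirm that the headers named in the two mail flow rules are present with the exact, case-sensitive values. It assumes the headers the rules set are visible in the delivered copy; the sample messages, addresses and function names are constructed for illustration.

```python
from email import message_from_string
from email.policy import default

# Header names and values exactly as typed in the rule steps above.
MARKER_HEADER, MARKER_WORD = "Become_More_Aware", "CyberHoot"
CLUTTER_HEADER = "X-MS-Exchange-Organization-BypassClutter"
REPORT_HEADER = "X-Forefront-Antispam-Report"
REPORT_FIELDS = {"SFV": "SKI", "CAT": "NONE"}  # compared case-sensitively

def parse_report(value):
    """Split 'KEY:VAL;KEY:VAL;' into a dict without changing case."""
    fields = {}
    for part in value.split(";"):
        key, sep, val = part.strip().partition(":")
        if sep:
            fields[key] = val.strip()
    return fields

def check_message(raw):
    """Return a list of problems; an empty list means both rules stamped the message."""
    msg = message_from_string(raw, policy=default)

    def values(name):
        # Header name lookup is case-insensitive; every instance is returned.
        return [str(v).strip() for v in msg.get_all(name, [])]

    # Rule condition: assumed here to match the word without regard to case.
    if not any(MARKER_WORD.lower() in v.lower() for v in values(MARKER_HEADER)):
        return [f"{MARKER_HEADER} does not contain {MARKER_WORD}: rules will not match"]
    problems = []
    if "true" not in values(CLUTTER_HEADER):
        problems.append(f"{CLUTTER_HEADER} is not 'true'")
    reports = [parse_report(v) for v in values(REPORT_HEADER)]
    if not any(all(r.get(k) == v for k, v in REPORT_FIELDS.items()) for r in reports):
        problems.append(f"{REPORT_HEADER} lacks SFV:SKI;CAT:NONE;")
    return problems

# Constructed sample messages (not captured mail).
BASE = "From: training@example.test\nTo: user@example.test\nSubject: test\n"
GOOD = (BASE + "Become_More_Aware: CyberHoot\n"
        "X-MS-Exchange-Organization-BypassClutter: true\n"
        "X-Forefront-Antispam-Report: SFV:SKI;CAT:NONE;\n\nbody\n")
WRONG_CASE = GOOD.replace("SFV:SKI;CAT:NONE;", "sfv:ski;cat:none;")
NO_MARKER = BASE + "\nbody\n"

if __name__ == "__main__":
    for name, raw in [("GOOD", GOOD), ("WRONG_CASE", WRONG_CASE), ("NO_MARKER", NO_MARKER)]:
        print(name, check_message(raw) or "ok")
```

The WRONG_CASE sample shows the failure the Junk folder steps warn about: a lower-case value in X-Forefront-Antispam-Report is reported as a problem.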

Need more help? Check out our HowTo Library or contact support@cyberhoot.com.
