How to bypass Microsoft Office 365 Advanced Threat Protection (ATP) Safe Link/Attachment Processing?
If you use the Advanced Threat Protection (ATP) feature and have noticed unlikely clicks in your phishing simulations, the ATP analysis system has probably generated false click events. You therefore need to configure your email environment to bypass this protection during your phishing simulations with Arsen.
This procedure complements the procedures for authorizing Arsen phishing simulations.
As with those procedures, there are two ways to identify and authorize our simulations: by IP or by header.
Choose to authorize by IP if you don't have anti-phishing protection upstream of your mail server.
Choose to authorize by header if you have anti-phishing protection upstream: it may replace the IP address seen by your mail server, in which case exclusion rules based on IP authorization won't apply.
Bypass Safe Link by allowing IP address
Create a new Mail Flow rule. The Set rule conditions menu opens.
Name it: Arsen Safe Link bypass
Click on More options...
Select The senders in Apply this rule if..., then select IP address is in any of these ranges or exactly matches.
In the new window, enter our IP address: 161.38.204.14, then press Add and Save.
In Do the following..., select Modify the message properties..., then set a message header.
Click on the first link Enter text... and enter: X-MS-Exchange-Organization-SkipSafeLinksProcessing
Click on the second link Enter text... and enter: 1
Click Next
Bypass Safe Link by allowing the header
Create a new Mail Flow rule.
Name it: Arsen Safe Link bypass
Select A message header... in Apply this rule if..., then select includes any of these words.
Click on the first Enter text... and, in the specify header name window, enter the header available in your account. For more information on setting up this header, refer to this article: how to customize the header of phishing simulation emails?
Click on the second Enter text... and enter: true
In Do the following..., select Modify the message properties..., then set a message header.
Click on the first link Enter text... and enter: X-MS-Exchange-Organization-SkipSafeLinksProcessing
Click on the second link Enter text... and enter: 1
Click Next
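The same rule expressed in Exchange Online PowerShell, followed by a review of every rule that sets the skip header. This is an added example, not Arsen's own script. It assumes the ExchangeOnlineManagement module and an open Connect-ExchangeOnline session with rights to manage mail flow rules; the variable names and the value of $SimHeader are placeholders to replace with the header name from your Arsen account.

```powershell
# Added example, not Arsen's own script. Assumes an open
# Connect-ExchangeOnline session with rights to manage mail flow rules.
$RuleName   = 'Arsen Safe Link bypass'
$SkipHeader = 'X-MS-Exchange-Organization-SkipSafeLinksProcessing'
$Mode       = 'IP'                        # 'IP' or 'Header', as chosen above
$ArsenIp    = '161.38.204.14'             # IP address given in this article
$SimHeader  = 'X-PLACEHOLDER-SIM-HEADER'  # placeholder: header name from your Arsen account

# Action shared by both variants: "set a message header" to the value 1.
$rule = @{
    Name           = $RuleName
    SetHeaderName  = $SkipHeader
    SetHeaderValue = '1'
}

# Condition: "IP address is in any of these ranges or exactly matches"
# or "A message header includes any of these words".
switch ($Mode) {
    'IP'     { $rule.SenderIpRanges = $ArsenIp }
    'Header' {
        $rule.HeaderContainsMessageHeader = $SimHeader
        $rule.HeaderContainsWords         = 'true'
    }
    default  { throw "Mode must be 'IP' or 'Header'." }
}

# Create the rule only if no rule with this name exists yet.
if (-not (Get-TransportRule | Where-Object { $_.Name -eq $RuleName })) {
    New-TransportRule @rule | Out-Null
}

# Review: list every rule that sets the skip header, with its conditions.
$bypassRules = Get-TransportRule | Where-Object { $_.SetHeaderName -eq $SkipHeader }
$bypassRules | Format-List Name, State, SenderIpRanges,
    HeaderContainsMessageHeader, HeaderContainsWords, SetHeaderValue

# Warn about any such rule that has neither a sender IP nor a header condition.
foreach ($r in $bypassRules) {
    if (-not $r.SenderIpRanges -and -not $r.HeaderContainsMessageHeader) {
        Write-Warning "Rule '$($r.Name)' sets $SkipHeader without an IP or header condition."
    }
}
```

Rerunning the review part after each simulation campaign shows whether the bypass is still limited to the single IP address or header you intended.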
Updated on: 07/11/2023