How to enable Arsen phishing simulations using headers on Microsoft Office 365?
This procedure allows you to authorize our phishing simulations on your employees' email addresses by identifying them with a specific header on Microsoft 365.
This method is only recommended if you have a filtering solution upstream of your reception servers. In practical terms, this means that you need to whitelist our IP on your anti-phishing filter and then apply the header procedure on Microsoft Office 365.
If you don't have an upstream filtering solution for your emails, always prefer to use an IP address-based whitelisting procedure.
Remember to authorize our header or IP on your anti-spam or anti-phishing service to ensure the proper reception of our simulations.
Prerequisites
To follow this procedure, you must be the administrator of your company's Microsoft 365 account.
Step 1: Bypassing anti-spam and anti-clutter protection
Log in to your administration portal and select Exchange under Administration Centers.
In Mail Flow, click on Rules.
Click on the + to add a rule and select Bypass Spam Filtering.
In the new rule window, choose a name like Arsen Anti-Phishing Authorization.
Select A message header in the Apply this rule if... menu, then select Includes any of these words.
On the right side, click the first Enter text... and, in the new window, enter the value of the header.
In the second Enter text..., enter "true" and click the Save button.
In Do the following..., make sure that Set the spam confidence level (SCL) to... is selected and that Bypass spam filtering is selected on the right.
Click on + to add an action
Select Modify the message properties and then Set a message header.
Click the first Enter text... and enter X-MS-Exchange-Organization-BypassClutter. Then click the second Enter text... and enter true.
Leave the other options as default, then click Next
Step 2: Avoid Quarantine
This part of the procedure prevents our phishing simulations from being quarantined.
Still in the Exchange Admin Center, select "Mail Flow" and then "Rules" in the left menu.
Click the "+" button to add a rule.
Select "Bypass spam filtering" and name the rule Arsen Quarantine Avoidance.
Click on "Apply this rule if..." and select A message header. Then select includes any of these words.
In the first Enter text... field, enter the value of the header. By default, this value is X-Arsen-Training, but we strongly recommend following the header customization procedure for greater security.
In the second Enter text... field, enter the text true and click the Save button.
Click the Do the following... dropdown, select Modify the message properties, then select Set a Message Header.
Click the first Enter text... to the right of "Set the message header" to define the header. Enter the text X-Forefront-Antispam-Report. Pay attention to capitalization: respect upper and lower case. Click OK.
Click the second Enter text... (the value) to the right of Set the message header. Enter SFV:SKI;CAT:NONE;. Respect the capitalization: everything must be in uppercase. Click OK once the text is entered.
Click Next
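A check to run on delivered messages once both rules are active, added here as an example and not part of Arsen's documentation: it flags any message that matched the bypass header but did not reach Microsoft 365 through the upstream filter. The relay range 192.0.2.0/28, reading the connecting IP from the client-ip field of the Received-SPF header, and all function names are assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Assumptions, not from the page: the upstream filter's relay range (a
# documentation network) and reading the connecting IP from Received-SPF.
UPSTREAM_NETS = [ipaddress.ip_network("192.0.2.0/28")]
BYPASS_HEADER = "X-Arsen-Training"  # default name; use your customized one
CLIENT_IP = re.compile(r"client-ip=([0-9A-Fa-f:.]+)")
TRUE_WORD = re.compile(r"\btrue\b", re.IGNORECASE)  # approximates the rule's word match


def connecting_ip(msg):
    """IP that handed the message to Microsoft 365, or None if unknown."""
    for value in msg.get_all("Received-SPF", []):
        match = CLIENT_IP.search(value)
        if match:
            try:
                return ipaddress.ip_address(match.group(1))
            except ValueError:
                return None
    return None


def audit(raw_message):
    """Classify one delivered message against the header bypass rules."""
    msg = message_from_string(raw_message)
    if not any(TRUE_WORD.search(v) for v in msg.get_all(BYPASS_HEADER, [])):
        return "not-matched"  # the transport rules would not fire
    ip = connecting_ip(msg)
    if ip is None:
        return "review-no-source-ip"  # bypassed, origin cannot be checked
    if any(ip in net for net in UPSTREAM_NETS):
        return "ok-via-upstream"
    return "alert-bypassed-outside-upstream"


def sample(ip, header_value):
    """Build a constructed message (headers only) for the demonstration."""
    lines = []
    if ip:
        lines.append(f"Received-SPF: Pass (constructed sample) client-ip={ip};")
    if header_value is not None:
        lines.append(f"{BYPASS_HEADER}: {header_value}")
    return "\n".join(lines + ["Subject: Password expiry notice", "", "body"])


if __name__ == "__main__":
    for ip, value in [("192.0.2.5", "true"), ("203.0.113.77", "true"), (None, "True")]:
        print(ip, value, "->", audit(sample(ip, value)))
```

Replace `UPSTREAM_NETS` with the ranges your filtering solution actually relays from, and `BYPASS_HEADER` with your customized header name if you followed the customization procedure.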
Updated on: 29/01/2024