Microsoft Defender SmartScreen helps protect Windows users against malicious or compromised websites. If you’re running a phishing simulation or legitimate tests via Hoxhunt, you might need to allowlist specific URLs or domains in Defender SmartScreen to allow training emails and links to function without being blocked.
Prerequisites
- Administrative privileges on Windows workstations or Active Directory Group Policy (for domain-wide application).
- A list of the domains or URLs you want to allow.
About Hoxhunt simulation domains
Hoxhunt has several domains used in its simulations. Please see an overview of them below.
Sender domains: You can obtain a list of Hoxhunt sender email domains via Admin Portal and via External API.
Landing page domains: Used in Credential harvester simulations. Please find a CSV attached to the end of this article.
Fail link domains: This group contains both landing page domains as well as all other domains used in fail link URLs. A comprehensive list is currently not available. Instead, please use Sender domains and Landing page domains for your click-through allowlisting.
Allowlisting via group policy
1. Access Group Policy Management
- On your domain controller, open the Group Policy Management Console (GPMC).
- Create or edit an existing Group Policy Object linked to the relevant organizational unit(s).
2. Navigate to SmartScreen Policies
- Go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Edge (for Edge settings) or Internet Explorer (if still in use).
- Look for SmartScreen Settings or Defender SmartScreen configurations (this varies with OS and browser versions).
3. Configure allowlist settings
- Locate the policy setting for Configure Windows Defender SmartScreen or SmartScreen Allowlist.
- Enable the policy, then input the domain(s) or URL(s) you want to allowlist.
- Save and close the Group Policy Editor.
4. Update Group Policy
- Run gpupdate /force in Command Prompt on client machines or wait for the regular policy update interval.
- Ensure the GPO is applied correctly by reviewing the Group Policy Results.
5. Confirm functionality
- Test access to the allowlisted URLs from a client machine.
- SmartScreen warnings should no longer appear for these domains.
Allowlisting steps for local machine (non-domain devices)
1. Open Windows Security
- Click the Start menu and select Settings > Update & Security > Windows Security.
- Choose App & browser control.
2. Manage SmartScreen Settings
- Under SmartScreen, choose Reputation-based protection settings.
- While there might not be a direct “allowlist” field for personal devices, you can modify the alert level to reduce false positives.
3. Set up a local policy or registry setting
- For better control on a standalone system, you can adjust the registry to disable or modify SmartScreen checks for specific domains.
- This method is advanced and not recommended unless you understand registry modifications.
Steps to allowlist in Intune (Mac and Windows)
- Navigate to devices in Intune.
- Select the OS you want to configure (Mac or Windows).
- Click Configuration.
- Click Create > New policy.
- Select Settings catalog > Create.
- Give a name for your profile, for example Defender SmartScreen allowlist for Hoxhunt domains, and click Next.
- Click Add settings.
- Search for “smartscreen”. Click Microsoft Edge.
- Select Configure Microsoft Defender SmartScreen and configure the list of domains for which Microsoft Defender SmartScreen shouldn’t trigger warnings.
- Enable Configure Microsoft Defender SmartScreen on the left side.
- Import the list of Hoxhunt domains and click Next.
- Under Scope tags, click Next.
- Under Assignments, assign the profile to a group and click Next.
- Review and create the profile.
Verification
- Attempt to open any of the allowlisted domains on a test machine.
- Confirm no warnings appear and that users can click through training links without obstruction.
- Open Microsoft Edge and navigate to edge://policy/. The allowed domains should be listed here.
For more information, see Microsoft Defender SmartScreen overview
Steps to allowlist via Microsoft Defender for Endpoint indicators
- Navigate to https://security.microsoft.com/.
- On the left side, at the bottom of the navigation pane, click Settings.
- Click Endpoints.
- Under Rules, click Indicators.
- Click Import, choose the CSV containing the domains and click Import.
(If you want to allowlist just a specific domain, open URLs/Domains tab and click Add item.)
TIP: You can modify the CSV to make the domains expire at a desired date and time. If you don't want the domain allowlisting to expire, leave that column empty. The format is YYYY-MM-DDTHH:MM:SS.0Z
For more information, see Create indicators for IPs and URLs/domains - Microsoft Defender for Endpoint
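As an added example (not part of the original article or the CSV attached to it), the PowerShell below fills empty expiry cells with a chosen date in the format from the TIP and reports existing values that are malformed or already in the past. The column names, the sample rows and the function name Set-IndicatorExpiry are assumptions; match the column name to the header of the CSV you actually import.

```powershell
# Added example, not from the original article. Column names are assumptions.
$ExpiryFormat = "yyyy-MM-dd'T'HH:mm:ss'.0Z'"   # the TIP's YYYY-MM-DDTHH:MM:SS.0Z, in UTC

function Set-IndicatorExpiry {
    param(
        [Parameter(Mandatory)][object[]]$Rows,
        [Parameter(Mandatory)][datetime]$Expires,
        [string]$Column = 'ExpirationTime',      # assumed column name
        [datetime]$Now = [datetime]::UtcNow
    )
    $culture = [Globalization.CultureInfo]::InvariantCulture
    $styles  = [Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal'
    $stamp   = $Expires.ToUniversalTime().ToString($ExpiryFormat, $culture)
    $issues  = @()
    for ($i = 0; $i -lt $Rows.Count; $i++) {
        $value = "$($Rows[$i].$Column)".Trim()
        if (-not $value) {
            $Rows[$i].$Column = $stamp           # empty cell: apply the chosen expiry
            continue
        }
        # Existing value: it must match the format exactly and lie in the future.
        $parsed = [datetime]::MinValue
        $ok = [datetime]::TryParseExact($value, $ExpiryFormat, $culture, $styles, [ref]$parsed)
        if (-not $ok) {
            $issues += "Row $($i + 1): '$value' is not in the expected format"
        } elseif ($parsed -le $Now.ToUniversalTime()) {
            $issues += "Row $($i + 1): '$value' is already in the past"
        }
    }
    [pscustomobject]@{ Rows = $Rows; Issues = $issues }
}

# Constructed sample rows (placeholder domains, assumed header).
$rows = @'
IndicatorValue,ExpirationTime
training.example.com,
landing.example.net,2020-01-01T00:00:00.0Z
portal.example.org,31/12/2030
'@ | ConvertFrom-Csv

$result = Set-IndicatorExpiry -Rows $rows -Expires ([datetime]::UtcNow.AddDays(90))
$result.Rows | ConvertTo-Csv -NoTypeInformation   # rows ready to write back to the CSV
$result.Issues                                    # fix these before importing
```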
When to use this method?
- If users report issues accessing training domains across multiple browsers and IT teams want a more comprehensive allowlisting solution.
- If security teams require strict control over allowlisted domains outside of browser-based controls.
Which method should we use?
- If the goal is browser-level allowlisting, use Chrome Safe Browsing & Microsoft SmartScreen policies (recommended for most customers).
- If security teams need wider allowlisting at the endpoint level and have the right licensing, Defender for Endpoint IoCs can be considered—but may not be practical for large domain lists.
Additional Considerations
- Only allowlist trusted, verified domains to prevent security risks.
- Periodically audit your list of allowlisted URLs for relevance and safety.
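As an added example (not part of the original article or of Hoxhunt's tooling), the PowerShell below supports both the Verification step and the periodic audit above: it compares the domains enforced through Edge's SmartScreenAllowListDomains policy with an approved list and flags entries that are missing, unapproved, or not plain hostnames. The registry path is where Edge stores that policy on Windows; the function names and sample domains are constructed for illustration.

```powershell
# Added example, not from the original article.
# Edge stores list policies as numbered string values (1, 2, 3, ...) under this key.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge\SmartScreenAllowListDomains'

function Get-AppliedSmartScreenAllowList {
    param([string]$Path = $PolicyKey)
    if (-not (Test-Path -Path $Path)) { return @() }
    $key = Get-Item -Path $Path
    @($key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) })
}

function ConvertTo-NormalizedDomain {
    param([string[]]$Domain)
    # Drop empty entries, then trim, lowercase and de-duplicate.
    @($Domain | Where-Object { "$_".Trim() } |
        ForEach-Object { $_.Trim().ToLowerInvariant() } | Sort-Object -Unique)
}

function Compare-SmartScreenAllowList {
    param([string[]]$Approved, [string[]]$Applied)
    $want = @(ConvertTo-NormalizedDomain -Domain $Approved)
    $have = @(ConvertTo-NormalizedDomain -Domain $Applied)
    [pscustomobject]@{
        # Approved but not enforced: training links may still be blocked.
        Missing    = @($want | Where-Object { $_ -notin $have })
        # Enforced but never approved: candidates for removal.
        Unexpected = @($have | Where-Object { $_ -notin $want })
        # Not a plain multi-label hostname (bare TLD, wildcard, full URL).
        Suspect    = @($have | Where-Object { $_ -notmatch '^[a-z0-9-]+(\.[a-z0-9-]+)+$' })
    }
}

# Constructed sample data (placeholders, not real Hoxhunt domains).
$approved = 'training.example.com', 'landing.example.net'
$applied  = 'Training.example.com', 'old-vendor.example.org', 'com'
Compare-SmartScreenAllowList -Approved $approved -Applied $applied | Format-List

# On a managed Windows client, audit the live policy instead:
# Compare-SmartScreenAllowList -Approved $approved -Applied (Get-AppliedSmartScreenAllowList)
```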