Overview

Applies to: M365

When ensuring mail delivery, we want to make sure that Hoxhunt training emails reach your employees' inboxes without getting stuck in security filters or scans along the way. This article explains how to set these rules in place when your email environment is Microsoft 365 Exchange Online and Hoxhunt send its emails directly to your M365 tenant.

If you have Hybrid Exchange or On-premise Exchange, please follow the steps outlined in this article: Ensuring mail delivery when your MX record doesn't point to M365

The steps needed to ensure mail delivery are:

1. Mandatory: Configure Advanced Delivery
2. Mandatory: Add mail flow rule to force Hoxhunt training emails to land in Focused Inbox
3. Optional: Skip link scanning for Hoxhunt training emails
4. Optional: Add mail flow rules to prevent Hoxhunt training emails from being forwarded

Before you start

Before you start the configuration, make sure you meet the following requirements:

• You have Admin access* to Hoxhunt Admin Portal and to Email Delivery settings page in Hoxhunt Admin Portal
• You have access to Advanced Delivery policy page in Microsoft Defender portal, and you see the view below, in the Phishing simulation > Edit.

• (To create, modify, or remove configured settings in the advanced delivery policy, you need to be a member of the Security Administrator role group in the Microsoft Defender portal and a member of the Organization Management role group in Exchange Online.)

* If you are a third-party configuring Advanced Delivery for your customer, you might not have access to your customer's Hoxhunt Admin Portal. In that case, reach out to your customer's Hoxhunt contact person or Hoxhunt Support (support@hoxhunt.com) to obtain the required configuration details.
 

1. Configure Advanced Delivery

What is Advanced Delivery?

Secure by Default is Microsoft’s security approach that automatically quarantines emails flagged as malware or high-confidence phishing, regardless of any email transport rules (ETR). ETRs do still apply except for high-confidence phishing, and malware is still always blocked. 

The steps below ensure Hoxhunt emails are not flagged as high-confidence phishing.

Advanced Delivery, part of Secure by Default, can be set up by tenant admins. It lets Exchange Online Protection and Defender for Office 365 correctly recognize Hoxhunt training emails so they’re delivered safely and not flagged as suspicious.

Read more here: Introducing Secure by Default and Advanced Delivery for Hoxhunt customers

How to Configure Advanced Delivery - (Video) 

If you don't want to watch the video, there is text documentation on below

How to Configure Advanced Delivery - (Text) 

1.1. Log in to Hoxhunt Admin Portal.

1.2. From left-hand navigation, go to Settings > Email delivery.

1.3. Make sure DKIM is enabled switch is ON. If it’s not, toggle it to ON position.
After the DKIM toggle has been enabled, the header section of all training emails will include:
 

DKIM-Signature: ... d=[YOUR_HOXHUNT_ORG_ID].hoxhuntsigning.com; ... s=key-a;

1.4. Log in to Microsoft Defender portal.

1.5. Navigate to Email & Collaboration > Policies & Rules > Threat policies > Advanced delivery.

1.6. Switch to Phishing simulation tab.

1.7. Click Add/Edit to create a new policy for Hoxhunt training emails.

1.8. Under Domain, copy-paste the DKIM domain displayed in Hoxhunt Admin Portal > Email delivery. Press Enter.

1.9. Under Sending IP, copy-paste the IP addresses displayed in Hoxhunt Admin Portal > Email delivery. Press Enter.

1.10. Click Save.

Your new Advanced Delivery policy for Hoxhunt is now listed on separate rows: one for each IP and one for DKIM domain.

From now on, Hoxhunt training emails are automatically detected as phishing simulations by Defender and are allowed through.

2. Add mail flow rule to force Hoxhunt training emails to land in Focused Inbox

Focused Inbox is a feature that automatically evaluates incoming emails and direct them to two views: "Focused" and "Other". To make sure Hoxhunt's training emails are always delivered to the user's "Focused" inbox, you must bypass the evaluation for Hoxhunt training emails.

2.1. Log in to M365 Exchange Admin Center.

2.2. In the left hand side navigation bar go to Mail flow > Rules.

2.3. Choose + Add a rule > Create a new rule.

2.4. Give the rule a name, such as "Focused Inbox allowlisting for Hoxhunt".

2.5. Add the condition Apply this rule if...

2.6. Select The sender..., and select IP address is in any of these ranges or exactly matches. Specify the following sender IP addresses (below), then click Add > Save.

193.3.183.0/25
35.156.0.138
 

2.7. Under "Do the following", select "Modify the message properties..." then "Set a Message Header".

2.8. Click on Set a message header "Enter text..."  add the following (case sensitive!):

X-MS-Exchange-Organization-BypassFocusedInbox

2.9. Click on ...to the value “Enter text…” and add: true (case sensitive!) and Click Save.

2.10. In Set rule Settings > Set Enforce > Click Next.

2.11. In the Review and finish section proceed to click Finish.

2.12.  In the rule list, we recommend having Hoxhunt rules as the top of the list (with the highest priority). You can adjust the order of the items on the list by using the arrows. 

3. (Optional) Skip link re-writing scanning for Hoxhunt training emails

The steps below sets up a mail flow rule to bypass Defender link processing. In essence, the link processing re-writes all URLs in incoming emails as Safe Links. If you want to keep links included in Hoxuhnt training emails intact, please set up this rule.

Defender Link Processing Bypass Rule

Below are the steps to set up a mail flow rule to bypass Defender link processing:

3.1. Log in to M365 Exchange Admin Center.

3.2. In the left hand side navigation bar go to Mail flow > Rules.

3.3. Choose + Add a rule > Create a new rule.

3.4. Name the rule, for example "Bypass Defender link processing for Hoxhunt".

3.5. Select The sender..., and select IP address is in any of these ranges or exactly matches. Specify the following sender IP addresses (below), then click Add > Save.

193.3.183.0/25
35.156.0.138

3.6 Under Do the following…

• Choose Modify the message properties > set a message header
  • X-MS-Exchange-Organization-SkipSafeLinksProcessing
• To this value…
  • 1

3.7. Save your new rule.

4. (Optional) Add mail flow rules to prevent Hoxhunt training emails from being forwarded

Mail flow rules can also be implemented to help the receiver notice if the forwarded email is a Hoxhunt simulation. People might forward simulations to colleagues asking for help identifying the email - adding a mail flow rule to notify the receiver about the Hoxhunt simulation will save time and effort spent on analyzing the email.

You can also prevent Hoxhunt simulation emails from being forwarded within or even outside your organization.

Read more: Mail flow rule: Detect or block forwarded Hoxhunt simulations

Frequently asked questions

After allowing Hoxhunt training emails, we are receiving ETR Override alert notification emails from Microsoft.

Please see: Suppress ETR override notifications from Microsoft

I'm not receiving Hoxhunt emails after completing all the steps above

Check these articles for further guidance:

• Troubleshoot: Hoxhunt emails are not arriving correctly

Does Hoxhunt support Direct Mail Injection (DMI) in Exchange infrastructure?

Hoxhunt doesn't support Direct Mail Injection (DMI). Microsoft Advanced Delivery policy has proven to provide better balance over security, required permissions and allowlisting effectiveness. In addition, Microsoft has retired Application Impersonation admin role used by Microsoft DMI connections in February 2025, effectively breaking DMI.

Questions?

If you have any questions about the configuration needed to ensure mail flow, please reach out to your Onboarding Manager or our support team at support@hoxhunt.com.