Overview
Sometimes you may need to alter the standard mail flow rules described in this Hoxhunt article. This applies especially to cases where the sender IP address can't be detected from the headers correctly because all incoming emails flow through a third-party security filter that alters the originating IP address in the email headers.
The instructions below are mostly identical to the standard mail flow rules article, but they replace the sender IP address condition with a custom header and value. They also omit the connection filter setup, as that is IP-based.
This consists of five rules:
- Skip Spam filtering and Clutter
- Skip Focused Inbox
- Skip Junk Filtering (O365 only)
- Skip link scanning (O365+ATP only)
- Skip attachment scanning (O365+ATP only)
TIP: You can download screenshots of every rule at the end of this article.
IMPORTANT: You must complete the above steps for successful whitelisting!
IMPORTANT: If you have a hybrid deployment (on-premises Exchange + O365), complete the steps on both the on-premises Exchange Server and O365.
1. Skip Spam filtering and Clutter
Step 1:
If you are configuring O365, log in to O365 and navigate to Admin > Admin Centers > Exchange.
If you are configuring on-premise Exchange, log in to Exchange Admin Center and navigate to Dashboard.
Step 2:
At the top-level of your Admin center, select Mail flow. Click the “+” icon and select “Bypass spam filtering...”
Name your rule as “Bypass filtering for Hoxhunt by header”.
Step 3:
Add the following condition:
"Apply this rule if..." > "A message header includes..." > "any of these words".
On the right side, click *Enter text... and type in the header name provided by Hoxhunt.
Then, click *Enter words… and type in the value provided by Hoxhunt. Click the + sign and OK.
Step 4:
Select "Add action" and then select "Modify the message properties..." > "set a message header".
Click on Set a message header "Enter text..." and type in X-MS-Exchange-Organization-BypassClutter
Click on ...to the value “Enter text…” and type in true
This rule is now complete. Click Save.
2. Skip Focused Inbox
As it's possible to set only one header per rule, let's create a new mail flow rule to bypass Focused Inbox evaluation.
Step 1:
Under Mail Flow > Rules, click the (+) and then Create a new Rule...
Name your rule as "Bypass Focused Inbox for Hoxhunt by header".
Step 2:
Click More Options.
Add the following condition:
"Apply this rule if..." > "A message header includes..." > "any of these words".
On the right side, click *Enter text... and type in the header name provided by Hoxhunt.
Then, click *Enter words… and type in the value provided by Hoxhunt. Click the + sign and OK.
Step 3:
Under "Do the following", select "Modify the message properties..." > "set a message header".
Click on Set a message header "Enter text..." and type in X-MS-Exchange-Organization-BypassFocusedInbox
Click on ...to the value “Enter text…” and type in true
This rule is now complete. Click Save.
3. Skip Junk Filtering (O365 only)
The following rule is required by all O365 mail services that have EOP (Exchange Online Protection) or ATP (Advanced Threat Protection) enabled.
Step 1:
Click (+) > Create a new rule...
Name your rule as "Bypass Junk filtering for Hoxhunt by header".
Step 2:
Click More options.
Add the following condition:
"Apply this rule if..." > "A message header includes..." > "any of these words".
On the right side, click *Enter text... and type in the header name provided by Hoxhunt.
Then, click *Enter words… and type in the value provided by Hoxhunt. Click the + sign and OK.
Step 3:
Under "Do the following", select "Modify the message properties..." > "set a message header".
Add a header X-Forefront-Antispam-Report and set it to value SFV:SKI;
This rule is now complete. Click Save.
4. Skip link scanning (O365+ATP only)
Step 1:
Click (+) > Create a new rule...
Name your rule as "Bypass ATP Links for Hoxhunt by header".
Step 2:
Click More options.
Add the following condition:
"Apply this rule if..." > "A message header includes..." > "any of these words".
On the right side, click *Enter text... and type in the header name provided by Hoxhunt.
Then, click *Enter words… and type in the value provided by Hoxhunt. Click the + sign and OK.
Step 3:
Under "Do the following", select "Modify the message properties..." > "set a message header".
Add a header X-MS-Exchange-Organization-SkipSafeLinksProcessing and set it to value 1
This rule is now complete. Click Save.
5. Skip attachment scanning (O365+ATP only)
Step 1:
Click (+) > Create a new rule...
Name the rule, for example "Bypass ATP Attachments for Hoxhunt"
Step 2:
Click More options.
Add the following condition:
"Apply this rule if..." > "A message header includes..." > "any of these words".
On the right side, click *Enter text... and type in the header name provided by Hoxhunt.
Then, click *Enter words… and type in the value provided by Hoxhunt. Click the + sign and OK.
Step 3:
Under "Do the following", select "Modify the message properties..." > "set a message header".
Add a header X-MS-Exchange-Organization-SkipSafeAttachmentProcessing and set it to value 1
This rule is now complete. Click Save.
Summary of the mail flow rules you just created.
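The same five rules can be created and reviewed from Exchange PowerShell. This is an added example, not a script from the original article or from Hoxhunt; the variable names, the two environment flags and the placeholder header name and value are assumptions to replace with your own.

```powershell
# Added example (not Hoxhunt's own script). Run in Exchange Online PowerShell after
# Connect-ExchangeOnline, or in the on-premises Exchange Management Shell.
# Placeholders: use the header name and value provided by Hoxhunt. Any message that
# carries this pair skips filtering, so handle the value like a shared secret.
$HoxHeader = '<header-name-provided-by-Hoxhunt>'
$HoxValue  = '<header-value-provided-by-Hoxhunt>'
$IsO365    = $true   # assumption: set to $false on on-premises Exchange (rule 3 is O365 only)
$HasAtp    = $true   # assumption: set to $false without ATP (rules 4 and 5 are O365+ATP only)

# One rule per header, because a rule can set only one message header.
$rules = @(
    @{ Name = 'Bypass filtering for Hoxhunt by header';      Header = 'X-MS-Exchange-Organization-BypassClutter';             Value = 'true';     Needs = 'Any';  Scl = $true }
    @{ Name = 'Bypass Focused Inbox for Hoxhunt by header';  Header = 'X-MS-Exchange-Organization-BypassFocusedInbox';        Value = 'true';     Needs = 'Any';  Scl = $false }
    @{ Name = 'Bypass Junk filtering for Hoxhunt by header'; Header = 'X-Forefront-Antispam-Report';                          Value = 'SFV:SKI;'; Needs = 'O365'; Scl = $false }
    @{ Name = 'Bypass ATP Links for Hoxhunt by header';      Header = 'X-MS-Exchange-Organization-SkipSafeLinksProcessing';   Value = '1';        Needs = 'ATP';  Scl = $false }
    @{ Name = 'Bypass ATP Attachments for Hoxhunt';          Header = 'X-MS-Exchange-Organization-SkipSafeAttachmentProcessing'; Value = '1';     Needs = 'ATP';  Scl = $false }
)

# Names of rules that already exist, so a second run does not fail on duplicates.
$existing = @(Get-TransportRule | Select-Object -ExpandProperty Name)

foreach ($r in $rules) {
    if ($r.Needs -eq 'O365' -and -not $IsO365) { continue }
    if ($r.Needs -eq 'ATP' -and -not ($IsO365 -and $HasAtp)) { continue }
    if ($existing -contains $r.Name) {
        Write-Warning "Rule '$($r.Name)' already exists, skipping"
        continue
    }

    $params = @{
        Name                        = $r.Name
        HeaderContainsMessageHeader = $HoxHeader   # condition: "A message header includes..."
        HeaderContainsWords         = $HoxValue    # "...any of these words"
        SetHeaderName               = $r.Header    # action: "set a message header"
        SetHeaderValue              = $r.Value
    }
    # Rule 1 starts from the "Bypass spam filtering..." template, which sets the SCL to -1.
    if ($r.Scl) { $params.SetSCL = -1 }

    New-TransportRule @params | Out-Null
}

# Review: every bypass rule should be enabled and keyed on the same header.
Get-TransportRule |
    Where-Object { "$($_.HeaderContainsMessageHeader)" -eq $HoxHeader } |
    Format-Table Name, State, Priority, SetHeaderName, SetHeaderValue, SetSCL -AutoSize
```

The final listing is also a quick audit: any rule keyed on this header that is not one of the five above is an unexpected filtering bypass and should be reviewed.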
TIP
If you are able to detect Hoxhunt emails based on the sender IP address at your Edge transport server, you can create a transport rule that adds your own custom header+value to Hoxhunt emails. You can then use this header to pass the email safely through to the receiving email server. Then, before delivering the email, you create a rule that removes the custom header. This offers added security, as the header will only be used within your internal message path.
Troubleshooting
Emails are still not delivered correctly
Check this article for further troubleshooting tips.
Frequently Asked Questions
What is Clutter?
Clutter is a feature that moves low-priority emails out of the user's inbox to a folder called Clutter. Clutter analyzes the user's email habits and, based on past behavior, determines which messages the user is most likely to ignore. To make sure Hoxhunt's simulation emails are always delivered to the user's inbox, you must bypass the Clutter evaluation for Hoxhunt simulation emails.
What is Focused Inbox?
Focused Inbox is a feature that automatically evaluates incoming emails and directs them to one of two views: "Focused" and "Others". To make sure Hoxhunt's simulation emails are always delivered to the user's "Focused" inbox, you must bypass the evaluation for Hoxhunt simulation emails.