This article explains how Microsoft’s Secure By Default policy and Advanced Delivery feature apply to you.
For instructions on how to configure Advanced Delivery for Hoxhunt, please check 1. Configure Advanced Delivery.
Understanding Secure by Default and Advanced Delivery
What is Secure by Default?
Secure by Default is a new security philosophy mandated by Microsoft. It will automatically quarantine any email considered as malware or high confidence phish to be delivered to mailboxes, regardless of any ETRs. Existing ETRs continue to be honored except for high confidence phish. Malware is always blocked.
What is Advanced Delivery?
Advanced Delivery is a policy configurable by tenant Admins. It’s part of Secure by Default. Advanced Delivery allows Exchange Online Protection and Defender for Office 365 to properly detect Hoxhunt training emails and not mark them as threats. This ensures Hoxhunt training emails are safely delivered to user mailboxes and they cannot be reported as threats.
Do Secure by Default and Advanced Delivery completely replace mail flow rules?
No. For the time being, keep all your existing mail flow rules for Hoxhunt in place.
Mail flow rules will continue to be available and function as intended, but in the case of high confidence phish verdicts, those messages will be sent to quarantine. Mail flow rules can still be used as previously done for other verdicts like spam and normal confidence phish.
Additionally, Hoxhunt training emails include fail links utilising dozens of different domains. Because Advanced Delivery doesn’t support more than 10 URLs on the Allowed URLs list, specific mail flow rules are still needed to ensure your employees are able to click on fail links without being blocked.
What’s the release timeline?
Microsoft is targeting a global release of the DKIM domain enhancement of Advanced Delivery around end of September (estimating September 28th, 2021).
From that moment, Microsoft gives about 4 weeks for Hoxhunt customers to configure Advanced Delivery with DKIM domains (instructions further down).
Microsoft will enable Secure by Default for Hoxhunt customer tenants around end of October (estimating October 26th, 2021).
The timeline is too tight for us!
The timeline is controlled by Microsoft. If you are unable to configure Advanced Delivery by October 26th, you have few options:
- A) Ask Hoxhunt to pause Hoxhunt training until you have completed the configuration.
- B) Contact Microsoft and ask if your tenant can stay on the Secure by Default exclusion list until configuration is done. Please note this may not be feasible for Microsoft.
- C) Hoxhunt training continues without Advanced Delivery but some training emails may be quarantined. This option is not advisable.
Does this apply to us?
Your organization needs to complete this configuration if your default MX is pointing to M365 directly, or if you have agreed that Hoxhunt sends its training emails directly to your M365, bypassing your default, non-M365 MX.
If your domain's default public MX record doesn't point to Microsoft 365 (and/or Hoxhunt training emails are routed somewhere else first), Secure by Default will not apply, and your existing mail flow rules will continue to be honored.
IMPORTANT: Hoxhunt doesn't currently show you which MX it is targeting. Therefore you might not know if all of this applies to you. However, we highly recommend to configure Advanced Delivery in any case because:
- if Hoxhunt target's your M365 MX, the configuration works.
- If Hoxhunt doesn't target your M365 MX, the configuration does no harm.
Also, you eventually would need to configure Advanced Delivery when your email routing is changed to go through M365’s MX in the future.
Why is this configuration needed?
Microsoft’s Secure by Default policy will not allow high-confidence phish to pass through to your user mailboxes by using traditional transport rules (a.k.a. mail flow rules). As Hoxhunt training emails are sometimes considered as high-confidence phish, Microsoft offers a way to let Hoxhunt training emails through without inspection (malware checks and ZAP are still applied).
Why Hoxhunt has a unique DKIM signing domain for each customer?
In order to improve security Hoxhunt decided to implement support for Advanced Delivery in a manner where each customer will receive simulations that are signed by a unique domain. Furthermore Hoxhunt uses two different certificates that allow us to do seamless certificate rotation periodically.
What concrete changes and benefits can we see?
Hoxhunt training emails are not quarantined anymore by Exchange Online Protection (EOP) or Defender for Office 365.
ETR delivery alerts are not triggered for delivered Hoxhunt training emails.
Admin submissions generates an automatic response saying that the message is part of a phishing simulation campaign and isn't a real threat. Alerts and AIR will not be triggered. The admin submissions experience will show Hoxhunt training emails as a simulated threat.
When a user reports a phishing simulation message using the Report Phishing add-in for Outlook, the system will not generate an alert, investigation, or incident. The message will also show up on the User reported messages tab of the submissions page.
TIP: You should also configure Advanced Delivery for your SecOps mailbox!
You can read more about if, when and how Advanced Delivery applies to your organization:
For official release information from Microsoft, please read:
MS message center post: MC286993, Microsoft Defender for Office 365: DomainKeys Identified Mail (DKIM) support for Advanced Delivery
MS message center post: MC266483, (Updated) Microsoft Defender for Office 365: Secure by Default Delayed for Hoxhunt Phish Simulation Customers
How can we configure Advanced Delivery?
For instructions on how to configure Advanced Delivery for Hoxhunt, please follow instructions under 1. Configure Advanced Delivery.