Overview
Applies to: On-premise Exchange Server (all versions), M365, Hybrid
NOTE: If your MX record points to M365, please refer to this article for your implementation guide:
Ensuring mail delivery when your MX record points to M365
Sometimes you may need to alter the standard mail flow rules. This applies especially to cases where the sender IP address can't be detected from the headers correctly because all incoming emails flow through a third-party security filter that alters the originating IP address in the email headers.
This consists of five rules and one additional step:
- Define custom header Name and Value
- Skip Spam filtering and Clutter
- Skip Focused Inbox
- Skip Junk Filtering (M365 only)
- Skip link scanning (M365+Defender only)
- Skip attachment scanning (M365+Defender only)
-
Optional: Add mail flow rules to prevent Hoxhunt training emails from being forwarded
- Optional: Configure Advanced Delivery
TIP: You can download screenshots of every rule at the end of this article.
IMPORTANT: You must complete the above steps for successful whitelisting!
IMPORTANT: If you have a Hybrid (On-premise Exchange + M365), complete the steps on both on-premise Exchange Server and M365.
1. Define custom header Name and Value
Step 1:
Define your custom header Name and Value.
For the name, please use a unique name such as xhoxhunttoken.
For the Value, please ensure that the custom header uses only numbers and letters, no hyphens, and you use at least 30 characters.
Step 2:
Add your custom header Name and Value to your Hoxhunt organization settings.
Navigate to https://admin.hoxhunt.com/settings/email-delivery
Scroll down to Custom email headers and choose Add+
Define your Name and Value and choose Save
2. Skip Spam filtering and Clutter
If you are configuring M365, log in to M365 and navigate to Admin > Admin Centers > Exchange.
If you are configuring on-premise Exchange, log in to Exchange Admin Center and navigate to Dashboard.
Step 2:
At the top-level of your Admin center, select Mail flow ( and "Rules" in New Exchange Admin Center).
Click the “+” icon and select “Bypass spam filtering...”
Name your rule as “Bypass filtering for Hoxhunt by header”.
Step 3:
Add the following condition:
"Apply this rule if..." > "A message header includes..." > "any of these words".
On the right side, click *Enter text... and type in the header name you added to your Hoxhunt Organization settings in step 2 above.
Then, click *Enter words… and type in the value you added to your Hoxhunt Organization settings in step 2 above.
NOTE: If Hoxhunt defined the header name and value for you and shared them with you, you can also use those values. Please make sure the values you use match the ones you can see in the Hoxhunt Admin Portal at https://admin.hoxhunt.com/settings/email-delivery
Click the + sign and OK.
Step 4:
Under "Do the following...", select "Modify the message properties..." > "set a message header".
Click on Set a message header "Enter text..." add type in X-MS-Exchange-Organization-BypassClutter
Click on ...to the value “Enter text…” and type in true
This rule is now complete and should like in the below picture.
Click Save.
3. Skip Focused Inbox
As it's only possible to set only one header per rule, let's create a new mail flow rule to bypass Focused Inbox evaluation.
Step 1:
Under Mail Flow > Rules, click the (+) and then Create a new Rule...
Name your rule as "Bypass Focused Inbox for Hoxhunt by header".
Step 2:
Click More Options.
Add the following condition:
"Apply this rule if..." > "A message header includes..." > "any of these words".
On the right side, click *Enter text... and type in the header name you added to your Hoxhunt Organization settings in step 2 above.
Then, click *Enter words… and type in the value you added to your Hoxhunt Organization settings in step 2 above.
NOTE: If Hoxhunt defined the header name and value for you and shared them with you, you can also use those values. Please make sure the values you use match the ones you can see in the Hoxhunt Admin Portal at https://admin.hoxhunt.com/settings/email-delivery
Click the + sign and OK.
Step 3:
Under "Do the following", select "Modify the message properties..." > "set a message header".
Click on Set a message header "Enter text..." add type in X-MS-Exchange-Organization-BypassFocusedInbox
Click on ...to the value “Enter text…” and type in true
This rule is now complete. Click Save.
4. Skip Junk Filtering (M365 only)
The following rule is required by all M365 mail services that have EOP (Exchange Online Protection) or Defender enabled.
Step 1:
Click (+) > Create a new rule...
Name your rule as "Bypass Junk filtering for Hoxhunt by header".
Step 2:
Click More options.
Add the following condition:
"Apply this rule if..." > "A message header includes..." > "any of these words".
On the right side, click *Enter text... and type in the header name you added to your Hoxhunt Organization settings in step 2 above.
Then, click *Enter words… and type in the value you added to your Hoxhunt Organization settings in step 2 above.
NOTE: If Hoxhunt defined the header name and value for you and shared them with you, you can also use those values. Please make sure the values you use match the ones you can see in the Hoxhunt Admin Portal at https://admin.hoxhunt.com/settings/email-delivery
Click the + sign and OK.
Step 3:
Under "Do the following", select "Modify the message properties..." > "set a message header".
Add a header X-Forefront-Antispam-Report and set it to value SFV:SKI;
This rule is now complete. Click Save.
5. Skip link scanning (M365+Defender only)
Step 1:
Click (+) > Create a new rule...
Name your rule as "Bypass Defender Links for Hoxhunt by header".
Step 2:
Click More options.
Add the following condition:
"Apply this rule if..." > "A message header includes..." > "any of these words".
On the right side, click *Enter text... and type in the header name you added to your Hoxhunt Organization settings in step 2 above.
Then, click *Enter words… and type in the value you added to your Hoxhunt Organization settings in step 2 above.
NOTE: If Hoxhunt defined the header name and value for you and shared them with you, you can also use those values. Please make sure the values you use match the ones you can see in the Hoxhunt Admin Portal at https://admin.hoxhunt.com/settings/email-delivery
Click the + sign and OK.
Step 3:
Under "Do the following", select "Modify the message properties..." > "set a message header".
Add a header X-MS-Exchange-Organization-SkipSafeLinksProcessing and set it to value 1
This rule is now complete. Click Save.
6. Skip attachment scanning (M365+Defender only)
Step 1:
Click (+) > Create a new rule...
Name the rule, for example "Bypass Defender Attachments for Hoxhunt"
Step 2:
Click More options.
Add the following condition:
"Apply this rule if..." > "A message header includes..." > "any of these words".
On the right side, click *Enter text... and type in the header name you added to your Hoxhunt Organization settings in step 2 above.
Then, click *Enter words… and type in the value you added to your Hoxhunt Organization settings in step 2 above.
NOTE: If Hoxhunt defined the header name and value for you and shared them with you, you can also use those values. Please make sure the values you use match the ones you can see in the Hoxhunt Admin Portal at https://admin.hoxhunt.com/settings/email-delivery
Click the + sign and OK.
Step 3:
Under "Do the following", select "Modify the message properties..." > "set a message header".
Add a header X-MS-Exchange-Organization-SkipSafeAttachmentProcessing and set it to value 1
This rule is now complete. Click Save.
Summary or mail flow rules you just created.
TIP
If you are able to detect Hoxhunt emails based on the sender IP address at your Edge transport server, you can create a transport rule that adds your own custom header+value to Hoxhunt emails. You can use this header to pass the email safely through to receiving email server. Additionally, you can create a rule that removes the custom header before delivering the email. This offers added security, as the header will only be used within your internal message path.
7. Optional: Add mail flow rules to prevent Hoxhunt training emails from being forwarded
Mail flow rules can also be implemented to help the receiver notice if the forwarded email contains a Hoxhunt simulation. People might forward simulations to colleagues asking for help identifying the email - adding a mail flow rule to notify the receiver about the Hoxhunt simulation will save time and effort spent on analyzing the email.
Read more: Mail flow rule: Detect or block forwarded Hoxhunt simulations
8. Optional: Configure Advanced Delivery
What is Advanced Delivery?
Secure by Default is a new security philosophy mandated by Microsoft. It will automatically quarantine any email considered as malware or high confidence phish to be delivered to mailboxes, regardless of any ETRs. Existing ETRs continue to be honored except for high confidence phish. Malware is always blocked. The steps below will ensure that Hoxhunt emails do not get blocked as high confidence phish.
Advanced Delivery is a policy configurable by tenant Admins. It’s part of Secure by Default. Advanced Delivery allows Exchange Online Protection and Defender for Office 365 to properly detect Hoxhunt training emails and not mark them as threats. This ensures Hoxhunt training emails are safely delivered to user mailboxes and they cannot be reported as threats.
How do I know if I need to configure Advanced Delivery?
Your organization needs to complete this configuration if your default MX is pointing to M365 directly, or if you have agreed that Hoxhunt sends its training emails directly to your M365, bypassing your default, non-M365 MX.
If your domain's default public MX record doesn't point to Microsoft 365 (and/or Hoxhunt training emails are routed somewhere else first), Secure by Default will not apply, and your existing mail flow rules will continue to be honored.
IMPORTANT: Hoxhunt doesn't currently show you which MX it is targeting. Therefore you might not know if all of this applies to you. However, we highly recommend to configure Advanced Delivery in any case because:
- if Hoxhunt target's your M365 MX, the configuration works.
- if Hoxhunt doesn't target your M365 MX, the configuration does no harm.
Also, you eventually would need to configure Advanced Delivery when your email routing is changed to go through M365’s MX in the future.
Read more here: Introducing Secure by Default and Advanced Delivery for Hoxhunt customers
Before you start
Before you start the configuration, make sure you meet the following requirements:
-
You have Admin access* to Hoxhunt Admin Portal.
-
You have access to Email Delivery settings page in Hoxhunt Admin Portal
-
You have access to Advanced Delivery policy page in M365 Security & Compliance Center, and you see DKIM mentioned in the description (see image below).
-
(To create, modify, or remove configured settings in the advanced delivery policy, you need to be a member of the Security Administrator role group in the Microsoft 365 Defender portal and a member of the Organization Management role group in Exchange Online.)
* If you are a third-party configuring Advanced Delivery for your customer, you might not have access to your customer's Hoxhunt Admin Portal. In that case, reach out to your customer's Hoxhunt contact person or Hoxhunt Support (support@hoxhunt.com) to obtain the required configuration details.
2. Configuring Advanced Delivery
1.1. Log in to the Hoxhunt Admin Portal.
1.2. From left-hand navigation, go to Settings > Email delivery.
Alternatively, use this direct link: https://admin.hoxhunt.com/settings/email-delivery
1.3. Make sure Use DKIM switch is ON. If it’s not, toggle it to ON position.
After the DKIM toggle has been enabled, all training emails will include:
DKIM-Signature:
... d=[YOUR_HOXHUNT_ORG_ID].hoxhuntsigning.com;
... s=key-a;
1.4. Log in to M365 Security & Compliance Center.
1.5. Navigate to Threat Management > Policy > Advanced Delivery.
(Alternatively, use this direct link: https://security.microsoft.com/advanceddelivery)
1.6. Switch to Phishing simulation tab.
1.7. Click Add to create a new policy for Hoxhunt training emails.
1.8. Under Domain, copy and paste the DKIM domain displayed in Hoxhunt Admin Portal. Press Enter.
1.9. Under Sending IP, copy and paste the IP addresses displayed in Hoxhunt Admin Portal. Press Enter.
1.10. Click Save.
Your new Advanced Delivery policy for Hoxhunt is now listed on separate rows: one for IPs and one for DKIM domain.
Frequently Asked Questions
What is Clutter?
Clutter is a feature that moves low-priority emails out of user's inbox to a folder called Clutter. Clutter analyzes user's email habits, and based on past behavior, it determines the messages that the user most likely to ignore. To make sure Hoxhunt's simulation emails are always delivered to the user's inbox, you must bypass the Clutter evaluation for Hoxhunt simulation emails.
What is Focused Inbox?
Focused Inbox is a feature that automatically evaluates incoming emails and direct them to two views: "Focused" and "Others". To make sure Hoxhunt's simulation emails are always delivered to the user's "Focused" inbox, you must bypass the evaluation for Hoxhunt simulation emails.
If you have any questions about the configuration needed to ensure mail flow, please reach out to your Onboarding Manager or our support team at support@hoxhunt.com.