Applies to: On-premise Exchange Server (all versions), M365, Hybrid
Overview
The easiest method to allowlist Hoxhunt emails is by Hoxhunt's sender IP addresses. However, in some scenarios you might need to customize your allowlisting criteria.
This article is designed for organizations where incoming emails are not arriving directly to their M365 tenant's MX, or there's a third-party security filter in front of their Exchange service (on-premise Exchange Server or Exchange Online) that changes the originating IP address of Hoxhunt emails.
(If your MX record points directly to your M365 tenant, please refer to this implementation article: Ensuring mail delivery when your MX record points to M365)
This article consists of the following steps:
- Define custom header Name and Value for Hoxhunt emails
- Skip Spam filtering and Clutter
- Skip Focused Inbox
- Skip Junk Filtering (M365 only)
- Skip link scanning (M365+Defender only)
- Skip attachment scanning (M365+Defender only)
-
Optional: Prevent Hoxhunt training emails from being forwarded
- Optional: Configure Advanced Delivery
IMPORTANT: You must complete the above steps for successful allowlisting. If you encounter issues in Hoxhunt email deliverability, carefully double-check you have completed each step in this article.
NOTE: If you have a Hybrid (On-premise Exchange Server + M365), complete the steps on both on-premise Exchange Server and M365.
1. Define custom header Name and Value for Hoxhunt emails
Step 1 - Define your custom header name and value
For the name, please use a unique name such as x-hoxhunt-token.
For the value, make sure to use only numbers and letters (no hyphens), and that you use length of at least 30 characters.
Step 2 - Add the custom header name and value to your Hoxhunt settings
1. Navigate to Admin Portal > Settings > Email delivery.
2. Scroll down to Custom email headers and click Add+.
3. Define your Name and Value and click Save.
2. Skip Spam filtering and Clutter
If you are configuring M365, log in to M365 and navigate to Admin > Admin Centers > Exchange.
If you are configuring on-premise Exchange, log in to Exchange Admin Center and navigate to Dashboard.
Step 2 - Create new rule to bypass spam filtering
1. At the top-level view, select Mail flow > rules.
2. Click “+” icon and select Create a new rule....
Step 3 - Name the new rule
1. Name your rule as “Bypass filtering for Hoxhunt by header”.
Step 4 - Set the conditions when the rule should be applied
1. Add the following condition:
"Apply this rule if..." > "The message headers..." > "includes any of these words".
2. Click Enter text... and type in the header name you added to your Hoxhunt Organization settings.
3. Click Enter words… and type in the value you added to your Hoxhunt Organization settings.
4. Click the + sign and OK.
NOTE: If Hoxhunt defined the header name and value for you, you can check them from Hoxhunt Admin Portal at https://admin.hoxhunt.com/settings/email-delivery
Step 4 - Set spam confidence level to -1
1. Under "Do the following...", select "Modify the message properties" > "set the spam confidence level (SCL)".
2. Select Bypass spam filtering and click Save.
Step 5 - Set the additional actions the rule should perform
1. Click the + sign to add an additional action.
2. Select "Do the following...", select "Modify the message properties" > "set a message header".
3. Click on Set a message header "Enter text..." and type in X-MS-Exchange-Organization-BypassClutter.
4. Click on ...to the value “Enter text…” and type in true.
This rule is now complete and should look like in the picture above.
IMPORTANT: Make sure you have the Spam Confidence Level set to -1 (bypass)!
4. To finish the first mail flow rule, click Save.
3. Skip Focused Inbox
Next, let's create a new mail flow rule to bypass Focused Inbox evaluation.
Step 1 - Create new rule
1. Under Mail flow > rules, click the (+) and then Create a new rule...
2. Name your rule as "Bypass Focused Inbox for Hoxhunt by header".
Step 2 - Set the conditions when the rule should be applied
1. Click More Options.
2. Add the following condition:
"Apply this rule if..." > "A message header includes..." > "any of these words".
3. Click Enter text... and type in the header name you added to your Hoxhunt Organization settings.
4. Click Enter words… and type in the value you added to your Hoxhunt Organization settings.
5. Click the + sign and OK.
NOTE: If Hoxhunt defined the header name and value for you, you can check them from Hoxhunt Admin Portal at https://admin.hoxhunt.com/settings/email-delivery
Step 3 - Set the actions the rule should perform
1. Under "Do the following", select "Modify the message properties..." > "set a message header".
2. Click on Set a message header "Enter text..." and type in X-MS-Exchange-Organization-BypassFocusedInbox.
3. Click on ...to the value “Enter text…” and type in true.
This rule is now complete.
4. To finish the mail flow rule, click Save.
4. Skip Junk Filtering (M365 only)
The following rule is required by all M365 mail services that have EOP (Exchange Online Protection) or Defender enabled.
Step 1 - Create new rule
1. Click (+) > Create a new rule...
2. Name your rule as "Bypass Junk filtering for Hoxhunt by header".
Step 2 - Set the conditions when the rule should be applied
1. Click More options.
2. Add the following condition:
"Apply this rule if..." > "A message header includes..." > "any of these words".
3. Click Enter text... and type in the header name you added to your Hoxhunt Organization settings.
4. Click Enter words… and type in the value you added to your Hoxhunt Organization settings.
5. Click the + sign and OK.
NOTE: If Hoxhunt defined the header name and value for you, you can check them from Hoxhunt Admin Portal at https://admin.hoxhunt.com/settings/email-delivery
Step 3 - Set the actions the rule should perform
1. Under "Do the following", select "Modify the message properties..." > "set a message header".
2. Add a header X-Forefront-Antispam-Report and set it to value SFV:SKI;
This rule is now complete.
3. To finish the mail flow rule, click Save.
5. Skip link scanning (M365+Defender only)
Step 1 - Create new rule
1. Click (+) > Create a new rule...
2. Name your rule as "Bypass Defender Links for Hoxhunt by header".
Step 2 - Set the conditions when the rule should be applied
1. Click More options.
2. Add the following condition:
"Apply this rule if..." > "A message header includes..." > "any of these words".
3. Click Enter text... and type in the header name you added to your Hoxhunt Organization settings.
4. Click Enter words… and type in the value you added to your Hoxhunt Organization settings.
5. Click the + sign and OK.
NOTE: If Hoxhunt defined the header name and value for you, you can check them from Hoxhunt Admin Portal at https://admin.hoxhunt.com/settings/email-delivery
Step 3 - Set the actions the rule should perform
1. Under "Do the following", select "Modify the message properties..." > "set a message header".
2. Add a header X-MS-Exchange-Organization-SkipSafeLinksProcessing and set it to value 1
This rule is now complete.
3. To finish the mail flow rule, click Save.
6. Skip attachment scanning (M365+Defender only)
Step 1 - Create new rule
1. Click (+) > Create a new rule...
2. Name the rule as "Bypass Defender Attachments for Hoxhunt".
Step 2 - Set the conditions when the rule should be applied
1. Click More options.
2. Add the following condition:
"Apply this rule if..." > "A message header includes..." > "any of these words".
3. Click Enter text... and type in the header name you added to your Hoxhunt Organization settings.
4. Click Enter words… and type in the value you added to your Hoxhunt Organization settings.
5. Click the + sign and OK.
NOTE: If Hoxhunt defined the header name and value for you, you can check them from Hoxhunt Admin Portal at https://admin.hoxhunt.com/settings/email-delivery
Step 3 - Set the actions the rule should perform
1. Under "Do the following", select "Modify the message properties..." > "set a message header".
2. Add a header X-MS-Exchange-Organization-SkipSafeAttachmentProcessing and set it to value 1
This rule is now complete.
3. To finish the mail flow rule, click Save.
Summary of mail flow rules
Summary or mail flow rules you just created.
TIP: If you can detect Hoxhunt emails based on their sender IP address at your Edge transport server, you can create a transport rule that adds your own custom header+value to Hoxhunt emails. You can then use this header to pass the email safely through to your receiving email server. Additionally, you can create a rule that removes the custom header before delivering the email. This offers additional security, as the header will only be used within your internal message path.
7. Optional: Prevent Hoxhunt training emails from being forwarded
Mail flow rules can also be used to let the recipient notice if the forwarded email is a Hoxhunt simulation. Employees might forward simulations to their colleagues asking for help verifying the email - adding a mail flow rule to notify the receiver about the Hoxhunt simulation will save your SOC team time and effort spent on analyzing a Hoxhunt training email.
Read more: Mail flow rule: Detect or block forwarded Hoxhunt simulations
8. Optional: Configure Advanced Delivery
What is Advanced Delivery?
Secure by Default is a new security framework imposed by Microsoft. It will automatically quarantine any email considered as malware or high confidence phish to be delivered to mailboxes, regardless of any ETRs (Exchange Transport Rule a.k.a. mail flow rule). Existing ETRs continue to be honored except for high confidence phish. Malware is always blocked. The steps below will ensure that Hoxhunt emails do not get blocked as high confidence phish.
Advanced Delivery is a policy configurable by tenant Admins. It’s part of Secure by Default. Advanced Delivery allows Exchange Online Protection and Defender for Office 365 to properly detect Hoxhunt training emails and not mark them as threats. This ensures Hoxhunt training emails are safely delivered to user mailboxes and they cannot be reported as threats.
How do I know if I need to configure Advanced Delivery?
Your organization needs to complete this configuration if your default MX is pointing to M365 directly, or if you have agreed that Hoxhunt sends its training emails directly to your M365, bypassing your default, non-M365 MX.
If your domain's default public MX record doesn't point to Microsoft 365 (and/or Hoxhunt training emails are routed somewhere else first), Secure by Default will not apply, and your existing mail flow rules will continue to be honored.
IMPORTANT: Hoxhunt doesn't currently show you which MX it is targeting. Therefore, you might not know if all of this applies to you. However, we highly recommend configuring Advanced Delivery in any case because:
- if Hoxhunt target's your M365 MX, the configuration works.
- if Hoxhunt doesn't target your M365 MX, the configuration does no harm.
Also, you eventually would need to configure Advanced Delivery when your email routing is changed to go through M365’s MX in the future.
Read more here: Introducing Secure by Default and Advanced Delivery for Hoxhunt customers
Before you start
Before you start the configuration, make sure you meet the following requirements:
-
You have Admin access* to Hoxhunt Admin Portal.
-
You have access to Email Delivery settings page in Hoxhunt Admin Portal
-
You have access to Advanced Delivery policy page in M365 Security & Compliance Center, and you see DKIM mentioned in the description (see image below).
-
(To create, modify, or remove configured settings in the advanced delivery policy, you need to be a member of the Security Administrator role group in the Microsoft 365 Defender portal and a member of the Organization Management role group in Exchange Online.)
* If you are a third-party configuring Advanced Delivery for your customer, you might not have access to your customer's Hoxhunt Admin Portal. In that case, reach out to your customer's Hoxhunt contact person or Hoxhunt Support (support@hoxhunt.com) to obtain the required configuration details.
2. Configuring Advanced Delivery
1.1. Log in to the Hoxhunt Admin Portal.
1.2. From left-hand navigation, go to Settings > Email delivery.
Alternatively, use this direct link: https://admin.hoxhunt.com/settings/email-delivery
1.3. Make sure Use DKIM switch is ON. If it’s not, toggle it to ON position.
After the DKIM toggle has been enabled, all training emails will include:
DKIM-Signature: ... d=[YOUR_HOXHUNT_ORG_ID].hoxhuntsigning.com; ... s=key-a;
1.4. Log in to M365 Security & Compliance Center.
1.5. Navigate to Threat Management > Policy > Advanced Delivery.
(Alternatively, use this direct link: https://security.microsoft.com/advanceddelivery)
1.6. Switch to Phishing simulation tab.
1.7. Click Add to create a new policy for Hoxhunt training emails.
1.8. Under Domain, copy and paste the DKIM domain displayed in Hoxhunt Admin Portal. Press Enter.
1.9. Under Sending IP, copy and paste the IP addresses displayed in Hoxhunt Admin Portal. Press Enter.
1.10. Click Save.
Your new Advanced Delivery policy for Hoxhunt is now listed on separate rows: one for IPs and one for DKIM domain.
Frequently Asked Questions
What is Clutter?
Clutter is a feature that moves low-priority emails out of user's inbox to a folder called Clutter. Clutter analyzes user's email habits, and based on past behavior, it determines the messages that the user most likely to ignore. To make sure Hoxhunt's simulation emails are always delivered to the user's inbox, you must bypass the Clutter evaluation for Hoxhunt simulation emails.
What is Focused Inbox?
Focused Inbox is a feature that automatically evaluates incoming emails and direct them to two views: "Focused" and "Others". To make sure Hoxhunt's simulation emails are always delivered to the user's "Focused" inbox, you must bypass the evaluation for Hoxhunt simulation emails.
If you have any questions about the configuration needed to ensure mail flow, please reach out to your Onboarding Manager or our support team at support@hoxhunt.com.
<%= heading %>