Applies to: On-premise Exchange Server (all versions), M365, Hybrid
IMPORTANT: Although it's possible to bypass many filter systems with allowlisting, Hoxhunt strongly recommends to configure a Receive Connector. Some filter vendors won't guarantee 100% deliverability for Hoxhunt training emails due to the filter system's design principles.
Overview
The easiest method to allowlist Hoxhunt emails is by Hoxhunt's sender IP addresses. However, in some scenarios you might need to customize your allowlisting criteria.
This article is designed for organizations where incoming emails are not arriving directly to their M365 tenant's MX, or there's a third-party security filter in front of their Exchange service (on-premise Exchange Server or Exchange Online) that changes the originating IP address of Hoxhunt emails.
(If your MX record points directly to your M365 tenant, please refer to this implementation article: Ensuring mail delivery when your MX record points to M365)
This article consists of the following steps:
- Define custom header Name and Value for Hoxhunt emails
- Skip Spam filtering and Clutter
- Skip Focused Inbox
- Skip Junk Filtering (M365 only)
- Skip link scanning (M365+Defender only)
- Skip attachment scanning (M365+Defender only)
- Configure Advanced Delivery
- Optional: Prevent Hoxhunt training emails from being forwarded
NOTE: If you have a Hybrid (On-premise Exchange Server + M365), complete the steps on both on-premise Exchange Server and M365.
IMPORTANT: You must complete the above steps for successful allowlisting. If you encounter issues in Hoxhunt email deliverability, carefully double-check you have completed each step in this article.
IMPORTANT: Although it's possible to bypass many filter systems with allowlisting, Hoxhunt strongly recommends to configure a Receive Connector. Some filter vendors won't guarantee 100% deliverability for Hoxhunt training emails due to the filter system's design principles.
1. Define custom header Name and Value for Hoxhunt emails
Step 1 - Define your custom header name and value
For the name, please use a unique name such as x-hoxhunt-token.
For the value, make sure to use only numbers and letters (no hyphens), and that you use length of at least 30 characters.
Step 2 - Add the custom header name and value to your Hoxhunt settings
1. Navigate to Admin Portal > Settings > Email delivery.
2. Scroll down to Custom email headers and click Add+.
3. Define your Name and Value and click Save.
2. Skip Spam filtering and Clutter
If you are configuring M365, log in to M365 and navigate to Admin > Admin Centers > Exchange.
If you are configuring on-premise Exchange, log in to Exchange Admin Center and navigate to Dashboard.
Step 2 - Create new rule to bypass spam filtering
1. At the top-level view, select Mail flow > rules.
2. Click “+” icon and select Create a new rule....
Step 3 - Name the new rule
1. Name your rule as “Bypass filtering for Hoxhunt by header”.
Step 4 - Set the conditions when the rule should be applied
1. Click More Options. This will reveal more conditions and actions for you to choose from.
2. Add the following condition:
"Apply this rule if..." > "The message headers..." > "includes any of these words".
3. Click Enter text... and type in the header name you added to your Hoxhunt Organization settings.
4. Click Enter words… and type in the value you added to your Hoxhunt Organization settings.
5. Click the + sign and OK.
NOTE: If Hoxhunt defined the header name and value for you, you can check them from Hoxhunt Admin Portal at https://admin.hoxhunt.com/settings/email-delivery
Step 4 - Set spam confidence level to -1
1. Under "Do the following...", select "Modify the message properties" > "set the spam confidence level (SCL)".
2. Select Bypass spam filtering and click Save.
Step 5 - Set the additional actions the rule should perform
1. Click the + sign to add an additional action.
2. Select "Do the following...", select "Modify the message properties" > "set a message header".
3. Click on Set a message header "Enter text..." and type in X-MS-Exchange-Organization-BypassClutter.
4. Click on ...to the value “Enter text…” and type in true.
This rule is now complete and should look like in the picture above.
IMPORTANT: Make sure you have the Spam Confidence Level set to -1 (bypass)!
4. To finish the first mail flow rule, click Save.
3. Skip Focused Inbox
Next, let's create a new mail flow rule to bypass Focused Inbox evaluation.
Step 1 - Create new rule
1. Under Mail flow > rules, click the (+) and then Create a new rule...
2. Name your rule as "Bypass Focused Inbox for Hoxhunt by header".
Step 2 - Set the conditions when the rule should be applied
1. Click More Options. This will reveal more conditions and actions for you to choose from.
2. Add the following condition:
"Apply this rule if..." > "A message header includes..." > "any of these words".
3. Click Enter text... and type in the header name you added to your Hoxhunt Organization settings.
4. Click Enter words… and type in the value you added to your Hoxhunt Organization settings.
5. Click the + sign and OK.
NOTE: If Hoxhunt defined the header name and value for you, you can check them from Hoxhunt Admin Portal at https://admin.hoxhunt.com/settings/email-delivery
Step 3 - Set the actions the rule should perform
1. Under "Do the following", select "Modify the message properties..." > "set a message header".
2. Click on Set a message header "Enter text..." and type in X-MS-Exchange-Organization-BypassFocusedInbox.
3. Click on ...to the value “Enter text…” and type in true.
This rule is now complete.
4. To finish the mail flow rule, click Save.
4. Skip Junk Filtering (M365 only)
The following rule is required by all M365 mail services that have EOP (Exchange Online Protection) or Defender enabled.
Step 1 - Create new rule
1. Click (+) > Create a new rule...
2. Name your rule as "Bypass Junk filtering for Hoxhunt by header".
Step 2 - Set the conditions when the rule should be applied
1. Click More options. This will reveal more conditions and actions for you to choose from.
2. Add the following condition:
"Apply this rule if..." > "A message header includes..." > "any of these words".
3. Click Enter text... and type in the header name you added to your Hoxhunt Organization settings.
4. Click Enter words… and type in the value you added to your Hoxhunt Organization settings.
5. Click the + sign and OK.
NOTE: If Hoxhunt defined the header name and value for you, you can check them from Hoxhunt Admin Portal at https://admin.hoxhunt.com/settings/email-delivery
Step 3 - Set the actions the rule should perform
1. Under "Do the following", select "Modify the message properties..." > "set a message header".
2. Add a header X-Forefront-Antispam-Report and set it to value SFV:SKI;
This rule is now complete.
3. To finish the mail flow rule, click Save.
5. Skip link scanning (M365+Defender only)
Step 1 - Create new rule
1. Click (+) > Create a new rule...
2. Name your rule as "Bypass Defender Links for Hoxhunt by header".
Step 2 - Set the conditions when the rule should be applied
1. Click More options. This will reveal more conditions and actions for you to choose from.
2. Add the following condition:
"Apply this rule if..." > "A message header includes..." > "any of these words".
3. Click Enter text... and type in the header name you added to your Hoxhunt Organization settings.
4. Click Enter words… and type in the value you added to your Hoxhunt Organization settings.
5. Click the + sign and OK.
NOTE: If Hoxhunt defined the header name and value for you, you can check them from Hoxhunt Admin Portal at https://admin.hoxhunt.com/settings/email-delivery
Step 3 - Set the actions the rule should perform
1. Under "Do the following", select "Modify the message properties..." > "set a message header".
2. Add a header X-MS-Exchange-Organization-SkipSafeLinksProcessing and set it to value 1
This rule is now complete.
3. To finish the mail flow rule, click Save.
6. Skip attachment scanning (M365+Defender only)
Step 1 - Create new rule
1. Click (+) > Create a new rule...
2. Name the rule as "Bypass Defender Attachments for Hoxhunt".
Step 2 - Set the conditions when the rule should be applied
1. Click More options. This will reveal more conditions and actions for you to choose from.
2. Add the following condition:
"Apply this rule if..." > "A message header includes..." > "any of these words".
3. Click Enter text... and type in the header name you added to your Hoxhunt Organization settings.
4. Click Enter words… and type in the value you added to your Hoxhunt Organization settings.
5. Click the + sign and OK.
NOTE: If Hoxhunt defined the header name and value for you, you can check them from Hoxhunt Admin Portal at https://admin.hoxhunt.com/settings/email-delivery
Step 3 - Set the actions the rule should perform
1. Under "Do the following", select "Modify the message properties..." > "set a message header".
2. Add a header X-MS-Exchange-Organization-SkipSafeAttachmentProcessing and set it to value 1
This rule is now complete.
3. To finish the mail flow rule, click Save.
Summary of mail flow rules
Summary or mail flow rules you just created.
TIP: If you can detect Hoxhunt emails based on their sender IP address at your Edge transport server, you can create a transport rule that adds your own custom header+value to Hoxhunt emails. You can then use this header to pass the email safely through to your receiving email server. Additionally, you can create a rule that removes the custom header before delivering the email. This offers additional security, as the header will only be used within your internal message path.
7. Configure Advanced Delivery
What is Advanced Delivery?
Secure by Default is a new security framework imposed by Microsoft. It will automatically quarantine any email considered as malware or high confidence phish to be delivered to mailboxes, regardless of any ETRs (Exchange Transport Rule a.k.a. mail flow rule). Existing ETRs continue to be honored except for high confidence phish. Malware is always blocked. The steps below will ensure that Hoxhunt emails do not get blocked as high confidence phish.
Advanced Delivery is a policy configurable by tenant Admins. It’s part of Secure by Default. Advanced Delivery allows Exchange Online Protection and Defender for Office 365 to properly detect Hoxhunt training emails and not mark them as threats. This ensures Hoxhunt training emails are safely delivered to user mailboxes and they cannot be reported as threats.
How do I know if I need to configure Advanced Delivery?
Your organization must complete this configuration if you have mailboxes in M365.
Read more here: Introducing Secure by Default and Advanced Delivery for Hoxhunt customers
Before you start
Before you start the configuration, make sure you meet the following requirements:
-
You have Admin access* to Hoxhunt Admin Portal.
-
You have access to Email Delivery settings page in Hoxhunt Admin Portal
-
You have access to Advanced Delivery policy page in M365 Security & Compliance Center, and you see DKIM mentioned in the description (see image below).
-
(To create, modify, or remove configured settings in the advanced delivery policy, you need to be a member of the Security Administrator role group in the Microsoft 365 Defender portal and a member of the Organization Management role group in Exchange Online.)
* If you are a third-party configuring Advanced Delivery for your customer, you might not have access to your customer's Hoxhunt Admin Portal. In that case, reach out to your customer's Hoxhunt contact person or Hoxhunt Support (support@hoxhunt.com) to obtain the required configuration details.
2. Configuring Advanced Delivery
1.1. Log in to the Hoxhunt Admin Portal.
1.2. From left-hand navigation, go to Settings > Email delivery.
Alternatively, use this direct link: https://admin.hoxhunt.com/settings/email-delivery
1.3. Make sure Use DKIM switch is ON. If it’s not, toggle it to ON position.
After the DKIM toggle has been enabled, all training emails will include:
DKIM-Signature:
... d=[YOUR_HOXHUNT_ORG_ID].hoxhuntsigning.com;
... s=key-a;
1.4. Log in to M365 Security & Compliance Center.
1.5. Navigate to Threat Management > Policy > Advanced Delivery.
(Alternatively, use this direct link: https://security.microsoft.com/advanceddelivery)
1.6. Switch to Phishing simulation tab.
1.7. Click Add to create a new policy for Hoxhunt training emails.
1.8. Under Domain, copy and paste the DKIM domain displayed in Hoxhunt Admin Portal. Press Enter.
1.9. Under Sending IP, copy and paste the IP addresses displayed in Hoxhunt Admin Portal. Press Enter.
1.10. Click Save.
Your new Advanced Delivery policy for Hoxhunt is now listed on separate rows: one for IPs and one for DKIM domain.
8. Optional: Prevent Hoxhunt training emails from being forwarded
Mail flow rules can also be used to let the recipient notice if the forwarded email is a Hoxhunt simulation. Employees might forward simulations to their colleagues asking for help verifying the email - adding a mail flow rule to notify the receiver about the Hoxhunt simulation will save your SOC team time and effort spent on analyzing a Hoxhunt training email.
Read more: Mail flow rule: Detect or block forwarded Hoxhunt simulations
Frequently Asked Questions
What is Clutter?
Clutter is a feature that moves low-priority emails out of user's inbox to a folder called Clutter. Clutter analyzes user's email habits, and based on past behavior, it determines the messages that the user most likely to ignore. To make sure Hoxhunt's simulation emails are always delivered to the user's inbox, you must bypass the Clutter evaluation for Hoxhunt simulation emails.
What is Focused Inbox?
Focused Inbox is a feature that automatically evaluates incoming emails and direct them to two views: "Focused" and "Others". To make sure Hoxhunt's simulation emails are always delivered to the user's "Focused" inbox, you must bypass the evaluation for Hoxhunt simulation emails.
If you have any questions about the configuration needed to ensure mail flow, please reach out to your Onboarding Manager or our support team at support@hoxhunt.com.