Ensuring mail delivery: When your MX record points to M365

Overview

Applies to: M365

When ensuring mail delivery, we want to make sure that Hoxhunt training emails reach your employees' inboxes without getting stuck in security filters or scans along the way. This article explains how to set these rules in place when your MX record points directly to M365.

If your MX record points somewhere else than M365 or you have an Hybrid environment, please follow the steps outlined in this article: Ensuring mail delivery when your MX record doesn't point to M365

Please note that the technical configuration needed is dependent on where your MX record is pointing to, so if you already know that changes will be happening in the future and your MX record will no longer point to M365, please reach out to your Hoxhunt Onboarding Manager or our Support team at support@hoxhunt.com for assistance on how to ensure mail delivery in your situation. 

The steps needed to ensure mail delivery are:

  1. Configure Advanced Delivery
  2. Skip link and attachment scanning for Hoxhunt training emails
  3. Add mail flow rule to force Hoxhunt training emails to land in Focused Inbox
  4. Optional: Add mail flow rules to prevent Hoxhunt training emails from being forwarded

Before you start

Before you start the configuration, make sure you meet the following requirements:

  • You have Admin access* to Hoxhunt Admin Portal

  • You have access to Email Delivery settings page in Hoxhunt Admin Portal

  • You have access to Advanced Delivery policy page in M365 Security & Compliance Center, and you see DKIM mentioned in the description (see image below).

1Advanced_Delivery_DKIM_note.png

  • (To create, modify, or remove configured settings in the advanced delivery policy, you need to be a member of the Security Administrator role group in the Microsoft 365 Defender portal and a member of the Organization Management role group in Exchange Online.)

* If you are a third-party configuring Advanced Delivery for your customer, you might not have access to your customer's Hoxhunt Admin Portal. In that case, reach out to your customer's Hoxhunt contact person or Hoxhunt Support (support@hoxhunt.com) to obtain the required configuration details.

 

1. Configure Advanced Delivery

What is Advanced Delivery?

Secure by Default is a new security philosophy mandated by Microsoft. It will automatically quarantine any email considered as malware or high confidence phish to be delivered to mailboxes, regardless of any email transport rules (ETR). Existing ETRs continue to be honored except for high confidence phish. Malware is always blocked. The steps below will ensure that Hoxhunt emails do not get blocked as high confidence phish.

Advanced Delivery is a policy configurable by tenant Admins. It’s part of Secure by Default. Advanced Delivery allows Exchange Online Protection and Defender for Office 365 to properly detect Hoxhunt training emails and not mark them as threats. This ensures Hoxhunt training emails are safely delivered to user mailboxes and they cannot be reported as threats.

Read more here: Introducing Secure by Default and Advanced Delivery for Hoxhunt customers

 

2. Configuring Advanced Delivery

1.1. Log in to Hoxhunt Admin Portal.

1.2. From left-hand navigation, go to Settings > Email delivery.

(Alternatively, use this direct link: https://admin.hoxhunt.com/settings/email-delivery)

1.3. Make sure Use DKIM switch is ON. If it’s not, toggle it to ON position.
After the DKIM toggle has been enabled, all training emails will include:

 

DKIM-Signature: ... d=[YOUR_HOXHUNT_ORG_ID].hoxhuntsigning.com; ... s=key-a;

Admin_Portal_Email_Delivery_settings.png

1.4. Log in to M365 Security & Compliance Center.

1.5. Navigate to Threat Management > Policy > Advanced Delivery.
(Alternatively, use this direct link: https://security.microsoft.com/advanceddelivery)

1.6. Switch to Phishing simulation tab.

1.7. Click Add to create a new policy for Hoxhunt training emails.

1.8. Under Domain, copy and paste the DKIM domain displayed in Hoxhunt Admin Portal. Press Enter.

1.9. Under Sending IP, copy and paste the IP addresses displayed in Hoxhunt Admin Portal. Press Enter.

1.10. Click Save.

Your new Advanced Delivery policy for Hoxhunt is now listed on separate rows: one for IPs and one for DKIM domain.

From now on, Hoxhunt training emails are automatically detected as phishing simulations by Defender.

Hoxhunt training emails are visible in Threat Explorer and Threat Protection Status (TPS) report.  In Threat Explorer, you can filter by System override source > Phishing simulation. This will show you all of the messages allowed by Advanced Delivery as phishing simulations.

 

2. Skip link and attachment scanning for Hoxhunt training emails

Microsoft Defender (previously known as Advanced Threat Protection or ATP) is a security feature for Microsoft 365. It's automatically available to E5 subscriptions. The steps below sets up a mail flow rule to bypass Defender link processing.

 

A. Defender Link Bypass Rule

Below are the steps to set up a mail flow rule to bypass Defender link processing:

2.1. Log in to Exchange/M365 Admin Center.

2.2. In the left hand side navigation bar go to mail flow.

2.3. Choose + and Create a new rule.

2.4. Name the rule, for example "Bypass Defender Links for Hoxhunt".

2.3. Click More options.

2.4. Apply this rule if senders IP address is in the range of or exactly matches…

37.139.12.94

35.156.0.138

2.5. Do the following…

  • Set the message header…
    • X-MS-Exchange-Organization-SkipSafeLinksProcessing
  • To this value…
    • 1

Link_rule.png

2.6. Save your new rule.

 

B. Defender Attachment Bypass Rule

Below are the steps to set up a mail flow rule to bypass Defender Attachment Processing:

2.7. Log in to Exchange/M365 Admin Center.

2.8. In the left hand side navigation bar go to mail flow.

2.9. Choose + and Create a new rule.

2.10. Name the rule, for example "Bypass Defender Attachments for Hoxhunt".

2.11. Click More options.

2.12. Apply this rule if….

Senders IP address is in the range or exactly matches…

37.139.12.94

35.156.0.138 

2.13. Do the following…

Set the message header.....
      ▪    X-MS-Exchange-Organization-SkipSafeAttachmentProcessing

To this value…
               ▪    1

Bypass_Defender_Attachments_1.png

2.14. Save your new rule.

 

3. Add mail flow rule to force Hoxhunt training emails to land in Focused Inbox

Focused Inbox is a feature that automatically evaluates incoming emails and direct them to two views: "Focused" and "Other". To make sure Hoxhunt's training emails are always delivered to the user's "Focused" inbox, you must bypass the evaluation for Hoxhunt training emails.

3.1. Log in to Exchange/M365 Admin Center.

3.2. In the left hand side navigation bar go to mail flow.

3.3. Choose + and Create a new rule.

3.4. Give the rule a name, such as "Focused Inbox whitelisting for Hoxhunt".

3.5. Click on More options.

Focused_Inbox_-_More_options.png

3.6. Add the condition Apply this rule if...

3.7. Select The sender..., and select IP address is in any of these ranges or exactly matches. Specify the following sender IP addresses, then click OK.

37.139.12.94
35.156.0.138

3.8. Under "Do the following", select "Modify the message properties..." then "Set a Message Header".

3.9. Click on Set a message header "Enter text..."  add the following (case sensitive!):

X-MS-Exchange-Organization-BypassFocusedInbox

3.10. Click on ...to the value “Enter text…and add (case sensitive!):

true

3.11. This rule is now complete. ClickSave.

3.12.  In the rule list, we recommend having Hoxhunt rules as the top of the list (with the highest priority). You can adjust the order of the items on the list by using the arrows. 

Arrows.png

 

4. (Optional) Add mail flow rules to prevent Hoxhunt training emails from being forwarded

Mail flow rules can also be implemented to help the receiver notice if the forwarded email contains a Hoxhunt simulation. People might forward simulations to colleagues asking for help identifying the email - adding a mail flow rule to notify the receiver about the Hoxhunt simulation will save time and effort spent on analyzing the email.

Read more: Mail flow rule: Detect or block forwarded Hoxhunt simulations

 

Frequently Asked Questions

After allowing Hoxhunt training emails, we are receiving ETR Override alert notification emails from Microsoft.

Please see: Suppress ETR override notifications from Microsoft

I'm not receiving Hoxhunt emails after completing all the steps above

Check these articles for further guidance:

Questions?

If you have any questions about the configuration needed to ensure mail flow, please reach out to your Onboarding Manager or our support team at support@hoxhunt.com.

Was this article helpful?

3 out of 3 found this helpful

Have more questions? Submit a request