Microsoft
      Back to home
      1. Sealknowledge
      2. Whitelisting
      3. Microsoft

      Microsoft Defender for Office 365 - Bypass Rules

      If you are using Advanced Threat Protection (ATP) and have encountered wrong clicks or wrong opening of attachments, it is because the ATP rules for link processing and attachment processing stop them. With additional Mailflow rules, they can bypass ATP processing of links and attachments based on IT-Seal's IP address - 84.16.227.187. 

       

      If you use other mail filters in front of your Microsoft mail server, it is possible that our IP address is not correctly passed on to the ATP system. In this case we recommend whitelisting based on the email header.

      ATP-Link-Bypass-Rule by IP

      1. Create a new mail flow rule in your Exchange/Office Admin Center.
      2. Give the rule a name, e.g. "ATP-SafeLinks-Bypass".
      3. Click on "More options...".
      4. In the drop-down menu "Apply this rule if..." select the option "The senders" and then select "IP address is in one of these ranges or matches exactly".
        1. Insert the IT-Seal IP address here.
      5. Select "Change message properties..." in the drop-down menu under the item "Proceed as follows...". Then click on "Set message header".
        1. Another window appears with additional options. Enter "X-MS-Exchange-Organisation-SkipSafeLinksProcessing" for the first field and "1" for the second field.
      6. Click on "Save"

      ATP-Attachment-Bypass-Rule by IP

      1. Create a new mail flow rule in your Exchange/Office Admin Center.
      2. Give the rule a name, e.g. "ATP-SafeAttachments-Bypass".
      3. Click on "More options...".
      4. In the drop-down menu "Apply this rule if...", select the option "The senders" and then select "IP address is in one of these ranges or matches exactly".
        1. Insert the IT-Seal IP address here. 
      5. Select "Change message properties..." in the drop-down menu under the item "Proceed as follows...". Then click on "Set message header".
        1. Another window appears with additional options. Enter "X-MS-Exchange-Organisation-SkipSafeAttachmentProcessing" for the first field and "1" for the second field. 
      6. Click on "Save". 

       

      ALTERNATIVE

      The following part of the instructions represents an alternative method.

      If it is not possible to implement the above rules based on the sender IP, the same process can be done based on an individual X header value in our mails.

      Please note, however, that for security reasons we do not recommend whitelisting via X-Header exclusively.

      The intended use of this method are cases where mails would be delivered to a second security solution after passing the first security solution, and identifying the original sender IP of our mails in security solution 2 is no longer possible. Thus, security solution 2 whitelisting can be done based on the individual X header value.

       

      ATP-Link-Bypass-Rule by Header

      1. Create a new mail flow rule in your Exchange/Office Admin Center.
      2. Give the rule a name, e.g. "ATP-SafeLinks-Bypass".
      3. Click on "More options...".
      4. In the drop-down menu "Apply this rule if...", select the option "A message header" and then select "Contains one of these words".
        1. On the right-hand side of this rule you will see a box with "Enter text..." and "Enter words...". Click on "Enter text..." to open the Set Header Name window.  
        2. In this window, they insert the appropriate X-header from IT-Seal provided by their awareness contact. 
      5. Click on "Enter words..." and enter "IT-Seal" and click on the "+" symbol. 
      6. In the drop-down menu, under the item "Proceed as follows...", select the item "Change message properties...". Then click on "Set message header".
        1. Another window appears with additional options. Enter "X-MS-Exchange-Organisation-SkipSafeLinksProcessing" for the first field and "1" for the second field. 
      7. Click on "Save".

      ATP-Attachments-Bypass-Regel nach Header

      1. Create a new mail flow rule in your Exchange/Office Admin Center.
      2. Give the rule a name, e.g. "ATP-SafeLinks-Bypass".
      3. Click on "More options...".
      4. In the drop-down menu "Apply this rule if...", select the option "A message header" and then select "Contains one of these words".
        1. On the right-hand side of this rule you will see a box with "Enter text..." and "Enter words...". Click on "Enter text..." to open the Set Header Name window.  
        2. In this window, they insert the appropriate X-header from IT-Seal provided by their awareness contact. 
      5. Click on "Enter words..." and enter "IT-Seal" and click on the "+" symbol. 
      6. In the drop-down menu, under the item "Proceed as follows...", select the item "Change message properties...". Then click on "Set message header".
        1. Another window appears with additional options. Enter "X-MS-Exchange-Organisation-SkipSafeAttachmentProcessing" for the first field and "1" for the second field.
      7. Click on "Save".