Issue/Question
How do I configure Defender for Office 365 to ignore simulated phishing messages from KnowBe4?
How do I configure Defender for Office 365 to ignore malicious messages in bucket@usd.edu
Environment
- Defender for Microsoft 365
Cause
When customers report simulated phishing messages using the Microsoft Report Message button, Defender analyzes the links generating a false click and mistakenly enrolling the customer in training.
Resolution
ITS STAFF ONLY
Note: Please refer to Configure the delivery of third-party phishing simulations to users for more details and instructions
Configure Advanced Delivery Policies
Note: These instructions are from How to Use Advanced Delivery Policies in Microsoft 365
- Security Team must approve any changes
- Log into the Defender portal as an administrator
- Click Email & Collaboration
- Click Policies & rules
- Click Threat policies
- Click Advanced delivery in the Rules section
- Click Phishing simulation tab
- Click Edit
Note: Click Add if there are no existing policies
- Add psm.knowbe4.com to Sending Domain
- Add 3 Sending IPs
- 147.160.167.0/26
- 23.21.109.197
- 23.21.109.212
- Add the root domain for up to 10 Simulation URLs to allow
- Click Save
Limit KnowBe4 Simulation URLs
Note: These instructions are from Phishing Domain Management
- Security Team must approve any changes
- Log into the KnowBe4 Dashboard as an administrator
- Click Phishing
- Click Domains
- Hide all but the 10 domains you listed above
Configure Spoof Intelligence Allow/Block List
Note: These instructions are from How to Use Spoof Intelligence Allow/Block List for Microsoft Defender
- Security Team must approve any changes
- Log into the Defender portal as an administrator
- Click Policies & rules
- Click Threat policies
- Click Tenant Allow/Block Lists
- Click Spoofing
- Click Add
- Add new domain pair *, psm.knowbe4.com
- Select Internal for Spoof type
- Select Allow for Action
- Click Add