Configuring Advanced Delivery Policy for KnowBe4

Issue/Question

How do I configure Defender for Office 365 to ignore simulated phishing messages from KnowBe4?

How do I configure Defender for Office 365 to ignore malicious messages in bucket@usd.edu

Environment

  • Defender for Microsoft 365

Cause

When customers report simulated phishing messages using the Microsoft Report Message button, Defender analyzes the links generating a false click and mistakenly enrolling the customer in training.

Resolution

ITS STAFF ONLY

Note: Please refer to Configure the delivery of third-party phishing simulations to users for more details and instructions

Configure Advanced Delivery Policies

Note: These instructions are from How to Use Advanced Delivery Policies in Microsoft 365

  1. Log into the Defender portal as an administrator
  2. Click Email & Collaboration
  3. Click Policies & rules
  4. Click Threat policies 
  5. Click Advanced delivery in the Rules section
  6. Click Phishing simulation tab
  7. Click Edit
    Note: Click Add if there are no existing policies
  8. Add psm.knowbe4.com to Sending Domain
  9. Add 3 Sending IPs
    • ​​​​​​​147.160.167.0/26
    • 23.21.109.197
    • 23.21.109.212
  10. ​​​Add the root domain for up to 10 Simulation URLs to allow
  11. Click Save

Limit KnowBe4 Simulation URLs

Note: These instructions are from Phishing Domain Management 

  1. Log into the KnowBe4 Dashboard as an administrator
  2. Click Phishing
  3. Click Domains
  4. Hide all but the 10 domains you listed above

Configure Spoof Intelligence Allow/Block List

Note: These instructions are from How to Use Spoof Intelligence Allow/Block List for Microsoft Defender

  1. Log into the Defender portal as an administrator
  2. Click Policies & rules
  3. Click Threat policies
  4. Click Tenant Allow/Block Lists
  5. Click Spoofing 
  6. Click Add
  7. Add new domain pair *, psm.knowbe4.com
  8. Select Internal for Spoof type
  9. Select Allow for Action
  10. Click Add

 

Details

Article ID: 6657
Created
Wed 9/8/21 5:09 PM
Modified
Fri 10/27/23 3:06 PM
KCS Article Status
WIP: Only Problem & some Environment captured
Not Validated: Complete & Resolution captured, confidence lacks in structure, content, no feedback
Validated: Complete & reusable, used by licensed KCS user, confidence in resolution & std. compliance
Validated