Configuring Advanced Delivery Policy for KnowBe4

Summary

How to guide for configuring Microsoft 365 and KnowBe4 such that phishing simulations do not trigger false positives.

Body

Issue/Question

How do I configure Defender for Office 365 to ignore simulated phishing messages from KnowBe4?

How do I configure Defender for Office 365 to ignore malicious messages in bucket@usd.edu

Environment

  • Defender for Microsoft 365

Cause

When customers report simulated phishing messages using the Microsoft Report Message button, Defender analyzes the links generating a false click and mistakenly enrolling the customer in training.

Resolution

ITS STAFF ONLY

Note: Please refer to Configure the delivery of third-party phishing simulations to users for more details and instructions

Configure Advanced Delivery Policies

Note: These instructions are from How to Use Advanced Delivery Policies in Microsoft 365

  1. Security Team must approve any changes
  2. Log into the Defender portal as an administrator
  3. Click Email & Collaboration
  4. Click Policies & rules
  5. Click Threat policies 
  6. Click Advanced delivery in the Rules section
  7. Click Phishing simulation tab
  8. Click Edit
    Note: Click Add if there are no existing policies
  9. Add psm.knowbe4.com to Sending Domain
  10. Add 3 Sending IPs
    • 147.160.167.0/26
    • 23.21.109.197
    • 23.21.109.212
  11. ​​​Add the root domain for up to 10 Simulation URLs to allow
  12. Click Save

Limit KnowBe4 Simulation URLs

Note: These instructions are from Phishing Domain Management 

  1. Security Team must approve any changes
  2. Log into the KnowBe4 Dashboard as an administrator
  3. Click Phishing
  4. Click Domains
  5. Hide all but the 10 domains you listed above

Configure Spoof Intelligence Allow/Block List

Note: These instructions are from How to Use Spoof Intelligence Allow/Block List for Microsoft Defender

  1. Security Team must approve any changes
  2. Log into the Defender portal as an administrator
  3. Click Policies & rules
  4. Click Threat policies
  5. Click Tenant Allow/Block Lists
  6. Click Spoofing 
  7. Click Add
  8. Add new domain pair *, psm.knowbe4.com
  9. Select Internal for Spoof type
  10. Select Allow for Action
  11. Click Add

 

Details

Details

Article ID: 6657
Created
Wed 9/8/21 6:09 PM
Modified
Fri 3/15/24 6:38 PM
KCS Article Status
WIP: Only Problem & some Environment captured
Not Validated: Complete & Resolution captured, confidence lacks in structure, content, no feedback
Validated: Complete & reusable, used by licensed KCS user, confidence in resolution & std. compliance
Validated