HowTo: Allow-List by X-Header in Exchange 2013, 2016, or Microsoft 365

Posted on
  • Allow-Listing X-Headers is necessary in order for CyberHoot to send simulated phishing emails to bypass your mail filter. We recommend whitelisting by IP address or hostname but depending on your system setup, allow-listing by headers may be the most fitting way to ensure phishing test emails are delivered to your user’s inboxes. Follow the instructions below to allow-list our headers:

Bypassing Clutter and Spam Filtering by Email Header (Exchange 2013, 2016, and M365) 

  1. Log into your mail server admin portal and select Exchange under Admin center.

  2. Click Mail flow
  3. Click Rules 
  4. Click Add a rule
  5. In the new rule window, click on Create a new rule
  6. Give the rule a name, such as “CyberHoot – Bypass Clutter & Spam Filtering by Email Header”.
  7. From the Apply this rule if… drop-down menu, select The message headers… then includes any of these words.
  8. Under those boxes, you will see *Enter text… and *Enter words
    • Click *Enter text… and type in the header name: Become_More_Aware and click on save.
  9. Click *Enter words … and type in CyberHoot and click the Add button and Save button.
  10. Next, under Do the following… ensure that this field on the left is set to Modify the message properties and set the spam confidence level (SCL) is set on the right side.
  11. Add a second action under the Do the following, by clicking the + sign (add action) button.
  12. From the drop-down menu, select Modify the message properties on the left side and set a message header on the right side
  13. Click the first *Enter text…. and type  X-MS-Exchange-Organization-BypassClutter and hit save, then click the second *Enter text… and type true and hit save.
  14. Review all settings to make sure they are correct. It should look like this:
  15. Click on Next.
  16. As a best practice, we recommend leaving the other options at their default settings.
  17. Click on Finish.

Bypassing the Junk Folder (M365 mail servers ONLY)

This rule will allow only simulated phishing emails from CyberHoot to bypass the Junk folder to ensure that your users are receiving simulated phishing emails in their inboxes.

  1. Under Admin center for M365 Exchange.
  2. Click Mail flow
  3. Click Rules 
  4. Click Add a rule
  5. In the new rule window, click on Create a new rule
  6. Give the rule a name, such as “
    CyberHoot – Skip Junk Filtering”.
  7. From the Apply this rule if… drop-down menu, select The message headers… then includes any of these words.
  8. Under those boxes, you will see *Enter text… and *Enter words
    • Click *Enter text… and type in the header name: Become_More_Aware and click on save.
  9. Click *Enter words … and type in CyberHoot and click the Add button and Save button.
  10. Next, under Do the following… ensure that this field on the left is set to Modify the message properties and set the spam confidence level (SCL) is set on the right side.
  11. Add a second action under the Do the following, by clicking the + sign (add action) button.
  12. From the drop-down menu, select Modify the message properties on the left side and set a message header on the right side
  13. Click the first *Enter text…. and typeX-Forefront-Antispam-Report (this value is case sensitive)  and hit save, then click the second *Enter text… and enter “SFV:SKI;CAT:NONE;(this value is case sensitive) and hit save.
  14. Click Next
  15. On the Set rule settings page, click Next, leaving the other values at their default settings.
  16. Set the priority to directly follow the rule you created in the previous section above.
  17. Review all settings to make sure they are correct. It should look like this:
  18. Make sure all options are filled out correctly.
  19. Click Save

    Once you have completed this setup please allow time for the new rules to generate. Then, set up a test phishing campaign for yourself or a small group to test out your new whitelisting rule.

    Setting Advanced Delivery on Microsoft Defender to Allow Phishing Simulation

    This will configure the IP addresses and sender domains that are used by CyberHoot as part of your phishing simulation email. These email messages are delivered unfiltered..

    1. Log into Microsoft Defender
    2. On the left side, click on Email & Collaboration then click on Policies & Rules
    3. Click on Threat policies.
    4. Click on Advanced delivery.
    5. Under Advanced delivery, click on Phishing Simulations.
    6. Click on Add, (unless you already have configured phishing simulations, otherwise click on Edit.)
    7.  Add the Domains and IP addresses listed in this document
    8. The final screen should look like this.
    10. Click on Save.

      Once you have completed this setup please allow time for the new rules to generate. Then, set up a test phishing campaign for yourself or a small group to test out your new whitelisting rule.

If you are looking for more assistance, head to our HowTo Library, or contact [email protected]

Leave a Reply

Related Posts