HowTo: Avanan Allow-Listing in Google Workspace

This HowTo article explains how to configure Avanan’s Allow Listing to allow Attack Phishing tests to reach end users.

Warning: CyberHoot supports fake email Attack-Phishing for customers. Please keep in mind that this approach uses negative reinforcement to reduce click rates among employees. To be successful, always pair it with positive-reinforcement, educational, and realistic HootPhish phishing simulations for the best Affect and Effect on end users.

Allow List Cyberhoot.com Domain

In this activity, you will add the domain CyberHoot.com to a newly created or existing Allow-List in GSuite’s Admin Console. Domain Name: cyberhoot.com

  1. Log in to https://admin.google.com and select Apps.
  2. Navigate to Apps -> Gmail -> Spam, Phishing and Malware.
  3. Select Spam.
  4. Edit an existing rule or add a new one.
  5. Add a training rule, or edit the existing training rule, so that it includes cyberhoot.com.
  6. Make sure the rule is selected.

Allowlist CyberHoot by Their IP

1. Log in to https://admin.google.com and select Apps.

2. Select G Suite.

3. Select Gmail.

4. Select Advanced settings.

5. In the Organizations section, highlight your Domain. Do not select an organizational unit (OU).

NOTE: G SUITE DOES NOT PERMIT ALLOW-LISTING BY IP ADDRESS FOR INDIVIDUAL IPS, ONLY THE ENTIRE DOMAIN.

6. In the Email whitelist section, enter our IP addresses:

    • 3.212.253.236/32
    • 34.235.208.123/32
    • 44.209.10.205/32
    • 52.200.160.242/32
    • 54.164.218.52/32
    • 54.240.125.36/32
    • 54.240.125.37/32

7. Click Save.

Add Cyberhoot IP as Inbound Gateway

Please Note: We have found that this process exempts CyberHoot simulated phishing emails from the Gmail banner warnings. However, this is not documented by Google as an allow-list recommendation.

Video here: https://youtu.be/7IhKiz4gTXQ

  1. Log in to your Google Admin Console.
  2. Navigate to Apps > G Suite > Gmail > Advanced settings.
  3. Under General Settings, select your top-level organization (typically your primary domain) on the left.
  4. Scroll down to the Inbound Gateway setting located under the Spam section. Hover over the setting and click the Edit button. This will open the Inbound gateway screen.
  5. Configure the Inbound gateway using the settings below:
    1. Gateway IPs
      • 3.212.253.236/32
      • 34.235.208.123/32
      • 44.209.10.205/32
      • 52.200.160.242/32
      • 54.164.218.52/32
      • 54.240.125.36/32
      • 54.240.125.37/32
    2. IMPORTANT: Leave the Reject all mail not from gateway IPs option unchecked. If this is checked, all email will stop flowing to your client.
    3. Check Require TLS for connections from the email gateways listed above.
    4. Message Tagging
      You should already see “X-CLOUD-SEC-AV-SCL: true”; leave this as is. If there is nothing there, you can enter something random instead, e.g. jlakdfuadoflualdsfj
    5. Select the Disable Gmail spam evaluation on mail from this gateway; only use header value option.
    6. Click the SAVE button.

If Using Avanan, Create or Modify the Avanan Rule

  1. Gmail -> Settings -> Compliance 
  2. Scroll Down to Content Compliance
  3. Rules
    1. If Avanan is in place, you will see the 4 Avanan rules. The one you need to edit is the last one, ending in “_inline_ei”.

4. REMEMBER THAT THE BYPASS RULE IS “IS WITHIN THE RANGE” and the INLINE RULE IS “IS NOT WITHIN THE RANGE”

5. Rule Name: Security Awareness Bypass 

  1. Inbound
  2. If ANY of the following match the message
    • Metadata match: source IP is within the range
      • Leave 149 if it’s there
      • Add
        • 54.240.125.36/32
        • 54.240.125.37/32
        • 3.212.253.236/32
        • 34.235.208.123/32
        • 44.209.10.205/32
        • 52.200.160.242/32
        • 54.164.218.52/32
  3. if match
    1. modify message
    2. add custom headers
      • Set message header ‘X-CLOUD-SEC-AV-INFO’ with the value ‘tenantname,google_mail,inline’
        • YOU HAVE TO CHANGE THE VALUE TO MATCH THE AVANAN PORTAL IP, e.g. tenantname becomes <shortname> for <Tenant Full Name> (don’t forget to change the tenant name)
        • ONLY PASTE IN CLOUD-SEC-AV-INFO as the header name, or you’ll get the two X’s

6. Edit the existing Avanan Compliance Rule “xyz_inline_el”

MAKE SURE THIS IS SET TO ALL, NOT ANY, OR ALL EMAIL WILL BREAK

ONLY change the metadata match on source IP so that it includes the CyberHoot IPs under “not within range”:

  • 54.240.125.36/32
  • 54.240.125.37/32
  • 3.212.253.236/32
  • 34.235.208.123/32
  • 44.209.10.205/32
  • 52.200.160.242/32
  • 54.164.218.52/32
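
To check the result, send a test simulation and paste the delivered message's full headers (Gmail's Show original view) into a script like the one below. This is an added example, not CyberHoot, Avanan or Google code. It assumes the hop into Google shows up as a Received header naming mx.google.com with the sender's IP in brackets and that the bypass header is still present on the delivered copy; the tenant name "acme" and both sample messages are constructed.

```python
import email
import ipaddress
import re

# CyberHoot sending IPs, copied from the lists in this article.
CYBERHOOT_NETS = [ipaddress.ip_network(c) for c in (
    "3.212.253.236/32", "34.235.208.123/32", "44.209.10.205/32",
    "52.200.160.242/32", "54.164.218.52/32", "54.240.125.36/32",
    "54.240.125.37/32")]

def audit_message(raw, tenant):
    """Return a list of problems found in one delivered test message."""
    msg = email.message_from_string(raw)
    problems = []
    # Assumption: the hop into Google is the Received header naming
    # mx.google.com, with the sending peer's IPv4 address in [brackets].
    src = None
    for hop in msg.get_all("Received", []):
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hop)
        if m and "mx.google.com" in hop:
            try:
                src = ipaddress.ip_address(m.group(1))
            except ValueError:
                continue  # bracketed text was not a valid address
            break
    if src is None:
        problems.append("no source IP found on the hop into Google")
    elif not any(src in net for net in CYBERHOOT_NETS):
        problems.append(f"source IP {src} is outside the allow-listed ranges")
    # Pasting the header name with its leading "X-" gives "the two x's".
    if msg.get("X-X-CLOUD-SEC-AV-INFO") is not None:
        problems.append("header name has a doubled X- prefix")
    expected = f"{tenant},google_mail,inline"
    actual = msg.get("X-CLOUD-SEC-AV-INFO")
    if actual is None:
        problems.append("X-CLOUD-SEC-AV-INFO header is missing")
    elif actual.strip() != expected:
        problems.append(f"header value {actual!r}, expected {expected!r}")
    return problems

# Constructed sample messages (not real mail); "acme" is a made-up tenant.
GOOD = ("Received: from mail.example.test (mail.example.test. [54.240.125.36])\n"
        " by mx.google.com with ESMTPS id abc123\n"
        "X-CLOUD-SEC-AV-INFO: acme,google_mail,inline\n"
        "Subject: constructed test\n\nbody\n")
BAD = ("Received: from mail.example.test (mail.example.test. [203.0.113.10])\n"
       " by mx.google.com with ESMTPS id abc124\n"
       "X-X-CLOUD-SEC-AV-INFO: tenantname,google_mail,inline\n"
       "Subject: constructed test\n\nbody\n")
```

An empty list from audit_message(raw_headers, "<shortname>") means the message came from a listed IP and carries the expected bypass header; each string in a non-empty list names one thing to recheck in the rule.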